In short
Gestio runs without an account and without a server. The vault is an encrypted file stored on the user's computer. The publisher cannot access it.
No profile, no advertising identifier, no usage analytics. The application makes only two network requests, described below, and both can be avoided.
The source code is public: these statements can be verified.
The application
Encrypted on the device, unlocked by the master password. That password is stored nowhere and remains unknown to the publisher. If it is forgotten and no recovery key exists, access to the data is permanently lost. That is the trade-off of having no server.
Triggered by the user only. The password does not leave the device: only the first five characters of its SHA-1 hash are sent to the Have I Been Pwned service. That service returns every known hash starting the same way, and the comparison happens on the device. Response padding is requested so that the response size reveals nothing. The service can therefore identify neither the password being checked nor the result. Like any web request, it exposes the user's IP address to the service being contacted.
On by default, can be turned off in the settings. Gestio downloads a static file from rovrix.tech to compare version numbers. That request carries no information about the user or the vault. The update is signature-verified before installation. The host keeps a technical record of the request, as for any website visit. These checks are also counted by day, without any IP address: only a counter remains. It measures launches, never people, and allows neither tracking nor telling one user from another.
Off by default. Once enabled, data is end-to-end encrypted before being written to a folder chosen by the user (Dropbox, Syncthing, a network drive). The publisher provides no server. The service hosting that folder only ever sees encrypted files. Browser pairings stay local and are never synchronised.
The browser extension
The extension makes no network requests. It communicates only with the application installed on the same computer, through the browser's native messaging channel.
Four values, in the browser's local storage: a pairing identifier, the matching secret that proves to the application that this extension is the authorised one, and two preferences (automatic filling, automatic submit). The extension stores no password.
To the application only: the address of the current page, to look for matching entries, then, on user action, the identifier of the chosen entry in order to obtain its password. These exchanges take place between two programs on the same computer and travel across no network.
It requests them from the application at the moment of use, writes them into the field or the clipboard, and does not keep them. The vault stays in the application: the extension holds no copy of it, not even an encrypted one.
nativeMessaging to talk to the application. storage to keep the pairing and the preferences. activeTab and scripting to write into the fields of the displayed page, on user action. clipboardWrite to copy a password. Site access is optional: it serves automatic filling only, and is requested solely if that option is enabled.
The website
Downloads are counted by day, by country, and according to whether they come from a browser or from a robot. The distinction relies on the identification header sent by the client, which is not kept: only the category is. No IP address is stored: the country is derived in passing, the address is then discarded, and only a counter remains. No cookies, no trackers, no ad network, no third-party analytics.
Like any website, this one is served by a host (OVH) which keeps standard technical logs.
Data rights
The GDPR grants rights of access, rectification and erasure over personal data. As the publisher holds no personal data, there is nothing to disclose, correct or delete. The data stays on the user's machine, and deleting the vault deletes it.
Gestio is published by Rovrix. Contact: pro.jerome.pira@gmail.com.