Moltypass — Privacy Policy
Last updated: 2026-05-31
The short version
- Your API keys never leave your device.
- Moltypass does not collect telemetry, analytics, or crash reports by default.
- We never see your keys, and we don't want to.
- When you grant a site access to a key, only that site sees that key — and only after you click Allow.
What Moltypass stores locally
Moltypass keeps an encrypted vault on your device only. The vault contains:
- Your API keys (AES-GCM ciphertext, decrypted only in memory while the vault is unlocked)
- Per-site permissions — which sites you've granted access to which keys
- A local audit log: when keys were used, on what site, with what status. It never includes the keys themselves.
Vault key derivation uses Argon2id (a memory-hard KDF), with PBKDF2-HMAC-SHA-256 at 600,000 iterations as a fallback. The key derivation salt is per-installation and never leaves your device.
What Moltypass never collects
- Your API key bytes — they are never logged, telemetered, included in crash reports, or transmitted anywhere except the upstream provider you authorize.
- The bodies of your AI requests or responses — Moltypass proxies them through but does not read or persist them.
- Your browsing history outside of the per-site permissions you explicitly grant.
- Any identifier tied to you personally.
What Moltypass sends to providers
When a site you've granted access to makes an AI request through Moltypass, Moltypass forwards the request to the provider you chose (e.g. api.anthropic.com, api.openai.com, generativelanguage.googleapis.com) with your API key in the appropriate header. The provider sees the request body, your IP address, and the key. Their privacy policy applies.
Optional enterprise mode
If your organization deploys Moltypass via Chrome Enterprise policy and configures a collector URL, Moltypass will send structured event metadata (timestamps, origin, service, key fingerprint, status, latency) to that collector. The collector is run by your organization. Moltypass never sends raw keys or request bodies to any collector. Enterprise mode is disabled unless explicitly enabled by an administrator and is fully inert for personal users.
Permissions explained
- storage — to store the encrypted vault, permissions, and audit log on your device.
- alarms — to schedule the vault auto-lock timer and the daily audit-log retention sweep.
- tabs — to open the audit dashboard tab when you click the Moltypass icon.
- contextMenus — to add the "Save selection to Moltypass…" right-click option.
- host_permissions on AI provider domains — to proxy your AI requests directly to the provider you chose without routing them through any Moltypass server.
- content scripts on provider key-creation pages — to detect when you generate a new key and offer the "Save to Moltypass" banner. The content script reads the key text from the page's DOM, then sends it to Moltypass via the extension's private message channel — never via the system clipboard.
Your controls
- The Moltypass popup shows every key you've stored, every site that has been granted access, and lets you revoke any grant or rotate any key.
- You can export the audit log to JSON or CSV.
- You can delete the vault entirely from the popup — this is permanent.
Contact
Security disclosures: security@moltypass.app. Privacy questions: privacy@moltypass.app.