What is meant to stay private
Your readable vault contents, raw password, recovery phrase, and raw vault keys. Encryption is designed to happen locally so these do not need to be readable by our service.
Security, explained clearly
Security should be understandable before you trust it. This is the plain-English version of how Stax Pass is designed to protect your information—and the limits that come with that protection.
The short version
Our service is built to store the protected copy needed to sync your vault. It is not meant to hold a readable copy of your passwords, private notes, recovery phrase, or vault keys.
What happens when you use Stax Pass
Your device uses it to unlock protected key material locally. Stax Pass does not receive your password as readable text or keep it in a customer-support database.
When you save a password or private note, the app encrypts it before protected records are synced. The server needs the locked record to keep your devices in step; it is not supposed to receive the readable item inside.
Email verification and trusted-device approval help stop an unfamiliar device from quietly joining your account. Those checks protect the account entrance; they are not a substitute for your vault password or recovery phrase.
Your recovery phrase is another path to unlock your vault on a new device. Keep it private and offline, like a spare house key. The raw words are not sent to our API for safekeeping.
Your readable vault contents, raw password, recovery phrase, and raw vault keys. Encryption is designed to happen locally so these do not need to be readable by our service.
Your email address, account and device records, protected vault records, wrapped key records, sync information, and security-event history. We need this to operate the account and sync safely.
Password, phrase, and email are different things
Your everyday way into the vault. Choose a unique, strong password and do not share it.
A short-lived account-security check. It helps confirm the email inbox is yours, but it cannot decrypt your vault or replace your recovery phrase.
Please read this before you rely on us
You lose your password but still have your recovery phrase. You can use the recovery path to regain access and set a new password.
You lose your recovery phrase but still know your password. Sign in, replace the recovery protection, and store the new phrase safely.
You lose both but are still signed in on an unlocked device. Treat that as urgent: set a new password and recovery phrase while you still have access.
You lose both and no longer have an unlocked device. Your vault cannot be decrypted. Stax Pass cannot retrieve it, support cannot reset it, and we do not keep a backdoor.
That may feel strict. It is also the point: nobody else should have the power to open your vault just because they have your email address or can contact support.
What we cannot protect you from alone
The technical reference
Stax Pass is designed around public, reviewed cryptography—not a secret recipe. These are the tools behind the protections described above.
Think of this as the lock and tamper seal on a vault record. It protects the contents from being read and helps the app detect a record that was altered.
This deliberately expensive process turns your password into temporary unlock material on your device. It is designed to make large-scale password guessing far more costly. It does not make a weak or reused password safe.
This is the login and recovery proof system. It lets the app and service verify your password or recovery phrase without handing the raw words to the API as a reusable secret.
When secure sharing is used, these tools create a protected copy for the intended recipient rather than exposing a shared vault key as readable data.
The crypto core runs locally on your device, uses secure operating-system randomness, and is designed to fail closed: damaged or unauthenticated protected data should be rejected instead of quietly accepted.
Want to see the whole picture?
Explore the visual guide for the complete data flow, key layers, private sign-in proof, recovery decisions, and technical details.
Questions about security? Contact Stax Pass security.