PassSec by FluxWillow

Privacy Policy

Effective Date: Nov 13, 2025 · Version 1.2

TL;DR — The Short Version

We never see, store, or transmit your passwords. All calculations happen in your browser. The only data that touches our servers is standard web server logs (IP address, browser type), purged every 30 days.

1. Privacy-First Architecture

FluxWillow Password Security is built on a fundamental principle: security tools should never themselves become a security risk. Our tool is a static client-side application. Your password is processed entirely within your browser's JavaScript engine (V8, SpiderMonkey, etc.) and lives only in your device's RAM. We have no backend database, no logging of inputs, and no way to retrieve what you typed.

2. How Breach Checking Works (k-Anonymity Protocol)

When you check for breaches, we use the industry-standard k-Anonymity protocol via the HaveIBeenPwned (HIBP) API:

  1. Your browser hashes your password using SHA-1 locally.
  2. Only the first 5 characters of that hash are sent to the HIBP API.
  3. The API returns thousands of matching hash suffixes.
  4. Your browser checks locally whether your full hash is in that list.

Result: Neither FluxWillow nor the HIBP API ever sees your actual password or the full hash.
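The four steps above, sketched as an added example (not FluxWillow's own code). The function names, the injected fetchRange callback and the sample response are assumptions made for illustration; the response format is one SUFFIX:COUNT line per hash that shares the prefix.

```javascript
// Added illustration of the range check; all names here are hypothetical.

// Step 1: hash locally with the browser's Web Crypto API.
async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = await crypto.subtle.digest("SHA-1", bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Step 2: only the 5-character prefix is sent; the 35-character suffix stays local.
function splitHash(hashHex) {
  const h = hashHex.trim().toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(h)) throw new Error("expected a 40-hex-digit SHA-1");
  return { prefix: h.slice(0, 5), suffix: h.slice(5) };
}

// Steps 3-4: scan the returned "SUFFIX:COUNT" lines for our suffix, locally.
// Returns the breach count; a missing suffix or a zero count means "not found".
function countInRange(suffix, rangeBody) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10) || 0;
    }
  }
  return 0;
}

// fetchRange(prefix) is an assumed callback that returns the response text,
// e.g. a fetch() wrapper around the HIBP range endpoint. It receives the prefix only.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(suffix, await fetchRange(prefix));
}

// Constructed sample response for prefix 5BAA6 (the counts are made up).
// SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
const SAMPLE_RANGE = [
  "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
  "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",
].join("\r\n");
```

Passing `async () => SAMPLE_RANGE` as fetchRange exercises the whole flow offline; the callback's argument is the only value that would cross the network.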

3. Data We Do Collect

We collect minimal technical data to keep the service running:

  • Google Analytics: Aggregated, anonymised usage data (page views, session duration). No personally identifiable information (PII) is collected.
  • Server Logs: Standard access logs (IP address, browser type, timestamp) for DDoS prevention and uptime monitoring. Purged every 30 days.

4. Cookies and Advertising

We may use cookies to remember tool preferences (e.g. generator settings). If Google AdSense ads are displayed, Google may use cookies based on your browsing history. You can opt out at google.com/settings/ads. We do not use tracking cookies ourselves.

5. Your Rights (GDPR / CCPA)

Under GDPR (EU/UK) and CCPA (California), you have the right to know what data is held about you. Since we do not store accounts or passwords, there is no user-specific data to request or delete. For any privacy inquiries, contact: [email protected]