
Privacy Policy

Last updated: June 2026. Applies to the geslar.app web app and browser extensions.

Introduction
Core principle: your passwords are zero-knowledge encrypted on your device before they leave the browser. Geslar is technically unable to access their contents.
Geslar is a Croatian password manager with a local Škrinjar (free, no registration required) and optional cross-device cloud synchronisation (registration, Premium subscription). This policy describes what data we process, for what purpose and how we protect it — covering both usage modes.
Data controller: Geslar d.o.o., Miroslava Krleže 13, 51000 Rijeka, Croatia
Contacts: [email protected] (privacy), [email protected] (security incidents), [email protected] (legal matters), [email protected] (customer support)
Security disclosure: /.well-known/security.txt (RFC 9116)
Two levels of use:
1. Free / local (no registration) — Škrinjar lives exclusively in your browser. We do not process any of your data on our server.
2. Cloud sync (registered user, Premium / Family / Business) — The encrypted vault is synchronised through our EU-based server. We process identification, billing and security metadata (detailed below). Škrinjar on the web (my.geslar.app) is an additional access point to the same EU backend and the same processing — no new data processing.
Language versions. This policy is published in Croatian and English. In case of any discrepancy between the language versions, the Croatian version prevails.
Legal basis for processing
Geslar processes minimal data on the basis of the following legal grounds in accordance with Article 6(1) of the GDPR:
Legitimate interest (Art. 6(1)(f))
Security audit log (cyber-security), abuse prevention, breach checking via k-Anonymity protocol, local settings (localStorage), on-device encryption and decryption.
Consent (Art. 6(1)(a))
Contact form, marketing emails (newsletter, promotional content — opt-in at registration), optional analytics in the future (currently none).
Performance of contract (Art. 6(1)(b))
Cloud vault synchronisation, authentication (login, email verification, recovery key confirmation), subscriptions and billing, subscription notifications, Secure Send feature.
Legal obligation (Art. 6(1)(c))
Accounting records of subscriptions (Croatian tax legislation), retention of data required by the NIS2 directive for Business plan customers in essential sectors.
Password and passphrase generation
All generation takes place exclusively in the browser on your device. No generated password, passphrase or other user input is sent to a server or stored outside the local device.
Škrinjar (password manager)
Regardless of whether you use Škrinjar locally or with cloud sync: your data is encrypted on your device before it leaves the browser. The master password and recovery key are Argon2id-derived exclusively on the client — the server never sees their plaintext.
On-device encryption
AES-256-GCM for vault contents with a key derived from the master password via Argon2id (a memory-hard KDF resistant to GPU attacks). Keys are kept only in RAM (chrome.storage.session) and are cleared on restart.
Local storage
The encrypted Škrinjar database is stored in chrome.storage.local on your device. Free users never have any additional storage outside the device.
Cloud synchronisation (optional, Premium+)
If you opt into sync, the client encrypts the entire vault with your key before sending it to the server. The server stores only an encrypted blob (binary package) — it cannot read individual entries.
Auto-lock
Škrinjar automatically locks after inactivity (configurable timeout). The alarms and idle permissions are used — exclusively local, with no network communication.
Recovery key (zero-knowledge)
When creating a cloud account, a 128-bit recovery key is generated — exclusively on the client. The server stores only its SHA-256 hash. If you forget your master password, the recovery key is the only way to regain access — Geslar cannot recover it.
Import / Export / Portability
Importing from other managers (Bitwarden JSON, CSV) takes place locally. Exporting your vault and personal data (Right to data portability, Art. 20 GDPR) is available through Settings → Account → Export data.
Cloud synchronisation (Premium / Family / Business)
Cloud sync is optional. Free users can use Geslar locally for their entire lifetime without registration and without any network communication with our server (except for the optional breach check via HIBP).
If you opt into cloud sync, here is what we actually process on our server:
Email address
Your email serves as an account identifier, a contact for security and transactional messages (verification, billing), and a login credential. It is stored in plaintext (required for sending emails).
Master password — derivative (auth_hash)
The client computes an Argon2id derivative of your master password and sends only that auth_hash. The plaintext master password never leaves your device. The server stores only a bcrypt hash of the auth_hash (double protection).
Vault (encrypted blob)
The entire vault contents — passwords, cards, TOTP keys, notes — are AES-256-GCM encrypted on the client before transmission. The server stores a binary blob that it technically cannot read.
Recovery key — hash
The server stores only the SHA-256 hash of the recovery key for verification during the "account recovery" flow. The plaintext key is generated on the client and is never transmitted.
Refresh tokens (sessions)
Tokens with rotation to maintain login status between sessions. TTL 30 days; deleted on logout and on detection of suspicious activity.
Locale
The language you use (HR/EN) for personalised communication (emails, error messages).
What we do NOT store: your master password in plaintext, the recovery key in plaintext, browsing history, IP addresses in persistent storage, or the content of pages you visit.
Family and organisational sharing
Sharing that stays yours alone. The Family plan allows sharing passwords, cards and notes with up to 5 members — while encryption remains end-to-end. Each shared entry is encrypted so that only the members it is intended for can access it. Geslar cannot read shared content either — the server sees only encrypted data and public keys.
Who sees what. The family organiser manages membership, shared vaults and permissions (view/edit). The organiser cannot see the contents of anyone's vault or who has accessed any particular entry. Each member can see only what has been shared with them and their own personal vault.
Minors. Persons aged 16 and above may open their own account (pursuant to Article 19 of the Croatian Act on the Implementation of the GDPR (Official Gazette 42/18)). Younger members are added and managed by the family organiser — an adult who confirms they hold parental responsibility. We process the minimum necessary data about minors; we do not profile or advertise to children.
When a member leaves. Upon removing a member, shared keys are automatically rotated and their access ceases; their personal vault remains untouched. Each member may export or delete their own data at any time.
Email verification
Upon registering for cloud sync, we send a verification email with a magic link. Clicking the link proves ownership of the email address. Without verification, access to the admin section and sync mutations is not possible (protection against account takeover through email enumeration).
Token security
The verification token (UUID) is SHA-256 hashed before being stored in the DB. The plaintext token exists only in the sent email and in the client's memory until it is clicked. The token is valid for 7 days (registration) / 1 hour (resend).
Anti-enumeration
The "resend verification" endpoint always returns 200 OK, regardless of whether a user with that email exists. This prevents an attacker from determining which email addresses have a Geslar account via the API.
Rate limiting
3 verification emails per hour per email address, 10 per IP address. Prevents DoS and spam.
Billing and subscriptions (Premium / Family / Business)
Payments are processed by Lemon Squeezy LLC (USA) as our Merchant of Record. Lemon Squeezy is responsible for invoicing, VAT calculation (including EU OSS), and processing card data. Geslar never sees your card number — Lemon Squeezy sends us only a tokenised identifier and subscription status.
What Lemon Squeezy processes
Your email, name (if provided), card number (tokenised), country of residence (for VAT), transaction amount, subscription status. Stored in the USA under Standard Contractual Clauses (SCC) per GDPR Chapter V.
What Geslar receives back
Via webhook: your email (linked to your account), plan slug (premium/family/business), status (active/past_due/canceled), expiry date, customer ID at LS. No card data.
Accounting obligation
Billing data (excluding card data) is retained for 11 years pursuant to the Croatian Accounting Act (Article 9) — tax records. This cannot be deleted under the Right to Erasure while the tax period remains open.
Lemon Squeezy has its own privacy policy available at lemonsqueezy.com/privacy. By using a cloud subscription you also agree to their terms.
Audit log (security diary)
We log security-relevant events to protect your account from unauthorised access and to comply with NIS2 requirements (for Business plan). The audit log uses privacy-minimum metadata — it records only what is strictly necessary for security review.
What we log
Action type (e.g. login, plan upgrade, password change), timestamp, sanitised URL pattern (without IDs), your user_id, organization_id, slug of the feature requested.
What we do NOT log
IP addresses, user agent string, referer header, full URLs with IDs in the path, request body content, response content.
Retention
12 months for Free / Premium / Family. 24 months for Business plan (NIS2 minimum). Automatically deleted upon expiry. On account deletion, the audit log is anonymised (user_id pseudonymised) — security interest under Art. 17(3)(b) GDPR.
Autofill and form detection
Autofill works exclusively on user request — by clicking the Geslar icon in the input field or using the keyboard shortcut (Ctrl+Shift+L). The content script detects login and card input fields on the active page, but does not read, collect or send page content.
Geslar uses a closed shadow DOM with randomised element names, which prevents the host page from reading or manipulating the Geslar UI.
Local settings (localStorage)
The application stores your settings locally in the browser via localStorage — selected separator, dictionaries, theme, text size and similar. This data stays only on your device and is never sent to a server. You can delete it by clearing browser data.
Secure Send (Encrypt & Send)
The Send securely option allows one-time sharing of a password via an encrypted link.
Password breach check (Have I Been Pwned)
The Check password function uses a k-anonymous model: a SHA-1 hash is computed from the password, and only the first 5 characters of that hash are sent to the external API (HaveIBeenPwned). The full password and full hash never leave the device.
Analytics
Geslar does not use any analytics tools, tracking scripts or cookies. We do not collect data on visits, user behaviour or any personal data via the web application or browser extensions.
Contact form
If you send a message via the Contact page, your name, email address and message content are sent directly to the author. Data is used exclusively to respond to the inquiry and is not stored in a database.
Browser extension — permissions
activeTab
Access to the active tab only when the user triggers autofill — exclusively for entering a password or card into the focused input field.
scripting
Injecting a script into the active tab on user request, for detecting login fields and inserting data.
clipboardWrite
Copying a password, TOTP code or card number to the clipboard on user request.
storage
Storage of the encrypted Škrinjar database and user settings locally on the device via chrome.storage.local. Data never leaves the device.
alarms
Periodic check for auto-locking Škrinjar after inactivity. Used exclusively locally — no network calls.
idle
User inactivity detection (locked/idle/active state) for auto-locking Škrinjar. No activity data is collected.
The extension does not read web page content, does not track browsing history and does not collect any usage data. The only network communication is breach checking (HIBP, k-Anonymity) and favicon fetching (DuckDuckGo API).
Cookies
Geslar does not use cookies for tracking or personalisation. Application settings are stored exclusively in the browser's localStorage, not in cookies.
Data retention period
Geslar applies the principle of data minimisation — data is retained only as long as necessary to fulfil its purpose.
Vault (cloud sync)
The encrypted vault blob is stored on the server while your account is active. Deleting the account through Settings → Account → Delete removes the vault immediately. Backups rotate and exit the system within 30 days.
Cloud data after cancellation
A cancelled plan stays active until the end of the paid period. After expiry the account switches to Free — your vault keeps working locally, cloud synchronisation turns off, and the cloud copy of your data is kept for another 30 days for export or re-subscribing; it is then permanently deleted from the servers. The Shared vault is read-only during that window. Data on your devices stays untouched.
Local settings
Stored in the browser (chrome.storage.local) until the user deletes them or clears browser data. Geslar does not delete them automatically.
Audit log
12 months for Free / Premium / Family. 24 months for Business plan (NIS2 minimum). Automatic cleanup cron. Anonymised on account deletion (Art. 17(3)(b) — security interest).
Refresh tokens
Auth tokens for maintaining login sessions — TTL 30 days with rotation. Deleted on logout, password change, and after an inactivity period. Suspicious activity triggers immediate revocation.
Verification tokens
Email verification: 7 days (registration), 1 hour (resend). Password reset: 1 hour. Automatically deleted after expiry or first use.
Email log (Brevo events)
Delivery status of transactional emails (sent / delivered / bounced / complained) — 90 days. Used for detecting delivery issues. Message content is NOT stored, only metadata.
Billing records
Invoices and proof of payment — 11 years pursuant to the Croatian Accounting Act (Article 9). Not subject to Right to Erasure while the tax period remains open (Art. 17(3)(b) — legal obligation).
Secure Send
The encrypted payload is stored on the server until the selected expiry (1–90 days) or until the view limit is reached, after which it is automatically and permanently deleted.
Contact messages
Name, email and message content are kept only until the inquiry is answered, after which they are deleted. They are not stored in a database.
Breach check
No data is stored — the check takes place in real time via the k-Anonymity API.
Data processors and transfers to third countries
Geslar is an EU-domiciled password manager. Your encrypted vault and transactional emails never leave the EU. Billing data (email + amount only) is processed by Lemon Squeezy in the USA under the Standard Contractual Clauses (SCC) mechanism of the GDPR.
Hetzner Online GmbH (Germany)
Primary processor — VPS hosting for the API + Postgres database + Valkey cache + daily backups. Locations: Frankfurt + Falkenstein. All encrypted vault and transactional data resides in the EU. Hetzner is GDPR-compliant with a signed DPA.
Brevo (Sendinblue, France)
Transactional email delivery — email verification, security notifications, billing notifications. Location: Paris. EU-domiciled, intra-EU transfer. Click and open tracking is disabled for all transactional messages (privacy by design).
Lemon Squeezy LLC (USA)
Billing (Merchant of Record). Processes email, card data (tokenised), transaction amount, subscription status. US transfer under Standard Contractual Clauses (SCC) integrated into the DPA. Geslar never sees your card number.
Cloudflare Inc. (USA, EU edges)
DNS and CDN/proxy for web pages. Configured for EU edge servers where possible. Transfer under SCC and the Data Privacy Framework. Cloudflare processes only IP addresses on requests — not the encrypted content passing through it.
HaveIBeenPwned (HIBP)
Password breach checking. Servers are on Cloudflare (USA/global edge). The k-Anonymity protocol is used — the API receives only the first 5 characters of the SHA-1 hash, not the full password. The original password cannot be reconstructed from this prefix.
For ancillary functions we select providers giving priority to EU residency. We are happy to provide a complete, up-to-date list of sub-processors and a security review on request — contact us at [email protected].
Note: Apart from the services listed above, Geslar does not communicate with any other external service. All fonts, scripts and styles are served from its own domain (geslar.app).
Data subject rights
In accordance with Articles 15–21 of the General Data Protection Regulation (GDPR), you have the following rights:
SLA: We respond to requests pursuant to Art. 12 GDPR within 30 days (extendable by a further 60 days with justification). Most rights are self-service through the extension Settings — instant, without waiting for our intervention.
Free / local user: As Geslar Free does not collect personal data on our server (no user accounts, cookies or tracking), most of these rights are automatically fulfilled — there is no data we could disclose, rectify or delete. Your local Škrinjar is entirely under your control.
Supervisory authority
If you believe that the processing of your personal data is in violation of the GDPR, you have the right to lodge a complaint with the competent supervisory authority:
Agencija za zaštitu osobnih podataka (AZOP)
Selska cesta 136, 10 000 Zagreb, Croatia
Phone: +385 1 4609 000
Web: azop.hr
Email: [email protected]
Privacy questions and contact
Geslar uses dedicated email aliases for different types of enquiries to ensure your message reaches the right person (the addresses are listed under Contacts in the Introduction):
Privacy: general privacy questions, GDPR requests (access, erasure, objection), questions about data processors.
Security: responsible disclosure of security vulnerabilities. See also security.txt (RFC 9116).
Legal: legal questions, DPA requests for B2B Business plan customers, vendor due diligence.
Support: customer support, functional questions, account issues, suggestions for improvement. Or use the contact form.
SLA: We respond within 5 business days for all privacy-related questions (Art. 12 GDPR — without undue delay).