Last updated: June 2026. Applies to the geslar.app web app and browser extensions.
Version 2.10 · Last updated:
Introduction
Core principle: your passwords are zero-knowledge encrypted on your device before they leave the browser. Geslar is technically unable to access their contents.
Geslar is a Croatian password manager with a local Škrinjar (free, no registration required) and optional cross-device cloud synchronisation (registration, Premium subscription). This policy describes what data we process, for what purpose and how we protect it — covering both usage modes.
Two levels of use: 1. Free / local (no registration) — Škrinjar lives exclusively in your browser. We do not process any of your data on our server. 2. Cloud sync (registered user, Premium / Family / Business) — The encrypted vault is synchronised through our EU-based server. We process identification, billing and security metadata (detailed below). Škrinjar on the web (my.geslar.app) is an additional access point to the same EU backend and the same processing — no new data processing.
Language versions. This policy is published in Croatian and English. In case of any discrepancy between the language versions, the Croatian version prevails.
Legal basis for processing
Geslar processes minimal data on the basis of the following legal grounds in accordance with Article 6(1) of the GDPR:
✅
Legitimate interest (Art. 6(1)(f))
Security audit log (cyber-security), abuse prevention, breach checking via k-Anonymity protocol, local settings (localStorage), on-device encryption and decryption.
📝
Consent (Art. 6(1)(a))
Contact form, marketing emails (newsletter, promotional content — opt-in at registration), optional analytics in the future (currently none).
Accounting records of subscriptions (Croatian tax legislation), retention of data required by the NIS2 directive for Business plan customers in essential sectors.
Password and passphrase generation
All generation takes place exclusively in the browser on your device. No generated password, passphrase or other user input is sent to a server or stored outside the local device.
Škrinjar (password manager)
Regardless of whether you use Škrinjar locally or with cloud sync: your data is encrypted on your device before it leaves the browser. The master password and recovery key are Argon2id-derived exclusively on the client — the server never sees their plaintext.
🔐
On-device encryption
AES-256-GCM for vault contents with a key derived from the master password via Argon2id (a memory-hard KDF resistant to GPU attacks). Keys are kept only in RAM (chrome.storage.session) and are cleared on restart.
💾
Local storage
The encrypted Škrinjar database is stored in chrome.storage.local on your device. Free users never have any additional storage outside the device.
☁️
Cloud synchronisation (optional, Premium+)
If you opt into sync, the client encrypts the entire vault with your key before sending it to the server. The server stores only an encrypted blob (binary package) — it cannot read individual entries.
⏱
Auto-lock
Škrinjar automatically locks after inactivity (configurable timeout). The alarms and idle permissions are used — exclusively local, with no network communication.
🔑
Recovery key (zero-knowledge)
When creating a cloud account, a 128-bit recovery key is generated — exclusively on the client. The server stores only its SHA-256 hash. If you forget your master password, the recovery key is the only way to regain access — Geslar cannot recover it.
📤
Import / Export / Portability
Importing from other managers (Bitwarden JSON, CSV) takes place locally. Exporting your vault and personal data (Right to data portability, Art. 20 GDPR) is available through Settings → Account → Export data.
Cloud synchronisation (Premium / Family / Business)
Cloud sync is optional. Free users can use Geslar locally for their entire lifetime without registration and without any network communication with our server (except for the optional breach check via HIBP).
If you opt into cloud sync, here is what we actually process on our server:
📧
Email address
Your email serves as an account identifier, a contact for security and transactional messages (verification, billing), and a login credential. It is stored in plaintext (required for sending emails).
🔑
Master password — derivative (auth_hash)
The client computes an Argon2id derivative of your master password and sends only that auth_hash. The plaintext master password never leaves your device. The server stores only a bcrypt hash of the auth_hash (double protection).
📦
Vault (encrypted blob)
The entire vault contents — passwords, cards, TOTP keys, notes — are AES-256-GCM encrypted on the client before transmission. The server stores a binary blob that it technically cannot read.
🔁
Recovery key — hash
The server stores only the SHA-256 hash of the recovery key for verification during the "account recovery" flow. The plaintext key is generated on the client and is never transmitted.
🪪
Refresh tokens (sessions)
Tokens with rotation to maintain login status between sessions. TTL 30 days; deleted on logout and on detection of suspicious activity.
🌐
Locale
The language you use (HR/EN) for personalised communication (emails, error messages).
What we do NOT store: your master password in plaintext, the recovery key in plaintext, browsing history, IP addresses in persistent storage, browsing history, or the content of pages you visit.
Family and organisational sharing
Sharing that stays yours alone. The Family plan allows sharing passwords, cards and notes with up to 5 members — while encryption remains end-to-end. Each shared entry is encrypted so that only the members it is intended for can access it. Geslar cannot read shared content either — the server sees only encrypted data and public keys.
Who sees what. The family organiser manages membership, shared vaults and permissions (view/edit). The organiser cannot see the contents of anyone's vault or who has accessed any particular entry. Each member can see only what has been shared with them and their own personal vault.
Minors. Persons aged 16 and above may open their own account (pursuant to Article 19 of the Croatian Act on the Implementation of the GDPR (Official Gazette 42/18)). Younger members are added and managed by the family organiser — an adult who confirms they hold parental responsibility. We process the minimum necessary data about minors; we do not profile or advertise to children.
When a member leaves. Upon removing a member, shared keys are automatically rotated and their access ceases; their personal vault remains untouched. Each member may export or delete their own data at any time.
Email verification
Upon registering for cloud sync, we send a verification email with a magic link. Clicking the link proves ownership of the email address. Without verification, access to the admin section and sync mutations is not possible (protection against account takeover through email enumeration).
🔐
Token security
The verification token (UUID) is SHA-256 hashed before being stored in the DB. The plaintext token exists only in the sent email and in the client's memory until it is clicked. The token is valid for 7 days (registration) / 1 hour (resend).
⛔
Anti-enumeration
The "resend verification" endpoint always returns 200 OK, regardless of whether a user with that email exists. This prevents an attacker from determining which email addresses have a Geslar account via the API.
⏱
Rate limiting
3 verification emails per hour per email address, 10 per IP address. Prevents DoS and spam.
Billing and subscriptions (Premium / Family plan)
Payments for Premium and Family plans are processed by Creem (legal entity: Armitage Labs OÜ, Tallinn, Estonia) as our Merchant of Record. Creem is responsible for invoicing, VAT calculation (including EU OSS), and processing card data. Geslar never sees your card number — Creem sends us only a tokenised identifier and subscription status.
Business and organisational plans are not billed through Creem — they are arranged on request and billed separately. For business billing enquiries: [email protected].
💳
What Creem processes
Your email, name (if provided), card number (tokenised), country of residence (for VAT), transaction amount, subscription status. Creem operates within the EU (Estonia) — no data transfer outside the EU/EEA for this processing.
📋
What Geslar receives back
Via webhook: your email (linked to your account), plan slug (premium/family), status (active/past_due/canceled), expiry date, customer ID at Creem. No card data.
📜
Accounting obligation
Billing data (excluding card data) is retained for 11 years pursuant to the Croatian Accounting Act (Article 9) — tax records. This cannot be deleted under the Right to Erasure while the tax period remains open.
Creem has its own privacy policy available at creem.io/privacy. By using a cloud subscription you also agree to their terms.
Audit log (security diary)
We log security-relevant events to protect your account from unauthorised access and to comply with NIS2 requirements (for Business plan). The audit log uses privacy-minimum metadata — it records only what is strictly necessary for security review.
✅
What we log
Action type (e.g. login, plan upgrade, password change), timestamp, sanitised URL pattern (without IDs), your user_id, organization_id, slug of the feature requested.
⛔
What we do NOT log
IP addresses, user agent string, referer header, full URLs with IDs in the path, request body content, response content.
🗓
Retention
12 months for Free / Premium / Family. 24 months for Business plan (NIS2 minimum). Automatically deleted upon expiry. On account deletion, the audit log is anonymised (user_id pseudonymised) — security interest under Art. 17(3)(b) GDPR.
Autofill and form detection
Autofill works exclusively on user request — by clicking the Geslar icon in the input field or using the keyboard shortcut (Ctrl+Shift+L). The content script detects login and card input fields on the active page, but does not read, collect or send page content.
Geslar uses a closed shadow DOM with randomised element names, which prevents the host page from reading or manipulating the Geslar UI.
Local settings (localStorage)
The application stores your settings locally in the browser via localStorage — selected separator, dictionaries, theme, text size and similar. This data stays only on your device and is never sent to a server. You can delete it by clearing browser data.
Secure Send (Encrypt & Send)
The Send securely option allows one-time sharing of a password via an encrypted link.
The password is encrypted in the browser (AES-GCM, 256-bit key) before sending
Only the encrypted blob is sent to the server — the server never sees the original password
The decryption key is transmitted exclusively via the URL fragment (#) which is not sent to the server
Data is automatically deleted upon expiry (1, 3 or 7 days) or after the maximum number of views
The storage server is Cloudflare (EU/global edge), data is not used for any other purpose
Password breach check (Have I Been Pwned)
The Check password function uses a k-anonymous model: a SHA-1 hash is computed from the password, and only the first 5 characters of that hash are sent to the external API (HaveIBeenPwned). The full password and full hash never leave the device.
Analytics
Geslar does not use any analytics tools, tracking scripts or cookies. We do not collect data on visits, user behaviour or any personal data via the web application or browser extensions.
Contact form
If you send a message via the Contact page, your name, email address and message content are sent directly to the author. Data is used exclusively to respond to the inquiry and is not stored in a database.
Browser extension — permissions
🔖
activeTab
Access to the active tab only when the user triggers autofill — exclusively for entering a password or card into the focused input field.
💉
scripting
Injecting a script into the active tab on user request, for detecting login fields and inserting data.
📋
clipboardWrite
Copying a password, TOTP code or card number to the clipboard on user request.
💾
storage
Storage of the encrypted Škrinjar database and user settings locally on the device via chrome.storage.local. Data never leaves the device.
⏰
alarms
Periodic check for auto-locking Škrinjar after inactivity. Used exclusively locally — no network calls.
💤
idle
User inactivity detection (locked/idle/active state) for auto-locking Škrinjar. No activity data is collected.
The extension does not read web page content, does not track browsing history and does not collect any usage data. The only network communication is breach checking (HIBP, k-Anonymity) and site icons via Geslar's own first-party proxy — never fetched directly from third parties; icon display can be turned off in settings.
Cookies
Geslar does not use cookies for tracking or personalisation. Application settings are stored exclusively in the browser's localStorage, not in cookies.
Shared and business data
Content encryption. All shared vaults — family and business — are end-to-end encrypted. Geslar never sees the content (passwords, credentials, notes). Secret content is never written to logs or audit records.
👤
Who can access
Shared vaults are accessible only to members who have been assigned that vault, under the permission granted (view or edit). The organisation owner/administrator manages membership and permissions — but cannot read vault contents.
🔍
What an administrator sees
Administrators see: member list, assigned permissions, access-event metadata (audit). Administrators do NOT see: password contents, credentials or notes — content is E2E encrypted.
📋
Audit records (shared context)
In shared vaults, access metadata (who, which resource, when) is logged for security and accountability. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) + performance of service contract. IP addresses are anonymised. Personal (single-user) context: no audit logging. Default retention 18 months; security records may be retained for a shorter period. Members have the right to access records about themselves (Art. 15 GDPR).
🚪
Member removal
A removed member immediately loses access to all shared vaults; shared keys are automatically rotated with no possibility of subsequent retrieval. The member's personal vault remains untouched. Note: the 30-day export window applies to cancellation of the entire plan, not to removal of an individual member.
🗑️
Account deletion
Permanent deletion within 30 days of the request. Security and audit records are pseudonymised (user_id replaced by a hash) — a permanent record is kept without personal identifiers. Local data on user devices remains under their own control.
🇪🇺
Data processing and transfer
All shared and business vault data is processed and stored within the EU/EEA. A DPA (Data Processing Agreement) with sub-processors is in place; available on request to business customers.
GDPR roles (business context): When an organisation uses the Geslar Business plan, Geslar acts as a data processor and the organisation acts as the data controller in respect of its employees' / members' data within the shared vaults. A DPA (Data Processing Agreement) is available on request — [email protected].
Data retention period
Geslar applies the principle of data minimisation — data is retained only as long as necessary to fulfil its purpose.
📦
Vault (cloud sync)
The encrypted vault blob is stored on the server while your account is active. Deleting the account through Settings → Account → Delete removes the vault immediately. Backups rotate and exit the system within 30 days.
☁️
Cloud data after cancellation
A cancelled plan stays active until the end of the paid period. After expiry the account switches to Free — your vault keeps working locally, cloud synchronisation turns off, and the cloud copy of your data is kept for another 30 days for export or re-subscribing; it is then permanently deleted from the servers. The Shared vault is read-only during that window. Data on your devices stays untouched.
💾
Local settings
Stored in the browser (chrome.storage.local) until the user deletes them or clears browser data. Geslar does not delete them automatically.
🔍
Audit log
12 months for Free / Premium / Family. 24 months for Business plan (NIS2 minimum). Automatic cleanup cron. Anonymised on account deletion (Art. 17(3)(b) — security interest).
🪪
Refresh tokens
Auth tokens for maintaining login sessions — TTL 30 days with rotation. Deleted on logout, password change, and after an inactivity period. Suspicious activity triggers immediate revocation.
✉️
Verification tokens
Email verification: 7 days (registration), 1 hour (resend). Password reset: 1 hour. Automatically deleted after expiry or first use.
📨
Email log (Brevo events)
Delivery status of transactional emails (sent / delivered / bounced / complained) — 90 days. Used for detecting delivery issues. Message content is NOT stored, only metadata.
💸
Billing records
Invoices and proof of payment — 11 years pursuant to the Croatian Accounting Act (Article 9). Not subject to Right to Erasure while the tax period remains open (Art. 17(3)(b) — legal obligation).
🔗
Secure Send
The encrypted payload is stored on the server until the selected expiry (1–90 days) or until the view limit is reached, after which it is automatically and permanently deleted.
📧
Contact messages
Name, email and message content are kept only until the inquiry is answered, after which they are deleted. They are not stored in a database.
🔍
Breach check
No data is stored — the check takes place in real time via the k-Anonymity API.
Data processors and transfers to third countries
Geslar is an EU-domiciled password manager. Your encrypted vault, transactional emails, and billing data never leave the EU/EEA — 100% of your data stays within the European Union.
🇩🇪
Hetzner Online GmbH (Germany)
Primary processor — VPS hosting for the API + Postgres database + Valkey cache + daily backups. Locations: Frankfurt + Falkenstein. All encrypted vault and transactional data resides in the EU. Hetzner is GDPR-compliant with a signed DPA.
🇫🇷
Brevo (Sendinblue, France)
Transactional email delivery — email verification, security notifications, billing notifications. Location: Paris. EU-domiciled, intra-EU transfer. Click and open tracking is disabled for all transactional messages (privacy by design).
🇪🇪
Creem / Armitage Labs OÜ (Estonia)
Billing (Merchant of Record). Processes email, card data (tokenised), transaction amount, subscription status. Location: Tallinn. EU-domiciled — no US transfer, no SCC required for this processing. Geslar never sees your card number.
☁
Cloudflare Inc. (USA, EU edges)
DNS and CDN/proxy for web pages. Configured for EU edge servers where possible. Transfer under SCC and the Data Privacy Framework. Cloudflare processes only IP addresses on requests — not the encrypted content passing through it.
🔍
HaveIBeenPwned (HIBP)
Password breach checking. Servers are on Cloudflare (USA/global edge). The k-Anonymity protocol is used — the API receives only the first 5 characters of the SHA-1 hash, not the full password. The original password cannot be reconstructed from this prefix.
For ancillary functions we select providers giving priority to EU residency. We are happy to provide a complete, up-to-date list of sub-processors and a security review on request — contact us at [email protected].
Note: Apart from the services listed above, Geslar does not communicate with any other external service. All fonts, scripts and styles are served from its own domain (geslar.app).
Data subject rights
In accordance with Articles 15–21 of the General Data Protection Regulation (GDPR), you have the following rights:
Right of access (Art. 15) — Settings → Account → Export data generates a ZIP with all your data we process (JSON metadata + encrypted vault blob). Instant, no waiting, automated.
Right to rectification (Art. 16) — change your email and language in Settings → Account. Change your master password through the dedicated change-master flow with recovery key verification.
Right to erasure (Art. 17) — Settings → Account → Delete account. CASCADE chain: your user record + your organisations (as owner) + your encrypted vault + your memberships in other organisations (member role). The audit log is anonymised (user_id → pseudonym) pursuant to Art. 17(3)(b).
Right to restriction of processing (Art. 18) — contact us at [email protected]. We can "freeze" your account without deletion during a dispute about accuracy or for a verification period.
Right to data portability (Art. 20) — same endpoint as access. JSON format is structured and machine-readable. The vault blob can be imported into another password manager that supports the format.
Right to object (Art. 21) — opt out of marketing emails by clicking "unsubscribe" in any email. Transactional messages (verification, billing, security alerts) are not subject to opt-out — they are necessary for the performance of the contract.
SLA: We respond to requests pursuant to Art. 12 GDPR within 30 days (extendable by a further 60 days with justification). Most rights are self-service through the extension Settings — instant, without waiting for our intervention.
Free / local user: As Geslar Free does not collect personal data on our server (no user accounts, cookies or tracking), most of these rights are automatically fulfilled — there is no data we could disclose, rectify or delete. Your local Škrinjar is entirely under your control.
Supervisory authority
If you believe that the processing of your personal data is in violation of the GDPR, you have the right to lodge a complaint with the competent supervisory authority:
Agencija za zaštitu osobnih podataka (AZOP) Selska cesta 136, 10 000 Zagreb, Croatia Phone: +385 1 4609 000 Web: azop.hr Email: [email protected]
Privacy questions and contact
Geslar uses dedicated email aliases for different types of enquiries to ensure your message reaches the right person: