Bramble Privacy Policy

The short version: Bramble is a local-first password manager. It does not collect, sell, or share any of your data. There is no account, no server, no sync service, and no analytics. Everything stays on your device, encrypted. The one exception is an optional password breach check, off by default, that you can turn on; even then, your passwords never leave your device (see below).

Effective date: 10 June 2026

What data Bramble handles

Bramble stores the data you choose to save in it, such as login usernames and passwords, payment cards, secure notes, and two-factor (TOTP) seeds, together with your own app preferences. This data is created and used only to provide the password-manager features you asked for (saving, searching, and autofilling your credentials).

Where it is stored

Your vault is stored only on your device, in your browser's local extension storage and/or in a vault file you pick on your own computer. Bramble has no server and no cloud, so your data never leaves your device through Bramble.

How it is protected

Your vault is encrypted. The key that protects it is derived from your master password using Argon2id, and individual entries are encrypted with AES-256-GCM. Encryption and decryption happen locally on your device. Your master password and the keys derived from it are never stored in plaintext and never leave your device.

What Bramble does not do

Password breach check (optional)

Bramble can tell you whether one of your saved passwords has appeared in a known data breach. This feature is off by default; you turn it on in Settings. It is the only feature that contacts a server.

When it is on, Bramble checks a password using the Have I Been Pwned "Pwned Passwords" service with a privacy-preserving method called k-anonymity: it computes a SHA-1 hash of the password and sends only the first five characters of that hash to the service's API (api.pwnedpasswords.com). The service returns a list of possible matches and Bramble compares them on your device. Your password, and even its full hash, never leave your device, and Have I Been Pwned cannot tell which password you checked. Bramble also asks the service to pad its response so the amount of data returned reveals nothing about your query.
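
The check described above, sketched in Python as an added example (this is not Bramble's own code). The function names and the sample response are constructed for illustration; the Add-Padding header and the SUFFIX:COUNT line format are those of the public Pwned Passwords range API, not details taken from this policy.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # host named in the policy


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_request(password: str) -> tuple[str, dict]:
    """Everything that would go on the wire: the prefix and the padding opt-in."""
    prefix, _ = split_hash(password)
    return RANGE_URL + prefix, {"Add-Padding": "true"}


def breach_count(password: str, response_body: str) -> int:
    """Match the locally held suffix against the 'SUFFIX:COUNT' lines returned."""
    _, suffix = split_hash(password)
    found = 0
    for line in response_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if not sep or len(candidate) != 35 or not count.isdigit():
            continue  # skip malformed lines rather than trusting them
        # Padded responses carry filler rows with a count of 0; those are never a hit.
        if candidate.upper() == suffix and int(count) > 0:
            found = int(count)
    return found


def constructed_response(password: str, count: int) -> str:
    """Constructed sample body for offline use: one real suffix plus filler rows."""
    _, suffix = split_hash(password)
    rows = ["0" * 35 + ":0", f"{suffix}:{count}", "F" * 35 + ":0"]
    return "\r\n".join(rows)


if __name__ == "__main__":
    url, headers = build_request("password")
    print(url, headers)  # only the 5-character prefix appears in the URL
    print(breach_count("password", constructed_response("password", 3)))
    print(breach_count("correct horse", constructed_response("password", 3)))
```

The only values derived from the password that reach build_request's output are the five prefix characters; the suffix comparison happens entirely inside breach_count.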

Have I Been Pwned is operated by a third party under its own privacy policy: haveibeenpwned.com/Privacy.

Autofill and website access

To offer to fill saved credentials, Bramble's content script runs on web pages and looks at the structure of forms on the page (for example, whether a field is a username, password, or one-time-code field). This happens entirely on your device. Bramble does not read, collect, or transmit the content of the pages you visit, and it only fills a credential when you explicitly choose one.

Clipboard

When you copy a password, Bramble writes it to your clipboard and, after a short timeout, clears the clipboard to reduce the chance of a secret lingering there. This is done locally and the copied value is never sent anywhere.

Permissions, in plain language

Importing other password files

If you import a vault from another manager (for example a KeePass .kdbx file), Bramble reads that file locally to add its entries to your vault. The file and its contents are processed only on your device and are not transmitted anywhere.

Recovery and lost access

Bramble has no copy of your master password or the keys derived from it, so it cannot recover your vault or reset your password for you. If you set up a recovery code or a security key, you can use those to regain access. If you lose your master password and every recovery method you set up, your vault cannot be decrypted by you, by us, or by anyone. That is the trade-off for there being no backdoor.

Data retention and deletion

Because your data lives only on your device, you are in control of it. Removing the extension and/or deleting your vault file and clearing the extension's browser storage removes your data. Bramble retains nothing on your behalf because it holds nothing about you anywhere else.

Children

Bramble is a general-purpose tool, not directed at children, and collects no information from anyone.

Changes to this policy

If this policy changes, the updated version will be posted here with a new effective date.

Contact

Questions about this policy or your privacy? Email flythenimbus@pm.me.