Privacy Policy for Login Passkey Manager
Last Updated: November 15, 2025
Effective Date: November 15, 2025
TL;DR: We don't collect your data. We don't transmit your data. We don't store your data on servers. Everything stays on your device and your personal NFC card. That's our commitment to your privacy.
Introduction
Phenomenal Aktiebolag ("we," "our," or "us") operates the Login Passkey Manager mobile application (the "App"). This Privacy Policy explains how we handle information in connection with your use of our App.
Our Commitment: We are committed to protecting your privacy. This App is designed with privacy as a core principle - we do not collect, transmit, or store any personal data on our servers.
Information We Collect
Data Stored on Your NFC Card (Required)
The App stores the following data on your personal MIFARE DESFire EV3 NFC card:
- Passkeys (Authentication Credentials): WebAuthn/FIDO2 passkeys you create for websites and services
- Credential Metadata: Website names, usernames, and creation dates associated with passkeys
Important: All passkey data is protected by PIN-based access control using AES-128 authentication. The encryption key is derived from your PIN with PBKDF2-HMAC-SHA256 at 600,000 iterations (configurable up to 2,000,000) and bound to the card UID, then used to authenticate with the card. While a session is active, passkeys are held in memory only; nothing about them persists on the device.
Data Stored Locally on Your Device
The App stores the following data on your device:
- PIN Hash: A one-way PBKDF2-HMAC-SHA256 hash of your PIN (600,000 iterations, random per-device salt) used for offline PIN verification. The PIN itself is never stored.
- Application Settings: Your preferences and configuration choices
- Disclaimer Acceptance: Record of your acceptance of our terms and disclaimer
What is not stored on disk: Your passkeys are not persisted on the device. They live in RAM during an active session only, each private key envelope-encrypted with AES-256-GCM under a non-exportable, hardware-backed (when supported) Android Keystore wrapping key. The cache is cleared on logout, app close, session expiry, or after 3 failed PIN attempts.
What We DO NOT Collect
We explicitly DO NOT collect, access, or transmit:
- ❌ Personal information (name, email, phone number, etc.)
- ❌ Usage analytics or statistics
- ❌ Device identifiers or advertising IDs
- ❌ Location data
- ❌ Crash reports or diagnostic data
- ❌ Any data to remote servers
No Cloud Storage: This App does not use cloud storage or any remote servers for credential storage.
How We Use Data
Data on your NFC card and in the in-memory session cache is used solely for:
- Passkey Management: Storing and retrieving your passkeys for authentication
- App Functionality: Providing the core features of the application
- NFC Card Storage: Your NFC card is the primary (and only persistent) storage location for all passkeys
- In-Memory Session Cache: Loaded into RAM after PIN verification so signing operations are fast; cleared when the session ends
Data Sharing and Third Parties
We do not share any data with third parties. Period.
- ✅ No advertising networks
- ✅ No analytics services
- ✅ No data brokers
- ✅ No third-party libraries that collect data
- ✅ No cloud service providers
Permissions Explained
Required Permissions
1. NFC Permission
- Purpose: Read and write data to NFC cards for passkey storage (required for app functionality)
- Data Access: When you create, read, or authenticate with passkeys
- Scope: Your personal MIFARE DESFire EV3 NFC card only
2. Credential Manager
- Purpose: Integration with Android's credential manager for passkey autofill
- Data Access: Passkeys stored locally on your device
- Scope: Android system only, no external access
3. Internet Permission
- Purpose: Required by the NXP TapLinx SDK library for NFC card operations
- Usage: No actual network communication for data transmission
- Clarification: While this permission is declared, the App does not transmit any user data over the internet
4. Network State
- Purpose: Required by the NXP TapLinx SDK library
- Usage: Not actively used for data collection or transmission
No Sensitive Permissions
The App does NOT request:
- ❌ Location access
- ❌ Camera access
- ❌ Microphone access
- ❌ Contacts access
- ❌ SMS access
- ❌ Storage access (beyond app-specific storage)
Data Security
Encryption
- In-Memory Session Cache: Each private key encrypted with AES-256-GCM under a non-exportable Android Keystore wrapping key (hardware-backed when available). Nothing persists on disk.
- NFC Card Storage: AES-128 application keys derived from your PIN with PBKDF2-HMAC-SHA256 (600,000+ iterations) using the card UID as salt.
- NFC Communication: All over-the-air NFC traffic uses DESFire
Enciphered mode with per-session keys negotiated during authentication.
Access Control
- Card & PIN: Reading or writing passkeys requires physical possession of the NFC card and knowledge of the PIN.
- Failed-Attempt Erasure: After 3 failed PIN attempts, the in-memory cache, the stored PIN hash, and any locally held passkey state are wiped.
- No Remote Access: No network access to your credentials — all storage is local.
Data Retention and Deletion
Retention
Data is retained on your device until you:
- Manually delete individual passkeys
- Uninstall the application
- Clear the app's data in Android settings
Deletion
You can delete your data at any time:
- Individual Passkeys: Delete specific passkeys within the app
- All Data: Uninstall the app or clear app data in Android settings
- NFC Backup: Physically destroy your NFC card or overwrite it
Immediate Effect: All deletions are permanent and immediate. There is no recovery mechanism because there are no backups on our servers.
Children's Privacy
This App is not directed to children under the age of 13 (or the minimum age required in your jurisdiction). We do not knowingly collect information from children.
Your Rights
Since we do not collect or store any personal data on our servers, traditional data rights (access, portability, erasure requests) are not applicable. You have complete control over your data because it exists only on your device and your personal NFC card.
Your Control
- ✅ Full control over all data stored on your device
- ✅ Ability to delete data at any time
- ✅ No third-party access to your data
- ✅ No need to request data deletion from us (you control it directly)
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Updating the "Last Updated" date at the top of this policy
- Displaying a notice within the App (for material changes)
- Requiring re-acceptance of terms (for significant changes)
International Users
This App is designed to work internationally. Since all data is stored locally on your device:
- ✅ No cross-border data transfers
- ✅ Compliance with GDPR (no data processing)
- ✅ Compliance with CCPA (no data selling)
- ✅ Compliance with other privacy regulations (no data collection)
Contact Us
If you have questions about this Privacy Policy or our privacy practices:
Phenomenal Aktiebolag
Email: support@phenomenal.se
Website: https://phenomenal.se
For security vulnerabilities, please contact us at support@phenomenal.se.
Disclaimer
This App is provided "AS IS" without warranty of any kind. We are not responsible for lost, stolen, or compromised credentials. You are solely responsible for:
- Keeping your device secure
- Protecting your PIN
- Storing your NFC card safely
- Managing your credentials
For complete terms and conditions, please read our full Terms & Disclaimer.