Privacy Policy
Last updated: June 27, 2026
1. Introduction
Nook is an open-source, client-side password and secrets manager. This policy describes how the Nook web application handles information when you use it in your browser.
Nook is designed as a zero-knowledge, local-first vault. We do not operate a central Nook account service, and we do not receive or store your decrypted secrets on our servers.
2. Summary
- Your vault is encrypted in your browser before it is saved or synced.
- Plaintext secrets exist only in your browser's memory while the vault is unlocked.
- Sync providers receive encrypted vault files only, under credentials you choose.
- Nook does not include advertising or third-party analytics in the core open-source application.
3. Information stored on your device
When you use Nook, data is stored locally in your browser, including:
| Data | Purpose |
|---|---|
Encrypted vault (nook_db) |
Your secrets, device roster, and vault metadata, encrypted before storage. |
| Device identity key | Cryptographic key for this browser/device to participate in the vault. |
Sync provider settings (nook_auth) |
Labels and credentials you save so Nook can read and write encrypted vault replicas. |
| Preferences and session flags | Locale, theme, locked state, and related browser-local UI settings. |
You can remove this data by clearing site data for Nook in your browser or clearing the browser profile. If you clear local data without a sync provider replica, you may lose access to your vault.
4. Information we do not collect
Nook does not:
- Create or manage a Nook user account on our servers.
- Upload decrypted passwords, notes, seed phrases, or API keys to Nook-operated servers.
- Host or recover your vault on your behalf.
- Have access to your encryption keys in plaintext.
5. Google Drive optional sync
If you choose Sign in with Google, Nook uses Google Identity Services
in the browser to obtain an OAuth access token with the
https://www.googleapis.com/auth/drive.appdata scope. That
scope lets Nook store and read an encrypted vault file in a hidden
Google Drive application data folder associated with your Google
account.
- The OAuth token is stored only in your browser.
- Nook may read your Google account email address to show "Signed in as" in the UI.
- Nook sends ciphertext only to Google Drive, not plaintext secrets.
Google's handling of your account is governed by Google's Privacy Policy. You can revoke Nook's access in your Google Account permissions.
6. GitHub optional sync
If you connect GitHub, you provide a personal access token and repository name. Nook stores the token in your browser and uses GitHub's API to read and write an encrypted vault file in a repository you control. Nook sends ciphertext only to GitHub, not plaintext secrets.
7. Multi-device and backup passwords
Nook supports optional backup passwords and device enrollment so other browsers can join your vault. Enrollment flows may use QR codes or links that carry provider connection details and password-entry identifiers. Share these only with devices and people you trust.
8. Security
Nook uses modern encryption for vault contents. Lock vault clears decrypted data from memory but leaves encrypted data and saved provider tokens on disk until you remove them. Nook is early-stage software; do not use it as your only copy of important credentials unless you also maintain independent backups.
9. Children's privacy
Nook is not directed at children under 13 or the minimum age in your jurisdiction. We do not knowingly collect personal information from children.
10. Changes
We may update this policy as Nook evolves. Material changes should be reflected in the copy hosted at the URL registered in Google Cloud Console.
11. Open source
Nook's source code is available under the MIT License at github.com/meta-secret/nook.
12. Contact
For privacy questions, use GitHub issues or visit nokey.sh.