Nook

Privacy Policy

Last updated: June 27, 2026

1. Introduction

Nook is an open-source, client-side password and secrets manager. This policy describes how the Nook web application handles information when you use it in your browser.

Nook is designed as a zero-knowledge, local-first vault. We do not operate a central Nook account service, and we do not receive or store your decrypted secrets on our servers.

2. Summary

3. Information stored on your device

When you use Nook, data is stored locally in your browser, including:

Data Purpose
Encrypted vault (nook_db) Your secrets, device roster, and vault metadata, encrypted before storage.
Device identity key Cryptographic key for this browser/device to participate in the vault.
Sync provider settings (nook_auth) Labels and credentials you save so Nook can read and write encrypted vault replicas.
Preferences and session flags Locale, theme, locked state, and related browser-local UI settings.

You can remove this data by clearing site data for Nook in your browser or clearing the browser profile. If you clear local data without a sync provider replica, you may lose access to your vault.

4. Information we do not collect

Nook does not:

5. Google Drive optional sync

If you choose Sign in with Google, Nook uses Google Identity Services in the browser to obtain an OAuth access token with the https://www.googleapis.com/auth/drive.appdata scope. That scope lets Nook store and read an encrypted vault file in a hidden Google Drive application data folder associated with your Google account.

Google's handling of your account is governed by Google's Privacy Policy. You can revoke Nook's access in your Google Account permissions.

6. GitHub optional sync

If you connect GitHub, you provide a personal access token and repository name. Nook stores the token in your browser and uses GitHub's API to read and write an encrypted vault file in a repository you control. Nook sends ciphertext only to GitHub, not plaintext secrets.

7. Multi-device and backup passwords

Nook supports optional backup passwords and device enrollment so other browsers can join your vault. Enrollment flows may use QR codes or links that carry provider connection details and password-entry identifiers. Share these only with devices and people you trust.

8. Security

Nook uses modern encryption for vault contents. Lock vault clears decrypted data from memory but leaves encrypted data and saved provider tokens on disk until you remove them. Nook is early-stage software; do not use it as your only copy of important credentials unless you also maintain independent backups.

9. Children's privacy

Nook is not directed at children under 13 or the minimum age in your jurisdiction. We do not knowingly collect personal information from children.

10. Changes

We may update this policy as Nook evolves. Material changes should be reflected in the copy hosted at the URL registered in Google Cloud Console.

11. Open source

Nook's source code is available under the MIT License at github.com/meta-secret/nook.

12. Contact

For privacy questions, use GitHub issues or visit nokey.sh.