
How to read a password manager privacy policy — the signals that matter

What makes this confusing

Privacy policies for consumer software are written by lawyers to limit liability while preserving maximum operational flexibility. They are not written to inform users. A privacy policy that discloses everything required by law may simultaneously reveal very little about what the company actually does with data in practice. 'We may share information with trusted partners for purposes including service improvement' is legally complete disclosure. It tells you almost nothing about what data, which partners, for what purposes, and for how long.

Password manager privacy policies have specific sections that are more important than others. A policy that is vague in some sections but specific in others tells you something about where the company has made deliberate privacy commitments versus where it has preserved flexibility.

The goal is not to parse every sentence but to identify the specific signals that distinguish a genuine privacy commitment from legal boilerplate.

What people usually assume

The assumption 'long privacy policies are worse than short ones' is the wrong heuristic. Length is a consequence of legal coverage requirements and jurisdictional complexity, not of data practices. A short policy that uses vague language for key categories ('we may collect and use information to improve our services') may provide less protection than a longer policy with specific commitments. The relevant measurement is specificity in high-importance categories, not total length.

A second assumption is that GDPR compliance means strong privacy protection. GDPR compliance is a legal baseline for EU users — it establishes minimum requirements for data handling and user rights. Companies can be GDPR-compliant while still collecting significant metadata, retaining data for extended periods, and sharing with advertising partners within the consent framework. Compliance ≠ privacy-maximising.

A third assumption is that 'we do not sell your data' means the company does not monetise user data. 'Sell' has a specific legal definition that excludes many forms of data monetisation — sharing with advertising partners for 'service improvement,' using aggregate usage data for product development, or providing data to analytics providers. The absence of the word 'sell' does not mean data is not being used for commercial purposes beyond direct service delivery.

What's actually true

The specific signals in a password manager privacy policy worth looking for: (1) Named data categories with specific descriptions — 'we collect log data including IP address, browser type, and pages visited' is more informative than 'we collect usage information.' (2) Explicit statements about advertising or data monetisation — look for whether the policy prohibits advertising use or merely requires consent for it. (3) Retention periods — 'we retain data for as long as your account is active' is meaningfully different from 'we retain log data for 90 days and delete it.' (4) Explicit prohibition on selling or sharing with advertisers — should be stated affirmatively, not merely implied by absence.

Red flags: vague 'trusted partners' language without specification; 'service improvement' purposes that could cover a wide range of data use; absence of any statement about advertising use (which could mean it isn't done, or that the policy avoids committing either way); overly broad retention periods; opt-out rather than opt-in for data sharing.

Genuine positive signals: named categories of data collected with clear descriptions; explicit retention limits with specific timeframes; clear prohibition on data selling and advertising use; specific statement about what data zero-knowledge architecture protects and what falls outside it; annual transparency reports with government request statistics.

Where this leads


If you want to verify a specific provider's privacy commitments against this framework, the provider pages include a trust analysis with specific privacy policy observations for each of the six providers in this comparison.

Proton Pass privacy policy — what is specific and what is vague

If you want a more structured approach to trust evaluation that goes beyond the privacy policy, the guide on how to evaluate a password manager covers the full trust evaluation framework, including open source status, audit history, and breach record.

How to evaluate a password manager beyond the privacy policy

Limits of this guide

Privacy policy analysis reflects the text of the policy, not necessarily the company's practices. A company can write an excellent privacy policy and maintain practices that don't match it. Open source code (where available) and independent audits provide verification that policy analysis cannot.
