Affiliate links present. Disclosure

I don't want my password manager tracking me

Password managers sit at an unusual point in a privacy threat model: they are tools you adopt to improve security, but in doing so you give a single vendor access to the metadata of your entire digital life. Even with zero-knowledge encryption — which means the vendor genuinely cannot read your passwords — they may still see which websites you have accounts on, your IP address, device fingerprints, and usage patterns. The question of how much metadata a password manager collects is separate from whether it encrypts your passwords.

Privacy in a password manager is multi-layered. Encryption is one layer. Jurisdiction — which country's laws govern data requests — is another. Open-source auditability is a third. Metadata encryption, which most managers don't do, is a fourth. How these layers combine determines your actual privacy posture, not any single feature.

Quick answer

You want full metadata encryption — URL, title, username all encrypted

Proton Pass — the only provider in this comparison designed to encrypt metadata that most competitors leave exposed

You want open-source + self-hosting to remove cloud dependency entirely

Bitwarden — full open-source stack; self-hosting removes all reliance on Bitwarden's infrastructure

You want jurisdiction outside Five Eyes and 14-Eyes

NordPass (Panama) or Proton Pass (Switzerland) — both outside major intelligence-sharing alliances

When it matters

  • Metadata encryption — only Proton Pass encrypts URL metadata. Every other provider stores website addresses in plaintext on their servers. The 2022 LastPass breach demonstrated the privacy cost of this: attackers obtained a map of every user's online presence
  • Jurisdiction — Bitwarden, LastPass, Dashlane, and Keeper are US companies subject to CLOUD Act and FISA requests. NordPass is incorporated in Panama; Proton Pass in Switzerland. Zero-knowledge limits practical exposure, but jurisdiction determines the legal process an attacker or government must navigate
  • Open source — Bitwarden and Proton Pass publish client code publicly. Others rely on compliance audits. Open source allows the security community to find and report vulnerabilities independently
  • Self-hosting — Bitwarden is the only manager in this comparison with a supported self-hosted deployment. Running your own instance removes the cloud provider from the trust relationship entirely

When it fails

  • Zero-knowledge protects credential content — it does not protect usage metadata, IP addresses, or device fingerprints that the provider collects during normal operation
  • Open source verifies the published code — it does not verify that the published code is what runs on the provider's servers, unless the server is also open source
  • Swiss or Panama jurisdiction reduces legal exposure — it does not eliminate it. Proton complied with a 2021 Swiss court order to log IP data for a user. Jurisdiction limits exposure; it does not provide absolute protection
  • Self-hosting provides the strongest privacy posture — but it introduces operational responsibility. A poorly configured self-hosted instance may be less secure than a well-maintained cloud service

How providers fit

Proton Pass fits if metadata privacy is the primary concern. URL encryption, Swiss jurisdiction, and open-source clients form a coherent privacy architecture. SimpleLogin integration adds email alias generation to reduce breach surface on signup. The product is newer with a shorter audit history.

Bitwarden fits if self-hosting and open-source auditability are the priorities. A self-hosted Bitwarden instance removes all dependency on the company's cloud infrastructure. The EU data region (bitwarden.eu) provides GDPR-resident cloud storage for users who want EU jurisdiction without self-hosting.

NordPass fits if cipher architecture and Panama jurisdiction are the criteria. XChaCha20 with Argon2, outside Five Eyes and 14-Eyes. No self-hosting, no metadata encryption — but a clean breach history and favourable incorporation.

Bottom line

Proton Pass for the strongest metadata privacy posture. Bitwarden for the most flexible privacy architecture via self-hosting. NordPass if jurisdiction outside intelligence alliances is the priority and you accept the absence of metadata encryption.
