Privacy Policy

Last updated: May 2026. Applies to the web application geslar.app and browser extensions.

Introduction
Core principle: passwords and passphrases you generate never leave your device.
Geslar is a free password manager and secure password and passphrase generator using Croatian words. This policy describes what data Geslar uses, for what purpose and how it protects it.
Data controller: Daniel Legin, Croatia
Contact: info@geslar.app
Legal basis for processing
Geslar processes minimal data based on the following legal grounds in accordance with Article 6(1) of the GDPR:
Legitimate interest (Art. 6.1.f)
Technically necessary data for the application to function — local settings (localStorage), encryption and decryption on device, breach checking via the k-Anonymity protocol.
📝 Consent (Art. 6.1.a)
Contact form — by sending a message, the user consents to the processing of name, email address and message content solely for the purpose of responding to the inquiry.
🔗 Performance of contract (Art. 6.1.b)
Secure Send feature — temporary storage of encrypted content on the server is necessary for the performance of the password sharing service between sender and recipient.
Password and passphrase generation
All generation takes place exclusively in the browser on your device. No generated password, passphrase or other user input is sent to a server or stored outside the local device.
Škrinjar (password manager)
All data in Škrinjar (passwords, cards, TOTP keys, notes) is stored exclusively locally on your device — encrypted with AES-256-GCM using a key derived from the master key via PBKDF2 (600,000 iterations). Geslar has no server that receives, stores or processes your Škrinjar data.
🔐 On-device encryption
AES-256-GCM with separate salts for master key and verification hash. Keys are kept only in browser RAM (chrome.storage.session) and are cleared on every restart.
💾 Local storage
The encrypted database is stored in chrome.storage.local on the device. Data never leaves the browser — no cloud sync, no network requests.
Auto-lock
Škrinjar automatically locks after inactivity (configurable timeout). The alarms and idle permissions are used for inactivity detection — exclusively local, no network communication.
📤 Import / Export
Data import and export takes place locally in the browser. Encrypted Geslar format, Bitwarden JSON and CSV are supported. A warning is displayed for unencrypted formats.
Cloud account
By registering a Geslar cloud account, the following personal data is processed:
📧 Email address
Used for authentication, sending transactional notifications and account-related communication. Not shared with third parties for marketing purposes.
🔒 Password hash
Your password is never stored in plain text. Only a cryptographic hash (Argon2id) is stored. The original password cannot be reconstructed from the hash.
🗄️ Encrypted vault
Password and note storage is end-to-end encrypted — Geslar servers process only encrypted data. The decryption key never leaves your device.
📋 Audit log
For security events (login, password change, new device), IP address and user agent are stored. For other actions, IP and user agent are not recorded.
Biometric unlock
Geslar supports unlocking Škrinjar via Windows Hello or Touch ID (WebAuthn PRF extension). Biometric data never leaves the platform authenticator of the operating system — Geslar does not see or store it.
Only an encrypted wrapping key is stored locally, which can only be decrypted by a successful biometric verification on the same device. Biometrics serves as a convenience unlock — the master key is still required at least once after browser restart.
Autofill and form detection
Autofill works exclusively on user request — by clicking the Geslar icon in the input field or using the keyboard shortcut (Ctrl+Shift+L). The content script detects login and card input fields on the active page, but does not read, collect or send page content.
Geslar uses a closed shadow DOM with randomized element names, preventing the host page from reading or manipulating the Geslar UI.
Local settings (localStorage)
The application stores your settings locally in the browser via localStorage — selected separator, dictionaries, theme, font size and similar. This data stays only on your device and is never sent to a server. You can delete it by clearing browser data.
Secure Send (Encrypt & Send)
The Send securely option allows sharing a password via an encrypted link. The content is encrypted on your device before upload; the server stores only the encrypted payload until the selected expiry or view limit is reached, and the decryption key never leaves your device.
Password breach check (Have I Been Pwned)
The Check password function uses a k-anonymous model: a SHA-1 hash is computed from the password, and only the first 5 characters of that hash are sent to the external API (HaveIBeenPwned). The full password and full hash never leave the device.
Analytics
Geslar does not use any analytics tools, tracking scripts or cookies. We do not collect data on visits, user behavior or any personal data via the web application or browser extensions.
Contact form
If you send a message via the Contact page, your name, email address and message content are sent directly to the author. Data is used exclusively to respond to the inquiry and is not stored in a database.
Browser extension — permissions
🔖 activeTab
Access to the active tab only when the user triggers autofill — exclusively for entering a password or card into the focused input field.
💉 scripting
Injecting a script into the active tab on user request, for detecting login fields and inserting data.
📋 clipboardWrite
Copying a password, TOTP code or card number to the clipboard on user request.
💾 storage
Storage of the encrypted Škrinjar database and user settings locally on the device via chrome.storage.local. Data never leaves the device.
alarms
Periodic check for auto-locking Škrinjar after inactivity. Used exclusively locally — no network calls.
💤 idle
User inactivity detection (locked/idle/active state) for auto-locking Škrinjar. No activity data is collected.
The extension does not read web page content, does not track browsing history and does not collect any usage data. The only network communication is breach checking (HIBP, k-Anonymity) and favicon fetching (DuckDuckGo API).
Cookies
Geslar does not use cookies for tracking or personalization. Application settings are stored exclusively in the browser's localStorage, not in cookies.
Data retention period
Geslar applies the principle of data minimization — data is retained only as long as necessary to fulfill its purpose.
💾 Local settings
Stored in the browser (localStorage) until the user deletes them or clears browser data. Geslar does not delete them automatically.
🔗 Secure Send
The encrypted payload is stored on the server until the selected expiry (1–90 days) or until the view limit is reached, after which it is automatically and permanently deleted.
📧 Contact messages
Name, email and message content are kept only until the inquiry is answered, after which they are deleted. They are not stored in a database.
🔍 Breach check
No data is stored — the check happens in real time and the result is displayed only in the user's browser.
👤 Cloud account data
Data is retained while the account is active. After a deletion request, a 30-day grace period applies, after which all data is permanently deleted. An anonymised deletion record in the email log is retained for an additional 6 months.
📋 Audit log
Security and authentication events are retained for 12 months. Billing and organisational events are retained for 24 months. After expiry they are automatically permanently deleted.
🔑 Refresh tokens
Expired tokens are automatically deleted 30 days after expiry. Logout invalidates the token immediately.
📦 Data export (GDPR Art. 20)
A ZIP archive of your data is available for download for 24 hours from generation, after which it is automatically deleted from the server.
Data transfers to third countries
Geslar uses the following external services (data processors) whose servers may be located outside the European Economic Area (EEA):
🖥️ Hetzner (EU)
Hosting for the API server and database. Data centres are located in Germany (EU). Hetzner is a signatory to Standard Contractual Clauses (SCC). [Privacy policy]
📩 Brevo (EU)
Sending transactional emails (registration confirmation, new device notification, data export). Brevo is GDPR-certified and headquartered in Paris (EU). Geslar sends Brevo only the recipient's email address and notification content. [Privacy policy]
💳 Lemon Squeezy
Payment processor for Premium subscriptions. Lemon Squeezy acts as Merchant of Record — taking responsibility for billing, VAT and compliance. Geslar does not store payment card data. Lemon Squeezy uses SCC for transfers outside the EEA. [Privacy policy]
Cloudflare
Serving web pages and storing encrypted payloads (Secure Send). Cloudflare has an EU representative and uses Standard Contractual Clauses (SCC) for transfers outside the EEA. Geslar sends Cloudflare exclusively encrypted data — the decryption key never leaves the user's device.
🔍 HaveIBeenPwned (HIBP)
Password breach checking. Servers are on Cloudflare (US/global edge). The k-Anonymity protocol is used — the API receives only the first 5 characters of the SHA-1 hash, not the full password. The original password cannot be reconstructed from this prefix.
Note: Apart from the services listed above, Geslar does not communicate with any other external service. All fonts, scripts and styles are served from its own domain (geslar.app).
Data subject rights
In accordance with Articles 15–21 of the General Data Protection Regulation (GDPR), you have the following rights:
How to exercise your rights:
  • Registered users — the right to data portability (Art. 20) and the right to erasure (Art. 17) can be exercised directly in settings: Settings → Account → Export my data / Delete account.
  • Local users without a cloud account — your data has never left your device, your rights are automatically fulfilled.
  • For other requests (rectification, restriction of processing, objection) contact us at info@geslar.app.
Supervisory authority
If you believe the processing of your personal data is in violation of the GDPR, you have the right to file a complaint with the competent supervisory authority:
Croatian Personal Data Protection Agency (AZOP)
Selska cesta 136, 10 000 Zagreb, Croatia
Phone: +385 1 4609 000
Web: azop.hr
Email: azop@azop.hr
Privacy questions
For any questions regarding privacy, reach out via the Contact page or directly at info@geslar.app.