Privacy
Your locks are yours. So is your data.
Last updated July 4, 2026
The short version: lokreo stores the list of sites you choose to protect and your settings, tied to your account, so they sync across your devices. Your passwords are hashed on your own device and never stored or sent in a form anyone can read, including us. We don’t track your browsing, we don’t read the pages you visit, and we don’t sell anything to anyone.
What we collect
Account details. Authentication is handled by Clerk. When you sign up with email, we store your email address. If you sign in with Google, we receive and store the basic profile Google returns for you (your name and email address). We do not receive your Google password.
Your protection settings.The website rules you add to your protected list, your default relock timer, any per-site relock timers, and which sites you’ve given a custom password. This is the information that makes the product work and syncs it between your devices.
Password verifiers, never the passwords. Your master password and any per-site passwords are put through a one-way hash on your own device — PBKDF2 with SHA-256, 210,000 iterations, and a unique random salt for each password — before anything is saved. Only that salt and the resulting hash are stored, on your device and on your account. The password itself never leaves your device and cannot be reconstructed from what we hold, by an attacker or by us.
What we never collect
We do not collect your browsing history, the contents of the pages you visit, or your keystrokes. lokreo does not log what you type on any website. The password box on the lock screen is read only to check it, on your device, against the stored hash.
We never store or transmit your plaintext passwords, and lokreo runs no advertising trackers and builds no profile of you.
How the extension uses site access
The lokreo browser extension asks for access to websites so it can place the lock screen on the sites you choose. That permission is broad only because you can protect anysite — but the lock screen is registered for and activates only on the specific sites in your protected list. The extension reads the current tab’s address to decide whether that page should be locked; this check happens on your device and the address is not sent to us.
Where your data lives
On your device.The extension keeps a local copy of your settings and password hashes in the browser’s own extension storage, so locking works instantly, even offline.
On your account. The same settings are stored server-side in private account metadata via Clerk, which is readable and writable only through an authenticated request made by you. This is what syncs your setup to any computer where you sign in.
Cookies
lokreo uses only essential cookies, set by Clerk, to keep you signed in during a session. We do not use advertising or cross-site tracking cookies.
Who we share it with
We don’t sell your data and we don’t share it for advertising. We rely on a small number of service providers purely to run lokreo:
- Clerk— authentication and account storage.
- Vercel— hosting for the website and API.
- Google— only if you choose “Sign in with Google,” and only to verify who you are.
Your choices
You can view and change every setting from your dashboard at any time. Deleting a protected site removes its rule, its timers, and any custom password from both your device and your account. You can manage or delete your account from the account menu in the dashboard; deleting your account removes your stored settings and password hashes. You can also email us to request deletion.
Children
lokreo is not directed at children under 13, and we do not knowingly collect personal information from them.
Changes to this policy
If we change how lokreo handles data, we’ll update this page and the date at the top. Material changes will be reflected here before they take effect.
Contact
Questions about privacy, or a deletion request? Reach us at lokreoteam@gmail.com.