Privacy and security.

Your passwords never leave your device -- on either surface. Web decrypts in your browser tab. The iOS app decrypts on-device with native Rust. Neither sends your file anywhere.

Provider / Data controller

Both surfaces are operated by CoreEngineX Inc., a Canadian company. Where this notice refers to "we", "us", or "our", we mean CoreEngineX Inc. Contact: coreenginex@gmail.com.

Privacy checklist

  • Your .spass file never leaves your device (web or iOS)
  • Decryption runs locally -- WASM in the browser, native Rust on iOS
  • Zero analytics, telemetry, cookies, or third-party scripts
  • No account, sign-in, or user profile -- ever
  • Decrypted entries live in memory only; CSV is the only artifact written to disk
  • Open-source Rust core so anyone can verify the claims

What happens on each surface

Web -- SPASS Converter

In-browser, in-memory

  • File read with the browser File API; bytes held in a local JS variable.
  • Decryption runs in WebAssembly compiled from the same Rust crate the iOS app uses.
  • Session metadata (file name, file size, export summary counts) is stored in browser sessionStorage to keep your conversion state across page navigations within the same tab. sessionStorage is not a tracking cookie: it is scoped to one tab, cleared automatically when you close the tab, and never transmitted to a server. Passwords are never written to it.
  • CSV is generated in your browser and downloaded directly. No server sees it.
  • Closing the tab clears everything.

iOS -- SPASSPort

On-device, no copy

  • File picker opens the system Files browser; the app reads the file in place via security-scoped access.
  • Decryption runs as native Rust through a UniFFI binding and never crosses a network boundary.
  • Decrypted entries live in memory only and are cleared when you decrypt a new file or reset.
  • Exported CSV is written to the app's Documents folder, visible in the Files app, and auto-deleted after 24 hours.
  • Zero third-party SDKs. Zero analytics. Logs are OSLog only, on-device.

Details

Local-only processing

The .spass format uses AES-256-CBC with PBKDF2-HMAC-SHA256 (70,000 iterations). On the web that runs in WebAssembly inside your browser tab; on iOS it runs as native Rust through a UniFFI binding. Both paths execute on your device. No derived keys, no password, and no plaintext entries ever leave the device.
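The primitives named above, as an added example that is not code from spass-rs or from this site: PBKDF2-HMAC-SHA256 at 70,000 iterations derives a 256-bit key, which AES-256-CBC then uses to decrypt. The container layout (16-byte salt, 16-byte IV, then ciphertext), the function names, and the sample data are assumptions made for the example, not the real .spass layout.

```javascript
// Added example. Layout salt || iv || ciphertext is an assumption, not the .spass format.
const crypto = require('node:crypto');

const ITERATIONS = 70000; // iteration count stated on this page
const KEY_LEN = 32;       // 256-bit key for AES-256
const SALT_LEN = 16;      // assumption: salt length chosen for this example
const IV_LEN = 16;        // AES block size, which is also the CBC IV size

// PBKDF2-HMAC-SHA256 stretches the password into the AES-256 key.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Builds a constructed container so the decrypt path has something to read.
function encryptContainer(password, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-cbc', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, body]);
}

// Returns the plaintext Buffer, or null when PKCS#7 unpadding fails.
// CBC carries no authentication tag: a padding failure is the only signal of a
// wrong password, and roughly 1 in 256 wrong keys still unpad to garbage, so a
// caller must also validate the decrypted content before trusting it.
function decryptContainer(password, blob) {
  const bodyLen = blob.length - SALT_LEN - IV_LEN;
  if (bodyLen < 16 || bodyLen % 16 !== 0) {
    throw new RangeError('container is truncated or not block-aligned');
  }
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const body = blob.subarray(SALT_LEN + IV_LEN);
  const decipher = crypto.createDecipheriv('aes-256-cbc', deriveKey(password, salt), iv);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch (err) {
    return null; // bad padding: wrong password or corrupted data
  }
}
```

Everything here runs locally in the process that calls it, which is the property the notice describes; key, password and plaintext exist only as in-memory buffers.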

No server upload

Zero network requests are made with your data on either surface. You can verify this on the web in DevTools > Network, and on iOS by routing the device through a proxy (Charles, mitmproxy) -- you will see no traffic from SPASSPort during decrypt or export.

Session lifetime

Web: decrypted entries live in JavaScript memory only. Closing the tab, navigating away, or clicking "Start over" discards them; nothing is written to localStorage, IndexedDB, or cookies. iOS: entries live in app memory only and are cleared on a new decrypt or app reset.

Exported CSV safety

Web: the CSV is generated client-side and downloaded directly to the path you pick. Delete it from your Downloads folder right after importing. iOS: the CSV is written to the app's Documents folder so the Files app can show it; it auto-deletes after 24 hours. You can delete it manually from the Files app at any time, or from inside SPASSPort's "Saved" sheet.

iCloud backup caveat (iOS)

iOS backs up the app's Documents folder to iCloud by default. If you have iCloud Drive enabled and have not excluded SPASSPort, the exported CSV may be backed up before the 24-hour auto-delete runs. To prevent this: either delete the CSV from the Files app immediately after importing, or exclude SPASSPort from iCloud backup in Settings > [Your Name] > iCloud > Manage Account Storage > Backups.

Web hosting access logs

The web app is served by Firebase Hosting. Like every web host, Firebase writes server-side access logs (IP address, user-agent, request URL, timestamp) when your browser fetches a page. We do not read, aggregate, or analyze these logs. Firebase's standard log retention applies. This is metadata about the page request, not your password file -- your .spass bytes never reach the server.

Third-party services

The surfaces depend on a small number of third-party services. Each is an independent data controller for what they collect.

  • Firebase Hosting (Google LLC) serves the web app's static files. Firebase emits server-side access logs (IP, user-agent, URL, timestamp) by default; we do not read or aggregate them. See Google's privacy policy at policies.google.com/privacy.
  • Apple distributes the iOS app through the App Store and handles the $2 purchase. Apple's privacy practices govern that transaction. See apple.com/privacy.

What Apple sees (iOS)

Apple receives standard App Store install / update / crash aggregation for SPASSPort. You can opt out in Settings > Privacy & Security > Analytics & Improvements > Share with App Developers (turn it off). The app does not integrate StoreKit and does not send custom analytics to Apple.

Data retention

We do not retain user content. Decrypted password entries live in memory only and are cleared when you close the tab (web) or reset the app (iOS). On iOS the exported CSV auto-deletes from the app's Documents folder after 24 hours; on the web the CSV is downloaded directly to your device and we never see it. Firebase Hosting access logs are retained per Google's defaults (typically up to 90 days). Emails you send us are kept only as long as needed to respond.

Open-source transparency

The Rust core powering both surfaces is published at github.com/CoreEngineX/spass-rs under MIT/Apache-2.0. Anyone can audit the AES-256-CBC + PBKDF2 implementation, build it themselves, and confirm the absence of network code.

Your rights

Depending on where you live, you may have rights under data protection law to:

  • Access any personal data we hold about you
  • Correct inaccurate personal data
  • Request deletion of your personal data
  • Object to or restrict processing
  • Receive a portable copy of your personal data

In practice we hold very little personal data: the surfaces themselves collect none, and the only personal data we receive is what you choose to write to us by email. To exercise any right, email coreenginex@gmail.com and we will respond within the time-frame required by applicable law.

Children's privacy

The surfaces are not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has provided personal data to us, email coreenginex@gmail.com and we will delete it.

What this tool is not

Neither surface is a password manager, a vault, a browser extension, or long-term storage. They are one-time conversion utilities. Use them to migrate away from Samsung Pass, then delete every exported file.

Changes to this notice

We may update this notice when the surfaces change or when applicable law changes. The 'Effective' date below indicates when the current version took effect; the 'Last updated' date indicates when we most recently edited it. Material changes are flagged on the home page.

Contact us

For privacy questions, data subject requests, or anything else covered by this notice, contact coreenginex@gmail.com or open an issue at github.com/CoreEngineX/spass-rs/issues.

Effective: 2026-05-14

Last updated: 2026-05-14