Privacy Policy

Last updated: March 23, 2026

Our Privacy Commitment

TofuPass was built on a simple principle: your passwords belong to you. We do not run analytics, serve ads, or sell personal data. Privacy isn't a feature. It's the foundation.

1. Our Commitment

No data. No tracking. No compromises.

TofuPass is designed to minimize data collection and keep password generation local whenever possible. Most core features work entirely in your browser, and where a network request is required, this policy explains exactly what is sent and why.

TofuPass is owned and operated by Matthew Johnson, also known publicly as TofuWater.

2. What We Don't Collect

The short list: everything.

  • Passwords from the main generator
    Generated locally in your browser. Not sent to TofuPass servers.
  • Accounts and profiles
    No signups, logins, user profiles, or account-based identifiers.
  • Analytics
    No Google Analytics, Plausible, Fathom, or any tracking scripts.
  • Advertising
    No ad networks. No targeted advertising. No monetized tracking.
  • Personal Information
    No names, emails, accounts, or any identifying information required or collected.

3. How It Works

Local generation, honest API.

Website

The main password generator creates passwords in your browser using the Web Crypto API. TofuPass does not receive the passwords you generate on that page. After the page loads, generation works offline.

API

The public API generates passwords and passphrases server-side using a cryptographically secure RNG. Generated values are returned in the response and are not intentionally stored after delivery. The API also exposes aggregate counters through /api/stats.

4. Third-Party Requests

Used sparingly and explained clearly.

Some pages request supporting assets or services from third parties as part of normal page delivery. Those providers may receive technical request data such as your IP address, browser metadata, and standard HTTP headers when your browser loads those resources.

  • Stress Tester breach checks
    The Stress Tester sends only the first 5 characters of your password's SHA-1 hash to the Have I Been Pwned range API. Your full password and full hash stay on your device, and matching is done locally.
  • Fonts and front-end libraries
    The site currently loads some assets from providers such as Bunny Fonts, Tailwind's CDN, and jsDelivr/Alpine.js. Loading those assets may create standard browser requests to those providers.
  • Infrastructure providers
    TofuPass is delivered through infrastructure such as Cloudflare, which may process connection metadata to provide caching, security, and abuse protection.

5. Local Browser Features

Clipboard and in-browser processing only.

TofuPass can copy generated passwords or code snippets to your clipboard when you click copy controls. That action is handled by your browser on your device. The Stress Tester computes password hashes locally before making any k-anonymity request.
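
The k-anonymity lookup described for the Stress Tester can be sketched as follows. This is an added example, not TofuPass's own code: the function names, `fetchRange`, and `stubFetch` are assumptions, and the response body is constructed sample data.

```javascript
// Added example, not TofuPass code. Function names are hypothetical.
// SHA-1 via Web Crypto; returns 40 uppercase hex characters.
async function sha1Hex(password) {
  const bytes = new TextEncoder().encode(password);
  const digest = await crypto.subtle.digest("SHA-1", bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0"))
    .join("")
    .toUpperCase();
}

// Split the hash: the 5-char prefix is sent, the 35-char suffix stays on the device.
function splitHash(hashHex) {
  if (!/^[0-9A-F]{40}$/.test(hashHex)) throw new Error("expected 40 uppercase hex chars");
  return { prefix: hashHex.slice(0, 5), suffix: hashHex.slice(5) };
}

// The range response is one "SUFFIX:COUNT" per line (CRLF-separated).
// Returns the count for our suffix; 0 for no match or a zero-count padding row.
function countInRange(suffix, body) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      const n = Number.parseInt(count, 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// fetchRange(prefix) is a hypothetical stand-in for the HTTP call to the range API.
// Its only argument is the prefix, so nothing else can reach the network.
async function checkPassword(password, fetchRange) {
  const { prefix, suffix } = splitHash(await sha1Hex(password));
  return countInRange(suffix, await fetchRange(prefix));
}

// Constructed sample response for prefix 5BAA6 (counts are made up).
const SAMPLE_BODY = [
  "0".repeat(35) + ":0", // padding-style row
  "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3", // suffix of SHA-1("password")
  "F".repeat(35) + ":12",
].join("\r\n");

const sent = []; // records every value the stub "server" receives
const stubFetch = async (prefix) => { sent.push(prefix); return SAMPLE_BODY; };
```

With the constructed data above, `checkPassword("password", stubFetch)` resolves to 3 and `sent` holds only `"5BAA6"`.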

6. Cookies And Tracking

No analytics cookies from TofuPass.

TofuPass does not use first-party analytics, advertising cookies, or tracking pixels. Third-party providers involved in delivering assets or infrastructure may use their own cookies or logging mechanisms according to their policies.

7. Security

Defense in depth.

All pages are served over HTTPS. TofuPass uses modern browser cryptography for local generation and relies on infrastructure protections such as Cloudflare for availability and edge security.

8. Contact

Questions? We're easy to reach.

If you have any questions about this privacy policy or how TofuPass handles your data, email hello<at>tofuwater.com.