Legal

Privacy Policy

Jumpstash is a security tool. We hold ourselves to the same standard we ask you to hold your other apps to.

Last updated: May 30, 2026
The short version

Jumpstash does not collect, store, transmit, or share any personal data. There is no Jumpstash account, no Jumpstash server, no analytics SDK, and no telemetry. Your two-factor codes live in your device's iCloud Keychain, end-to-end encrypted by Apple, and are only accessible to your own Apple ID's devices.

If this page disappeared tomorrow, the answer would still be: nothing leaves your device.

On this page
  1. Who we are
  2. What we collect
  3. How your codes are stored
  4. Camera & QR scanning
  5. Face ID & Touch ID
  6. AutoFill extension
  7. Apple Watch
  8. Third parties
  9. Export & backup files
  10. Children's privacy
  11. Your data rights
  12. Changes to this policy
  13. Contact

1Who we are

Jumpstash is published by Danger Close Security Co., doing business as Jumpstash ("Jumpstash", "we", "us", "our"). We are the developer responsible for the Jumpstash iOS, iPadOS, macOS, and watchOS applications and the Jumpstash AutoFill extension (together, the "Service").

This Privacy Policy explains what data the Service handles, where it lives, and what we — as the developer — can and cannot see.

2What we collect

Nothing. Jumpstash does not collect any personal information from you, and the app does not make network requests carrying user data of any kind. Specifically, the Service does not collect or transmit:

There is no Jumpstash account, no sign-up, no email verification, and no login. The app is fully usable the moment you install it.

3How your codes are stored

Your TOTP secrets — the seeds that generate your two-factor codes — are stored exclusively in Apple's iCloud Keychain, using a shared keychain access group scoped to the Jumpstash app and its AutoFill extension.

This means:

For the underlying technical model and Apple's role as the data processor for iCloud Keychain, see Apple's iCloud security overview.

4Camera & QR scanning

Jumpstash uses your device camera only when you explicitly initiate a QR-code scan to add a new code. Camera frames are processed locally by the operating system to decode the QR; nothing is recorded, transmitted, or written to disk.

The decoded otpauth:// URI is held in memory long enough to create a new keychain entry, then released. If you cancel the scan, no data is retained.

5Face ID & Touch ID

Biometric authentication for the optional app lock is handled entirely by Apple's LocalAuthentication framework. Jumpstash never sees your face geometry, fingerprint, or any other biometric template. The framework returns a single boolean — success or failure — and the biometric data itself never leaves the Secure Enclave on your device.

6AutoFill extension

The Jumpstash AutoFill extension surfaces verification-code fields in Safari and any iOS app that requests a one-time code. The extension reads codes from the same shared keychain group as the main app, and only when the system invokes it on your behalf. It does not run in the background, does not make network requests, and does not log which services you fill codes into.

7Apple Watch

The Apple Watch app and complications generate codes locally from the same secrets synced through iCloud Keychain. No data is transmitted to or from the watch beyond Apple's own device-pairing and Keychain synchronization mechanisms.

8Third parties

Jumpstash does not share data with any third party for the simple reason that we don't collect any. We do not embed advertising SDKs, analytics SDKs, attribution SDKs, or any other third-party data collection libraries.

The open-source libraries Jumpstash depends on (CryptoSwift, SwiftOTP, SwiftBase32) are used purely for on-device computation and do not make network calls.

When you install Jumpstash from the App Store, the App Store may collect its own data about the transaction under Apple's privacy policy. That is between you and Apple — Jumpstash receives only anonymous aggregate sales statistics through App Store Connect.

9Export & backup files

If you use the export feature to save your codes as JSON, plain-text otpauth:// URIs, or QR images, the resulting file is written to a location you choose (e.g. iCloud Drive, Files, or shared through your device's standard share sheet). These files contain your TOTP secrets in cleartext and are your responsibility to protect. Jumpstash never sees the contents of a file once it has left the app.

10Children's privacy

Jumpstash is rated 4+ on the App Store and is appropriate for all ages, but because we collect no data from anyone, we collect no data from children either. We do not knowingly process personal information from any user, regardless of age.

11Your data rights

Privacy laws such as the EU GDPR and the California Consumer Privacy Act (CCPA) give you rights over personal data that a business holds about you — including the right to access, correct, delete, port, or object to processing of that data.

Because Jumpstash holds no data about you, there is nothing for us to access, correct, delete, port, or stop processing on your behalf. The data you create (your TOTP entries) is held on your device and in your iCloud Keychain — under your control, not ours. You can delete it at any time from within the app, or by removing the app and clearing the relevant keychain items through iOS or macOS Settings.

12Changes to this policy

If the Service's data practices change in any material way, we will update this page and revise the "Last updated" date at the top. The current policy is always available at this URL. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13Contact

Questions, concerns, or corrections about this Privacy Policy can be sent to support@jumpstash.app. We read every email.