Privacy Policy
A product of Eventum Digital Agency · Last updated: 2026-07-01
Bastique is built around a simple, unyielding promise: your secrets stay yours. There is no telemetry, no tracking, and no hidden databases. We believe that true security is only possible when you, and only you, have absolute custody over your keys and secrets.
1. Data Collection
We collect absolutely nothing. Bastique requires no online accounts, no registration, and no emails. We do not integrate any tracking, usage diagnostics, or analytics SDKs. The developers never see, receive, store, or have any access to your passwords, credit cards, files, or master password.
2. Where Your Data Lives
All of your data is stored only on your local device inside an encrypted database. It is protected by military-grade XChaCha20-Poly1305 authenticated encryption and Argon2id key derivation using your master password. Without your master password, your saved secrets are just meaningless, unbreakable digital noise. Your master password and recovery key are never stored on disk and never leave your mind and physical paper.
3. Cloud synchronization & Relaying (Sync & Share)
When you explicitly opt-in to use Sync or Share features, Bastique utilizes secure cloud-based relays to transfer E2E encrypted packages:
- Secure Syncing: Your synchronized devices join an encrypted group and share a secret group key directly. The Cloudflare Workers sync relay only receives highly encrypted snapshots and binary files which are mathematically unreadable by the relay server.
- One-Time Share: Sharing an item generates a short-code and a PIN, producing an E2E encrypted packet. This packet sits on the Cloudflare Workers relay temporarily and is permanently destroyed the moment the recipient retrieves it (one-time pickup).
The developers do not hold the keys to decrypt these transmissions. All syncing and sharing payloads are 100% zero-knowledge on the server side.
4. Network Use & k-Anonymity Privacy
Bastique runs fully offline and makes no outbound connections by default. The only network connections made by the app are triggered manually and explicitly by your actions:
- Sync/Share: Connecting to your Cloudflare Workers relay endpoint to update encrypted snapshots or pick up shared packets.
- Optional Breach Check (Have I Been Pwned): An off-by-default security tool to check if passwords exist in public breaches. This utilizes the secure k-anonymity protocol: Bastique hashes your password locally and sends only the first 5 characters of the SHA-1 hash to the API. The full hash and the plain password are never transmitted, ensuring total anonymity.
5. Encrypted Local Attachments
Any PDF, scan, image, or document you attach to your vault entries is encrypted with its own dedicated Data Encryption Key (DEK) and saved locally. When viewed, attachments are temporarily decrypted into a secure temporary directory. On closing the document or once the safety timer (TTL) expires, the app executes a complete cryptographic overwrite (secure wipe) of the decrypted file bytes on disk, preventing recovery by forensics software.
6. Third Parties
There are no third-party advertisements or trackers in the application. The optional breach checking feature queries the HaveIBeenPwned range API, which operates under its own strict privacy protocols (HaveIBeenPwned Privacy).
7. Your Control & Deletion
You are in absolute control of your data. You can delete entries, clear your database, export fully encrypted backups, or delete the app entirely at any moment. Deleting Bastique from your device instantly and permanently destroys its local encrypted storage.
8. Contact & Legal Owner
Bastique is owned and developed by Eventum Digital Agency.
For any privacy-related inquiries, please contact us at Bastique@eventumdigital.com.
Official Website: Bastique.eventumdigital.com