Privacy policy
Last updated: 5 June 2026
In one paragraph
PassLab generates passwords inside your browser using the Web Crypto API — nothing you type into the generator is ever transmitted to a server. Separately, the PassLab website itself uses analytics and (optionally) advertising tools that do place cookies and track usage. Every one of those tools is disclosed below by name, and you can choose to accept or reject the non-essential ones.
Who we are
PassLab is operated by Marcin Lewandowski t/a Depthia, a sole trader registered in the United Kingdom. Correspondence address: 66 Paul Street, London EC2A 4NA, United Kingdom. ICO data-protection registration number: ZC164548. For any privacy question, write to hello@depthia.com.
We are the data "controller" under the UK GDPR. A Data Protection Officer is not required (Article 37).
What the generator collects
Nothing. Password and passphrase generation runs entirely inside your browser using crypto.getRandomValues(). You can verify this in your browser’s developer tools: open the Network tab, generate as many passwords as you like, and you will see zero outbound requests carrying the generated value.
What the website collects
The PassLab website uses several third-party tools for analytics and advertising. We list every one and what it does. Where consent is required under UK PECR, we ask via the cookie banner.
| Provider | Purpose | Lawful basis | Transfer |
|---|---|---|---|
| Vercel Inc. | Website hosting and server logs (IP address, user-agent). | Legitimate interests (security) | USA · UK IDTA |
| Google Tag Manager | Tag container that loads other scripts. | Consent | USA · UK IDTA |
| Google Analytics (GA4) | Aggregate site usage statistics. | Consent | USA · UK IDTA |
| Google AdSense | Contextual and (when consented) personalised advertising. | Consent | USA · UK IDTA |
| Microsoft Clarity | Pseudonymised behaviour analytics with text masking (heatmaps, session recordings). | Consent | USA · UK IDTA |
| PostHog (EU host) | Product analytics and error reporting. | Consent | EU (eu.posthog.com) |
See the cookie policy for cookie-level detail (names, durations).
International transfers
Vercel, Google and Microsoft are based in the United States. Transfers of personal data to those providers are covered by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the "UK Addendum"). PostHog data is held in the European Union.
How long we keep it
- Server logs: 30 days.
- Analytics events: up to 14 months (GA4 default).
- Cookie consent record: 12 months, then we re-ask.
- Email correspondence: until no longer needed (maximum 2 years).
Your rights
Under the UK GDPR you can request access, rectification, erasure, restriction, portability and objection (Articles 15–21). You may withdraw consent at any time.
Email hello@depthia.com; we respond within one calendar month. There is no charge.
You also have the right to complain to the UK Information Commissioner’s Office: ico.org.uk/make-a-complaint.
Automated decisions
PassLab does not use AI or automated decision-making with legal or similarly significant effects on you. Password strength scores are simple mathematical calculations and are advisory only.
Children
Some PassLab pages (Roblox, Minecraft, Fortnite and similar) may be read by children. The password generator itself processes no personal data. We apply the ICO’s Age-Appropriate Design Code standards to pages likely to be visited by under-18s, including not permitting personalised advertising on those pages.
Changes to this notice
Material changes are flagged with an updated date at the top of this page. Where we hold an email address, we notify the affected person directly.