PassLab

Privacy policy

Last updated: 5 June 2026

In one paragraph

PassLab generates passwords inside your browser using the Web Crypto API — nothing you type into the generator is ever transmitted to a server. Separately, the PassLab website itself uses analytics and (optionally) advertising tools that do place cookies and track usage. Every one of those tools is disclosed below by name, and you can choose to accept or reject the non-essential ones.

Who we are

PassLab is operated by Marcin Lewandowski t/a Depthia, a sole trader registered in the United Kingdom. Correspondence address: 66 Paul Street, London EC2A 4NA, United Kingdom. ICO data-protection registration number: ZC164548. For any privacy question, write to hello@depthia.com.

We are the data "controller" under the UK GDPR. A Data Protection Officer is not required (Article 37).

What the generator collects

Nothing. Password and passphrase generation runs entirely inside your browser using crypto.getRandomValues(). You can verify this in your browser’s developer tools: open the Network tab, generate as many passwords as you like, and you will see zero outbound requests carrying the generated value.

What the website collects

The PassLab website uses several third-party tools for analytics and advertising. We list every one and what it does. Where consent is required under UK PECR, we ask via the cookie banner.

ProviderPurposeLawful basisTransfer
Vercel Inc.Website hosting and server logs (IP address, user-agent).Legitimate interests (security)USA · UK IDTA
Google Tag ManagerTag container that loads other scripts.ConsentUSA · UK IDTA
Google Analytics (GA4)Aggregate site usage statistics.ConsentUSA · UK IDTA
Google AdSenseContextual and (when consented) personalised advertising.ConsentUSA · UK IDTA
Microsoft ClarityPseudonymised behaviour analytics with text masking (heatmaps, session recordings).ConsentUSA · UK IDTA
PostHog (EU host)Product analytics and error reporting.ConsentEU (eu.posthog.com)

See the cookie policy for cookie-level detail (names, durations).

International transfers

Vercel, Google and Microsoft are based in the United States. Transfers of personal data to those providers are covered by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the "UK Addendum"). PostHog data is held in the European Union.

How long we keep it

Your rights

Under the UK GDPR you can request access, rectification, erasure, restriction, portability and objection (Articles 15–21). You may withdraw consent at any time.

Email hello@depthia.com; we respond within one calendar month. There is no charge.

You also have the right to complain to the UK Information Commissioner’s Office: ico.org.uk/make-a-complaint.

Automated decisions

PassLab does not use AI or automated decision-making with legal or similarly significant effects on you. Password strength scores are simple mathematical calculations and are advisory only.

Children

Some PassLab pages (Roblox, Minecraft, Fortnite and similar) may be read by children. The password generator processes no personal data through the tool itself. We apply the ICO’s Age-Appropriate Design Code standards to pages likely to be visited by under-18s, including not permitting personalised advertising on those pages.

Changes to this notice

Material changes are flagged with an updated date at the top of this page. Where we hold an email address, we notify the affected person directly.