Legal

Privacy Policy

Last updated: 2026-05-28

1. Who we are

"Hey Be Safe" is a password-manager service operated by Mill Creek Technology LLC, a Maryland limited liability company. The data controller is Mill Creek Technology LLC. Contact: support@milcreto.com.

2. What we collect

  • Email address — for account identity and for sending authentication and account-management emails.
  • Authentication record — an OPAQUE record stored in Amazon Cognito that proves you know your master password without revealing the password to us.
  • Encrypted vault data — opaque ciphertext blobs we store in Amazon DynamoDB. We cannot decrypt them.
  • Operational metadata — request IPs at the API edge, retained ≤ 30 days, used only for abuse prevention and rate limiting.

3. What we never collect

  • Your master password (it never leaves your device).
  • Decrypted vault contents.
  • Analytics, tracking pixels, or third-party scripts. There are none on this site.
  • Marketing cookies. The only cookie set by the service is an authentication session cookie on /safe/.

4. Sub-processors

We use Amazon Web Services (US East / N. Virginia region) for hosting: Cognito (auth), DynamoDB (storage), Lambda (server logic), API Gateway and CloudFront (network), SES (transactional email), S3 (static hosting). We do not use any other sub-processor.

5. Email

We send transactional email only — account verification, password-reset trigger, and organisation invitations. We do not send marketing email. There is no mailing list and nothing to unsubscribe from.

6. Cookies

No analytics, advertising, or social cookies. A single authentication session cookie is set by Cognito on /safe/ after sign-in; clearing it or signing out removes it.

7. Your rights

If you are in the EU/EEA, the UK, or California, you have the right to access, correct, port, or delete your personal data. You can:

  • Access / export: use the Export feature in your Safe Settings to download your decrypted vault contents.
  • Delete: use "Delete account" in Safe Settings, or email support@milcreto.com. We delete account data within 30 days, with retained backups expiring no later than 90 days.
  • Other rights: email support@milcreto.com and we'll respond within 30 days.

8. Age requirement

Hey Be Safe is intended for users 18 years of age and older. The service is not directed to minors, and Mill Creek Technology LLC does not knowingly collect personal information from minors. If we learn that we have collected personal information from a minor, we will delete that information.

9. International transfer

Our infrastructure runs in the United States (AWS us-east-1). If you access the service from outside the US, your data is transferred to and processed in the US.

10. Changes to this policy

Material changes are announced by email to registered users. Older versions of this policy remain available on request from support@milcreto.com.

11. Mobile app (iOS)

This section describes how the Hey Be Safe iOS app behaves on your device. It complements the rest of this policy and matches the App Privacy disclosures in the App Store.

  • Face ID / Touch ID: If you enable biometric unlock, biometric authentication is handled entirely by Apple's Secure Enclave. Your biometric data stays on the device and is never transmitted to or stored by Mill Creek Technology LLC. Biometrics only gate local unlock of the app; they are not used to derive encryption keys for your vault.
  • iCloud: The iOS app does not sync any data to iCloud. Nothing is written to iCloud Keychain, CloudKit, or iCloud Drive by Hey Be Safe.
  • No third-party SDKs: The iOS app contains no third-party advertising SDKs, no analytics SDKs, and no tracking SDKs. It does not share data with third parties for advertising or measurement.

12. Contact

Mill Creek Technology LLC
Maryland, USA
support@milcreto.com