Last updated: February 14, 2026
Thank you for using ReDD 2FA. This Privacy Policy explains how we handle your information when you use our browser extension.
ReDD 2FA does not collect, store, or transmit any of your personal data or usage information to us or any third parties.
The extension is designed to operate entirely locally in your browser. It makes no network requests of any kind — no analytics, no telemetry, no remote servers. All data you enter into ReDD 2FA remains on your local machine.
ReDD 2FA requests only the storage permission, which is used to save your encrypted account
data and preferences locally via browser.storage.local. No host permissions, no access to
browsing history, and no access to web page content are requested.
All account data (TOTP secret keys, labels, and settings) is encrypted using AES-256-GCM before being stored locally. Encryption keys are derived from your master passphrase using PBKDF2 with 600,000 iterations. Your passphrase is never stored — only a verification hash is kept.
If you enable biometric unlock (Touch ID / Windows Hello), your passphrase is encrypted with a key derived from the WebAuthn PRF extension and stored locally. It can only be decrypted when biometric authentication succeeds on your device.
You have full control over your data and can export or delete it at any time.
ReDD 2FA does not load or execute any remote code. All functionality, including cryptographic operations, is implemented locally using the browser's built-in Web Crypto API. The extension has no external dependencies.
We may update our Privacy Policy from time to time. Thus, you are advised to review this page periodically for any changes. We will notify you of any changes by posting the new Privacy Policy on this page.
If you have any questions about our Privacy Policy, please contact us at:
The Reduce Digital Distraction Project
team@reddfocus.org