1Password and Your Privacy
The simplest way for us to protect your privacy is to have no data about you or your use of 1Password to protect. And so to keep things simple we have designed 1Password so that we don’t see information about you, your 1Password usage or data, or your systems. The details and “fine print” are below.
- Using 1Password
- When you contact us
Your 1Password data resides completely on your devices (and on any synchronization services you use, such as Dropbox or iCloud). 1Password does not need to connect to or interact with any server or system we may run.
Of course 1Password on iOS does have a web browser in it, and so it makes the same sorts of connections to the network that any web browser does.
Amazon’s Cloud Front Content Distribution Network
AgileBits uses Amazon’s Cloud Front service for content distribution. Software updates, Rich Icons, News, Help files may be served from domains such as
d2x2f6qan2kccj.cloudfront.net. For example,
learn.agilebits.com is a DNS alias for
A description of all of the connections 1Password or its components make make follows.
The AgileBits image server
If you enable Show Rich Icons then 1Password will attempt to fetch icons for Logins and Software listed in your data from:
We do not see the IP addresses for any connection, and indeed we only log “misses” without IP address. Logging the misses helps us see what images do need to be added.
Although it may not be possible for us to collect IP addresses of requests coming in to the Rich Icon image server, uses should assume that it is possible for Amazon to do so if they wish to or are compelled to.
The use of Rich Icons can be switched on or off
In 1Password 4 for iOS Settings > Display “Show Rich Icons”
In 1Password 4 for Mac Preferences > General “Use rich icons”
1Password 4 will periodically check for News items which may view from Settings. The request is made to
https://d13itkw33a7sus.cloudfront.net/dist/1P/ios4/news.json, and as with requests to our image server, we do not see the IP addresses of the originating request.
On-line help and learn.agilebits.com
Using online Help within 1Password may redirect you to
learn.agilebits.com (alias for
Checking for updates
1Password for Mac as sold through the Mac App Store and 1Password for iOS do not check for updates to themselves. However the 1Password browser extensions do check for updates.
The 1Password browser extensions
1Password browser extensions may check for updates from
d13itkw33a7sus.cloudfront.net. Some versions may check through the browser vendors distribution system, for example some versions of the 1Password extension for Google Chrome may check for updates from the Chrome Web Store.
1Password for Mac (non-Mac App Store) and 1Password for Windows
Versions of 1Password that are from the AgileBits webstore will check for updates from
1Password 4 Beta
Some versions of 1Password 4 Beta may check for updates to
HockeyApp.netwhich has its own Cloud Front domain,
Little Snitch and domain names
There is a peculiarity of how some firewall software, Little Snitch in particular, may report these connections. Little Snitch’s Connection Inspector will display “all names currently known to resolve to one of the IP addresses of the server.” [§3.2 of Little Snitch 3 – Documentation (iBooks, PDF)].
Given how the Cloud Front content distribution network operates, the particular
cloudfront.net subdomains do not correspond to a unique IP address. Nor is an individual IP address limited to a single cloudfront subdomain.
For example, one of the IP addresses associated with
126.96.36.199. That same IP address may also be associated with some other cloudfront subdomain entirely unconnected to Agile Bits. That IP address may also be associated with something like
The upshot of this interaction between Cloud Front domain names, IP address, and Little Snitch’s reporting habits is that Little Snitch erroneously reports 1Password attempting to connect to
example.com in that example.
1Password Mini on localhost
The 1Password browser extensions communicate with 1Password Mini over a websocket listening on
127.0.0.1 TCP ports
localhost listening and connecting is not available over the network. Indeed
localhost connections do not involve your computer’s networking hardware at all.
Some computer security software may attempt to block localhost connections or web browsers making websocket connections on the reasonable principle that if something facility isn’t needed it should be disabled by default. However, if you do take a “default deny” approach, you will find yourself having to allow various things as they are need. In the case of 1Password both localhost connections are needed as is the ability for web browsers to make (local) websocket connections.
Please see these instructions to configure Sophos on your Mac.
Purchases through Apple
For your privacy and protection, Apple provides no information about individual customers to developers. When you purchase our software through Apple’s app store, we get no information about the buyer. Apple will send us aggregate information about the number of purchases for each country.
Purchases through AgileBits’ online store
If you purchase or have purchased software through the AgileBits online store, then we will have a record of that purchase. That record will include the information that you provided to us and the license code for your product. It will also include the time and date of the purchase.
We do not have the information you provided for credit card processing other than the first four and the last four digits of the credit card used. This is to help us identify records for customers who may have lost a record of their software licenses. We do not have CVV verification numbers, not expiry dates of customer credit cards.
These purchase records are used solely to assist customers with lost licenses, upgrades, refunds and other purchase and licensing related services. This is the only thing that such data will be used for.
When you contact us
When you contact us or post to our forum or support system, we do retain the information that you provide us.
This also includes header information that is included in email headers, information that comes through the web browser connection (including source IP address), and the email address used whenG registering for our forums and support system.
We only rarely ever look at header information. It is examined when spam is posted to our forums. In even rarer occasions we may look at Email headers to see whether a customer is mailing from Windows or Mac when that is relevant to their query and the information isn’t apparent from what they have told us.
Sometimes during a support query we make request that you send us a diagnostics report. The precise details of what is in the report vary from platform to platform and time to time. Your 1Password data is not included in the diagnostics report, but a great deal of data about your 1Password data is.
Additionally, these reports will typically contain a great deal of information about your system in general (and thus your usage of it). For example, the diagnostics report on the Mac will attempt to compile a list of browser extensions you may have installed. System logs that may reveal information about other software running on your system may also be included.
On the whole, when you chose to send us a diagnostic report, you will be sending us a great deal of information. We will use that information for nothing other than diagnosing the issues which you contacted us about.