Legal

Privacy Policy

Last updated: June 8, 2026

Patch is made by Plateau Labs LLC. This policy explains what Patch does with your information. The short version: Patch is built to keep your information on your device, and we don't want to collect more than we need. We've written this in plain language on purpose.

This policy is part of our Terms of Use.

The short version

Patch does its work on your device. Your passwords, usernames, and browsing history stay on your computer.
We don't have a server full of your data. There's nothing there for someone to steal.
The only things that leave your device are a scrambled, partial fingerprint of a password (never the password itself), a request for a public list of known breaches, and — only when you ask us to check something — the text or link you want checked.
We don't sell your information. We don't show you ads.

What Patch reads, and where it stays

On Mac (the full version)

To find security problems, the Mac version reads, on your computer:

Your saved logins from your browser — Chrome, Edge, Brave, and Firefox. This includes the website, your username, and your saved password.
Your browsing history — which sites you visit and how often — so Patch can show you the most important problems first.
The security flags your browser already set — the "compromised," "reused," and "weak" warnings your browser raises on its own.

All of this is read on your Mac. Patch reads your passwords in memory to check them and to find reused ones, but it never stores the password itself. When it needs to check a password again later, it reads it fresh from your browser rather than keeping a copy.

The one thing Patch does keep on your device is a small cache of password fingerprints — scrambled, one-way codes that are not your passwords and can't be turned back into them — paired with how many breaches each was found in, so it doesn't have to re-check the same password every time. This cache lives only on your Mac. It never contains the actual password, and it's never uploaded.

Patch does not read your autofill data, saved addresses, or payment cards.

On iPhone and iPad

Apple's rules don't let apps read your saved accounts, so the iPhone and iPad version can't. Instead, you tell Patch which sites you use, and it checks those. The list of sites you add is stored on your device.

You can also check whether your email address appears in known data breaches. When you do, that check is described below.

What leaves your device, and why

We've kept this list short on purpose. These are the only times information leaves your device:

Checking a password against known breaches (Mac). Patch scrambles your password into a one-way fingerprint on your Mac and sends only the first five characters of that fingerprint to the Have I Been Pwned service. That service can't work out your password from five characters, and your password — and the rest of the fingerprint — never leave your Mac. This is a well-established privacy technique called k-anonymity.
Getting the list of known breaches. Patch downloads a public list of known data breaches from Have I Been Pwned and compares it to your sites on your own device. This request doesn't tell anyone which sites are yours.
Checking an email for breaches. When you ask Patch to check an email address against known breaches, that address is sent to the Have I Been Pwned service to look it up.
Checking whether something is a scam ("Check it"). When you paste a message, link, or text and ask Patch whether it looks like a scam, that text is sent to our checking service to form a verdict. Don't paste anything into Check it that you don't want sent for analysis.

We don't attach your name or identity to these requests, and we don't use them to build a profile of you.

Have I Been Pwned and other outside services

Patch relies on Have I Been Pwned for breach information and on our own checking service for the scam check. When information is sent to an outside service, that service's own handling of it applies. We don't control those services and don't warrant their data.

What we don't do

We don't sell or rent your information.
We don't show you advertising, and we don't let anyone pay to influence what Patch tells you.
We don't track you across other apps or websites.
We don't keep a copy of your passwords, your browsing history, or your saved logins on our servers.

Children

Patch isn't directed at children and isn't intended for use by anyone under 13. We don't knowingly collect information from children.

Changes to this policy

We may update this policy. When we make a meaningful change, we'll update the "last updated" date above, and significant changes will be made clear in the app.

Contact

Patch is made by Plateau Labs LLC. Questions about your privacy or this policy? Email us at hello@patch-security.com.