Privacy Policy
Local by design.
FacePass is a macOS menu-bar helper with an optional iOS companion for paired local approval. It is designed for lock-screen assist and value-only fill for approved administrator/System Settings authorization prompts.
FacePass does not provide Apple Face ID for Mac, system biometrics, or a replacement for macOS authentication. The Mac remains responsible for macOS authentication decisions.
- No cloud service, remote sync, external server, telemetry, analytics, or advertising tracking.
- No upload of passwords, face data, face templates, camera frames, unlock state, prompt contents, Wi-Fi details, display identifiers, or condition signals.
- No APNs, WebSocket, paid service, or cloud account is used for the iPhone StandBy Unlock path.
Data Stored
Mac password
The Mac login password is stored only in macOS Keychain through FacePass password storage. It is not stored in plaintext files, UserDefaults, logs, screenshots, crash reports, analytics, or debug output.
Face templates
Face recognition templates are stored locally as encrypted embeddings with required metadata such as model version. FacePass does not persist raw face photos, raw video frames, crops, or camera sample buffers.
Pairing records
Paired iPhone trust records, public keys, device identifiers, display name, and durable counters are stored locally on the Mac in a separate Keychain-backed store. The iPhone stores only the local pairing information it needs to send signed requests to the paired Mac.
Endpoint cache and counters
The iOS companion may use UserDefaults for non-secret local endpoint cache data and request counter state needed for rediscovery and replay protection. The Mac password is never placed in UserDefaults.
Camera and Recognition
The Mac camera is used only for short local recognition windows when a FacePass flow needs it. Sensitive lock-screen and approved prompt gates wait up to 10 seconds for the first accepted local match; after that, short follow-up captures may collect the remaining required match before returning immediately. Camera processing stays on the Mac, and capture should stop after success, timeout, cancellation, or failure.
FacePass does not send Mac camera frames, face images, face templates, or recognition results to the iPhone companion or to any external service.
iOS Companion
The iPhone companion sends signed local approval requests to the paired Mac. The iPhone never receives, stores, displays, logs, or transmits the Mac password.
WidgetKit Live Activity, Dynamic Island, AppIntent, and optional static widget surfaces are treated only as local request triggers. They do not transfer the Mac password, Mac face data, or Mac camera data.
The Mac accepts only signed requests from the paired iPhone after checking the paired public key, timestamp, replay cache, durable counter, iPhone device ID, Mac device ID, requested action, enabled state, provider policy, current Mac state, password configuration, permissions, and conditions.
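The following is an added illustration, not FacePass source code, of how the cryptographic and anti-replay part of that check sequence can fit together (signature, device IDs, requested action, timestamp, replay cache, durable counter). The field names, the nonce, the 30-second window, the action name, and the use of HMAC-SHA256 as a standard-library stand-in for the paired public-key signature are all assumptions; the Mac-state, policy, permission, and condition checks are omitted.

```python
import hashlib
import hmac
import json

MAX_SKEW = 30                          # seconds; assumed freshness window
ALLOWED_ACTIONS = {"standby-unlock"}   # assumed action name


class PairedVerifier:
    """Checks one paired device's requests: signature, binding, freshness, replay, counter."""
    def __init__(self, key, iphone_id, mac_id):
        self.key, self.ids = key, (iphone_id, mac_id)
        self.last_counter = 0   # a real store persists this across restarts
        self.seen_nonces = {}   # nonce -> timestamp, pruned once outside the window

    def verify(self, body: bytes, tag: str, now: float) -> str:
        # 1. Authenticate the raw bytes before trusting anything parsed from them.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-signature"
        try:
            req = json.loads(body)
            ts, nonce, counter = req["ts"], req["nonce"], req["counter"]
            ids, action = (req["iphone_id"], req["mac_id"]), req["action"]
        except (ValueError, KeyError, TypeError):
            return "malformed"
        # 2. Bind the request to this exact pairing and to an allowed action.
        if ids != self.ids:
            return "wrong-device"
        if action not in ALLOWED_ACTIONS:
            return "action-not-allowed"
        # 3. Freshness: reject anything outside the clock-skew window.
        if abs(now - ts) > MAX_SKEW:
            return "stale-timestamp"
        # 4. Replay cache: a nonce is remembered for as long as its timestamp is valid.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= MAX_SKEW}
        if nonce in self.seen_nonces:
            return "replayed"
        # 5. Durable counter: must strictly increase, even after the cache is pruned.
        if counter <= self.last_counter:
            return "counter-rollback"
        self.seen_nonces[nonce] = ts
        self.last_counter = counter
        return "accepted"


def sign(key, **fields):
    # Sender side of the stand-in scheme: canonical JSON body plus its HMAC tag.
    body = json.dumps(fields, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()
```

State is updated only after every check passes, so a rejected request cannot advance the counter or occupy a replay-cache slot.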
Local Network
FacePass uses local HTTP and Bonjour only for paired-device status, pairing, rediscovery, and StandBy Unlock requests on the local network. The endpoint scope is limited to /v1/status, /v1/pair, and /v1/standby-unlock.
Local Network permission may be requested so the iPhone companion can find and reach the paired Mac directly. FacePass does not use cloud routing, APNs, telemetry, analytics, WebSockets, or third-party relay servers.
Scope Limits
- FacePass supports the macOS lock screen and approved administrator/System Settings authorization prompts only.
- Ordinary website and app password fields are not supported targets.
- Administrator/System Settings prompt fill is value-only and does not click OK, Continue, Modify Settings, Login, submit, or press Return.
- Only the narrowly scoped lock-screen path may press Return, and only after locked-session checks and the configured approval policy pass.
Contact
For privacy questions, email contact@robertw.me or review the source repository.