SentryKey is a two-factor authentication (TOTP) app for Garmin watches with Android and iOS companion apps. This policy explains what the apps do and don't do with your data.
Data Privacy Standard
SentryKey does not collect, transmit, or sell any personal data. Everything stays strictly on your local devices and your personal VPS backup host.
What data the app handles
- 2FA accounts (labels and secret keys). You add these by scanning a QR code or entering them manually. They are used only on-device to generate your rotating codes.
Where it is stored
- Android: In the app's private, encrypted on-device storage.
- iOS: In the secure device Keychain.
- Garmin watch: In the app's on-device storage.
- VPS Cloud Backup: Optionally stored on your own self-hosted server in a passphrase-encrypted .skbackup format.
We do not operate any centralized backend server. Your secrets are never shared with us or any third party. Any data transmission is either a direct Bluetooth sync to your Garmin watch or an upload to your private VPS.
Permissions and why
- Camera — to scan 2FA QR codes. Images are processed locally on-device and are never stored or transmitted.
- Bluetooth — to sync your vault to your paired Garmin watch.
- Internet — used only to load issuer icons (favicons) on Android and check for software updates. No personal data is ever transmitted.
Data sharing
- Exporting: Exporting a backup or QR code is an action you initiate. Backups can be encrypted with a passphrase you choose or exported as plaintext in the standard otpauth:// format. You are fully responsible for where you send or store these files.
Changes to this policy
Updates to this policy will be posted on this page and in the project's repository.
Contact
Questions? Open an issue at github.com/chrisdfennell/SentryKey/issues.