Information for Law Enforcement
About heylogin
heylogin is a password manager developed and operated by heylogin GmbH, based in Braunschweig, Germany. Our service uses hardware-based end-to-end encryption, meaning that all user vaults are encrypted using the security chips of the respective user devices. heylogin GmbH is ISO 27001:2022 certified and operates under German and European Union law.
Information We Cannot Provide
The vast majority of data stored in heylogin is end-to-end encrypted. Our architecture ensures that heylogin GmbH has no technical ability to access, decrypt, or hand over this data, not even in response to a court order.
All user vaults are encrypted using hardware security chips built into the user's personal device (smartphone or FIDO2 security key). The decryption keys never leave these devices and are never transmitted to or stored on our servers. Our cloud infrastructure serves exclusively as encrypted data storage with no means of decrypting its contents.
This means we cannot provide:
- Stored passwords, credentials, or login data
- TOTP secrets or two-factor authentication codes
- Credit card details or other sensitive items stored in user vaults
- The contents of personal or shared team vaults
- Vault metadata such as titles, URLs, or notes
There is no backdoor, master key, or recovery mechanism that would allow heylogin GmbH or any third party to access encrypted vault data. For more details on our security architecture, see our Security Whitepaper.
Information We Can Provide in Response to a Lawful Request
A small amount of unencrypted account metadata is necessary to operate the service. Subject to a valid and enforceable legal request, heylogin may be able to provide:
- Email address associated with the account
- Account creation date
- Type of subscription (private, business, etc.)
- Organization membership (whether a user belongs to a company account)
- Last login timestamp
Legal Framework
heylogin GmbH is a German company and is subject to German law. We process law enforcement requests in accordance with:
- The German Code of Criminal Procedure (Strafprozessordnung, StPO)
- The German Telecommunications Act (Telekommunikationsgesetz, TKG)
- The EU General Data Protection Regulation (GDPR)
- Other applicable German and EU legislation
Requests From German Authorities
German law enforcement agencies may submit requests for subscriber data (Bestandsdaten) in accordance with applicable German law. Requests for traffic data or telecommunications interception require a court order.
Requests From Foreign Authorities
Requests from authorities outside Germany must generally be submitted through the appropriate international legal assistance channels, such as:
- Mutual Legal Assistance Treaties (MLATs) via the German Federal Office of Justice (Bundesamt für Justiz)
- European Investigation Orders (EIO) for EU member states
Direct requests may be considered for account suspension in cases of abuse, phishing, or imminent danger.
heylogin GmbH will not provide user data directly to foreign authorities outside of these established legal frameworks.
User Notification
heylogin is committed to transparency. We will notify affected users of law enforcement requests for their data before disclosure, unless:
- Notification is prohibited by a court order or applicable law
- There is an immediate risk to the life or safety of an individual
- Notification would compromise an ongoing investigation as determined by a German court
How to Submit a Request
Law enforcement requests can be sent to:
Email: security@heylogin.com
OpenPGP Fingerprint: 327E E095 BDC1 BD81 631C 8D82 2949 0F2D 481F 4E59
Requests sent via email must be encrypted using our OpenPGP key. Unencrypted requests for user data will be rejected in accordance with data protection requirements.
Required Information
All requests must include:
- The identity and authority of the requesting agency (name, badge/ID number, official email address, direct phone number)
- The specific heylogin account(s) subject to the request (e.g., email address)
- A clear description of the information being requested
- The legal basis for the request, including relevant statutes or regulations
- A copy of any applicable court order, subpoena, or other legal process
- Whether a non-disclosure obligation applies
- The urgency and deadline of the request
Overly broad, vague, or legally insufficient requests will be rejected.
Transparency Report
heylogin is committed to transparency regarding government requests for user data.
To date, heylogin GmbH has not received any law enforcement requests for user data.