Password Manager Privacy: 1Password vs Bitwarden
28 April 2026
Both use zero-knowledge encryption. Neither can read your passwords. But the data practices around your vault are more different than you'd expect.
A password manager is the most sensitive software most people use. It holds credentials for every service in your digital life — banking, email, work systems, healthcare records. Which company you trust with that vault matters.
The good news: both 1Password and Bitwarden use zero-knowledge encryption, meaning neither company can read your vault contents. Your passwords are encrypted on your device before they ever reach a server. Even under a court order, neither can hand over decrypted credentials.
The less obvious news: the data practices around your vault — analytics, marketing, jurisdiction, and what gets collected outside the encrypted container — are more different than most comparisons acknowledge.
What zero-knowledge actually means
Both 1Password and Bitwarden use client-side encryption. Your vault is encrypted using a key derived from your master password (and, for 1Password, a Secret Key) before leaving your device. The server stores ciphertext it cannot decrypt.
1Password states: "Secure Data is encrypted using secure cryptographic keys that exist only in the possession and under the control of users or admins of their accounts." Bitwarden states: "Vault Data is encrypted using secure cryptographic keys under your control. Bitwarden cannot access Vault Data."
This is the core promise of both products, and it holds. The audit trail for Bitwarden is particularly strong — the code is fully open source and has been independently audited by named security firms whose reports are publicly available. 1Password's encryption architecture is well-regarded, though the client is not open source.
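The client-side flow described above, as an added example that is not code from 1Password, Bitwarden, or the original article. It is a simplified illustration, not either vendor's actual scheme: the use of PBKDF2, HKDF and AES-256-GCM, the iteration count, the function names and the sample data are all assumptions made here.

```javascript
// Simplified client-side vault encryption (illustration only; not either vendor's scheme).
const crypto = require('node:crypto');

const PBKDF2_ITERATIONS = 100000; // assumed work factor for this demo

// Derive a 256-bit vault key on the client. The optional secretKey is a second,
// device-held secret mixed in with HKDF; the server never sees either input.
function deriveVaultKey(masterPassword, salt, secretKey = null) {
  const stretched = crypto.pbkdf2Sync(masterPassword, salt, PBKDF2_ITERATIONS, 32, 'sha256');
  if (secretKey === null) return stretched;
  const ikm = Buffer.concat([stretched, secretKey]);
  return Buffer.from(crypto.hkdfSync('sha256', ikm, salt, 'vault-key', 32));
}

// Encrypt one vault item on the client with AES-256-GCM.
function encryptItem(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt; returns null when the key is wrong or the record was modified.
function decryptItem(key, record) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
    decipher.setAuthTag(record.tag);
    return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data: salt, second secret and vault item are made up for the demo.
const salt = crypto.randomBytes(16);
const secretKey = crypto.randomBytes(32);
const item = JSON.stringify({ site: 'bank.example', password: 'constructed-sample-only' });

function demo() {
  const key = deriveVaultKey('correct horse battery staple', salt, secretKey);
  const serverRecord = encryptItem(key, item); // iv, ct, tag (plus salt) is all a server stores
  return {
    serverSeesPlaintext: serverRecord.ct.includes('bank.example'),
    ownerDecrypts: decryptItem(key, serverRecord) === item,
    passwordOnlyFails: decryptItem(deriveVaultKey('correct horse battery staple', salt), serverRecord) === null,
    wrongPasswordFails: decryptItem(deriveVaultKey('guess123', salt, secretKey), serverRecord) === null,
  };
}
console.log(demo());
```

The `passwordOnlyFails` result shows why a second device-held secret matters: even the correct master password does not unlock the stored record without it.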
Where they differ: analytics and tracking
Bitwarden uses Google Analytics — not just on its marketing website, but on the Bitwarden Service itself. This means Google receives data about how you interact with your password manager: which features you use, how often you open it, your session behaviour.
Your vault contents remain encrypted and inaccessible. But the metadata of how you manage your credentials flows to Google. For a product whose core value proposition is security and privacy, embedding the world's largest advertising surveillance infrastructure into the product is a significant design choice. Bitwarden is the only password manager in this tier to do it.
1Password does not use Google Analytics within the password manager product. It does collect usage data for product improvement, and it works with marketing platforms including advertising measurement tools for its website — but those data flows don't touch the product itself in the same way.
Bitwarden's self-hosted option
Bitwarden offers a fully supported, open source self-hosted deployment. Users who self-host send no data to Bitwarden's servers at all — vault data, analytics, and administrative data are all under their own control.
For individuals or organisations with strong data sovereignty requirements, this is a meaningfully different option from 1Password, which does not offer self-hosting. If Google Analytics in a SaaS product is a dealbreaker but you still want Bitwarden's open source architecture, self-hosting resolves the concern entirely — at the cost of managing your own infrastructure.
Jurisdiction
1Password is a Canadian company, incorporated in Ontario. Canada is a Five Eyes member, and Canadian law can compel companies to assist with intelligence gathering. 1Password has a clear policy of notifying users of legal requests where legally permitted, and your vault contents are protected by E2EE regardless of what can be compelled.
Bitwarden is incorporated in California, making it subject to US law including FISA courts and National Security Letters. The US has broader surveillance authorities than Canada. Bitwarden holds EU-U.S. Data Privacy Framework certification, which provides some accountability mechanisms for European users, but the underlying jurisdiction exposure remains.
Neither jurisdiction is ideal for users with serious operational security concerns. For those users, a self-hosted Bitwarden deployment in a preferred jurisdiction is the strongest option either company offers.
What 1Password collects outside your vault
1Password collects a meaningful amount of administrative data: IP addresses, device identifiers, browser type, operating system, crash data, performance metrics, and vault configuration metadata (how many vaults you have, how many items, who can access them). Detailed product usage data collection is optional but available.
It also works with marketing platforms in a way that may constitute a "sale or sharing" of personal information under US state privacy laws (their words in the policy). This applies to marketing data, not vault data — but it's worth knowing before assuming "zero knowledge" extends to the full relationship.
Retention for most administrative data is "as long as necessary" — an open-ended commitment with no specific periods for IP addresses, device data, or usage records. Fastmail, Mullvad, and others commit to specific windows (1 year, 70 days, etc.); 1Password does not.
Side by side
| | 1Password | Bitwarden |
|---|---|---|
| Can read your vault? | ✗ No (zero-knowledge) | ✗ No (zero-knowledge) |
| Open source client | ✗ No | ✓ Yes (with audits) |
| Self-hosted option | ✗ No | ✓ Yes |
| Google Analytics in product | ✗ No | ✓ Yes |
| Marketing data sharing | May constitute a sale | Third-party processors |
| Jurisdiction | Canada (Five Eyes) | US (Five Eyes) |
| Retention specificity | "As long as necessary" | Vague for most data |
| Warrant canary / transparency report | ✗ No | ✗ No |
| Privacy grade | B | B+ |
Which one?
For most users, both are trustworthy password managers. The zero-knowledge architecture means neither can expose your actual credentials regardless of what happens with the surrounding data practices.
Choose Bitwarden if: you want open source and independently audited code, you need a self-hosted option, you're comfortable with Google Analytics being present in the product (or willing to self-host to avoid it), or you want a free tier with solid functionality.
Choose 1Password if: you prefer a polished, closed-source product with a long security track record, you work in a team with shared vaults, you want a product that doesn't embed Google Analytics in the password manager itself, and you're comfortable paying for it.
If you're in a high-risk context — journalist, activist, security researcher — neither company's cloud product is the right answer. Self-hosted Bitwarden in a jurisdiction of your choice is the strongest option this category offers.