diff --git a/README.md b/README.md index a5fdbe3..7dc6f46 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ An offline-first password manager that runs entirely in your browser. No server, - **Password generator** — Configurable length (4–64), character types, custom exclusions, strength indicator. - **Copy to clipboard** — One-click copy with 15-second auto-clear. - **JSON import/export** — Export your entire vault as encrypted JSON. Import with merge or replace mode. -- **Auto-lock** — Vault locks automatically on tab switch, visibility change, or configurable inactivity timer. +- **Auto-lock** — Vault locks automatically on tab switch, visibility change, or 5-minute inactivity timer. - **Dark theme** — Responsive layout that works on desktop and mobile. ## Quick Start @@ -53,9 +53,9 @@ Master Password ──PBKDF2──→ 256-bit Key ──AES-GCM──→ Encrypt | Store | Fields | |---|---| -| `entries` | `id`, `title`, `username`, `password` (encrypted), `url`, `notes` (encrypted), `groupId`, `createdAt`, `updatedAt` | +| `entries` | `id`, `title`, `username`, `encryptedPassword` (encrypted), `url`, `notes`, `groupId`, `tags`, `createdAt`, `updatedAt` | | `groups` | `id`, `name`, `color`, `createdAt` | -| `meta` | `salt`, `testEncrypted`, `testPlaintext` | +| `meta` | `salt`, `testEncrypted`, `testPlaintext`, `dbVersion` | ## Security Considerations 
@@ -65,13 +65,14 @@ Master Password ──PBKDF2──→ 256-bit Key ──AES-GCM──→ Encrypt | Weak passwords | Strength indicator on generator | | Clipboard leakage | Auto-clear after 15 seconds | | Tab left open | Auto-lock on visibility change (tab switch) | -| Database tampering | All sensitive data encrypted at rest with AES-256-GCM | +| Database tampering | Passwords encrypted at rest with AES-256-GCM | | Brute force | PBKDF2 with 100,000 iterations slows offline attacks | ### Known limitations - **No browser fingerprinting or anti-keylogger** — This is a local tool, not a hardened security appliance. -- **IndexedDB can be inspected** — Encrypted data is safe, but metadata (titles, usernames, URLs) may be visible if not encrypted. Currently only `password` and `notes` are encrypted; titles/usernames/URLs are stored in plaintext for searchability. +- **IndexedDB can be inspected** — Only `encryptedPassword` is encrypted at rest. Titles, usernames, URLs, and notes are stored in plaintext for searchability and are visible if the database is inspected. +- **Test plaintext stored in IndexedDB** — The `testPlaintext` value used for password verification is stored unencrypted in the `meta` store. An attacker with access to IndexedDB could use it to verify guessed passwords alongside the salt. - **No automatic backups** — Use the JSON export feature to back up your vault regularly. ## Development
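Review bot: in the first hunk, the `entries` row of the data-model table now lists `notes` without the `(encrypted)` marker it carried before, so notes move from encrypted to plaintext at rest in the same change that adds `tags`; if that is intentional it deserves its own sentence in Security Considerations rather than being visible only in a table diff, and users who stored secrets in notes need a migration note. The new `dbVersion` field in `meta` also implies a schema migration for existing vaults that the README does not describe; a line on what happens when an older database is opened (are existing encrypted notes decrypted in place?) would close that gap. The feature bullet changing "configurable inactivity timer" to "5-minute inactivity timer" should also drop "configurable" from anywhere else in the README if the setting was removed.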
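Review bot: in the second hunk, the "Database tampering" row now has a mitigation ("Passwords encrypted at rest with AES-256-GCM") that no longer covers the threat named in the left column: AES-GCM authenticates only the ciphertext it protects, so modification of the plaintext fields (`title`, `username`, `url`, `notes`, `groupId`, `tags`) in IndexedDB is not detected at all. Either rename the threat to something like "Password disclosure from the database" or split it into "disclosure" (mitigated for passwords only) and "tampering" (unmitigated for plaintext fields) so the table stays honest.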
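Review bot: in the third hunk, the new "Test plaintext stored in IndexedDB" limitation reads as if `testPlaintext` is what enables offline master-password guessing, but with AES-GCM any stored ciphertext already does: a wrong key fails tag verification on decrypt, so `testEncrypted` alone (or any `encryptedPassword`) lets an attacker confirm a guess. The practical consequence is that the work factor, not the presence of the plaintext, is the defence; the bullet should say that and cross-reference the PBKDF2 row. Since the known-plaintext comparison adds nothing over checking that `testEncrypted` decrypts successfully, consider dropping `testPlaintext` from the `meta` store entirely, which also removes the field this bullet apologises for. The 100,000 PBKDF2 iterations quoted in the unchanged "Brute force" row is below current OWASP guidance (600,000 for PBKDF2-HMAC-SHA256), so a sentence noting that the count is tunable, or raising it, would be a better mitigation than documenting the plaintext.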