Effective March 30, 2026

Privacy Policy

How we collect, use, and protect your data. No surprises.

Table of Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Your Information
  4. Third-Party Services
  5. Data Security
  6. Data Retention
  7. Your Rights (GDPR/CCPA)
  8. For Our Customers' End Users
  9. Children
  10. International Data Transfers
  11. Cookies
  12. Changes to This Policy
  13. Governing Law & Disputes
  14. Contact

1. Introduction

This Privacy Policy describes how Auth1, Inc. ("Auth1," "we," "us," or "our") collects, uses, shares, and protects personal information when you use our authentication platform, APIs, SDKs, and related services (collectively, the "Service").

We believe in transparency. This policy is written to be clear and readable, not buried in legal jargon. If anything is unclear, please reach out to privacy@auth1.ai and we will explain it.

By using the Service, you agree to the collection and use of information as described in this policy. This policy should be read alongside our Terms of Service.

2. Information We Collect

Account Information

When you create an Auth1 account, we collect:

  • Email address — Required for account creation and communication
  • Name — Optional, used for personalization
  • Phone number — Required only if you use SMS OTP features

Authentication Data

When you or your end users authenticate through Auth1, we process:

  • Hashed passwords — Stored using Argon2id. We never store or have access to plaintext passwords.
  • OTP codes — Temporary, auto-deleted after verification or 10-minute expiry
  • OAuth tokens — Encrypted at rest using AES-256-GCM
  • TOTP secrets — Encrypted at rest for MFA

Usage Data

We automatically collect certain information when the Service is used:

  • Login timestamps — When authentication events occur
  • IP addresses — For security, fraud detection, and consent records
  • User agents — Browser and device information
  • Device information — Operating system, browser type, screen resolution (for BotShield)
  • Authentication method used — Which auth method was selected (SMS, email, OAuth, etc.)

Tenant Data

If you are an Auth1 customer (tenant), we store:

  • API keys — Used to authenticate your application's requests
  • Webhook endpoints — URLs you configure to receive event notifications
  • Branding configuration — Custom logos, colors, and messaging for your auth screens

Consent Records

To comply with TCPA, CAN-SPAM, and GDPR, we maintain detailed consent records including:

  • What was consented to (e.g., transactional SMS, marketing email)
  • When consent was given or withdrawn (timestamp)
  • The IP address from which consent was recorded
  • The user agent at the time of consent
  • Optional: Post-quantum (ML-DSA-65) digital signatures on consent records for tamper-proof evidence

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide authentication services — Deliver SMS OTP, email verification, magic links, OAuth, password authentication, and MFA
  • Send verification codes and transactional messages — OTP codes, password reset links, security alerts
  • Detect and prevent fraud — BotShield scoring, VOIP number detection, rate limit enforcement, suspicious login detection
  • Monitor service health — Track API performance, error rates, and system availability
  • Comply with legal obligations — Respond to lawful requests, maintain consent records, fulfill regulatory requirements
  • Improve the Service — Aggregate and anonymized usage analytics to improve features and reliability

What we do NOT do with your data:

  • We do NOT sell your personal data to anyone, ever
  • We do NOT use your data for advertising or ad targeting
  • We do NOT share your data with third parties for their marketing purposes
  • We do NOT train AI models on your personal data or your end users' data
  • We do NOT profile your end users for purposes unrelated to authentication and security

4. Third-Party Services

We use the following third-party services to operate the Auth1 platform. Each provider is bound by a data processing agreement and processes data only as necessary to deliver their service:

Provider, purpose, and data shared:

  • Twilio: SMS delivery (OTP codes). Data shared: phone numbers, message content
  • AWS SES: Email delivery (verification codes, magic links). Data shared: email addresses, message content
  • AWS (RDS, ElastiCache, EB): Infrastructure hosting. Data shared: all data (encrypted at rest and in transit)
  • Netlify: Marketing site hosting. Data shared: none (marketing site only, no user data)
  • Stripe: Payment processing. Data shared: billing information (handled directly by Stripe)

We do not share personal data with any other third parties unless required by law or with your explicit consent.

5. Data Security

We implement multiple layers of security to protect your data:

Layer and implementation:

  • Passwords: Argon2id hashing via a compiled Rust binary; never stored in plaintext, never reversible
  • PII at rest: Optional AES-256-GCM encryption (Enterprise tier)
  • Transport: TLS 1.3 enforced for all API connections
  • Tokens: httpOnly cookies only; no localStorage, no client-accessible tokens
  • Audit trail: Immutable consent and activity logs; append-only, no deletions
  • Post-quantum: Optional ML-DSA-65 (Dilithium) signatures on audit records for tamper-proof, quantum-resistant evidence
  • Secret comparisons: Constant-time (timing-safe) algorithms to prevent side-channel attacks
  • Resilience: Circuit breakers, rate limiting, and structured logging for incident response

Despite these measures, no security system is perfect. If we discover a breach that affects your data, we will notify you as required by applicable law and take immediate steps to mitigate the impact.

6. Data Retention

We retain data only as long as necessary for the purposes described in this policy:

Data type and retention period:

  • Account data (email, name, phone): Until account deletion
  • OTP codes: Auto-deleted after verification or 10-minute expiry
  • Session data: 7 days after last activity
  • Authentication audit logs: 2 years (or as required by applicable law)
  • Consent records: 7 years (TCPA statute of limitations requirement)
  • Billing records: 7 years (tax and accounting requirements)

After account deletion, all personal data is purged within 30 days, with the exception of records we are legally required to retain (consent audit logs and billing records). Retained records are anonymized where possible.

7. Your Rights (GDPR/CCPA)

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Right to access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to deletion: Request deletion of your account and personal data ("right to be forgotten")
  • Right to portability: Request your data in a structured, machine-readable format (JSON)
  • Right to restrict processing: Request that we limit how we process your data
  • Right to object: Object to processing of your data for specific purposes
  • Right to withdraw consent: Withdraw any consent you previously gave at any time, without affecting the lawfulness of prior processing
  • Right to non-discrimination: (CCPA) We will not discriminate against you for exercising your rights

To exercise any of these rights, contact us at privacy@auth1.ai. We will respond to verified requests within 30 days (or sooner as required by law). We may ask you to verify your identity before processing a request.

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

8. For Our Customers' End Users

If you use Auth1 through one of our customers' applications (for example, when you log in to an app that uses Auth1 for authentication), please note the following:

  • The customer (the company whose app you are using) is the data controller — they determine why and how your data is processed
  • Auth1 is the data processor — we process your data solely to provide authentication services on the customer's behalf
  • For questions about how your data is handled, please refer to the customer's own privacy policy
  • For data access, deletion, or other rights requests, please contact the customer directly

Our customers are contractually required to have a lawful basis for processing your data through Auth1 and to inform you about their data practices.

9. Children

Auth1 is not directed at children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children below these ages.

If we become aware that we have collected personal data from a child without verified parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at privacy@auth1.ai.

10. International Data Transfers

Auth1's infrastructure is hosted in the United States (AWS us-east-1 region, Northern Virginia). If you access the Service from outside the United States, your data will be transferred to and processed in the United States.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland:

  • Data transfers to the United States are conducted under the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Enterprise customers may request a copy of the applicable SCCs by contacting legal@auth1.ai

We ensure that any international transfer of personal data is subject to appropriate safeguards as required by applicable data protection laws.

11. Cookies

Auth1 uses cookies in a limited and transparent way:

Authentication Cookies (API)

Auth1's APIs use httpOnly session cookies to maintain authenticated sessions. These cookies are:

  • Strictly necessary for the Service to function
  • Not accessible to client-side JavaScript (httpOnly flag)
  • Encrypted and signed to prevent tampering
  • Expire after 7 days of inactivity

Marketing Site Cookies

Our marketing site (auth1.ai) uses minimal analytics cookies to understand how visitors interact with our documentation and marketing content. We do not use:

  • Third-party tracking cookies
  • Cross-site tracking pixels
  • Advertising or retargeting cookies

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

  • We will provide at least 30 days' advance notice for material changes
  • Material changes will be communicated via email to the address associated with your account
  • We will update the "Effective Date" at the top of this page
  • The updated policy will be posted on our website

We encourage you to review this policy periodically. Your continued use of the Service after the updated policy takes effect constitutes your acknowledgment of the changes.

13. Governing Law & Disputes

This Privacy Policy is governed by the laws of the State of Florida, United States. Any disputes relating to this Privacy Policy are subject to the mandatory binding arbitration and class action waiver provisions set forth in our Terms of Service (Section 18).

14. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Auth1, Inc.
Privacy inquiries: privacy@auth1.ai
Legal inquiries: legal@auth1.ai
General support: support@auth1.ai

For EU/EEA residents, if you are not satisfied with our response, you have the right to contact your local supervisory authority.

© 2025 Auth1. All rights reserved.