Privacy Policy

Last updated: March 5, 2026

1. Introduction

AuthGate ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information when you use our platform, APIs, SDKs, and website (collectively, the "Service").

2. Information We Collect

Account information

When you create an account, we collect your name, email address, and authentication credentials. If you sign in via a social provider (Google, GitHub, etc.), we receive your profile information from that provider.

Usage data

We collect information about how you interact with the Service, including pages visited, features used, API calls made, timestamps, and IP addresses.

End-user data you process

As a platform, AuthGate processes authentication and billing data on behalf of your applications. You are the data controller for your end users' data; we act as a data processor.

3. How We Use Your Information

  • Provide, maintain, and improve the Service
  • Authenticate your identity and secure your account
  • Process payments and manage subscriptions
  • Send transactional emails (account verification, password resets, billing notifications)
  • Monitor for abuse, fraud, and security threats
  • Comply with legal obligations and enforce our Terms of Service

4. Data Sharing

We do not sell your personal data. We may share information with:

  • Service providers — hosting (Vercel, Neon), email delivery, and payment processing partners who act as sub-processors
  • Legal requirements — when required by law, subpoena, or government request
  • Business transfers — in connection with a merger, acquisition, or sale of assets

5. Data Security

We implement industry-standard security measures including encryption at rest and in transit (AES-256-GCM for sensitive fields, TLS for all connections), regular security audits, and access controls. API keys and TOTP secrets are encrypted before storage and never logged in plaintext.

6. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. After account deletion, we remove personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention).

7. Your Rights

Under the GDPR and applicable data protection laws, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request deletion of your data
  • Restrict or object to processing
  • Request data portability
  • Withdraw consent at any time

To exercise these rights, contact us at privacy@authgate.dev.

8. Cookies

We use essential cookies for authentication and session management. We do not use third-party tracking or advertising cookies. Session cookies are HttpOnly and Secure.

9. International Transfers

Your data may be processed in countries outside your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by the GDPR.

10. Children's Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service at least 30 days before they take effect.

12. Contact

For privacy-related questions or requests, contact us at privacy@authgate.dev.