Privacy Policy

Your Data, Your Rights

Effective Date: 14/10/2025

Last Updated: 14/10/2025

Version: 1.0

1. Introduction

Welcome to AuthNGo (the "Authentication Platform", "we", "us", or "our"). We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our passwordless authentication platform and associated services.

This policy applies to all users of our platform, including:

  • System Administrators: Platform administrators who manage the system
  • Tenant Organizations: Organizations that use our platform for their authentication needs
  • Tenant Users: Administrators and users within tenant organizations
  • End Users: Individuals who authenticate through tenant organizations

Your Rights

Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, you have important rights regarding your personal data. We respect these rights and have implemented self-service tools to help you exercise them. For more information, see Section 7 "Your Rights."

Contact Information

Data Controller: AuthNGo LTD

Address: Galbally, Enniscorthy, Y21 WK72, County Wexford, Ireland

Email: privacy@authngo.com

Data Protection Officer (DPO): dpo@authngo.com

2. Data We Collect

2.1 Account Registration Data

For Tenant Organizations:

  • Organization name
  • Administrator email address
  • Administrator name
  • Organization contact information

For Tenant Users:

  • Email address
  • Name (first and last)
  • User role within organization
  • Tenant affiliation

2.2 Authentication Data

To provide passwordless authentication via FIDO2/WebAuthn, we collect:

  • Passkey credentials (public keys, credential IDs)
  • Device information (user agent, authenticator type)
  • Recovery codes (argon2-hashed, single-use)

Important: We do NOT store passwords, biometric data, or private keys. With FIDO2/WebAuthn, any biometric or PIN check happens locally on your authenticator and never leaves your device; we receive only the public key at registration and a signed challenge at each login.

2.3 Cookies

We use essential cookies for authentication:

Cookie Name   | Purpose                                 | Duration
client_info   | Client device and session information   | 1 year
sessionId     | Authentication session management       | 1 year
accessToken   | API authentication token                | 15 minutes

All cookies are set with the HttpOnly, Secure, and SameSite=Strict attributes, so they are not readable by scripts, are only sent over TLS, and are not sent on cross-site requests. Because these cookies are strictly necessary for the authentication service to function, they do not require your consent under Article 5(3) of the ePrivacy Directive (2002/58/EC), which applies alongside the GDPR.

3. How We Use Your Data

We use your personal data for:

  • Account Management: Creating and managing your account, authentication
  • Service Delivery: Enabling passwordless authentication, managing passkey credentials
  • Security: Monitoring for suspicious activity, fraud prevention
  • Legal Compliance: Complying with GDPR, NIS2, and other legal obligations
  • Service Improvement: Analyzing usage patterns (aggregated, anonymized data)

Legal Basis: We process data based on contract performance (GDPR Article 6(1)(b)), legitimate interests (Article 6(1)(f)), legal obligations (Article 6(1)(c)), and consent (Article 6(1)(a)) where applicable.

4. Data Sharing

We do NOT sell your data to third parties.

We share data only with trusted service providers:

  • Scaleway: Cloud infrastructure (EU-based, GDPR-compliant)
  • Stripe: Payment processing (PCI DSS certified, EU-U.S. Data Privacy Framework)

5. Data Retention

Data Category     | Retention Period
Account Data      | Duration of account + 30 days
Activity Logs     | 90 days, then anonymized
Billing Records   | 7 years (legal requirement)

6. Security Measures

We implement the following security measures:

  • ✅ FIDO2/WebAuthn passkeys (phishing-resistant)
  • ✅ TLS 1.3 encryption for all connections
  • ✅ AES-256 encryption for data at rest
  • ✅ Multi-tenant data isolation (row-level security)
  • ✅ XSS protection (auto-escaping + CSP headers)
  • ✅ 72-hour breach notification procedure (GDPR Article 33)

7. Your Rights

Under GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Delete your account and data
  • Right to Data Portability: Download your data in JSON format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

How to Exercise Your Rights: Use the self-service tools in your account settings, or contact privacy@authngo.com.

8. International Data Transfers

Primary Data Location: European Union (France - Scaleway datacenters)

Some service providers (e.g., Stripe for payment processing) may process data outside the EU. We ensure all such transfers comply with GDPR Chapter V requirements through Standard Contractual Clauses (SCCs) and adequacy decisions, including the EU-U.S. Data Privacy Framework where the provider is certified under it.

9. Children's Privacy

Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe your child has provided us with personal data, please contact us immediately at privacy@authngo.com.

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your data protection rights.

Our Lead Supervisory Authority:
Data Protection Commission (DPC) Ireland
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: https://www.dataprotection.ie
Email: info@dataprotection.ie

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. Non-material changes will be reflected by updating the "Last Updated" date.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

General Privacy Inquiries: privacy@authngo.com

Data Protection Officer: dpo@authngo.com

Response Time: Within 5 business days for inquiries, within 1 month for rights requests

By using our services after the Effective Date, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.