Legal

Legal Documents

Transparency is a core principle. These documents govern how we operate, protect your data, and respect your rights.

Last updated April 15, 2026

Privacy Policy

Last Updated: April 15, 2026 Effective Date: April 15, 2026

This Privacy Policy explains how AuthPI Limited (“AuthPI,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you visit our website at authpi.com (the “Website”) or use our identity and authentication services (the “Services”).

AuthPI operates as both a data controller (for our direct relationship with you) and a data processor (when processing data on behalf of our customers). This policy covers both roles.


1. Who We Are

AuthPI Limited 71-75 Shelton Street London, United Kingdom Email: privacy@authpi.com

For GDPR purposes, AuthPI Limited is the data controller for personal information collected through our Website and account registration. When processing end-user data through our Services on behalf of customers, we act as a data processor.


2. Information We Collect

2.1 Information You Provide Directly

Account Information When you create an AuthPI account, we collect:

  • Email address
  • Name (optional)
  • Organization name (if applicable)
  • Password (stored as a cryptographic hash, never in plain text)

Payment Information If you subscribe to a paid plan, our payment processor (Stripe) collects payment details. We receive only non-sensitive confirmation data (last four digits, expiration date, billing address).

Communications When you contact us, we collect:

  • Email address and name
  • Content of your messages
  • Any attachments you send

2.2 Information Collected Automatically

Usage Data

  • Pages visited and features used
  • API endpoints called and response times
  • Error logs and diagnostic information

Device and Browser Information

  • IP address (anonymized after 30 days)
  • Browser type and version
  • Operating system
  • Device type

Cloudflare Analytics We use Cloudflare Web Analytics, which is privacy-focused and does not use cookies or track individuals across sites. It collects aggregate metrics only.

2.3 Information We Process on Behalf of Customers

When you use AuthPI’s Services to authenticate your own users, we process:

  • End-user identifiers (user IDs, email addresses)
  • Authentication credentials (hashed passwords, passkey data)
  • Session information (tokens, device fingerprints)
  • Organization and membership data
  • Custom metadata you choose to store

Important: This end-user data belongs to you (our customer). We process it solely according to your instructions and our Data Processing Agreement. We do not use this data for our own purposes.


3. How We Use Your Information

3.1 To Provide and Improve Our Services

  • Operating and maintaining the AuthPI platform
  • Processing authentication requests
  • Monitoring system performance and security
  • Debugging and fixing issues
  • Developing new features

3.2 To Communicate With You

  • Responding to support requests
  • Sending service announcements and updates
  • Notifying you of security incidents affecting your account

3.3 To Protect Our Services and Users

  • Detecting and preventing fraud, abuse, and security threats
  • Enforcing our Terms of Use
  • Complying with legal obligations
  • Sending marketing communications (you can opt out anytime)
  • Any other purpose for which you give explicit consent

We process personal information under the following legal bases:

PurposeLegal Basis
Providing ServicesPerformance of contract
Account managementPerformance of contract
Security and fraud preventionLegitimate interests
Legal complianceLegal obligation
Marketing (with consent)Consent
Service improvementLegitimate interests

For processing as a data processor, the legal basis is determined by our customers (the data controllers).


5. Data Sharing and Disclosure

5.1 Service Providers

We share data with trusted service providers who assist in operating our Services:

ProviderPurposeLocation
CloudflareInfrastructure, CDN, securityGlobal (edge network)
StripePayment processingUnited States
PostmarkTransactional emailUnited States

All service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

We may disclose information when required by law, such as:

  • In response to valid legal process (subpoenas, court orders)
  • To protect our rights, property, or safety
  • To prevent fraud or security threats
  • To comply with applicable regulations

5.3 Business Transfers

If AuthPI is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

We may share information for other purposes with your explicit consent.

We do not sell personal information. We do not share personal information with third parties for their marketing purposes.


6. International Data Transfers

AuthPI is based in the United Kingdom. Your data may be processed in:

  • United Kingdom
  • European Economic Area
  • United States (via service providers)

For transfers outside the UK/EEA, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA)
  • Adequacy decisions where applicable

7. Data Retention

We retain personal information only as long as necessary:

Data TypeRetention Period
Account informationDuration of account + 30 days after deletion
Usage logs90 days (anonymized thereafter)
Support communications2 years
Payment records7 years (legal requirement)
Security logs1 year

For data we process on behalf of customers, retention is determined by the customer’s instructions and our Data Processing Agreement.


8. Your Rights

8.1 Rights Under GDPR/UK GDPR

If you are in the UK or EEA, you have the right to:

  • Access your personal information
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”)
  • Restrict processing in certain circumstances
  • Data portability (receive your data in a portable format)
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with a supervisory authority

UK Supervisory Authority: Information Commissioner’s Office (ICO) ico.org.uk

8.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Delete your personal information
  • Opt out of the sale or sharing of personal information (we do not sell data)
  • Non-discrimination for exercising your rights
  • Correct inaccurate personal information
  • Limit use of sensitive personal information

To exercise these rights, contact us at privacy@authpi.com.


9. Security

We implement industry-standard security measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Password hashing with Argon2id
  • Regular security assessments and penetration testing
  • Access controls and audit logging
  • Incident response procedures

While we take security seriously, no system is completely secure. We encourage you to use strong, unique passwords and enable multi-factor authentication.


10. Children’s Privacy

AuthPI Services are not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us immediately at privacy@authpi.com.


11. Cookies and Tracking

11.1 Essential Cookies Only

We use only essential cookies required for the Services to function:

  • Authentication session cookies
  • Security tokens (CSRF protection)

11.2 No Tracking Cookies

We do not use:

  • Advertising or marketing cookies
  • Third-party tracking pixels
  • Cross-site tracking technologies

11.3 Analytics

We use Cloudflare Web Analytics, which does not use cookies, does not track individuals, and does not collect personal information.


Our Website may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies.


13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy on our Website
  • Sending an email to your registered address (for material changes)
  • Updating the “Last Updated” date

Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.


14. Contact Us

For questions about this Privacy Policy or to exercise your rights:

Email: privacy@authpi.com

Mail: AuthPI Limited Attn: Privacy 71-75 Shelton Street London, United Kingdom

We aim to respond to all requests within 30 days (or sooner where required by law).