Privacy Policy

Last updated: February 24, 2026

This Privacy Policy describes how UniAuth.ID (“we”, “us”, or “our”) collects, uses, and protects your personal information when you use our authentication platform and related services.

1. Information We Collect

Account information

When you create an account, we collect your email address, name (optional), phone number (optional), and a hashed version of your password. We never store plaintext passwords.

Authentication data

  • Session tokens and JWT claims
  • WebAuthn/passkey credential IDs and public keys
  • TOTP secrets (encrypted at rest)
  • OAuth tokens from connected providers (Google, GitHub)

Usage data

  • IP addresses and user agent strings (for security logging)
  • Login timestamps and session activity
  • Device type and approximate location (derived from IP)

Profile data

  • Profile picture (stored locally on our servers)
  • User preferences (language, timezone, notification settings)

2. How We Use Your Information

  • Authenticate you and manage your sessions
  • Provide multi-factor authentication services
  • Send security alerts and verification emails
  • Detect and prevent fraudulent or unauthorized access
  • Maintain audit logs for security and compliance
  • Improve our platform based on aggregate usage patterns

3. Data Sharing

We do not sell, rent, or trade your personal information. We share data only in these limited circumstances:

  • Service providers: Email delivery (SMTP), SMS delivery (Twilio) — only the minimum data required for the service
  • OAuth providers: When you choose to connect Google or GitHub, we exchange tokens per the OAuth 2.0 protocol
  • Legal requirements: When required by law, subpoena, or to protect our legal rights

4. Data Security

  • End-to-end encryption on all authentication payloads
  • Post-quantum cryptography (ML-KEM for key encapsulation, ML-DSA for digital signatures) protects against quantum computing threats
  • Passwords are hashed using bcrypt, which salts each hash and applies a configurable number of salt rounds (work factor)
  • All data transmitted over TLS 1.3
  • JWTs are signed with quantum-resistant keys and expire after 7 days
  • WebAuthn challenges use cryptographic random values
  • Zero-knowledge architecture — sensitive credentials are never accessible to our servers in plaintext
  • ML-based anomaly detection identifies suspicious login patterns in real time
  • Rate limiting and adaptive lockout protect against brute-force attacks
  • Sessions can be revoked individually or in bulk

5. Data Retention

We retain your account data for as long as your account is active. Activity logs are retained for up to 1 year. When you delete your account, all associated data is permanently removed within 30 days.

6. Your Rights

  • Access: Export all your data in JSON format from your account settings
  • Correction: Update your profile information at any time
  • Deletion: Delete your account and all associated data
  • Portability: Download a complete copy of your data

7. Cookies

We use a single essential cookie (auth_token) to maintain your authenticated session. It is httpOnly, secure in production, and expires after 7 days. We do not use tracking cookies or third-party analytics cookies. See our Cookie Policy for details.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a notice on our platform. Continued use of our services after changes constitutes acceptance.

9. Contact

If you have questions about this Privacy Policy or your data, contact us at [email protected].