Privacy Policy

Last updated: March 7, 2026

1. Introduction

Zauthy, Inc. ("Zauthy," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our authentication, identity verification, and fraud prevention services (the "Services").

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, organization name, and payment information (processed securely through our payment provider).

2.2 Authentication Data

We process authentication credentials (hashed passwords, TOTP secrets, passkey public keys), session tokens, and login metadata (IP address, device information, timestamps) to provide our authentication services.

2.3 Identity Verification Data

For KYC services, we process identity documents (passport, driver's license, national ID), selfie images for face matching, liveness detection data, and extracted document information (name, date of birth, document number). This data is processed on behalf of our customers and is subject to the retention schedule in Section 4.

2.4 Security and Device Data

We collect device fingerprints, geolocation data (IP-based), browser information, and behavioral signals for fraud prevention and security purposes.

2.5 Usage Data

We collect API usage metrics, dashboard interactions, and feature usage patterns to improve our Services.

3. How We Use Your Information

  • Providing and maintaining our authentication and identity verification services
  • Processing and verifying identity documents
  • Detecting and preventing fraud, abuse, and security threats
  • Managing your account and processing payments
  • Sending transactional communications (security alerts, verification results, account updates)
  • Improving our Services, including model training for document recognition and liveness detection
  • Complying with legal obligations and regulatory requirements

4. Data Retention

We retain data according to the following schedule:

  • Account data: Retained while your account is active, deleted 30 days after account closure
  • Authentication logs: Retained for 90 days for security and audit purposes
  • KYC verification data: Identity documents are deleted within 30 days of verification completion. Verification results (pass/fail, risk scores) are retained for the duration of your subscription
  • Biometric data: Face embeddings and liveness data are deleted immediately after verification processing
  • Security logs: Retained for 1 year for threat detection and compliance

5. Data Sharing and Disclosure

We do not sell your personal information. We may share data with:

  • Service providers: Cloud infrastructure (encrypted at rest and in transit), payment processors, email delivery services
  • Our customers: Verification results and authentication events are shared with the organization that initiated the verification
  • Legal authorities: When required by law, court order, or regulatory requirement
  • Business transfers: In connection with a merger, acquisition, or sale of assets

6. Data Security

We implement industry-standard security measures including AES-256 encryption at rest, TLS 1.3 for data in transit, regular security audits, a SOC 2 Type II attestation, role-based access controls, and automated threat detection. Passwords are hashed using bcrypt with appropriate work factors. API keys and webhook secrets are generated using cryptographically secure random number generators.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete personal data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction: Restrict the processing of your personal data
  • Objection: Object to the processing of your personal data

To exercise these rights, contact us at privacy@zauthy.com.

8. GDPR Compliance

For users in the European Economic Area, we process personal data as both a data controller (for account management) and a data processor (for identity verification on behalf of our customers). Our legal bases for processing include contract performance, legitimate interests (security, fraud prevention), and legal obligations. For KYC processing, our customers are the data controllers and are responsible for establishing an appropriate legal basis with their end users, including explicit consent where biometric data such as face matching is processed.

9. Cookies

We use essential cookies for authentication sessions and security (CSRF protection). We do not use tracking cookies or third-party advertising cookies. Session cookies expire when you close your browser or after a defined inactivity period.

10. Children's Privacy

Our Services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or through the dashboard at least 30 days before changes take effect. The "Last updated" date at the top indicates when this policy was last revised.

12. Contact Us

For privacy-related questions or to exercise your data rights, contact us at privacy@zauthy.com.