Privacy Policy

Last updated: May 16, 2026

Template notice. This document is provided for transparency and is a working baseline appropriate for a SaaS product in beta. It is not legal advice. Consult qualified counsel before relying on it for a regulated production deployment. Customer-specific contracts (MSA, DPA, BAA) supersede the public-facing terms below.

1. Who we are

This Privacy Policy describes how Authio, Inc. (“Authio”, “we”, “us”) processes personal data when you use our authentication platform (the “Service”) or visit our websites. For data you submit on behalf of your end users, you are the data controller and Authio is the data processor; our Data Processing Addendum governs that relationship and is available on request.

2. What we collect

Account data. Name, work email, organization name, role, and account-level preferences you provide when you create a dashboard account or invite team members.

Authentication identifiers (from your end users). Email address, phone number (for SMS magic links), federated identity subject (e.g. Google sub claim), public WebAuthn credential identifiers, and any custom identifier you submit via the management API.

Session and device metadata. Session creation and revocation timestamps, IP address, user agent string, coarse-grained geolocation (country / region from IP), device fingerprint hash, and per-session risk signals used by the adaptive risk engine.

Audit events. Records of state-changing actions: sign-ins, sign-outs, membership changes, role grants, SSO setup, recovery flow events, webhook deliveries, admin actions in your project. Audit events include the actor, the target, the action, and a minimal context payload.

Billing data. If you upgrade to a paid plan we collect billing contact information, payment method tokens (handled by Stripe; we do not store full card numbers), and invoice records.

Website telemetry. When you visit our marketing and documentation sites we collect basic analytics (page views, referrers, screen size) using first-party cookies and server-side aggregation. We do not run third-party advertising trackers.

3. Why we collect it

We process personal data to deliver the Service to you and your end users (contract performance), to secure the Service (legitimate interest in preventing fraud, abuse, and unauthorized access), to operate billing (contract performance), to comply with legal obligations (tax, audit retention), and to improve the Service (legitimate interest). Where required by law (GDPR Art. 6, UK GDPR, CCPA, LGPD) we rely on the appropriate lawful basis listed.

4. How long we keep it

Account data: for the life of your account plus a reasonable post-termination window for tax and audit purposes (typically 7 years for invoice records).

Authentication identifiers: for the life of the corresponding user record in your project, plus 30 days after deletion to allow recovery, before tombstoning.

Sessions: until revoked, expired, or replaced by refresh-token rotation.

Audit events: default 90 days; configurable up to 7 years on Enterprise. Stream-out to your own SIEM is available for long-term retention you control.

Backups: retained on a 30-day rolling basis; deleted data persists in backups for that window.

5. Sub-processors

We use the following sub-processors to operate the Service. The list is current as of the date above and may be updated; you can subscribe to changes via the dashboard.

  • Railway — application hosting and managed Postgres / Redis. United States by default; EU on request.
  • Amazon Web Services (AWS) — KMS, S3, SES, Secrets Manager. Region selected per project.
  • Cloudflare — edge networking, DDoS mitigation, and (where you opt in) custom-domain TLS via Cloudflare for SaaS.
  • Stripe — payment processing for paid plans. Payment card data is handled by Stripe under PCI DSS.
  • Twilio — SMS magic-link delivery, only for projects that have enabled SMS as an auth channel.
  • ClickHouse Cloud — audit-analytics warehousing, only for projects on Growth or Enterprise tiers that have enabled it.

We will not engage a new sub-processor that processes Customer Data without first updating this list and giving you notice via the dashboard at least 30 days in advance for Enterprise customers, or via this page for self-serve plans.

6. Data residency

The default region for Customer Data is the United States (us-east-1). EU-tagged projects live entirely in eu-central-1 (Frankfurt). India-tagged projects live in ap-south-1. Australia-tagged projects live in ap-southeast-2. Residency tagging is a per-project setting; once set it cannot be changed without a planned migration. Cross-region replication is opt-in.

7. International transfers

When personal data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate under GDPR / UK GDPR / Swiss FADP, we rely on the EU Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and equivalent mechanisms. These are incorporated into our DPA. We perform Transfer Impact Assessments for each new sub-processor.

8. Your rights

Under GDPR, UK GDPR, CCPA / CPRA, and similar laws you have rights including access, correction, deletion, portability, restriction, objection, and the right to withdraw consent. Where Authio is the controller (e.g. your dashboard account), you can exercise these rights by emailing privacy@authio.com. Where Authio is the processor (data about your end users), please contact the controller — typically the company whose product authenticated you. We will support our customers in responding to data-subject requests.

California residents may also exercise the “Do Not Sell or Share My Personal Information” right under CPRA. We do not sell or share personal information for cross-context behavioral advertising; this right is therefore non-operative for our Service, but we acknowledge it explicitly.

You have the right to lodge a complaint with your local supervisory authority.

9. Children's privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us and we will delete it promptly. Customers whose products are directed to children must comply with applicable child protection laws (e.g. COPPA, GDPR Art. 8) on their own — the Service is not designed for use as a child-directed identity provider.

10. Security

We maintain technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.2+), encryption at rest for managed databases, envelope encryption for sensitive secrets (ChaCha20-Poly1305), refresh-token rotation, rate limiting, role-based access control for our team, mandatory passkey authentication for our staff, and continuous evidence collection toward SOC 2 (pre-audit readiness; Type I targeted 2027-Q1). Full architecture is described on the Security page and the current compliance posture lives on the Compliance page.

11. Changes to this policy

We will post updates to this page and update the “Last updated” date at the top. Material changes will be announced via email to the project owner of record and via the dashboard at least 30 days in advance.

12. Contact

Privacy questions and data-subject requests: privacy@authio.com. EU representative and DPA execution requests: dpo@authio.com.