Privacy Policy

We collect information you provide directly to us, including: • **Account Information**: Email address, name, and password when you create an account • **Device Information**: Device identifiers, operating system, and app version for authentication • **Authentication Data**: Timestamps and metadata for authentication requests (we never store your biometric data) • **Usage Information**: How you interact with our services to improve user experience • **Payment Information**: Processed securely through Stripe; we never store full card numbers

We use the information we collect to: • Provide, maintain, and improve our authentication services • Process authentication requests and verify your identity • Send push notifications for authentication approvals • Communicate with you about service updates and security alerts • Detect, investigate, and prevent fraudulent or unauthorized access • Comply with legal obligations and enforce our terms

We implement industry-standard security measures to protect your data: • **Encryption**: All data is encrypted in transit (TLS 1.3) and at rest (AES-256) • **Access Controls**: Strict access controls and audit logging for all data access • **Infrastructure**: Hosted on SOC 2 Type II certified infrastructure • **Key Management**: API keys are hashed using SHA-256 before storage • **Regular Audits**: Third-party security assessments conducted annually

We do not sell your personal information. We may share data with: • **Service Providers**: Third parties who assist in operating our services (hosting, analytics) • **Legal Requirements**: When required by law, court order, or government request • **Business Transfers**: In connection with a merger, acquisition, or sale of assets • **With Your Consent**: When you explicitly authorize sharing with third parties All third-party providers are contractually bound to protect your data.

We retain your data only as long as necessary: • **Account Data**: Retained while your account is active • **Authentication Logs**: Retained for 90 days (Pro) or as specified by your plan • **Deleted Accounts**: Personal data purged within 30 days of account deletion • **Legal Holds**: Some data may be retained longer if required by law You can request data deletion at any time through your account settings or by contacting us.

Depending on your location, you may have the right to: • **Access**: Request a copy of your personal data • **Correction**: Update or correct inaccurate information • **Deletion**: Request deletion of your personal data • **Portability**: Receive your data in a portable format • **Objection**: Object to certain processing of your data • **Restriction**: Request limited processing of your data To exercise these rights, contact us at privacy@affirmid.com.