Last Updated: December 22, 2025

SecureAuth Privacy Policy

At SecureAuth, privacy is not just a feature—it's our fundamental commitment to you. This Privacy Policy explains how we collect, use, protect, and handle your information when you use our 2FA authenticator and password manager application ("SecureAuth," "the App," "our Service"). By using SecureAuth, you agree to the practices described in this policy.

1. Our Zero-Knowledge Architecture

1.1 What Zero-Knowledge Means

SecureAuth uses zero-knowledge encryption, which means:

• Your Master Password Never Leaves Your Device: Your master password is never transmitted to our servers or stored anywhere except on your local device in an encrypted format.
• Local Encryption Only: All data encryption and decryption happens exclusively on your device using your master password as the encryption key.
• We Cannot Access Your Data: Even if compelled by law, we cannot provide access to your encrypted data because we do not have the ability to decrypt it.
• No Backdoors: We do not build or maintain any backdoors into your encrypted data. There is no "master key" that can unlock your vault.
• Cloud Storage is Encrypted: If you enable cloud sync, only your encrypted data is transmitted and stored on our servers. The encryption keys never leave your device.

1.2 How It Works Technically

When you create your SecureAuth account, your master password is used to generate encryption keys through a process called key derivation using PBKDF2 with SHA-256. These keys are used to encrypt all your data with AES-256 encryption before it leaves your device. Your encrypted data can then be safely stored locally or synced to the cloud, but without your master password, the data is completely unreadable—even to us.

2. Information We Collect

2.1 Information You Provide and We Cannot Access

The following information is stored encrypted and we cannot access it:

• Master Password: Never transmitted or stored on our servers (stored only on your device in encrypted form)
• 2FA Codes and Secrets: TOTP secrets and generated codes are encrypted and inaccessible to us
• Passwords: All passwords stored in the password manager are encrypted locally before storage
• Vault Contents: Files, photos, documents, notes, and any other data stored in your secure vault
• Account Details: Usernames, website URLs, notes, and metadata associated with your saved accounts
• Custom Categories and Tags: Any organizational structure you create is encrypted

2.2 Minimal Technical Information We Collect

To provide and improve our Service, we collect very limited technical information that does not compromise your privacy:

• Email Address (Optional): Required only if you choose to enable cloud sync or account recovery options. We do not require an email address for local-only usage.
• Device Information: Operating system version, device model, and App version (for compatibility and bug fixing purposes only)
• Crash Reports: Anonymous crash logs that help us identify and fix technical issues. These do not contain any of your encrypted data.
• Encrypted Data Sync Metadata: When you enable cloud sync, we store metadata such as sync timestamps and data size (but not the contents of your data)

2.3 Information We Explicitly Do NOT Collect

Unlike many apps, SecureAuth does NOT collect:

• Analytics or usage tracking data
• Advertising identifiers
• Location data
• Contacts or address book information
• Behavioral tracking data
• Social media connections
• Any personally identifiable information beyond optional email
• Information about which services you use 2FA for
• Password strength or patterns
• Frequency of app usage

3. How We Use Your Information

3.1 Core Functionality

The minimal information we collect is used exclusively for:

• Providing the Service: Storing your encrypted data and enabling cloud sync if you choose to enable it
• Account Management: Managing your optional account if you create one for cloud sync
• Security: Protecting your account from unauthorized access and detecting unusual activity
• Technical Support: Responding to your support requests and troubleshooting technical issues
• Service Improvements: Fixing bugs and improving app performance based on anonymous crash reports

3.2 What We Never Do With Your Information

We will never:

• Sell your data to third parties
• Share your information with advertisers
• Use your data for marketing purposes
• Track your behavior across other apps or websites
• Serve you advertisements
• Build user profiles or analytics dashboards
• Attempt to decrypt or access your encrypted data

4. Data Storage and Security

4.1 Local Storage

By default, all your data is stored locally on your device in an encrypted database. The encryption key is derived from your master password, which means your data cannot be accessed without your master password—even if someone gains physical access to your device.

4.2 Cloud Sync (Optional)

If you enable cloud sync:

• Your encrypted data is transmitted securely over HTTPS/TLS to our servers
• Only the encrypted data is stored on our servers—we never receive unencrypted data
• Your encryption keys remain on your device and are never transmitted
• We use industry-leading cloud infrastructure (AWS/Google Cloud) with enterprise-grade security
• Data is replicated across multiple secure data centers for reliability
• You can disable cloud sync at any time and delete all cloud-stored data

4.3 Encryption Standards

SecureAuth uses the following industry-standard encryption:

• AES-256: Military-grade encryption for all stored data
• PBKDF2-SHA256: Key derivation function with 100,000+ iterations
• TLS 1.3: Latest secure transport protocol for all network communications
• RSA-2048: For secure key exchange when applicable
• Argon2: Modern password hashing algorithm for master password storage on device

4.4 Data Retention

• Local Data: Retained on your device until you delete the app or manually clear data
• Cloud Data: Retained until you disable cloud sync or delete your account
• Crash Reports: Retained for up to 90 days for debugging purposes, then automatically deleted
• Email Address: Retained until you delete your account
• Deleted Accounts: All data associated with deleted accounts is permanently removed within 30 days

5. Biometric Authentication

SecureAuth supports biometric authentication (Face ID, Touch ID, fingerprint) for convenient access to your vault. Important details about biometric security:

• Biometric data never leaves your device and is never transmitted to our servers
• We use Apple and Google's secure biometric APIs, which keep biometric data in secure hardware enclaves
• We do not store, collect, or have access to your biometric information
• Biometric authentication simply provides an alternative to entering your master password
• Your master password remains the primary authentication method

6. Third-Party Services

6.1 Services We Use

SecureAuth integrates with minimal third-party services, all chosen for their strong privacy practices:

• Cloud Storage (AWS/Google Cloud): For optional encrypted data sync. These providers only receive encrypted data.
• Crash Reporting: We may use privacy-focused crash reporting tools that collect only anonymous technical data about app crashes.
• App Store Services: Apple App Store and (future) Google Play Store for app distribution and in-app purchases.

6.2 No Analytics or Tracking Services

Unlike most apps, SecureAuth does NOT use:

• Google Analytics or similar analytics platforms
• Facebook SDK or social media tracking
• Advertisement networks
• Behavioral tracking services
• Third-party authentication services (OAuth providers)

7. Your Privacy Rights and Controls

7.1 Access and Control

You have complete control over your data:

• Export Your Data: Export all your vault data in encrypted or unencrypted format at any time
• Delete Your Data: Delete individual items, clear entire categories, or delete your entire vault
• Disable Cloud Sync: Stop cloud syncing and delete all cloud-stored data
• Delete Your Account: Permanently delete your account and all associated data from our servers
• Request Information: Contact us to request information about what data we have (minimal technical data only)

7.2 Account Deletion

To delete your account and all associated data:

1. Open SecureAuth and go to Settings → Account
2. Select "Delete Account"
3. Confirm deletion by entering your master password
4. All cloud-stored data will be permanently deleted within 30 days
5. Local data on your device will remain until you uninstall the app

8. Children's Privacy

SecureAuth is not intended for use by individuals under the age of 13 (or the minimum age in your jurisdiction). We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@secureauth.app, and we will promptly delete such information.

9. International Data Transfers

If you use cloud sync, your encrypted data may be transferred to and stored on servers in different countries where our cloud infrastructure providers operate. Because your data is encrypted with keys that only you possess, international transfer does not pose a privacy risk—your data remains unreadable regardless of where it's stored.

We implement appropriate safeguards for international transfers, including:

• Standard contractual clauses with our cloud providers
• End-to-end encryption that makes data location irrelevant to privacy
• Compliance with GDPR, CCPA, and other privacy regulations

10. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of what personal information we collect (email address and minimal technical data only)
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out of Sale: We do not sell personal information, so this does not apply
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise your CCPA rights, contact us at support@secureauth.app with "CCPA Request" in the subject line.

11. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

• Legal Basis for Processing: We process minimal data based on:
  • Your consent (for optional cloud sync)
  • Performance of our contract with you (providing the Service)
  • Legitimate interests (security and service improvement)
• Right of Access: Request a copy of your data (email and minimal technical metadata)
• Right to Rectification: Correct inaccurate information
• Right to Erasure: Request deletion of your data
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Export your data in a portable format
• Right to Object: Object to certain types of data processing
• Right to Lodge a Complaint: File a complaint with your local data protection authority

Contact us at support@secureauth.app with "GDPR Request" in the subject line to exercise these rights.

12. Security Measures

In addition to zero-knowledge encryption, we implement comprehensive security measures:

• Secure Infrastructure: Enterprise-grade cloud infrastructure with physical and digital security
• Regular Security Audits: Periodic third-party security audits of our infrastructure and code
• Secure Development: Security-first development practices and code review processes
• Incident Response: Rapid response procedures for any security incidents
• Employee Access Controls: Strict limits on employee access to any systems (employees cannot access encrypted user data)
• Penetration Testing: Regular testing to identify and fix vulnerabilities

13. Data Breach Notification

In the unlikely event of a data breach affecting our systems, we commit to:

• Promptly investigate and assess the scope of the breach
• Notify affected users within 72 hours of discovery
• Report the breach to relevant authorities as required by law
• Provide detailed information about what data may have been affected
• Take immediate steps to secure systems and prevent future breaches

Important Note: Because of our zero-knowledge architecture, even in the event of a server breach, your encrypted data would remain completely secure and unreadable without your master password.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes:

• We will update the "Last Updated" date at the top of this policy
• For material changes, we will notify you via email or in-app notification
• You will have the opportunity to review changes before they take effect
• Continued use of SecureAuth after changes are posted constitutes acceptance

We will never make changes that compromise our zero-knowledge architecture or reduce your privacy protections without explicit consent.

15. Master Password Recovery

Critical Information About Master Password Loss:

Due to our zero-knowledge architecture, we cannot recover, reset, or provide access to your account if you forget your master password. This is a security feature, not a limitation. If you lose your master password, you will permanently lose access to your encrypted data.

We strongly recommend:

• Choose a strong but memorable master password
• Write down your master password and store it in a secure physical location
• Set up account recovery options in the app (recovery kit, trusted contacts)
• Never share your master password with anyone
• Do not store your master password in plain text on your device

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your privacy rights, please contact us:

For data subject requests (access, deletion, correction, portability), please include:

• Your email address associated with your account (if applicable)
• Detailed description of your request
• Device information to help us locate any relevant technical data
• Your country/region of residence

17. Commitment to Privacy