Privacy Policy

Last updated: April 7, 2026

Overview

AuthFI ("we", "us", "our") operates the identity control plane at authfi.app. This policy explains how we collect, use, store, and protect your information when you use our platform.

The short version: Your data stays in the region you choose. We don't sell it. We don't share it. We don't use it for advertising. We use it only to provide and improve the service you're paying for.

What we collect

Account information

When you create an AuthFI account, we collect your email address, name, and company name. If you subscribe to a paid plan, we collect billing information through our payment processor (Stripe). We never store credit card numbers directly.

Tenant and user data

When you use AuthFI to manage identity for your application, we store the data you configure: users, groups, roles, permissions, SSO connections, organizations, and audit logs. This data belongs to you. We process it only to provide the AuthFI service.

Usage data

We collect anonymized usage metrics to improve the platform: API call counts, error rates, feature adoption. We do not track individual user behavior or sell this data.

Data residency

Every tenant is assigned a data region at creation. Your user data, tokens, and audit logs are stored exclusively in your chosen region:

  • United States — us-central1 (GCP)
  • European Union — europe-west1 (GCP)
  • India — asia-south1 (GCP)
  • Australia — australia-southeast1 (GCP)

Data is never transferred between regions without your explicit consent. Cloudflare edge nodes process requests globally for performance but do not store persistent data.

How we protect your data

  • Encryption at rest: AES-256 for all stored data
  • Encryption in transit: TLS 1.3 for all API connections
  • Per-tenant isolation: Each tenant gets its own RSA-2048 keypair for JWT signing
  • Access controls: Internal access to production data requires MFA and is fully audited
  • No shared keys: Zero static cloud credentials stored. All access via temporary federation tokens

Third-party services

We use the following third-party services to operate AuthFI:

  • Google Cloud Platform — infrastructure hosting and data storage
  • Cloudflare — edge network, DDoS protection, DNS routing
  • Stripe — payment processing
  • Ghost — blog content management

We do not share your tenant data with any third party for marketing, analytics, or advertising purposes.

Your rights

GDPR (EU residents)

If you're in the European Union, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Export your data in a machine-readable format
  • Object to processing
  • Withdraw consent at any time

Data deletion

You can delete your account and all associated data at any time from the AuthFI console. Deletion is permanent and takes effect within 30 days. Audit logs may be retained for up to 90 days for compliance purposes, after which they are permanently deleted.

Data export

You can export all your tenant data (users, groups, roles, permissions, audit logs) at any time via the AuthFI API or console.

Cookies

We use essential cookies only — session management and authentication state. We do not use tracking cookies, advertising cookies, or third-party analytics scripts.

Children's privacy

AuthFI is not directed at individuals under the age of 16. We do not knowingly collect personal information from children.

Changes to this policy

We may update this policy from time to time. We'll notify you of material changes via email or in-app notification at least 30 days before they take effect.

Contact us

For privacy-related questions or requests: