SnapAuth Privacy Policy
Last updated 2024-04-30 — Draft Version
SnapAuth is designed from the ground up to protect the privacy of you and your users. We collect and store only the minimum amount of data to provide our service, and the vast majority of it is not personalized. In general, if you don't directly and intentionally send it to us, we do not collect it.
Terminology
- Us, we, our: SnapAuth — the website, and services and APIs it offers.
- You, your site, your app, your organization: An entity which has signed up for and uses SnapAuth services. This includes both free and paid usage unless otherwise stated. This can be a person or legal entity, or person acting on behalf of same.
- Users, your users, end-users: Persons or customers of your site. SnapAuth has no direct relation with your users, but acts as a custodian of some of your users' data in order to offer our services.
Data we DON'T collect
- Users' real names, email addresses, phone numbers, physical addresses, physical locations, or payment information.
- Biometric data of any kind.
- Private encryption keys.
Data we collect, and why
Personal Data
From you:
- Your email address. This is used to contact you about important account updates, such as providing payment receipts.
- Domain name(s) on which you integrate SnapAuth. This is necessary since SnapAuth is based on WebAuthn, which is domain-specific.
From your users:
- Like any internet service, we have access to information such as IP addresses and user agent strings through processing network requests. We do not store this information.
Non-personal data
From you:
- Identifiers and, optionally, handles for your users. We send these values back to you to provide you information about who is authenticating.
  Note: We strongly discourage sending any kind of PII in either of these fields. We treat them as opaque identifiers, and recommend obfuscating sensitive information.
- Basic information about usage of our sites and tools. See Website Analytics, below.
From your users:
- WebAuthn credential data. This contains:
  - A public encryption key.
  - Information about whether the key can be and is backed up.
  - Sometimes, attestation information about the device or processing system that manages the user’s encryption keys.
- Authentication history on your site. This is used only for billing purposes.
Data we share, and why
We do not voluntarily share any end-user data with anyone. If served with a subpoena or other court order, we will provide the minimum amount of data to legally comply. Our system is designed to avoid the collection of any user-identifying data.
Payments
As SnapAuth is a paid service, we need to collect contact and payment information from you or someone in your organization, and provide it to our payment processor, Stripe. We do not handle or store payment card information; this is handled directly by Stripe.
We provide you important account updates through email; in order to do so, your email address is shared with our email provider, SendGrid. We have disabled open and click tracking.
We will never attempt to directly contact your users.
Operational Telemetry
In order to monitor our service, we provide certain non-personal telemetry to third parties. This includes data like resource usage, request rates, and aggregate usage information. This contains no user data.
Website Analytics
As of this document’s last update date, we use client-facing analytics from Plausible Analytics. Plausible is a privacy-friendly analytics tool; see their data policy for what is collected and how it remains private. In short, measurements are anonymous, do not collect or retain PII, and do not follow you across the internet.
We don't want to know who you are or where else you're browsing. All we want to understand are things like “is a marketing campaign effective” or “is our website behaving as expected”.
We do not and will not run or install analytics on your site or application through integrating with SnapAuth.
How we protect your data
For more details, see our Security Policies.
- SnapAuth runs over HTTPS, and will reject insecure connections. This ensures that data is always encrypted in transit.
- Our database systems are encrypted at rest, and connections to them are also encrypted. Connections require an allowlisted IP address.
- Our infrastructure has a deeply-integrated fail-secure permissions system which rejects requests that fail to match an allowlist. In short: our APIs are automatically tested to enforce permissions, so we would be alerted in development if a permission check is missing or incorrect.
- We have added safeguards to our APIs to ensure that use of our service does not reveal whether someone has an account on your website or application.
Our servers are geographically located within the US. By integrating with our service, your end-users will make direct connections to our APIs. This means data could cross international boundaries.
Contacting us
If you have a question or concern about our privacy policy, please contact us and we will get back to you as soon as possible.