Privacy Policy
This Privacy Policy describes how Authproof Cloud ("we," "us," or "our") collects, uses, and handles your information when you use our service at cloud.authproof.dev.
1. Information We Collect
We collect the following categories of information:
| Category | What we collect |
|---|---|
| Account information | Email address and hashed password (managed by Supabase Auth) |
| API usage data | Receipt count, plan type, last active timestamp, API key (stored as a random token) |
| Receipt data | Cryptographic hashes of authorization data, receipt metadata (timestamps, expiry, revocation status). We do not store the raw content of operator instructions or agent actions. |
| Verification events | Verification requests, decisions (allow/deny/review), risk scores, and reasons — associated with your account |
| Tool call audit logs | Tool name, hashed arguments and results, decision, risk score, session ID — if you use the tool call auditing feature |
| Billing information | Stripe customer ID and subscription status. We do not store payment card numbers — those are handled entirely by Stripe. |
We do not collect IP addresses, browser fingerprints, or behavioral tracking data beyond what is necessary to provide the Service.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Authenticate your identity and authorize API requests
- Enforce plan limits and process billing
- Send transactional emails (account creation, password reset, billing notifications)
- Respond to support requests
- Monitor for abuse and enforce our Terms of Service
- Improve the Service based on aggregate, anonymized usage patterns
We do not use your data for advertising, profiling, or sale to third parties.
3. Data Storage
Your data is stored on infrastructure provided by Supabase, hosted in the United States (AWS us-east-1 region). Data is encrypted at rest and in transit using industry-standard TLS.
API requests are served via Vercel's edge infrastructure. Vercel may process request metadata transiently but does not store your application data.
4. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law or legitimate business necessity (such as billing records).
Receipt hashes, verification events, and tool call logs are retained for the life of your account. You may export this data at any time using the audit export feature in your dashboard.
To request account deletion, email ryan@authproof.dev.
5. Third-Party Services
We use the following third-party services to operate Authproof Cloud:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Database, authentication, and file storage | supabase.com/privacy |
| Vercel | Hosting and serverless API infrastructure | vercel.com/legal/privacy-policy |
| Stripe | Payment processing and subscription billing | stripe.com/privacy |
| Resend | Transactional email delivery | resend.com/privacy |
We share only the minimum data necessary with each provider for the purpose of operating the Service.
6. Cookies
Authproof Cloud uses minimal session storage. Specifically:
- A session token stored in `localStorage` to keep you logged in to the dashboard
- Your API key, also stored in `localStorage` to authenticate API requests from the dashboard
We do not use third-party advertising cookies, analytics cookies, or cross-site tracking.
7. Your Rights
You have the right to:
- Access — request a copy of the data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and associated data
- Export — download your receipts and audit logs at any time from the dashboard
- Portability — receive your data in a machine-readable format (JSON or CSV) via the audit export feature
To exercise any of these rights, email ryan@authproof.dev. We will respond within 30 days.
8. Children
Authproof Cloud is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or by emailing the address associated with your account. The current version will always be available at cloud.authproof.dev/privacy.
Your continued use of the Service after notice of changes constitutes your acceptance of the updated policy.
10. Contact
If you have questions or concerns about this Privacy Policy or our data practices, please contact us at: