Effective Date: 1/23/2025
1. Introduction
Welcome to SendAuth (“we,” “us,” or “our”). We provide a secure authentication and identity‑verification service that allows organizations to verify end‑users through passkey‑based and biometric‑based authentication linked to their mobile devices. This Privacy Policy explains how we collect, use, disclose, and protect personal information when individuals use our authentication services (the “Service”).
By accessing or using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
To authenticate and verify identity, SendAuth collects the minimum data necessary for secure operation.
2.1 Personal Information
Depending on how you interact with SendAuth, we may collect:
• Phone number or email address used for identity verification
• Device information, such as operating system, model, OS version, and device identifiers
• Account identifiers provided by the organization requesting authentication
• User contact metadata, such as inbound phone number, email headers, timestamps, and routing data
2.2 Authentication‑Related Information
During enrollment and authentication:
• Passkey registration data (public keys, attestation metadata)
• Biometric verification signals (pass/fail only — we never receive or store biometric templates)
• FIDO/WebAuthn protocol data, including challenge/response payloads
• Risk and integrity data, such as device trust flags, IP address, region, and fraud indicators
We collect usage information, which may include:
• Time, date, and status of authentication attempts
• Interaction logs within the authentication flow
• Error logs and diagnostic data for troubleshooting
• Browser or client metadata (if applicable)
If accessing our web-based authentication pages, we may use cookies or similar technologies to:
• Maintain session integrity
• Prevent fraud
• Improve user experience
You may disable cookies through your browser, but authentication may not work without them.
3. How We Use Your Information
• Authenticate users through passkeys, biometrics, and device-based verification
• Verify identity for inbound phone or email requests
• Prevent fraud, spoofing, and unauthorized access
• Communicate authentication outcomes to the organization requesting verification
• Improve service performance, reliability, and security
• Comply with legal or regulatory requirements
• Provide customer support and respond to inquiries
SendAuth does not sell personal information to third parties.
4. Legal Basis for Processing (GDPR)
For users in the EU/UK, SendAuth processes information under the following legal bases:
• Legitimate interest (secure authentication and fraud prevention)
• Performance of a contract (providing Services to our customers)
• Compliance with legal obligations
Where required, SendAuth relies on consent for specific optional features.
5. How We Share Your Information
5.1 Your Service Provider / Organization
Since SendAuth authenticates users on behalf of another entity, we share:
• Authentication success/failure
• Device trust indicators
• Metadata necessary to confirm identity
5.2 Third‑Party Subprocessors
We may use trusted infrastructure or communication vendors (e.g., cloud hosting, SMS/email providers). These vendors:
• Are contractually restricted from using data for their own purposes
• Must meet strict security requirements
A current list of subprocessors is available upon request.
5.3 Compliance with Law
We may disclose information when required by:
• Law enforcement
• Regulatory bodies
• Legal processes
We will challenge overbroad or inappropriate requests whenever legally possible.
6. Data Retention
SendAuth retains data only for as long as necessary to:
• Provide authentication services
• Meet audit, fraud-prevention, and legal requirements
• Support contractual obligations with our customers
Authentication logs may be retained for security and audit purposes but can be minimized or anonymized at a customer’s request.
7. Security of Your Information
We implement industry-leading measures to protect data:
• End-to-end encryption of authentication transactions
• Encryption at rest (AES-256 or stronger)
• Zero-knowledge design: we never store passwords or biometric templates
• Hardware-backed keys on supported devices
• Strict least-privilege access controls
• Continuous monitoring and incident response procedures
• Regular penetration tests and third-party audits
Authentication secrets (private keys, biometrics) never leave the user’s device.
8. Children’s Privacy
SendAuth does not knowingly collect or process information from children under 13 years old (or the minimum age required by applicable law). If a child must authenticate, their controlling organization is responsible for obtaining appropriate consent.
9. International Transfers
SendAuth may process information globally. When transferring data internationally, we use:
• Standard Contractual Clauses (SCCs)
• Adequate safeguards required by GDPR and other regulations
Depending on your location, you may have rights to:
• Access the personal information we process about you
• Request deletion
• Correct inaccurate data
• Opt out of certain processing
• Obtain a copy of your data (“data portability”)
SendAuth may redirect these requests to the organization that requested authentication, as we act primarily as a Data Processor.
11. Third‑Party Links
Our web-based authentication pages may link to third‑party sites or services. SendAuth is not responsible for their privacy practices.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically. The updated version will include a new “Effective Date.” Continued use of the Service constitutes acceptance of the revised Policy.
If you have questions about this Privacy Policy or SendAuth’s privacy practices, contact us at: