secauth.io — Privacy Policy

Effective Date: April 11, 2026 · Version 1.0

// Plain English Summary — We collect device fingerprint signals (canvas, WebGL, audio, fonts, behavioral) to identify devices and compute security risk scores. We collect account information you provide during registration. We do not sell your data, share it with advertisers, or use third-party analytics. All data is stored on a self-hosted server under our control. You can request deletion at any time.

1. Introduction

This Privacy Policy describes how secauth.io ("Platform," "we," "us," or "our"), operated by Alec Grogan, collects, uses, stores, and protects information about you when you use the Platform. This policy applies to all visitors and registered users of secauth.io.

By using the Platform, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Platform.

2. Information We Collect

We collect two categories of information:

A. Account Information (provided by you at registration)

Data	Purpose	Required
First & Last Name	Account identification and personalization	Yes
Username	Unique account identifier for login	Yes
Email Address	Account identification, future notifications	Yes
Phone Number	Account identification (US only)	Yes
Date of Birth	Identity data, age verification	Yes
Password	Authentication (stored as bcrypt hash, never plaintext)	Yes
TOTP Secret	Two-factor authentication (stored AES-256 encrypted)	Yes

B. Device & Behavioral Signals (collected automatically with consent)

Signal	What It Captures	Stored As
Canvas fingerprint	GPU/driver-specific pixel rendering differences	SHA-256 hash
WebGL renderer	Exact GPU model and vendor string	SHA-256 hash
AudioContext	CPU/audio hardware DSP output differences	SHA-256 hash
Font detection	List of installed system fonts	SHA-256 hash
Screen signals	Resolution, color depth, pixel ratio	SHA-256 hash
Navigator signals	CPU cores, memory, timezone, language, platform	SHA-256 hash
Storage signals	localStorage/sessionStorage/IndexedDB availability	SHA-256 hash
Mouse velocity	Average and peak pointer movement speed	Numeric metrics
Click patterns	Number of click events	Count
Scroll behavior	Depth and speed of page scrolling	Numeric metrics
Idle periods	Periods of inactivity	Count
Time on page	Duration of page visit at collection time	Seconds
IP address	Network origin, geolocation (country)	Raw + country code
User agent	Browser and OS identification string	Raw (truncated 512 chars)
Cloudflare headers	CF-Ray, threat score, bot score, country	Raw values

Important: Raw signal values (e.g., the actual canvas pixel data, the actual font list) are not stored. Only cryptographic hashes of these values are stored, making it impossible to reverse-engineer the original data from our database.

3. How We Use Your Information

We use collected information for the following purposes:

Device identification — assigning a persistent BFP_ID to your device so we can recognize it on return visits
Risk scoring — computing a security risk score (0-100) for each login attempt based on device signals, behavioral patterns, and network characteristics
Authentication decisions — determining whether to require additional verification (TOTP) based on risk score
Account security — detecting unauthorized access attempts, credential stuffing, and automated bot activity
Audit logging — maintaining a log of authentication events for security investigation purposes
Security research — improving the fingerprinting and risk scoring algorithms as a research and demonstration project

We do not use your information for advertising, marketing profiling, or any purpose other than those listed above.

4. Consent for Device Fingerprinting

Device fingerprinting on the public-facing pages of the Platform is opt-in only. First-time visitors are presented with a consent banner that clearly describes what signals are collected and why. Fingerprinting only begins after you click "Accept."

By completing account registration, you provide explicit consent to device fingerprinting as part of the Platform's security infrastructure. This consent is logged with a timestamp and your IP address.

You may withdraw consent at any time by:

Clearing your browser's localStorage (removes the device token)
Requesting account deletion (removes all associated device records)
Contacting us to have specific device records purged

Note that withdrawing consent may affect the Platform's ability to recognize your device and may result in additional security challenges at login.

5. Data Storage and Security

All data is stored on a self-hosted server (Akamai cloud infrastructure) located in the United States. We employ the following security measures:

Passwords — bcrypt hashed with cost factor 12. Plaintext passwords are never stored or logged.
TOTP secrets — AES-256-CBC encrypted at rest using a key stored separately from the database.
Device signals — stored as SHA-256 hashes only. Raw signal values are not retained.
Sessions — JWT tokens stored in httpOnly, Secure cookies. Not accessible to JavaScript.
Transport — all traffic encrypted via TLS 1.2+.
Access control — database credentials use least-privilege roles. Admin access requires authentication.

While we implement reasonable security measures, no system is completely secure. We cannot guarantee the absolute security of your information.

6. Data Retention

Data Type	Retention Period
Account data	Until account deletion is requested
Device fingerprints	Up to 90 days of inactivity, then eligible for purge
Visit history per device	Capped at 50 most recent visits
Login audit logs	Up to 12 months
Consent records	Duration of account existence
Expired session tokens	Automatically deleted via MongoDB TTL index

7. Third-Party Services

The Platform uses the following third-party services:

Cloudflare — CDN, DDoS protection, and bot detection. Cloudflare processes requests before they reach our server and provides threat intelligence headers. Cloudflare's privacy policy applies to their processing: cloudflare.com/privacypolicy
Cloudflare Turnstile — bot challenge widget used on login and registration forms. Turnstile verifies human presence without tracking cookies. Learn more
Google Fonts — font files served from Google's CDN. Google may log the request. See: Google Privacy Policy

We do not use Google Analytics, Facebook Pixel, advertising networks, or any other tracking or analytics services.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access — request a copy of the data we hold about you
Correction — update inaccurate account information via your account settings
Deletion — request deletion of your account and associated data
Portability — request your data in a machine-readable format
Objection — object to certain types of processing
Withdrawal of consent — withdraw consent for device fingerprinting at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Colorado Privacy Act (CPA) — If you are a Colorado resident, you have rights under the CPA including the right to opt out of the processing of personal data for targeted advertising (we do not conduct targeted advertising), and the right to appeal a refusal to act on a rights request.

9. Children's Privacy

The Platform is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately and we will take steps to delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this document will reflect the most recent revision. Continued use of the Platform after any changes constitutes acceptance of the revised policy. Significant changes will be communicated via the Platform interface where possible.

11. Contact

For privacy-related inquiries, data requests, or concerns:
Alec Grogan
alecgrogan.com