Privacy Policy

Effective 2026-04-29. We're a UK-based data controller for the limited personal data we hold.

What we hold about you

A blinded hash of your email address, your WebAuthn public key, an encrypted master record (which we cannot decrypt), session tokens, and a minimal audit log. We never store your email address in plaintext anywhere.

What we hold about your documents

In end-to-end-encryption mode: ciphertext only. Even if compelled, we cannot produce a readable document. In standard mode: AES-256-GCM ciphertext plus a wrapped key we can unwrap to support the service. We do not read documents except where required to deliver the service or required by law.

What we never collect

IP-based behavioural tracking. Cross-site cookies. Marketing pixels. Heatmaps. Session recordings. Any third-party analytics that fingerprints you. We use first-party server logs (retained 14 days) for operational troubleshooting only.

Sub-processors

A small fixed list, named at /security: our hosting provider, our transactional email provider, and our trusted timestamp authority for sealed documents. We will email account-holders before adding any new sub-processor.

Your rights

You can export your account data, request deletion, or correct inaccurate records by emailing privacy@authii.com. We respond within thirty days. Sealed documents are excluded from deletion requests because they encode legal facts other parties may rely upon — but we will redact your personal data from our copy on request.

International transfers

We host in the United Kingdom by default. Enterprise customers can request EU or US-only residency. We do not transfer personal data outside the contracted region.

Cookies

We set one cookie: an HttpOnly, SameSite=Strict session cookie. No tracking cookies. No consent banner needed.

Contact

Privacy questions: privacy@authii.com. Data Protection Officer reachable at the same address.