Privacy Policy

Last updated: March 2025

Authara is a local-first application. Your vault is stored exclusively on your device, encrypted with keys that never leave it. This policy explains exactly what data we collect, why, and how — and in most cases, the answer is: we don't.

1. Data we do not collect

  • Your TOTP secrets or authenticator accounts
  • Your recovery codes
  • Your PIN, password, or biometric data
  • Your vault contents, in any form
  • Crash logs or analytics (we have no analytics SDK)
  • Device identifiers or advertising IDs
  • Location data

2. Data stored on your device only

All vault data — TOTP secrets, recovery codes, account labels, and associated metadata — is stored locally on your device in AES-256-GCM encrypted form. The encryption key is derived from your PIN using Argon2id and is never transmitted anywhere. Authara has no servers that receive vault data, and no capability to decrypt or access your vault even if we wanted to.

3. What happens when you use the email sign-up form

The early-access sign-up form on authara.app collects your email address via Formspree, a third-party form service. This email is stored by Formspree and used only to notify you when Authara launches. It is not shared with any other third party, sold, or used for marketing beyond launch notification. You can request deletion at any time by emailing hello@authara.app.

Formspree's privacy policy is available at formspree.io/legal/privacy-policy.

4. App Store analytics

Apple and Google collect standard platform-level metrics (install counts, crash reports, App Store impressions) under their own privacy policies. We receive aggregated, anonymised summaries and have no access to any individually identifiable data from these systems.

5. Clipboard access

When you tap to copy a TOTP code, Authara writes to your device clipboard. The clipboard is cleared automatically after 60 seconds to minimise exposure. Authara does not read from the clipboard at any point.

6. Biometrics (Face ID / fingerprint)

Biometric authentication is handled entirely by the operating system (iOS LocalAuthentication framework / Android BiometricPrompt). Authara never receives or stores biometric data. The OS returns only a boolean pass/fail result.

7. Children

Authara is not directed at children under 13 and does not knowingly collect personal data from anyone in that age group.

8. Changes to this policy

If we make material changes to this policy, we will update the date at the top of this page and, where appropriate, notify users via the app or email.

9. Contact

Questions about this policy or requests to delete your email from our early-access list: hello@authara.app