secauth.io — Privacy Policy

Effective Date: April 11, 2026 · Version 1.0

// Plain English Summary — We automatically collect device fingerprint signals (canvas, WebGL, audio, fonts, behavioral) at login and registration to identify devices and compute security risk scores. We collect account information you provide during registration. We do not sell your data, share it with advertisers, or use third-party analytics. All data is stored on a self-hosted server under our control. You can request deletion at any time.

1. Introduction

This Privacy Policy describes how secauth.io ("Platform," "we," "us," or "our"), operated by Alec Grogan, collects, uses, stores, and protects information about you when you use the Platform. This policy applies to all visitors and registered users of secauth.io.

By using the Platform, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Platform.

2. Information We Collect

We collect two categories of information:

A. Account Information (provided by you at registration)

Data	Purpose	Required
First & Last Name	Account identification and personalization	Yes
Username	Unique account identifier for login	Yes
Email Address	Account identification, future notifications	Yes
Phone Number	Account identification (US only)	Yes
Date of Birth	Identity data, age verification	Yes
Password	Authentication (stored as bcrypt hash, never plaintext)	Yes
TOTP Secret	Two-factor authentication (stored AES-256 encrypted)	Yes

B. Device & Behavioral Signals (collected automatically at login and registration)

Signal	What It Captures	Stored As
Canvas fingerprint	GPU/driver-specific pixel rendering differences	SHA-256 hash
WebGL renderer	Exact GPU model and vendor string	SHA-256 hash
AudioContext	CPU/audio hardware DSP output differences	SHA-256 hash
Font detection	List of installed system fonts	SHA-256 hash
Screen signals	Resolution, color depth, pixel ratio	SHA-256 hash
Navigator signals	CPU cores, memory, timezone, language, platform	SHA-256 hash
Storage signals	localStorage/sessionStorage/IndexedDB availability	SHA-256 hash
Mouse velocity	Average and peak pointer movement speed	Numeric metrics
Click patterns	Number of click events	Count
Scroll behavior	Depth and speed of page scrolling	Numeric metrics
Idle periods	Periods of inactivity	Count
Time on page	Duration of page visit at collection time	Seconds
IP address	Network origin, geolocation (country)	Raw + country code
User agent	Browser and OS identification string	Raw (truncated 512 chars)
Cloudflare headers	CF-Ray, threat score, bot score, country	Raw values

Important: Raw signal values (e.g., the actual canvas pixel data, the actual font list) are not stored. Only cryptographic hashes of these values are stored, making it impossible to reverse-engineer the original data from our database.

3. How We Use Your Information

We use collected information for the following purposes:

Device identification — assigning a persistent BFP_ID to your device so we can recognize it on return visits
Risk scoring — computing a security risk score (0-100) for each login attempt based on device signals, behavioral patterns, and network characteristics
Authentication decisions — determining whether to require additional verification (TOTP) based on risk score
Account security — detecting unauthorized access attempts, credential stuffing, and automated bot activity
Audit logging — maintaining a log of authentication events for security investigation purposes
Security research — improving the fingerprinting and risk scoring algorithms as a research and demonstration project

We do not use your information for advertising, marketing profiling, or any purpose other than those listed above.

4. Device Security Analysis

secauth.io automatically analyzes your device and browser characteristics when you log in or create an account. This analysis is performed as a necessary part of our authentication security process to verify your identity, detect unauthorized access attempts, and protect your account from fraud.

The following information is collected and analyzed during authentication:

Hardware signals: A cryptographic fingerprint of your device's graphics processing unit (GPU), audio hardware, and display characteristics. These signals are stored as one-way hashes and cannot be used to reconstruct the original values.

Browser signals: Your browser type and version, installed font set, screen resolution, color depth, language preferences, timezone, and available hardware resources (CPU cores, memory tier).

Network signals: Your IP address, approximate geographic location derived from your IP address, and connection characteristics provided by our CDN infrastructure.

Behavioral signals: Mouse movement patterns, scroll behavior, click timing, and time spent on the login page. These signals help distinguish human users from automated programs.

This information is used solely for authentication security purposes. It is not sold, shared with advertisers, or used for any purpose unrelated to protecting your account and preventing unauthorized access.

Lawful basis: This processing is carried out under our legitimate interest in maintaining the security of the platform and protecting users from unauthorized account access.

Retention: Device security profiles are retained for as long as you maintain an active account. If you close your account, device records associated with your account are deleted within 30 days.

Your rights (California residents): Under the California Consumer Privacy Act (CCPA), you have the right to know what personal information is collected about you, request deletion of your personal information, and not be discriminated against for exercising your privacy rights. To exercise these rights, contact us at the address below.

5. Data Storage and Security

All data is stored on a self-hosted server (Akamai cloud infrastructure) located in the United States. We employ the following security measures:

Passwords — bcrypt hashed with cost factor 12. Plaintext passwords are never stored or logged.
TOTP secrets — AES-256-CBC encrypted at rest using a key stored separately from the database.
Device signals — stored as SHA-256 hashes only. Raw signal values are not retained.
Sessions — JWT tokens stored in httpOnly, Secure cookies. Not accessible to JavaScript.
Transport — all traffic encrypted via TLS 1.2+.
Access control — database credentials use least-privilege roles. Admin access requires authentication.

While we implement reasonable security measures, no system is completely secure. We cannot guarantee the absolute security of your information.

6. Data Retention

Data Type	Retention Period
Account data	Until account deletion is requested
Device fingerprints	Up to 90 days of inactivity, then eligible for purge
Visit history per device	Capped at 50 most recent visits
Login audit logs	Up to 12 months
Expired session tokens	Automatically deleted via MongoDB TTL index

7. Third-Party Services

The Platform uses the following third-party services:

Cloudflare — CDN, DDoS protection, and bot detection. Cloudflare processes requests before they reach our server and provides threat intelligence headers. Cloudflare's privacy policy applies to their processing: cloudflare.com/privacypolicy
Cloudflare Turnstile — bot challenge widget used on login and registration forms. Turnstile verifies human presence without tracking cookies. Learn more
Google Fonts — font files served from Google's CDN. Google may log the request. See: Google Privacy Policy

We do not use Google Analytics, Facebook Pixel, advertising networks, or any other tracking or analytics services.

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

Access — request a copy of the data we hold about you
Correction — update inaccurate account information via your account settings
Deletion — request deletion of your account and associated data
Portability — request your data in a machine-readable format
Objection — object to certain types of processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Colorado Privacy Act (CPA) — If you are a Colorado resident, you have rights under the CPA including the right to opt out of the processing of personal data for targeted advertising (we do not conduct targeted advertising), and the right to appeal a refusal to act on a rights request.

9. Children's Privacy

The Platform is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately and we will take steps to delete that information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this document will reflect the most recent revision. Continued use of the Platform after any changes constitutes acceptance of the revised policy. Significant changes will be communicated via the Platform interface where possible.

11. Contact

For privacy-related inquiries, data requests, or concerns:
Alec Grogan
alecgrogan.com