CommonAUTH Privacy Policy
Effective Date: March 30, 2025
This Privacy Policy ("Policy") explains how QWYK iSoft, a dba of IWYNO Finworks LLC ("CommonAUTH," "we," "us," or "our"), collects, uses, discloses, and protects the personal information of users ("you" or "your") of our authentication and authorization services ("Service"). By using the Service, you agree to the practices described in this Policy. If you do not agree with this Policy, please do not use the Service.
1. Scope of This Policy
This Policy applies to all personal information we collect through the Service, including when you sign up, log in, use our authentication features, or interact with third-party Client Platforms integrated with CommonAUTH. It does not apply to information collected by third parties, including Client Platforms, unless otherwise stated.
2. Information We Collect
We may collect the following types of information:
A. Information You Provide Directly
- Account Information: When you create a CommonAUTH profile, we may collect your name, email address, phone number, and password (or other authentication credentials, such as social media login details).
- Optional Information: You may choose to provide additional information, such as preferences for authentication methods (e.g., OTP, social sign-in) or data anonymization settings.
B. Information Collected Automatically
- Usage Data: We may collect information about how you use the Service, such as IP address, device information (e.g., device type, operating system), browser type, and log data (e.g., dates and times of access).
- Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies to enhance your experience, analyze usage, and ensure security. You can manage cookie preferences through your browser settings.
C. Information from Third Parties
- Client Platforms: When you use a Client Platform integrated with CommonAUTH, they may share certain information with us (e.g., your user ID or authentication requests) to facilitate sign-in or sign-up.
- Social Media Providers: If you use social sign-in (e.g., Google, Facebook), we may receive information such as your name, email address, and profile picture, subject to your privacy settings with those providers.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and Improve the Service: To authenticate and authorize your access to Client Platforms, manage your account, and ensure the Service functions properly.
- Enhance Security: To detect and prevent fraud, unauthorized access, and other security threats.
- Personalization: To tailor your experience, such as suggesting preferred authentication methods or offering data anonymization options.
- Compliance and Legal Obligations: To comply with applicable laws, respond to legal processes, or enforce our Terms of Service.
- Analytics and Research: To analyze usage trends and improve the Service, ensuring it remains secure and user-friendly.
4. Data Sharing and Disclosure
We do not sell your personal information. However, we may share your information in the following circumstances:
A. With Client Platforms
- We share only the minimum necessary data required to authenticate and authorize your access to their platforms. For example, we may share a unique identifier or tokenized data, especially if you opt for data anonymization. We do not share sensitive personal information (e.g., passwords, social security numbers) unless required by law or explicitly authorized by you.
- Client Platforms are solely responsible for their own data practices and must comply with their own privacy policies and applicable laws. We are not liable for their handling of your data after it is shared.
B. With Service Providers
- We may engage third-party service providers (e.g., cloud hosting, analytics, security) to help operate the Service. These providers are contractually obligated to protect your data, use it only for the purposes we specify, and comply with applicable data protection laws. A list of our current service providers is available upon request.
C. For Legal Reasons
- We may disclose your information if required by law, to respond to subpoenas, court orders, or government requests, or to protect the rights, property, or safety of CommonAUTH, our users, or the public.
D. Business Transfers
- In the event of a merger, acquisition, or sale of all or part of our assets, your information may be transferred to the new owner. We will notify you before any such transfer and give you the opportunity to opt out.
5. Data Anonymization and Minimization
As part of our commitment to privacy, we offer optional data anonymization services. If you enable this feature, we will process your data in a way that removes personally identifiable information, ensuring that Client Platforms receive only the data necessary for authentication (e.g., a tokenized ID). You can manage these settings in your CommonAUTH account.
6. Data Security
We implement industry-standard physical, technical, and administrative safeguards to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption of data in transit and at rest using [specify protocol, e.g., AES-256, TLS 1.3].
- Regular security audits and penetration testing by third-party experts.
- Multi-factor authentication (MFA) for access to our systems.
- Firewalls, intrusion detection systems, and Secure Sockets Layer (SSL) technology.
No method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. However, we maintain cyber liability insurance and have a dedicated incident response plan to address any breaches promptly.
7. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
- Notify you and any affected regulatory authorities without undue delay (and no later than 72 hours after becoming aware of the breach), as required by applicable law.
- Provide details of the breach, the data affected, and the steps we are taking to mitigate harm.
- Cooperate with you and relevant authorities to address the incident.
8. Your Rights and Choices
Depending on your location and applicable laws, you may have the following rights regarding your personal information:
- Access: You can request a copy of the personal information we hold about you.
- Correction: You can update or correct inaccurate or incomplete information in your account.
- Deletion: You can request that we delete your personal information, subject to legal retention requirements.
- Restriction: You can request that we limit how we use your information.
- Portability: You may request a copy of your data in a structured, machine-readable format.
- Opt-Out: You can opt out of certain data processing activities, such as marketing communications (if applicable).
To exercise these rights, contact us at [email protected]. We will respond to your request within 30 days (or as required by law) and may require verification of your identity before fulfilling your request.
9. International Data Transfers
If you are located outside the United States, your information may be transferred to, stored, and processed in the U.S. or other countries where we or our service providers operate. These countries may have data protection laws that are different from those in your country. We ensure that such transfers comply with applicable laws, including using Standard Contractual Clauses (SCCs) or other mechanisms approved by data protection authorities.
10. Retention of Data
We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Account data: Up to 7 years after account closure, unless required longer by law for tax or audit purposes.
- Usage data: Up to 2 years for analytics and security purposes, after which it is anonymized or deleted.
- Log data: Up to 1 year for security monitoring, after which it is deleted.
If you delete your account, we will delete your data within a reasonable timeframe (typically 30 days), except where we are required to retain it by law.
11. Children’s Privacy
The Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it. If you believe we have inadvertently collected information from a child, please contact us immediately.
12. Consent and Changes to This Policy
By using the Service, you consent to the collection, use, and disclosure of your information as described in this Policy. We obtain your consent through clear affirmative actions (e.g., checking a box, clicking "I Agree") during sign-up or when enabling optional features.
We may update this Policy from time to time to reflect changes in our practices, legal requirements, or other factors. Any changes will be effective upon posting on our website or within the Service, and we will notify you of significant changes via email or a prominent notice at least 30 days in advance. Your continued use of the Service after such changes constitutes your acceptance of the new Policy.
13. Contact Us
If you have questions, concerns, or complaints about this Policy or our data practices, please contact us via the "Contact Us" section of the QWYK iSoft website.
You also have the right to lodge a complaint with a data protection authority in your jurisdiction.
14. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Client Platforms or social media providers). We are not responsible for the privacy practices or content of these third parties. We encourage you to review their privacy policies before providing any personal information.