# Thauth Privacy Policy

_Last Updated: April 22, 2026_

This Privacy Policy explains how Thauth (“Thauth”, “we”, “us”, or “our”) collects, uses, and processes personal data in connection with the Thauth platform, APIs, and related services (the “Service”).

This Policy applies to:
- Visitors to our website
- Users of the Thauth dashboard
- Customers integrating with our APIs

---

## 1. Roles and Scope

Depending on context, Thauth acts as:

- **Data Controller** for personal data related to:
  - Account registration
  - Billing and communications
  - Website usage

- **Data Processor** for personal data included in Customer Data processed through the Service.

Customers are responsible for ensuring they have a lawful basis to process any personal data submitted to the Service.

---

## 2. Categories of Personal Data

### 2.1 Account and Identity Data
- Name
- Email address
- Authentication credentials (hashed passwords, tokens)
- Account identifiers

### 2.2 Customer Data (Processed on Behalf of Customers)
- Subject identifiers (e.g., user IDs, emails, or other identifiers)
- Authorization data (roles, permissions, assignments, overrides)
- Request metadata associated with authorization checks

Thauth does not independently determine the purpose of processing Customer Data.

### 2.3 Technical and Usage Data
- IP address
- Device and browser information
- Log data (requests, errors, timestamps)
- API usage metrics

### 2.4 Communication Data
- Support requests
- Email communications

## 3. Purposes of Processing

We process personal data for the following purposes:

### 3.1 Service Provision
- Operating and maintaining the Service
- Processing authorization requests
- Managing accounts and authentication

### 3.2 Security and Integrity
- Detecting fraud, abuse, or unauthorized activity
- Monitoring system performance
- Investigating incidents

### 3.3 Improvement and Analytics
- Understanding usage patterns
- Improving system performance and reliability

### 3.4 Billing and Administration
- Processing payments via Polar
- Managing subscriptions and invoices

### 3.5 Communications
- Sending transactional emails (via Resend)
- Responding to inquiries

---

## 4. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on:

- **Contract Performance** (Art. 6(1)(b)):
  To provide the Service

- **Legitimate Interests** (Art. 6(1)(f)):
  - Security and fraud prevention
  - Service improvement
  - System monitoring

- **Legal Obligations** (Art. 6(1)(c)):
  Compliance with applicable laws

---

## 5. Data Sharing and Subprocessors

We may share data with trusted subprocessors:

### Current Subprocessors
- **Contabo** — infrastructure hosting
- **Polar** — payment processing (Merchant of Record)
- **Resend** — transactional email delivery

Subprocessors are contractually bound to protect personal data.

---

## 6. International Data Transfers

Personal data may be processed in countries outside the European Economic Area (EEA).

Where required, we implement safeguards such as:
- Standard Contractual Clauses (SCCs)
- Equivalent legal mechanisms

---

## 7. Data Retention

We retain personal data:

- For as long as necessary to provide the Service
- As required to comply with legal obligations
- For security and audit purposes (logs)

Customer Data is retained according to:
- Customer instructions
- Contractual obligations

---

## 8. Data Subject Rights

Where applicable, individuals have the right to:

- Access personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase data (“right to be forgotten”, Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)

Requests should be directed to:

📧 **legal@thauth.dev**

For Customer Data, requests should be directed to the Customer (data controller).

---

## 9. Security Measures

We implement appropriate technical and organizational measures, including:

- Access controls
- Authentication and session management
- Logging and monitoring
- Infrastructure isolation

However, no system is completely secure.

---

## 10. Cookies and Tracking

We may use limited cookies or similar technologies for:

- Authentication
- Session management
- Security purposes

We do not use tracking cookies for advertising purposes.

---

## 11. Children’s Data

The Service is not intended for individuals under the age of 16.

We do not knowingly collect personal data from children.

---

## 12. Changes to this Policy

We may update this Privacy Policy from time to time.

Material changes will be communicated where appropriate.

---

## 13. Contact

For questions or requests:

📧 **legal@thauth.dev**

---

## 14. Supervisory Authority (EU Users)

If you are located in the EU, you have the right to lodge a complaint with your local data protection authority.
