Privacy Policy
Last updated: July 2026
Two roles: your data and your users' data
auth.is handles two kinds of data with two different responsibilities. For your own account we act as a data controller. For the end users who authenticate through issuers you create, we act as a data processor — we process that data on your behalf, under your instructions, to run the identity service you configured.
What we collect about your account
- Account identity — the email address and name associated with the account you create when you connect the MCP and sign in.
- Configuration — the teams, issuers, clients, federation connections, and themes you create through the MCP.
- Operational records — audit entries for management actions, and basic logs needed to operate and secure the Service.
End-user data we process on your behalf
When you run an issuer, auth.is stores and processes the data required to authenticate your end users: their email and name, verification status, password credentials (stored only as an argon2id hash — never in plain text), passkey credentials, and links to any upstream identity providers they use to sign in. Each issuer has its own isolated user pool; the same email in two different issuers is two unrelated accounts. We process this data to provide the Service to you and do not use it for our own purposes.
Cookies and sessions
The Service uses cookies strictly to keep you (and your end users) signed in during an authentication session. These are functional session cookies scoped to the relevant issuer host, not advertising or cross-site tracking cookies.
Subprocessors
We rely on a small set of infrastructure providers to run the Service — for example hosting/compute, managed databases, and an email delivery provider for verification and notification messages. These subprocessors handle data only as needed to provide their service to us. We will maintain a current subprocessor list and provide advance notice of material changes as we formalize our data-processing terms for general availability.
Data retention
We keep account and configuration data for as long as your account is active. End-user data persists for the life of the issuer that owns it. When you delete a resource — or your account — the associated data is deleted or anonymized within a reasonable period, except where we must retain limited records to meet legal, security, or accounting obligations.
Your rights
Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. For your own account data, contact us and we will help. For end-user data we process on your behalf, requests are directed to you as the controller — we will assist you in responding.
Contact
Privacy questions or requests? Email [email protected].