Privacy Policy
Last updated: July 2026
1. Who we are
AuthLayer is operated by Xegen Ltd, registered in Scotland (company number SC745778). When we say "we", "us", or "our" we mean Xegen Ltd.
2. What data we collect
We collect the minimum data needed to provide secure authentication services:
- Account data — name, email address, hashed password
- Organisation data — organisation name, membership roles
- OAuth data — registered applications, issued tokens (encrypted/hashed)
- Usage data — login timestamps, IP addresses for security monitoring
3. How we use your data
Your data is used exclusively to provide authentication services, enforce security policies, and communicate account-related information. We do not sell or share personal data with third parties for marketing purposes.
4. Data retention
Account data is retained while your account is active. Expired tokens are automatically purged. You may request account deletion at any time by contacting us.
5. Security
Passwords are hashed using industry-standard algorithms. All data is transmitted over HTTPS. Access tokens are short-lived and refresh tokens are rotated on use.
6. Your rights
Under GDPR, you have the right to access, rectify, or delete your personal data. Contact privacy@authlayer.app to exercise these rights.
7. Contact
For privacy enquiries, email privacy@authlayer.app.