Privacy Policy

Last updated: July 2026

1. Who we are

AuthLayer is operated by Xegen Ltd, registered in Scotland (company number SC745778). When we say "we", "us", or "our" we mean Xegen Ltd.

2. What data we collect

We collect the minimum data needed to provide secure authentication services:

  • Account data — name, email address, hashed password
  • Organisation data — organisation name, membership roles
  • OAuth data — registered applications, issued tokens (encrypted/hashed)
  • Usage data — login timestamps, IP addresses for security monitoring

3. How we use your data

Your data is used exclusively to provide authentication services, enforce security policies, and communicate account-related information. We do not sell or share personal data with third parties for marketing purposes.

4. Data retention

Account data is retained while your account is active. Expired tokens are automatically purged. You may request account deletion at any time by contacting us.

5. Security

Passwords are hashed using industry-standard algorithms. All data is transmitted over HTTPS. Access tokens are short-lived and refresh tokens are rotated on use.

6. Your rights

Under GDPR, you have the right to access, rectify, or delete your personal data. Contact privacy@authlayer.app to exercise these rights.

7. Contact

For privacy enquiries, email privacy@authlayer.app.