Privacy Policy

Last updated: February 2026

At ZewstID, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our authentication platform and related services.

1. Information We Collect

We collect information necessary to provide secure authentication services. This includes:

  • Account information -- your email address and display name provided during registration.
  • Authentication events -- records of sign-in attempts, authentication method used, and session activity.
  • IP addresses -- collected for security monitoring, brute-force protection, and fraud detection.
  • Usage analytics -- aggregated data about how you interact with ZewstID services, including page views and feature usage.
  • Device information -- browser type, operating system, and device identifiers used for session management.

2. How We Use Your Data

Your data is used exclusively to operate and improve our authentication services:

  • Authentication services -- processing sign-in requests, issuing tokens, and managing user sessions across integrated applications.
  • Security monitoring -- detecting suspicious activity, preventing unauthorized access, and enforcing brute-force protection.
  • Analytics -- providing developers with aggregated authentication metrics and usage insights through the admin dashboard.
  • Service improvement -- identifying performance bottlenecks, improving reliability, and developing new features.
  • Communication -- sending transactional emails such as magic links, OTP codes, and account notifications.

3. Data Storage & Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted at rest and in transit using AES-256 and TLS 1.2+ respectively.
  • Infrastructure is hosted on secure, managed cloud services with regular security audits and penetration testing.
  • Access to production systems is restricted through role-based access controls, SSH key authentication, and multi-factor authentication for all staff.
  • Passwords are never stored in plain text -- they are hashed using modern, salted hashing algorithms provided by our identity provider.
  • All API endpoints are protected by rate limiting, CSRF protection, and Content Security Policy headers.

4. Data Retention

We retain your data only as long as necessary to provide our services:

  • Account data is retained for as long as your account is active and deleted upon account deletion request.
  • Audit logs (sign-in events, security events) are retained for 90 days by default.
  • Retention is configurable -- enterprise customers can adjust log retention periods to meet their compliance requirements.
  • When an account is deleted, all associated personal data is permanently removed within 30 days, except where retention is required by law.

5. Third-Party Services

We minimize third-party data sharing. The services we use include:

  • Stripe -- for payment processing and billing. Stripe handles payment card data directly and is PCI DSS Level 1 certified. We do not store your credit card information on our servers.
  • ZewstID Identity Provider -- our identity engine that handles all authentication and token issuance. It runs on our own infrastructure and data does not leave our systems.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

6. Your Rights

You have the following rights regarding your personal data:

  • Access -- request a copy of the personal data we hold about you.
  • Correction -- request corrections to any inaccurate or incomplete personal data.
  • Deletion -- request deletion of your account and associated personal data.
  • Data export -- download your data in a portable, machine-readable format.
  • Opt-out of marketing -- unsubscribe from promotional communications at any time. Transactional emails (such as OTP codes and security alerts) are not affected.

To exercise any of these rights, contact us at [email protected]. We will respond to your request within 30 days.

7. Cookies

ZewstID uses cookies strictly for functional purposes:

  • Session cookies -- used to maintain your authenticated session and enable single sign-on across integrated applications. These are httpOnly, secure cookies that cannot be accessed by JavaScript.
  • CSRF tokens -- used to protect against cross-site request forgery attacks.

We do not use third-party tracking cookies. We do not use cookies for advertising or behavioral profiling.

8. Children's Privacy

ZewstID is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe that a child under 13 has provided personal data to us, please contact us at [email protected] and we will take steps to delete such information promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. For material changes, we will notify you via the email address associated with your account at least 30 days before the changes take effect. We encourage you to review this page periodically to stay informed about how we protect your data.

10. Contact

If you have questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us: