GDPR & Data Protection Compliance
Last updated: 5 April 2026
Our Commitment
Authentifactor is committed to compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).
Data Controller
Authentifactor Ltd acts as a Data Controller for platform-level data (account, billing, usage) and as a Data Processor for tenant customer data (orders, addresses, preferences).
Lawful Basis for Processing
| Activity | Lawful Basis |
|---|---|
| Account creation & management | Contract |
| Payment processing | Contract |
| Usage billing | Contract |
| Platform analytics | Legitimate interest |
| Security monitoring | Legitimate interest |
| Marketing emails | Consent |
| Tax records | Legal obligation |
Your Rights
- Right of access — Request a copy of all data we hold about you
- Right to rectification — Correct inaccurate or incomplete data
- Right to erasure — Request deletion of your personal data
- Right to data portability — Receive data in machine-readable format (JSON)
- Right to restrict processing — Limit how we use your data
- Right to object — Object to processing based on legitimate interest
- Right not to be subject to automated decision-making
Data Subject Access Requests (DSAR)
To exercise your rights, email privacy@authentifactor.com. We will respond within 30 days.
Tenant merchants can also request data export or deletion via their admin dashboard at /admin/settings.
Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all sub-processors:
- Stripe Inc. (payments)
- Paystack (payments)
- Vercel Inc. (hosting)
- Google Cloud Platform (infrastructure)
- Neon Inc. (database)
International Transfers
Data may be transferred outside the UK/EU to the United States. We rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA) to ensure adequate protection.
Data Breach Notification
In the event of a personal data breach, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by Articles 33 and 34 of the UK GDPR.
CCPA (California)
- We do not sell personal information
- California residents may request disclosure of data collected and shared
- Right to opt-out of sale (not applicable — we do not sell data)
- Right to non-discrimination for exercising privacy rights
Contact & Supervisory Authority
Data Protection queries: privacy@authentifactor.com
Supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk
