Privacy Policy
Last updated: 5 April 2026
1. Introduction
Authentifactor Ltd ("we", "us", "our") operates the Authentifactor multi-tenant commerce platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform, including our website at authentifactor.com and all tenant storefronts powered by our infrastructure.
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act (CCPA).
2. Information We Collect
2.1 Personal Data
- Account information: name, email address, phone number, password (hashed)
- Billing information: processed by Stripe — we do not store full card numbers
- Order information: shipping address, order history, payment status
- Communications: emails, support requests, feedback
2.2 Usage Data
- IP address, browser type, device information
- Pages visited, time spent, referral source
- Infrastructure usage metrics (build times, bandwidth, API calls)
2.3 Cookies and Tracking
See our Cookie Policy for details on how we use cookies and similar technologies.
3. How We Use Your Information
- To provide, maintain, and improve our platform
- To process transactions and send related information
- To communicate with you about your account, orders, and services
- To monitor and analyse usage patterns and infrastructure performance
- To compute billing based on actual platform usage
- To detect, prevent, and address fraud and security issues
- To comply with legal obligations
4. Legal Basis for Processing (UK/EU GDPR)
- Contract: Processing necessary to perform our contract with you (account management, order fulfilment, billing)
- Legitimate interest: Platform improvement, security, fraud prevention, analytics
- Consent: Marketing communications, non-essential cookies
- Legal obligation: Tax records, regulatory compliance
5. Data Sharing
We share personal data only with:
- Stripe: Payment processing (PCI DSS compliant)
- Paystack: Payment processing for African markets
- Vercel: Infrastructure hosting (edge network)
- Google Cloud: Backend infrastructure, database hosting
- Neon: PostgreSQL database hosting
We do not sell your personal data to third parties.
6. Data Retention
- Account data: retained while your account is active and for 2 years after deletion
- Transaction data: 7 years (legal/tax requirements)
- Usage analytics: 24 months
- Server logs: 90 days
7. Your Rights
Under UK GDPR, EU GDPR, and CCPA, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data ("right to be forgotten")
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interest
- Opt-out of sale: Under CCPA, you can opt out of the sale of personal information (we do not sell data)
To exercise any of these rights, contact us at privacy@authentifactor.com.
8. International Transfers
Your data may be processed in the UK, EU, and United States. We ensure appropriate safeguards (Standard Contractual Clauses, UK IDTA) are in place for international transfers.
9. Security
We implement industry-standard security measures including:
- TLS/HTTPS encryption for all data in transit
- Encryption at rest for databases
- JWT-based authentication with token rotation
- Role-based access control (RBAC)
- Regular security audits
See our Security Policy for details.
10. Children's Privacy
Our platform is not intended for children under 16. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email or platform notification.
12. Contact
Authentifactor Ltd
Email: privacy@authentifactor.com
Website: authentifactor.com
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
