CCPA / CPRA
Protocols.
How Authepy operates as a strict "Service Provider" to ensure your California-based users' personal information is never sold, shared, or monetized.
Our Designation as a Service Provider
Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), a business must carefully control how vendors handle consumer data. Authepy acts exclusively as a Service Provider. We process the personal information (email addresses) of your end-users solely for the business purpose of delivering and verifying cryptographic OTP tokens.
No Sale or Sharing of Data
Authepy strictly prohibits the monetization of your users' data. We do not sell, rent, or share personal information (including email addresses or IP metadata) with third-party advertising networks, data brokers, or cross-context behavioral tracking systems.
Programmatic Data Destruction
CPRA mandates that businesses inform consumers of data retention periods. Authepy enforces a strict, programmatic 30-day retention policy for all transactional routing logs. This ensures that consumer footprint data is continuously purged from our PostgreSQL ledger without requiring manual intervention.
Handling Consumer Rights Requests
When your business receives a "Right to Delete" or "Right to Know" request from a California resident, Authepy's architecture simplifies compliance. Because we process tokens in volatile memory and drop transit logs automatically, your compliance burden regarding data stored on our infrastructure is functionally reduced to zero.