authepy.

Privacy Policy

Last Updated: June 24, 2026

1. Introduction

This Privacy Policy describes how Valipod Technologies ("Valipod", "Authepy", "we", "us", or "our") collects, uses, processes, and discloses your information, including personal data, in conjunction with your access to and use of the Authepy API, website, widgets, and associated services (collectively, the "Services").

By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by the practices described in this Privacy Policy. If you do not agree with this policy, you must not access or use the Services.

2. Information We Collect

We collect information in three primary categories:

  • Information you provide directly to us: When you register for an Authepy account, we collect your name, corporate email address, company name, billing address, and payment information (processed securely via our third-party payment processor, Stripe).
  • Information collected automatically: We automatically collect telemetry and usage data when you access our Services. This includes IP addresses, browser types, operating systems, request timestamps, and API routing latency variables.
  • Information processed on your behalf: When you utilize our Services to verify your end-users, we receive the end-user email addresses and associated verification payloads transmitted to our API.

3. How We Use Information

We utilize the collected data strictly for the following operational purposes:

  • To provide, operate, and maintain the Authepy verification infrastructure.
  • To process and complete billing transactions.
  • To detect, prevent, and mitigate fraud, abuse, security breaches, and technical issues.
  • To comply with applicable legal obligations and enforce our Terms of Service.

We explicitly do not sell, rent, or monetize personal information or end-user verification data to third-party advertising networks or data brokers.

4. Authepy as a Data Processor

Under applicable data protection frameworks (including the GDPR and CCPA), a strict distinction exists between a Data Controller and a Data Processor. For the data of the end-users that our customers submit to the Authepy API for verification purposes, our customers act as the Data Controller, and Authepy acts solely as the Data Processor. We process end-user email addresses strictly in accordance with our customers' instructions for the sole purpose of dispatching and validating cryptographic OTP tokens.

5. Data Sharing & Sub-processors

We do not share your personal information with third parties except in the following limited circumstances:

  • Service Providers (Sub-processors): We engage trusted third-party infrastructure providers to facilitate our Services, including cloud hosting (Amazon Web Services), failover transactional routing (Postmark), and payment processing (Stripe). These sub-processors are legally bound by strict confidentiality and data protection obligations.
  • Legal Compliance: We may disclose data if required to do so by law, or in response to a valid, legally binding request by public authorities.
  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, user information may be transferred as a business asset, subject to continuing privacy protections.

6. Data Retention & Deletion

Authepy enforces a strict data minimization protocol. End-user verification tokens and validation contexts are stored exclusively in volatile memory and are permanently destroyed upon verification success, failure, or timeout expiration.

Routing metadata and API logs (including origin IPs and masked target addresses) utilized for security and billing analytics are automatically purged from our databases on a rolling 30-day schedule. Developer account information is retained only for as long as the account remains active, plus a legally mandated retention period for financial auditing purposes.

7. Security Measures

We implement commercially reasonable, industry-standard technical and organizational measures to protect personal data from unauthorized access, loss, misuse, or alteration. These measures include TLS 1.3 encryption for data in transit, AES-256 envelope encryption for sensitive credentials at rest, one-way cryptographic hashing (PBKDF2) for system passwords, and strict role-based access controls. However, no internet-based service can guarantee absolute security, and we cannot warrant the invulnerability of data transmissions.

8. International Data Transfers

Valipod Technologies operates globally, with engineering operations based in India. Information we collect may be transferred to, stored, and processed in regions where our sub-processors maintain facilities (e.g., the United States). By using our Services, you consent to the transfer of information to countries outside of your country of residence. For transfers originating from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) to ensure adequate data protection.

9. Your Privacy Rights

Depending on your jurisdiction (e.g., the GDPR in Europe, the CCPA in California, or the DPDP Act in India), you may possess specific rights regarding your personal data, including the right to access, correct, delete, or restrict the processing of your information.

Because Authepy operates as a Data Processor for end-user data, any end-users seeking to exercise their privacy rights must contact the Data Controller (our customer) directly. For developer accounts, you may exercise your rights by contacting our compliance team directly.

10. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our legal compliance team at:

Authepy | Valipod Technologies

Email: contact@authepy.com