Privacy Policy

Last updated: February 7, 2025

Signonix is a passwordless email verification service. We take your privacy seriously and collect only the minimum data necessary to authenticate you securely. This policy explains what we collect, how we use it, and the choices you have.

1. What We Collect

When you use Signonix to sign in to an application, we collect the following:

• Email address — provided by you during the verification flow. This is the core identifier used to authenticate your identity.
• IP address — collected solely for rate limiting and abuse prevention. We do not use IP addresses to track your activity across sessions or applications.
• Browser information — we store a one-way hash of your user-agent string to help detect suspicious login attempts. The full user-agent string is never stored.
• Session data — a minimal session record that ties your authenticated state to your browser. This includes a session identifier and its expiration timestamp.

We do not collect your name, physical address, phone number, or any financial information. We do not build advertising profiles or track your browsing behavior.

2. How We Use Your Data

We use the data we collect for three purposes only:

• Email verification — to send you a one-time passcode and confirm your identity when you sign in to a third-party application through Signonix.
• Abuse prevention — to enforce rate limits, detect automated attacks, and protect the service from misuse.
• Service operation — to maintain authenticated sessions, resolve technical issues, and ensure the reliability of the platform.

We do not use your data for marketing, advertising, analytics profiling, or any purpose unrelated to providing the authentication service.

3. What We Share

We never sell, rent, or trade your personal data to anyone.

When you use Signonix to sign in to a third-party application, that application may receive:

• A static identifier (static_id) — a pseudonymous, application-specific identifier that allows the app to recognize you across sessions without exposing your email address.
• Your email address — shared with the application only if you explicitly consent during the sign-in flow. You are always shown a clear prompt before your email is disclosed.

No other personal data is shared with third-party applications. Each application receives only the permissions you approve.

4. Cookies

Signonix uses a single cookie:

• signonix_session — a session cookie used to maintain your authenticated state. This cookie is set with the HttpOnly, Secure, and SameSite=Lax flags to prevent cross-site attacks and ensure it cannot be accessed by client-side scripts.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. There are no cookie banners because there is nothing to opt out of — we only set the one functional cookie required to operate the service.

5. Data Storage

All data is stored on Amazon Web Services (AWS) infrastructure in the us-east-1 region. Specifically:

• Amazon S3 — used to store authentication-related data, encrypted at rest using AES-256 server-side encryption.
• Amazon DynamoDB — used to store rate-limiting records and session data, encrypted at rest using AWS-managed encryption keys.

All data transmitted between your browser and our servers is encrypted in transit using TLS 1.2 or higher. Internal service-to-service communication within our infrastructure is also encrypted.

6. Data Retention

We retain data only as long as it is needed to provide the service:

• Sessions — expire automatically after a maximum of 30 days. Expired sessions are deleted.
• Rate-limiting records — expire automatically via DynamoDB time-to-live (TTL) policies. These records are short-lived and are purged once they are no longer relevant.
• One-time passcodes (OTPs) — expire 10 minutes after they are generated. Used or expired codes are permanently deleted.

When you delete your account, all associated data is removed. See Section 8 for details.

7. Your Rights

You have full control over your data on Signonix. At any time, you can:

• View connected applications — see every third-party app that you have signed in to through Signonix, along with the permissions you granted.
• Revoke application access — disconnect any application so it can no longer verify your identity or receive your data through Signonix.
• Delete your account — permanently remove your account and all associated data from our systems. This fulfills the right to erasure under the GDPR and similar data protection regulations.
• Export your data — request a copy of the personal data we hold about you in a portable, machine-readable format.

To exercise any of these rights, visit your account settings page or contact us at hello@signonix.com.

8. Account Deletion

You can delete your Signonix account at any time from your account settings page. When you delete your account, we permanently remove:

• Your email address and user profile
• All active sessions
• All consent records linking you to third-party applications
• Your static identifiers across all connected apps
• Any stored browser-information hashes

Deletion is irreversible. Once your account is deleted, third-party applications that previously relied on Signonix to authenticate you will no longer be able to do so. Rate-limiting records tied to your IP address may persist until they naturally expire via TTL, as they are not linked to your user account.

9. Third-Party Services

Signonix relies on the following third-party services to operate:

• Amazon Web Services (AWS) — provides the cloud infrastructure on which Signonix runs, including compute, storage, and database services. AWS processes data on our behalf and is bound by their data processing agreement.
• Amazon Simple Email Service (SES) — delivers the verification emails containing your one-time passcodes. Your email address is transmitted to SES solely for the purpose of sending these messages.
• Stripe — processes payments for application developers who use the Signonix API. Stripe does not receive or process end-user authentication data. If you are an app developer using our paid plans, Stripe's privacy policy applies to your payment information.

We do not use any third-party analytics, advertising, or tracking services.

10. Children

Signonix is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete that information promptly. If you believe a child under 13 has created a Signonix account, please contact us at hello@signonix.com.

11. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of Signonix after changes are posted constitutes your acceptance of the revised policy.

12. Contact

If you have questions about this privacy policy, your data, or your rights, contact us at:

hello@signonix.com