Privacy Policy
Effective Date: April 26, 2026
🔒 Our Core Promise
We do not sell client data. Under any circumstances. Period. We do not monetize your data. We do not share it with third parties for their own commercial purposes. Data entrusted to Yukio's Authentication Gateway remains yours, and ours to protect — never to profit from.
1. What We Collect
As an authentication gateway, our service processes authentication-related data on behalf of our clients. This data is necessary for the operation of the service and is retained only as long as required for authentication workflows.
1.1 Account Data
- Client account identifiers and configuration settings
- Service provider metadata (SAML entity IDs, OAuth redirect URIs, etc.)
- Contact information for account administration
1.2 Authentication Data
- User identifiers (as provided by your backend service)
- Authentication method preferences and enrolled credentials (public keys only for WebAuthn)
- Phone numbers used for SMS challenge/response (transient, not stored long-term)
- Authentication event timestamps and method used
1.3 Technical Data
- IP addresses (logged for security and rate-limiting, retained for 30 days)
- User-agent strings for WebAuthn compatibility checks
- API request metadata for performance monitoring
2. What We Do NOT Collect
- We do not collect end-user passwords for third-party services
- We do not collect biometric data (WebAuthn biometrics remain on the user's device)
- We do not collect device fingerprints beyond what is necessary for authentication
- We do not use tracking pixels, third-party analytics, or advertising cookies on this website
- We do not build user profiles for any purpose beyond authentication
3. How We Use Data
Data processed by Yukio's Authentication Gateway is used exclusively for:
- Performing the authentication operations requested by your backend service
- Maintaining the security and integrity of the authentication service
- Detecting and preventing fraudulent authentication attempts
- Complying with legal obligations (e.g., lawful subpoenas)
4. Data We Share — And With Whom
We share authentication data only with the specific backend service that requested the authentication — and only the minimal data required to complete the authentication.
Sub-processors:
- Twilio, Inc. — for SMS delivery (phone numbers, message content). Twilio's privacy policy applies to data in their systems.
- DigitalOcean, LLC — infrastructure hosting. DigitalOcean does not access application-layer data.
- Cloudflare, Inc. — DNS and DDoS protection. Cloudflare processes IP addresses for security filtering.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Authentication event logs | 90 days |
| Security and access logs | 30 days |
| SMS delivery records | 30 days |
| WebAuthn credential public keys | Until deletion by client |
| Client account configuration | Until account termination + 30 days |
6. Data Security
- All data in transit is encrypted via TLS 1.3
- All data at rest is encrypted using AES-256
- API access requires authenticated and authorized requests
- Regular security audits and penetration testing
- Principle of least privilege applied to all access controls
7. Your Rights
As a client, you have the right to:
- Access your account data and configuration
- Export your authentication data in a machine-readable format
- Delete your account and all associated data
- Be notified of any data breach within 72 hours of discovery
8. Contact
For privacy-related inquiries, contact us at privacy@yukiozen.ai.