Privacy policy

Passlock (“we”, “us”, “our”) provides authentication services using passkeys and WebAuthn technology. This Privacy Policy explains how we collect, use, and protect personal data when you use Passlock, including our APIs, SDKs, and websites (collectively, the “Services”).

We are committed to minimizing data collection and protecting user privacy by design.


2.1 End Users (Users authenticating via Passlock)

When an end user authenticates using Passlock, we may process:

  • Public key credentials

    • Public keys associated with passkeys
    • Credential IDs
    • Authenticator metadata (e.g. device type, attestation data where applicable)
  • Authentication data

    • Authentication timestamps
    • Challenge/response data used for verification
  • Optional identifiers (provided by our customers)

    • User ID or username (as defined by the integrating application)

If you use our mailbox verification challenges / one-time codes, we will record the end user’s email address for a short period. This is necessary to enforce rate limiting and other security measures.

Mailbox challenges (including email addresses) are deleted:

  • When they are marked as verified via an API call
  • When they are invalidated via an API call
  • Once the rate limiting window has closed (typically 30 minutes)

2.2 Customers (Developers / Businesses using Passlock)

If you are integrating Passlock into your application, we may collect:

  • Account information (name, email, organisation)
  • API usage data (requests, errors, rate limits)
  • Billing-related data (if applicable)

We may collect limited technical data such as:

  • IP address
  • User agent / browser type
  • Request metadata (timestamps, endpoints)

This is used strictly for:

  • Security monitoring
  • Abuse prevention
  • Service reliability

We use data to:

  • Provide authentication services (core functionality)
  • Verify passkey-based login requests
  • Prevent fraud and abuse
  • Monitor and improve system performance
  • Comply with legal obligations

We do not use personal data for advertising.


Passlock is designed with privacy in mind:

  • We only store public key material, never secrets
  • Authentication is based on cryptographic proof, not shared credentials
  • Data is encrypted in transit (HTTPS/TLS)
  • Sensitive data is encrypted at rest where applicable
  • Access is restricted and audited

We do not sell personal data.

We may share data only in the following cases:

  • With customers (developers):
    Authentication results are returned to the application integrating Passlock

  • With service providers:
    Infrastructure providers (e.g. hosting, logging) under strict data protection agreements

  • Legal obligations:
    If required by law or valid legal request


We retain data only as long as necessary:

  • Credential data: retained while the account exists
  • Logs: retained for a limited period (e.g. 30–90 days) for security and debugging
  • Account data: retained until deletion request or account closure

If you are in the UK or EEA, you have the right to:

  • Access your data
  • Correct inaccurate data
  • Request deletion
  • Restrict or object to processing
  • Data portability

Note: In many cases, Passlock acts as a data processor on behalf of the application using it. Requests may need to be directed to that application.


Passlock itself does not rely on tracking cookies for authentication.

However:

  • Integrating applications may use cookies independently
  • Our websites (e.g. docs or console) may use minimal cookies for:
    • Session management
    • Security (e.g. bot protection)

Data may be processed in countries outside your jurisdiction.
Where applicable, we use appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs)
  • Equivalent UK mechanisms

Passlock is not intended for direct use by children.
We do not knowingly collect data from children.


We may update this Privacy Policy from time to time.
Changes will be posted on this page with an updated “Last updated” date.


For privacy-related questions or requests: