Authagonal

Privacy Policy

Last updated: 8 April 2026

Authagonal ("we", "us", "our") is operated by Sam Critchley (ABN 69 472 204 717), an Australian sole trader. This policy describes how we collect, use, store and disclose personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).

1. Information we collect

We collect the following categories of personal information:

  • Account information — name, email address, and password hash when you sign up as a tenant owner or portal administrator.
  • End-user authentication data — email addresses, password hashes, MFA credentials, session metadata, and login timestamps of users who authenticate through your tenant. This data is processed on your behalf as a data processor.
  • Billing information — we collect your email and tenant name for Stripe checkout. Payment card details are handled entirely by Stripe and never touch our servers.
  • Usage data — aggregated metrics (login counts, token issuance rates, API call volumes) collected per tenant for dashboard analytics. These do not contain personal information.
  • Technical data — IP addresses, user agent strings, and request metadata in server logs. Logs are retained for 30 days.

2. How we use your information

  • To provide and operate the Authagonal authentication service.
  • To authenticate users, issue tokens, and enforce security policies configured by tenant administrators.
  • To process payments and manage your subscription via Stripe.
  • To send transactional emails (account confirmation, password resets). We do not send marketing emails.
  • To monitor service health, detect abuse, and enforce rate limits.
  • To respond to support requests.

3. Data processor role

When your end users authenticate through Authagonal, we act as a data processor on your behalf. You (the tenant) are the data controller and determine what data is collected and how it is used. We process end-user data solely to provide the authentication service as configured by you.

4. How we store and protect data

  • All data is stored in Microsoft Azure data centres. Tenant data is stored in Azure Table Storage with per-tenant isolation (separate table prefixes per shard).
  • All connections use TLS 1.2 or higher. Data at rest is encrypted by Azure Storage Service Encryption.
  • Passwords are hashed using bcrypt. We never store plaintext passwords.
  • Access to production infrastructure requires multi-factor authentication and is restricted to authorised personnel.
  • Signing keys are rotated automatically and stored encrypted in Azure Key Vault.

5. Disclosure of information

We do not sell personal information. We may disclose personal information to:

  • Stripe — for payment processing.
  • Microsoft Azure — as our infrastructure provider.
  • Law enforcement — where required by Australian law or a valid court order.

6. Cross-border data transfers

Our Azure infrastructure is hosted in Australia (Central US during beta). Some data may be processed in other jurisdictions by our sub-processors (Stripe, Microsoft). We take reasonable steps to ensure these parties comply with privacy obligations comparable to the APPs.

7. Data retention

  • Tenant data is retained for the duration of your subscription. Upon cancellation, data is retained for 30 days then permanently deleted.
  • Tenant administrators can configure user retention policies (automatic deactivation and deletion after a period of inactivity).
  • Server logs are retained for 30 days.
  • Backups are retained for 90 days.

8. Your rights

Under the APPs, you have the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your account and associated data.
  • Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.

Account administrators can access, export, and delete end-user data through the management portal or SCIM API at any time.

9. Cookies

Authagonal uses session cookies for authentication purposes only. We do not use tracking cookies, analytics cookies, or third-party advertising cookies. The management portal uses sessionStorage for OIDC state management.

10. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the email address associated with your tenant account. The "last updated" date at the top of this page indicates the most recent revision.

11. Contact

For privacy enquiries or to exercise your rights, contact us at privacy@authagonal.io.