OakAuth is developed and operated by Oakinkin Labs, a sole-proprietorship technology company based in the United States. Our contact email is listed at the bottom of this page.
This privacy policy governs data collected through the OakAuth mobile application and the oakauth.app website. It does not cover data processed by third-party services you may use alongside OakAuth.
| Data type | What exactly | Why | Linked to you |
|---|---|---|---|
| Device identifier | A UUID assigned to your enrolled device at enrollment time | To identify which device sent an approval response | Yes |
| Push token (FCM) | Firebase Cloud Messaging registration token issued when you enroll | To deliver sign-in approval push notifications to your device | Yes |
| TOTP secret | A base32-encoded seed used to generate and verify one-time codes (RFC 6238) | To verify TOTP codes when push delivery is unavailable | Yes |
| Device metadata | Device platform, OS version, app version, device name you provide | Displayed in the admin panel so the account owner can identify enrolled devices | Yes |
| Recovery email | An email address you optionally provide, used only for account recovery | To send a recovery link if you lose access to your enrolled device | Yes (optional) |
| IP address (audit log) | The IP address of the browser or device making sign-in requests | Security audit; detecting unauthorized sign-in attempts | Yes (90 days) |
| User agent (audit log) | Browser or OS string associated with a sign-in attempt | Security context; displayed on the approval request card | Yes (90 days) |
| Approval event log | Timestamps and outcomes of each sign-in approval: approved, denied, timed out | Security audit trail; your in-app Activity screen | Yes |
Your data is stored in a PostgreSQL database running on a VPS located in the United States. The database is not publicly accessible; it listens only on the local network interface. Access is controlled by a dedicated database role with least-privilege grants.
All communication between the OakAuth app and our server uses HTTPS (TLS 1.2 or higher). Approval responses from your device are signed with an Ed25519 private key stored in your device's hardware-backed secure storage. This key never leaves your device.
Your TOTP secret and Ed25519 private key are stored in your device's hardware-backed keychain (Android Keystore on Android). These values are protected by biometric authentication on your device and cannot be extracted even with root access on supported hardware.
App preferences are stored in local device storage and are not transmitted to our server.
| Data type | Retention period |
|---|---|
| Account data (username, device records, TOTP secret) | Until you deregister your device or your account is deleted |
| Recovery email | Until you remove it or your account is deleted |
| IP address and user-agent in audit log | 90 days; automatically set to null after expiry. Event type and timestamp are retained permanently. |
| Approval event log (timestamps and outcomes) | Retained permanently as a security audit trail |
| FCM push token | Until your device is deregistered or FCM reports the token as invalid |
We do not sell, rent, or share your personal data with third parties for commercial purposes.
We share data with the following service providers only to the extent necessary to operate OakAuth:
We may disclose data if required to do so by law, court order, or valid legal process. We will notify you of any such request to the extent permitted by law.
Regardless of where you are located, you can exercise the following rights by contacting us at oakinkinlabs@gmail.com:
You can request a copy of the data we hold about you in JSON format within 30 days.
You can request deletion of your account and all associated personal data. Deregister your device in the app, or email us. We will complete deletion within 30 days. Security audit log entries are anonymized rather than deleted.
You can update your device name and recovery email from within the app or by contacting us. You can request your data in a machine-readable JSON format.
California residents have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information. To exercise your rights, contact us at oakinkinlabs@gmail.com.
You have additional rights including the right to restrict processing and the right to lodge a complaint with your local data protection authority. Our legal basis for processing is legitimate interests (security and authentication functionality). Contact us to exercise any GDPR rights.
OakAuth is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, contact us immediately and we will delete it.
OakAuth is operated from the United States. If you are accessing OakAuth from outside the United States, your data will be transferred to and processed on servers located in the United States and will be subject to US law. By using OakAuth, you consent to this transfer.
We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you via the app or via email if you have provided a recovery email address.
Your continued use of OakAuth after a policy update constitutes your acceptance of the updated policy.
If you have questions about this privacy policy or want to exercise any of your data rights, contact us:
Email: oakinkinlabs@gmail.com
We aim to respond to all privacy inquiries within 5 business days.