Privacy Policy

This Privacy Policy describes how Dragon Auth collects, uses, and manages your personal information when you use our authentication services. Your privacy and data security are our top priorities.

Information We Collect

We collect information to provide and improve our authentication services. This includes:

Information You Provide

When you register for an account, we collect your first name, last name, email address, and phone number. We also store your password as a secure hash; your plain-text password is never stored.

Project Information

We collect the name of the project you register for or join. Your user account is associated with this project for access control.

Automatically Collected Information

When you log in, we record the time of your login to update your "last login" status and for security auditing. This helps us protect your account from unauthorized access.

How We Use Your Information

Your data is used exclusively to operate and secure the Dragon Auth service. Key uses include:

  • Authentication and Authorization: To verify your identity when you log in and to enforce access controls based on your assigned role (user, admin, or superadmin) and project affiliation.
  • Account Management: To create and manage your user profile and associate you with the correct project or tenant.
  • Communication: To send you one-time passwords (OTPs) via services like WhatsApp if you choose to use phone-based login.
  • Security: To monitor for and prevent fraudulent or unauthorized activity and to secure your session using JSON Web Tokens (JWTs).

How We Share and Disclose Your Information

We do not sell your personal data. We only share it in the following limited circumstances:

  • With Your Project Admin: If you are a member of a project, your name, email, and role are visible to the admin(s) and superadmin(s) of that project on the admin dashboard.
  • With Service Providers: We rely on third-party services to operate Dragon Auth, such as our database provider (Valkey) and the communication services used to send OTPs. These providers are bound by strict data protection agreements and use your information only to deliver the services we request.
  • For Legal Compliance: We may disclose your information if required by law, subpoena, or other legal processes, or if we have a good-faith belief that disclosure is necessary to protect our rights, your safety, or the safety of others.

Data Security

We implement robust security measures to protect your data:

  • Password Hashing: Your password is never stored in plain text. We use a strong, one-way hashing algorithm to protect it.
  • Data Isolation: Your user data is logically separated by project. Admins can only see users within their designated project, while superadmins have global visibility for administrative purposes.
  • Secure Sessions: We use JSON Web Tokens (JWTs) to manage user sessions securely, ensuring that each request is properly authenticated and authorized.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our services. If you or your project admin deletes your account, your personal data is permanently removed from our active databases, subject to any legal requirements for data retention.

Changes to This Privacy Policy

We may update this privacy policy from time to time. If we make significant changes, we will notify you through our service or by other means. We encourage you to review this policy periodically.

Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us.