Last updated April 22, 2026

Privacy policy.

This privacy policy is applicable to the Open Authenticator app (hereinafter referred to as "Application") for mobile devices, which was developed by Skyost (hereinafter referred to as "Service Provider") as a subscription-supported service. This service is provided "AS IS".

User Provided Information

The Application acquires the information you supply when you download, configure, register, log in to, or use the Application. Registration with the Service Provider is not mandatory for local-only use. However, you must register or log in to use synchronization, provider linking, account deletion, and subscription-related features. Depending on the login method you choose, the Service Provider may process your email address or the identifier returned by your authentication provider (Google, Apple, GitHub, or Microsoft), as well as a backend user identifier, linked providers, your subscription status, and a stable Application installation identifier used to bind sessions to your device. If you use email login, the Service Provider processes your email address and temporary verification, cancellation, and authorization codes in order to complete the login flow.

Automatically Collected Information

In addition, the Application and its backend may collect certain information automatically, including, but not limited to, the type of device you use, the stable Application installation identifier generated by the Application, your IP address, your operating system, your app version, your user agent, request headers needed to operate the backend, and information about the way you use the Application. This information is used to provide the service, secure sessions, enforce rate limits, maintain compatibility, and troubleshoot issues. The Application and backend also send diagnostic information to a private GlitchTip instance, using the Sentry-compatible error reporting protocol, when bugs or crashes occur. These reports may include technical details such as the app version, operating system version, device model, error message, stack trace, timestamp, recent actions in the Application, and, for backend errors, request information such as the HTTP method, URL, and request headers. Your master password and TOTP secrets are not intentionally sent in these reports.

Does the Application collect precise real-time location information of the device?

This Application does not gather precise information about the location of your device. The Application may request camera access only to scan TOTP QR codes. Camera images are processed on your device for scanning and are not intentionally sent to the Service Provider. If you enable biometric or local authentication, authentication is handled by your device operating system; the Application does not receive or transmit your biometric data.

Do third parties see and/or have access to information obtained by the Application?

Aggregated, anonymized data may be periodically transmitted to internal services to aid the Service Provider in improving the Application and their service. Diagnostic information related to bugs or crashes may be transmitted to the Service Provider's private GlitchTip instance for error monitoring and troubleshooting. Data needed to operate the service may be processed by infrastructure providers, authentication providers, RevenueCat, app stores, and optional logo search services when you use the corresponding features. The Service Provider may share your information with third parties in the ways that are described in this privacy statement.

Third-Party Providers

Please note that the Application utilizes third-party services that have their own Privacy Policy about handling data. Below are the links to the Privacy Policy of the third-party service providers used by the Application:

Disclosure of Information

The Service Provider may disclose User Provided and Automatically Collected Information:

  • as required by law, such as to comply with a subpoena, or similar legal process;
  • when they believe in good faith that disclosure is necessary to protect their rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
  • with their trusted service providers who work on their behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth in this privacy statement.

What are my opt-out rights?

You can halt all collection of information by the Application easily by uninstalling the Application. You may use the standard uninstall processes as may be available as part of your mobile device or via the mobile application marketplace or network.

Data Retention Policy, Managing Your Information

The Service Provider will retain User Provided data for as long as you use the Application and for a reasonable time thereafter. Backend refresh sessions are normally retained until they expire or are revoked. Deleted TOTP synchronization markers and processed RevenueCat webhook event records may be retained for up to 365 days before pruning. Inactive non-contributor accounts without active sessions or stored TOTPs may be pruned. If you delete your account from the Application, the Service Provider deletes the backend user record, backend sessions, and synchronized TOTP data controlled by the Service Provider. Data held by third-party providers, app stores, or RevenueCat remains subject to their own retention and account-management rules. The Service Provider will retain Automatically Collected information for up to 24 months and thereafter may store it in aggregate. If you'd like the Service Provider to delete User Provided Data that you have provided via the Application, please contact them and they will respond in a reasonable time. Please note that some or all of the User Provided Data may be required in order for the Application to function properly. Your master password is not transmitted to any remote server. If you forget it, we cannot help you recover it. Please be aware that, although we endeavor to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches.

Children

The Service Provider does not use the Application to knowingly solicit data from or market to children under the age of 13. The Application does not address anyone under the age of 13. The Service Provider does not knowingly collect personally identifiable information from children under 13 years of age.

Security

The Service Provider is concerned about safeguarding the confidentiality of your information. The Service Provider provides physical, electronic, and procedural safeguards to protect information we process and maintain. If you choose to synchronize your data between your devices, the backend stores your TOTP records in encrypted form. The TOTP secret, label, issuer, and image URL are encrypted using AES-GCM with an Argon2-derived key based on your master password and a random salt. Some synchronization metadata, such as the TOTP UUID, algorithm, digit count, validity period, update time, and deletion markers, may be stored without being encrypted by the master password so synchronization can work correctly.

Changes

This Privacy Policy may be updated from time to time for any reason. The Service Provider will notify you of any changes to the Privacy Policy by updating this page with the new Privacy Policy.

This privacy policy is effective as of April 1, 2024.

Contact Us

If you have any questions regarding privacy while using the Application, or have questions about the practices, please contact the Service Provider.

Thanks to nisrulz for this privacy policy.