Privacy Policy for Authenticator
Effective Date: May 3, 2026 · Last Updated: May 3, 2026
Introduction
This Privacy Policy describes how Authenticator ("we", "us", "our", or the "App") collects, uses, and shares information when you use our mobile application. Authenticator is operated by Halmob ("Company").
Authenticator is a two-factor authentication (2FA) app that generates Time-based One-Time Passwords (TOTP) and HMAC-based One-Time Passwords (HOTP). Your privacy and the security of your authentication data are our highest priorities.
By downloading, installing, or using Authenticator, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.
1. Information We Collect
1.1 Authentication Data (Local Only)
- TOTP / HOTP secrets are encrypted with AES-256 and stored locally on your device. The encryption keys are stored in your device's secure enclave (iOS Keychain / Android Keystore), never in plain storage.
- Account labels and issuers (e.g., service names you add) are encrypted alongside the secrets.
1.2 Account Information (Optional)
If you choose to create an account to enable encrypted cloud backup, we collect:
- Email address
- Display name
- Firebase Authentication UID
You can use the App fully without creating an account.
1.3 Cloud Backup Data (Optional)
- If you enable cloud sync, your encrypted account data is synced to Firebase Realtime Database.
- We never have access to your plaintext secrets. All data is encrypted on your device before transmission. This is a zero-knowledge architecture — our servers see only ciphertext.
1.4 Analytics & Advertising
- Google AdMob — Free users see banner advertisements. AdMob may collect device identifiers for ad personalization. We request non-personalized ads by default.
- RevenueCat — Manages subscription status and processes anonymous purchase data.
- No behavioral analytics: We do not use Mixpanel, Firebase Analytics, or any cross-app behavioral tracking SDK.
1.5 Information We Do Not Collect
- We do not collect or transmit your plaintext authentication secrets — ever.
- We do not collect your phone number, contacts, location, microphone, or camera data.
- We do not use cross-app tracking, advertising IDs for analytics, or behavioral profiling.
2. How We Use Your Information
We use the information we collect to:
- Generate and display TOTP / HOTP codes locally on your device.
- Provide optional encrypted cloud backup and cross-device sync.
- Manage your subscription status (free vs. premium).
- Display advertisements to free users.
- Diagnose crashes and provide customer support.
- Comply with legal obligations.
3. Data Storage and Security
- On-device encryption: All authentication secrets are encrypted with AES-256 before storage. Encryption keys live in iOS Keychain / Android Keystore, never in plain storage.
- Cloud sync: If you opt in, data is encrypted end-to-end on your device before upload to Firebase. Our servers store only ciphertext.
- We cannot decrypt your data. If you lose your encryption recovery key and lose access to your device, we cannot recover your secrets.
- All connections to third-party services use TLS / HTTPS.
4. Third-Party Services
We use the following third-party services:
- Apple App Store / StoreKit & Google Play Billing — Payment processing and subscription management. Apple Privacy · Google Privacy.
- RevenueCat — Subscription status and entitlement checks. Privacy Policy.
- Firebase (Authentication and Realtime Database) — Optional encrypted cloud backup and account login. Privacy Policy.
- Google AdMob — Banner advertisements for free users. Privacy Policy.
These providers process limited data on our behalf under their own privacy policies. We do not sell your data to any third party.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may disclose information only in the following limited cases:
- Service providers (Apple, Google, RevenueCat, Firebase, AdMob) acting on our behalf under confidentiality obligations.
- Legal requirements such as a court order, subpoena, or lawful request by authorities — noting that we cannot decrypt user secrets even if compelled.
- Business transfers in the event of a merger, acquisition, or asset sale (you will be notified).
- With your consent for any other purpose disclosed at the time of collection.
6. Your Rights
Depending on your jurisdiction (GDPR, CCPA, KVKK, etc.), you may have the right to:
- Access — export your recovery key and account data at any time from within the App.
- Delete — delete your account and all associated cloud data via the in-app deletion option, or by contacting us.
- Port — export accounts via the standard otpauth:// URI format.
- Correct inaccurate information.
- Restrict or object to certain processing.
- Withdraw consent at any time. Cloud sync is optional — the App works fully offline.
To exercise these rights, email us at the address in Section 10.
7. Children's Privacy
Authenticator is not directed to children under 13. We do not knowingly collect personal information from children under 13 (or the equivalent age in your jurisdiction). If you believe a child has provided personal information to us, contact us and we will delete it promptly.
8. Data Retention
- Local data remains on your device until you delete the App or remove individual entries.
- Cloud-synced data is retained until you delete your account or remove the entry. Encrypted backups are removed on account deletion.
- Subscription records are retained as required by Apple, Google, RevenueCat, and applicable tax / compliance laws.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date above and, where appropriate, notify you in the App. Continued use of the App after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your data:
Email: [email protected]
Company: Halmob
App: Authenticator (Bundle ID: com.halmob.authenticator)
This Privacy Policy applies only to Authenticator and does not cover third-party services, websites, or applications linked from the App.