Privacy Policy
Last updated: February 28, 2026
This Privacy Policy explains how Chuggy Labs, Inc., a Delaware corporation, collects, uses, stores, and shares information when you use PersonalAuth products and services.
At a Glance
What we collect
We store identity, security, billing, and audit metadata needed to run the product and defend it.
What stays public
Your display name, public key, and verification status are public by design when someone has your verify link or key ID.
What we cannot read
We do not hold the decryption keys for your private key, so we cannot sign or recover it for you.
1. Information We Collect
- Identity data: display name, public key, key status, and creation timestamp.
- Linked account hashes: one-way hashes of linked account identifiers (including email addresses and OAuth account IDs), without storing raw identifiers in plaintext after verification.
- Encrypted private key: encrypted client-side before storage; we cannot decrypt it.
- Guardian data: guardian email addresses and invitation status for configured recovery.
- Verification metadata: proof records, challenge-response data, and signature logs.
- Security and audit logs: authentication events, IP addresses, device metadata, and timestamps.
- Billing data: payment processing through Stripe; we store billing email and subscription status, not credit card numbers.
- Usage data: page views, feature usage, and error logs for service improvement.
2. How We Use Information
- Provide, maintain, and improve the service.
- Process verifications and cryptographic operations.
- Prevent fraud, abuse, and unauthorized access.
- Process billing and subscriptions.
- Communicate service updates and security alerts.
- Comply with legal obligations.
3. What We Cannot Access
We cannot access your private key. It is encrypted client-side using either device-bound credentials (WebAuthn PRF) or a passphrase you set. We do not hold decryption keys. This means we cannot sign on your behalf, recover your identity if you lose access, or comply with requests to produce your private key.
5. Public Information
Your display name, public key, and verification status are publicly accessible by design. Anyone with your verify link or key ID can view this information. Linked account types (but not the accounts themselves) may also be visible to verifiers.
6. Data Retention
We retain data as long as your identity is active. Audit and security logs may be retained longer for legal and security purposes. You may request deletion by contacting us, but cryptographic proofs recorded on behalf of third parties may be retained for their records.
7. Security
We implement reasonable technical and organizational measures to protect data, including encryption at rest and in transit, access controls, and security monitoring. No system is completely secure, and we cannot guarantee absolute security against all threats.
8. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or export your data, and to object to or restrict processing. Contact us to exercise these rights. Some data, including public keys and cryptographic proofs, may be permanent by system design and may not be deletable.
9. Children
PersonalAuth is not intended for use by anyone under 16. We do not knowingly collect data from children.
10. International Transfers
Your information may be processed in countries other than your own. We use appropriate safeguards for cross-border transfers consistent with applicable law.
12. Changes
We may update this policy. Material changes will be posted with a revised date.
13. Contact
PersonalAuth is operated by Chuggy Labs, Inc., a Delaware corporation.
Privacy questions can be sent to support@personalauth.io.