Privacy Policy

Last updated: 27 April 2026. We process the minimum data needed to operate the Service and never sell it.

What we collect

  • Workspace owners (you). Email, name, hashed password, billing address, payment-method metadata stored in Stripe.
  • End users in your apps. Whatever your app collects (email, OAuth profile, MFA factors). We process this on your behalf as your data processor.
  • Operational telemetry. IP, user-agent, request metadata for rate-limiting, abuse detection, and audit logs.

What we don't do

No third-party advertising. No data sold or shared with brokers. No cross-site tracking. We don't use end-user data to train models.

Sub-processors

  • Postgres / Redis hosting — same provider you self-host on (or our cloud).
  • Stripe — payment processing.
  • Resend — transactional email delivery.
  • Twilio — SMS OTP (only if you enable phone auth).

Your rights (GDPR / CCPA)

You can access, export, correct, or delete personal data at any time from the dashboard, or by emailing privacy@kolaylogin.com. We respond within 30 days.

Retention

Workspace data is retained as long as your workspace is active. After account deletion we erase it within 30 days, except where law requires longer retention (tax, anti-fraud).

Security

TLS in transit, AES-GCM at rest for sensitive secrets (RSA private keys, TOTP seeds). HttpOnly + Secure + SameSite cookies. See the Security overview for the full list.

Contact

Data protection officer: privacy@kolaylogin.com.

This page is a starter draft and not a substitute for legal review.