Privacy Policy - Cloud2FA

1. Introduction

This Privacy Policy describes how Cloud2FA ("we", "us", or "our") collects, uses, and protects your personal information when you use our service.

2. What Data We Collect

2.1. Account Data

Email address
Username
Hashed password
Two-factor authentication settings

2.2. Company Data

Company name
Member list
Roles and access permissions

2.3. TOTP Secrets

Encrypted TOTP secrets (we do not have access to decrypted data)
Metadata: name, issuer, category

2.4. Technical Data

IP addresses
Browser and device information
Access logs

3. How We Use Data

We use the collected data to:

Provide and support the service
Authenticate and authorize users
Ensure account security
Send important service notifications
Improve service quality

4. Data Protection

We implement the following security measures:

Encryption at rest — all TOTP secrets are encrypted with AES-256-GCM
Encryption in transit — all connections are protected with TLS
Password hashing — we use bcrypt with salt
Access audit — we maintain a log of all actions

5. Sharing Data with Third Parties

We do not sell or share your personal data with third parties, except in the following cases:

With your explicit consent
To comply with legal requirements
With service providers necessary for service operation (hosting, email), under appropriate agreements

6. Data Retention

We retain your data as long as your account is active or as necessary to provide the service. When you delete your account, we delete all associated data within 30 days.

7. Your Rights

You have the right to:

Obtain a copy of your data
Correct inaccurate data
Delete your account and data
Export your TOTP secrets

8. Cookies

We only use technically necessary cookies to maintain authorization sessions. We do not use tracking or advertising cookies.

9. Policy Changes

We may update this policy. For significant changes, we will notify you via email or through the service interface.

10. Contact

For privacy inquiries, contact us at [email protected]