authe collects information to provide, improve, and protect our asset authentication services. We collect different types of information depending on how you interact with our platform.
Account Data
Name, email address, and contact information
Company or organization details (for business accounts)
Account credentials and authentication tokens
Profile preferences and settings
Communication preferences
Product Data
Product descriptions, images, and metadata you upload
autheID assignments and product-to-ID mappings
QR code and label generation history
Product categories and classification data
Custom fields and attributes you define
Usage Analytics
Service usage patterns and feature interactions
Verification scan data (location, time, device type)
Dashboard and analytics preferences
API usage metrics and integration data
Performance and error logs
Blockchain Records
Transaction hashes and smart contract interactions
Wallet addresses associated with your account
On-chain verification timestamps and proofs
Gas usage and transaction metadata
How We Use Your Information
We use your information to deliver and improve our authentication services, ensure platform security, and communicate with you about your account.
Provide and maintain the authe authentication platform
Generate and manage autheIDs for your products
Process verification requests from consumers and partners
Send service notifications and important updates
Improve our AI analysis and authentication algorithms
Detect and prevent fraudulent or unauthorized activities
Provide customer support and respond to inquiries
Generate anonymized analytics and usage reports
Comply with legal obligations and protect our rights
AI Training Disclosure
We may use anonymized and aggregated verification data to improve our AI authentication models. This data is stripped of personal identifiers and cannot be traced back to individual users or products. You may opt out of AI training data usage in your account settings.
Legal Basis for Processing (GDPR Article 6)
Contractual necessity: To provide authentication services you have requested
Consent: For blockchain storage of authentication records and optional features
Legitimate interests: For security, fraud prevention, and service improvement
Legal obligations: For record-keeping and regulatory compliance
Data Storage & Security
IMPORTANT: BLOCKCHAIN DATA IMMUTABILITY
authe employs industry-standard security measures to protect your data. However, the nature of blockchain technology introduces unique considerations for data persistence.
Blockchain Immutability
Once data is recorded on the blockchain, it becomes permanent and cannot be modified or deleted. This includes autheID creation timestamps, verification proofs, and transaction records. While this immutability is fundamental to authentication integrity, it means that blockchain records cannot be erased even upon account deletion. We only store essential authentication hashes on-chain, not personal data.
Blockchain Consent
By creating an account and registering products with authe, you explicitly consent to the permanent storage of authentication hashes on public blockchain networks. This consent is required to use our authentication services. Once data is recorded on-chain, this consent cannot be withdrawn for existing records due to blockchain immutability. You will be clearly informed before any data is written to the blockchain.
Security Measures
AES-256 encryption for data at rest
TLS 1.3 encryption for all data in transit
Multi-factor authentication options for accounts
Regular security audits and penetration testing
SOC 2 Type II compliance (in progress)
Isolated database environments with access controls
Automated backup and disaster recovery systems
24/7 security monitoring and anomaly detection
Data is stored in secure cloud infrastructure within the European Economic Area (EEA), with backup locations also within the EEA to ensure GDPR compliance.
Third-Party Services
EXTERNAL SERVICE PROVIDERS
We partner with carefully selected third-party service providers to deliver our platform. These providers have their own privacy policies governing the data they process.
Stripe Payment Processing
All payment information, including credit card details, bank account information, and billing addresses, is collected and processed directly by Stripe, Inc. authe never receives, stores, or has access to your full payment card details. Stripe is PCI DSS Level 1 certified and maintains the highest standards of payment security.
autheID records are stored on public blockchain networks. Only verification hashes and timestamps are stored on-chain - no personal information is included in blockchain data. Authe Trail messages are sanitized before display. We currently utilize:
Base L2 (Coinbase) and Ethereum networks for authentication records
Google Cloud Storage for secure file storage
Third-party RPC providers for blockchain interactions
AI & Content Services
Google Gemini AI for authentication analysis and verification narratives
Google Cloud Vision for content moderation (SafeSearch on uploads)
Marketplace Integrations (Etsy, Amazon)
When you choose to connect a marketplace account (Etsy shop or Amazon Seller Central), authe acts as a third-party client on your behalf via the marketplace's official OAuth API. We follow a strict principle of least privilege: we request only the permissions needed to import your listings or push drafts back, and never the permissions that would expose your buyers, orders, payments, or messages.
Etsy Open API v3 (listings_r, listings_w, shops_r)
We connect via Etsy's OAuth 2.0 with PKCE — your Etsy password is never seen by authe. The only scopes we request are: listings_r (read your own listings), listings_w (create or update your draft listings), and shops_r (read shop info such as shipping profiles and processing profiles needed to publish drafts). We deliberately do NOT request: listings_d (delete), shops_w (modify shop), transactions_r/w (orders and sales), email_r, billing_r, address_r/w, profile_r/w, or any buyer-side scope. As a result, authe never receives buyer identities, order details, payment information, shipping addresses, or Etsy Messages. Etsy access tokens (1-hour lifetime) and refresh tokens (90-day lifetime, rotated on every refresh) are stored encrypted at rest using AES-256-GCM with a dedicated key separate from all other application data. You can disconnect Etsy at any time from Account Settings — this immediately deletes the stored encrypted tokens.
Data we receive from Etsy: shop ID and name, your listings' titles, descriptions, prices, images, taxonomy, and tags
Data we send to Etsy: only the asset content you explicitly choose to export as a draft listing (title, description, price, image, taxonomy, tags)
Data we never request or receive: orders, buyer information, payment data, shipping addresses, Etsy Messages, financial reports
Daily call cap: 1,000 Etsy API calls per user per 24 hours (enforced application-side as an abuse safeguard)
Retention: tokens are kept while your Etsy connection is active; deleted within 24 hours of disconnect
We connect to Amazon Seller Central via Login with Amazon (LWA) OAuth 2.0. We request only the Inventory and Catalog roles required to read your own FBA inbound shipments and product catalog data so we can mirror them into authe. We deliberately do NOT request: Orders, Customer Information, Direct-to-Consumer Shipping, Tax Invoicing, Financial Reports, or any buyer-side role. As a result, authe never receives buyer identities, order numbers, transactional data, customer addresses, or financial reports. Refresh tokens are stored encrypted at rest using AES-256-GCM with a dedicated key. You can disconnect Amazon at any time from Account Settings — this immediately deletes the stored encrypted tokens.
Data we receive from Amazon: your own FBA inbound shipment headers, SKUs, and product catalog attributes (name, ASIN/GTIN, brand, category, images)
Data we never request or receive: orders, buyers, customer PII, payment data, financial reports, settlement reports
Retention: tokens are kept while your Amazon connection is active; deleted within 24 hours of disconnect
GDPR-compliant analytics (no personal data collected)
ZOHO for transactional email communications
Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes.
Account data: Retained until account deletion, plus 30 days for recovery
Product data: Retained until you delete it or close your account
Usage analytics: Anonymized and retained for up to 3 years
Verification logs: Retained for 7 years for audit purposes
Blockchain records: Permanent (cannot be deleted due to immutability)
Communication records: Retained for 5 years after last interaction
Backup data: Retained for 90 days after primary deletion
Post-Deletion Data
Upon account deletion, we will remove your personal data from our active systems within 30 days. However, blockchain records containing authentication hashes will remain on the public ledger permanently. Anonymized or aggregated data may also be retained for analytical purposes.
Your Rights (GDPR)
EU/EEA DATA SUBJECT RIGHTS
As a company registered in the Netherlands, authe complies with the General Data Protection Regulation (GDPR). If you are located in the European Economic Area, you have the following rights regarding your personal data:
Right of Access
You have the right to request a copy of all personal data we hold about you. We will provide this information within 30 days of a verified request.
Right to Rectification
You can request correction of inaccurate personal data at any time through your account settings or by contacting us.
Right to Erasure
Limitation on Erasure
You may request deletion of your personal data. However, please note that blockchain records cannot be erased due to their immutable nature. We can only delete data stored in our off-chain databases. Any on-chain hashes or transaction records will persist indefinitely on the public blockchain.
Right to Data Portability
You can request your data in a structured, machine-readable format (JSON or CSV) for transfer to another service provider.
Right to Object
You may object to processing of your personal data for direct marketing or other purposes. We will cease processing unless we have compelling legitimate grounds.
Right to Withdraw Consent
Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of prior processing.
To exercise any of these rights, contact us at contact [at] authe.app. We will respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Cookies & Tracking
We use cookies and similar tracking technologies to provide functionality, analyze usage, and enhance your experience on our platform.
Essential Cookies
Required for core platform functionality such as authentication, session management, and security. These cannot be disabled.
Analytics Cookies
Help us understand how you interact with our platform to improve features and performance. You can opt out via your browser or our cookie settings.
Preference Cookies
Remember your settings, language preferences, and customizations across sessions.
We do not use third-party advertising cookies
We do not sell or share cookie data with advertisers
You can manage cookie preferences in your account settings
Most browsers allow you to block or delete cookies
Do Not Track
We currently do not respond to Do Not Track (DNT) browser signals, as there is no consistent industry standard for handling these requests. We encourage you to use our cookie settings panel for granular control.
Children's Privacy
authe is a business-to-business service intended for use by adults. Our services are not directed at children under the age of 16.
We do not knowingly collect personal data from children under 16
If we discover we have collected data from a child, we will delete it promptly
Parents or guardians who believe their child has provided data should contact us immediately
Business accounts must be operated by individuals of legal age
If you become aware that a child has provided personal information to us without appropriate consent, please contact us at contact [at] authe.app.
International Data Transfers
authe is headquartered in the Netherlands and primarily stores data within the European Economic Area (EEA). However, some of our service providers may process data outside the EEA.
Primary data storage is within the EEA (Netherlands, Germany, Ireland)
Backup systems are also located within the EEA
Some third-party processors (e.g., certain cloud services) may transfer data to the US
We use Standard Contractual Clauses (SCCs) for transfers outside the EEA
We conduct transfer impact assessments as required by GDPR
Blockchain Considerations
Blockchain networks are globally distributed. When data is written to the blockchain, it is replicated across nodes worldwide. This is an inherent characteristic of decentralized systems and is necessary for authentication integrity. We minimize personal data on-chain and only store cryptographic hashes.
Automated Decision-Making
In accordance with GDPR Article 22, we inform you about our use of automated decision-making and profiling technologies.
AI-Assisted Authentication
Our Service uses artificial intelligence to assist with asset authentication analysis. These AI systems provide probabilistic assessments and recommendations but do not make final binding decisions that produce legal or similarly significant effects on individuals.
AI analysis provides guidance, not definitive authentication judgments
Human review is available for all authentication assessments upon request
AI outputs are informational and do not automatically affect your legal rights
You may request human intervention in any AI-assisted process
Fraud Detection
We use automated systems to detect potentially fraudulent activities, unusual access patterns, and security threats. If automated systems flag suspicious activity, human review is conducted before any adverse action is taken against your account.
Your Rights
You have the right to: (1) obtain meaningful information about the logic involved in automated processing; (2) request human intervention; (3) express your point of view; and (4) contest decisions that significantly affect you. Contact us at contact [at] authe.app to exercise these rights.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
Your California Rights
Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
Right to Delete: You may request deletion of your personal information, subject to certain exceptions
Right to Correct: You may request correction of inaccurate personal information
Right to Opt-Out: You may opt out of the sale or sharing of your personal information
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
Categories of Information Collected
Identifiers (name, email, account ID)
Commercial information (transaction history, service usage)
Internet activity (log data, device information)
Professional information (company name, role)
Inferences drawn from the above categories
We Do Not Sell Personal Information
authe does not sell, rent, or share your personal information with third parties for their direct marketing purposes. We do not engage in "sales" of personal information as defined under CCPA/CPRA.
To exercise your California privacy rights, contact us at contact [at] authe.app or use the account settings in your dashboard. We will respond to verified requests within 45 days.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we are committed to notifying affected users and relevant authorities in accordance with GDPR Articles 33 and 34.
Our Breach Response
We will notify the Dutch Data Protection Authority within 72 hours of becoming aware of a qualifying breach
We will notify affected users without undue delay if the breach poses a high risk to their rights
Notifications will describe the nature of the breach and approximate number of affected records
We will provide contact information for our data protection team
We will describe likely consequences and measures taken to address the breach
User Notification
If a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly via email at the address associated with your account. The notification will include clear guidance on steps you can take to protect yourself.
Security Measures
We maintain comprehensive security incident response procedures, including regular testing and updates. Our security team monitors for potential threats 24/7 and conducts regular vulnerability assessments to prevent breaches before they occur.
Changes to Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.
Material changes will be communicated via email to registered users
The "Last updated" date will reflect the most recent revision
Continued use of the Service after changes constitutes acceptance
Previous versions are available upon request
We recommend reviewing this policy regularly
For significant changes that affect how we handle personal data, we will provide at least 30 days' notice before the changes take effect, giving you the opportunity to review and delete your account if desired.
Contact Information
For questions about this Privacy Policy, your personal data, or to exercise your rights, please contact us:
For general inquiries, please contact contact [at] authe.app.
Supervisory Authority
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
By using authe, you acknowledge that you have read and understood this Privacy Policy.