Privacy Policy

Last updated: February 19, 2026

Overview

MyAuth is built on the principle of zero-knowledge encryption. This Privacy Policy explains how we handle your data — or more accurately, how we ensure we cannot access your data. Your privacy isn't just a feature; it's the foundation of our architecture.

Data We Collect

Account Information

When you create an account, we store your email address and name for authentication purposes. This is the only personally identifiable information we require.

Encrypted Data

Your 2FA secrets are encrypted on your device using your private key before being transmitted to our servers. We store this encrypted data to enable cross-device sync, but we cannot decrypt it.

Usage Analytics

We may collect anonymous, aggregated usage statistics (e.g., app version, platform) to improve the product. No personal data or 2FA secrets are ever included in analytics.

Zero-Knowledge Architecture

MyAuth uses a zero-knowledge encryption model, which means:

  • Your master password is never transmitted to our servers
  • Encryption keys are derived locally using Argon2id
  • All 2FA secrets are encrypted with AES-256-GCM before leaving your device
  • Our servers only store encrypted blobs that are meaningless without your key
  • We CANNOT recover your data if you lose both your password and recovery code

Data Sharing

We do not sell, trade, or share your personal information with third parties. Since we cannot access your encrypted data, there is nothing meaningful we could share even if compelled. If you use self-hosted infrastructure (BYOS), your data never touches our servers at all.

Your Rights

  • Self-host your data for complete control using BYOS
  • Audit the source code to verify our privacy claims

Contact

For privacy-related inquiries, please open an issue on our GitHub repository.