Privacy Policy

This Privacy Policy describes how Thierry Ouellet, operating under the AuthTwo and Epivalent brands ("we", "us", "our"), collects, uses, stores, and discloses personal information in connection with the AuthTwo application and the Epivalent KeyStore synchronization service (collectively, "the Services").

This Policy applies to all users of the Services regardless of location, and is intended to comply with applicable privacy law, including the Québec Act respecting the protection of personal information in the private sector (Law 25 / Bill 64), the federal Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA), to the extent each applies.

If you have questions about this Policy, contact us at thierry@epivalent.com.

The data controller for personal information collected through the Services is:

3.1 AuthTwo App — Local-Only Mode

When you use the App without creating an Epivalent KeyStore account, we collect no personal information. All TOTP secrets, account names, and related data are stored exclusively on your device and never leave it. We have no access to this data.

3.2 Epivalent KeyStore Account Registration

If you create an Epivalent KeyStore account, we collect the following personal information:

• First name and last name — To identify your account
• Email address — For account registration, email verification, and service communications
• Phone number — For SMS verification during account registration and authentication
• Password (hashed) — Stored as a cryptographic hash using industry-standard algorithms; we cannot recover your plain-text password
• Encrypted TOTP data — Your vault data is end-to-end encrypted before leaving your device; we cannot read its contents
• Verification tokens — Temporary tokens used for email and SMS verification; deleted after use

3.3 Technical and Operational Data

Our server infrastructure may automatically log:

• IP addresses and timestamps of API requests (for security monitoring and abuse prevention)
• Basic request metadata (HTTP method, endpoint path, response code)

Server logs are retained for a maximum of 90 days and then deleted.

3.4 Push Notifications

If you enable push notifications, your device's push notification token is shared with our push notification provider (650 Industries, Inc. / Expo) solely to deliver notifications to your device. We do not use push tokens for tracking, advertising, or any other purpose.

3.5 Device Permissions

• Camera — Accessed only when you scan a QR code. No images or video are captured, stored, or transmitted by us.
• Biometrics (Face ID / Touch ID / fingerprint) — Processed exclusively by the device's native hardware security module. We never receive, access, or store any biometric data.

We process personal information only on the following legal bases:

• Performance of a contract — Processing your account registration data and TOTP vault is necessary to provide the Epivalent KeyStore service you requested.
• Legitimate interests — Server log data is processed to ensure security, investigate abuse, and maintain service integrity. Our legitimate interest does not override your rights.
• Consent — Push notifications are sent only with your explicit permission, which you may revoke at any time in your device settings.
• Legal obligation — We may process data as required by applicable law.

We use the personal information we collect exclusively to:

• Create, maintain, and authenticate your Epivalent KeyStore account
• Verify your email address and phone number at registration and as required thereafter
• Synchronize your end-to-end encrypted TOTP vault across your devices
• Deliver push notifications if you have enabled them
• Monitor for security threats, abuse, or unauthorized access to our infrastructure
• Comply with applicable legal obligations
• Respond to your support inquiries

We do not use your information for advertising, profiling, behavioral tracking, or sale to third parties. We do not use your information to train AI or machine learning models.

We share certain personal data with the following sub-processors, solely as necessary to operate the Services. Each processor is bound by contractual data processing obligations:

Processor legal entities and addresses:

• OVH SAS — 2 rue Kellermann, 59100 Roubaix, France (data center in Beauharnois, QC, Canada)
• Amazon Web Services, Inc. — 410 Terry Avenue North, Seattle, WA 98109-5210, USA
• 650 Industries, Inc. — 624 University Ave FL1, Palo Alto, CA 94301, USA

We do not sell, rent, or share your personal information with any other third parties, except as required by law.

The Epivalent KeyStore server infrastructure is hosted with OVHcloud in Beauharnois, Québec, Canada — your data therefore remains in Canada by default. However, email and SMS verification via AWS SES/SNS and push notification routing via Expo involve data being processed in the United States.

For transfers of personal data subject to the GDPR, we ensure appropriate safeguards are in place through Standard Contractual Clauses or other GDPR-compliant transfer mechanisms. For Québec Law 25 purposes, cross-border data transfers are governed by our agreements with each sub-processor and a privacy impact assessment (PIA) as required.

• Local App data — Stored on your device until you delete the App or its data. We have no access.
• Epivalent KeyStore account data — Retained as long as your account is active. Upon account deletion, all account data (name, email, phone, encrypted vault) is deleted immediately and permanently from our servers.
• Server logs — IP addresses and request logs are retained for a maximum of 90 days, then permanently deleted.
• Verification tokens — Deleted immediately after use or expiry.

We do not retain personal information beyond its stated purpose. Upon the expiry of each retention period, data is permanently deleted or irreversibly anonymized.

We implement a range of security measures to protect personal information:

• End-to-end encryption of all TOTP vault data (encrypted on-device before transmission)
• Industry-standard hashing algorithms for stored passwords
• Encrypted communications using TLS for all data in transit
• VPS hardening, access controls, and regular security monitoring
• Email and SMS two-factor verification for account creation and sensitive operations

Despite these measures, no method of transmission or storage is 100% secure. In the event of a data breach affecting your rights or freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and affected individuals within a reasonable time as required by applicable law.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access — Request a copy of the personal information we hold about youGDPRLaw 25PIPEDACCPA
• Correction / Rectification — Request correction of inaccurate or incomplete informationGDPRLaw 25PIPEDA
• Deletion / Right to be Forgotten — Request deletion of your personal information. KeyStore account deletion results in immediate and permanent deletion of all associated data.GDPRLaw 25CCPA
• Data portability — Request a copy of your data in a structured, machine-readable formatGDPRLaw 25
• Restriction of processing — Request that we limit how we use your data in certain circumstancesGDPR
• Object to processing — Object to processing based on legitimate interestsGDPR
• Withdraw consent — Withdraw consent at any time (where processing is based on consent), without affecting prior lawful processingGDPRLaw 25
• Non-discrimination — We will not discriminate against you for exercising your privacy rightsCCPA

To exercise any of these rights, contact us at thierry@epivalent.com. We will respond within 30 days (or the applicable deadline under the relevant law). We may ask you to verify your identity before processing your request.

We do not sell, rent, trade, or license your personal information to any third party for any purpose, including advertising or marketing. We do not use any advertising networks, analytics services (such as Google Analytics), or behavioral tracking technologies in the Services. We do not build advertising profiles or perform automated decision-making based on your data.

The Services are not directed to children under the age of 13 (or 16 in GDPR jurisdictions). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us immediately at thierry@epivalent.com and we will delete it promptly.

The App is currently in public beta (iOS via TestFlight, Android via Google Play testing). Data practices described in this Policy apply during the beta period. Beta versions may be unstable; we do not guarantee that data stored or synced during the beta period will persist through updates. We recommend maintaining your own backups.

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and, where feasible, provide notice through the App or at this URL. Continued use of the Services after changes are posted constitutes acceptance of the updated Policy.

For significant changes affecting your rights, we will seek fresh consent where required by applicable law.

If you believe your privacy rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction:

• Québec / Canada: Commission d'accès à l'information du Québec (CAI) — cai.gouv.qc.ca
• Federal Canada (PIPEDA): Office of the Privacy Commissioner of Canada — priv.gc.ca
• EU / EEA: Your local data protection authority (DPA)

We encourage you to contact us first at thierry@epivalent.com — we will do our best to resolve any concern promptly.

For any privacy questions, data subject requests, or concerns:

Response time: within 30 days of receipt of your request.