Terms of Use

These Terms of Use ("Terms") constitute a legally binding agreement between you ("User", "you", "your") and Thierry Ouellet, an individual developer operating under the AuthTwo and Epivalent brands ("we", "us", "our"), governing your access to and use of all Services as defined below.

By downloading, installing, accessing, registering for, or using any part of the Services, you confirm that you have read, understood, and agree to be bound by these Terms in their entirety. If you do not agree, you must immediately cease using the Services and uninstall the App.

Definitions

• App — The AuthTwo mobile and desktop application, available on iOS, Android, macOS, and Windows.
• Epivalent KeyStore — The optional account-based synchronization service operated by us.
• Services — Collectively, the App, the Epivalent KeyStore sync service, the AuthTwo website, and any related features or infrastructure.
• User Content — Any data you submit, store, or transmit through the Services.

2.1 AuthTwo App

AuthTwo is a two-factor authentication (2FA) application available as a public beta on iOS (via Apple TestFlight) and Android (via Google Play testing), and as a direct download for macOS and Windows. It enables you to generate TOTP codes compliant with RFC 6238, import accounts via QR code or manual entry, export your data, and optionally synchronize your encrypted data.

2.2 Epivalent KeyStore (Optional Sync Service)

Epivalent KeyStore is an optional, account-based synchronization service. To use it, you must register by providing your first name, last name, email address, phone number, and a password. Email and phone verification are performed at registration. All TOTP data transmitted through Epivalent KeyStore is end-to-end encrypted before leaving your device — we cannot read your secrets.

You may alternatively synchronize using your own self-hosted server, without creating a KeyStore account.

We reserve the right to modify, suspend, or discontinue any feature of the Services at any time, with or without notice, and without liability.

The App is currently in public beta. iOS is distributed via Apple TestFlight, Android via Google Play testing, and desktop versions via direct download. Beta software is provided for evaluation and testing purposes only.

Beta versions may contain bugs, errors, security vulnerabilities, or incomplete features. We do not guarantee stability, data integrity, or continued availability of any beta feature. Do not rely solely on the App to store your only copy of TOTP secrets. Always independently preserve recovery codes obtained from each service for which you enable 2FA.

Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable, revocable, royalty-free license to install and use the App on devices you own or control, solely for personal, non-commercial use.

You may not:

• Copy, modify, distribute, sell, sublicense, rent, lease, or create derivative works of the App or any part of the Services
• Reverse engineer, decompile, disassemble, or attempt to derive the source code, algorithms, or trade secrets of the App by any means
• Remove, alter, or obscure any copyright, trademark, or other proprietary notices on or in the App
• Use the Services to store credentials belonging to others without their explicit, informed consent
• Probe, scan, or test the vulnerability of any system or network associated with the Services, or breach any security measure
• Use automated tools, bots, or scripts to interface with the Services in any unauthorized manner
• Use the Services to develop a competing product or service
• Use the Services in any manner that violates applicable law or regulation

You must be at least 13 years of age to use the Services. In jurisdictions subject to the GDPR, you must be at least 16, or have verifiable parental consent. By using the Services, you represent you meet the applicable minimum age for your jurisdiction.

If you access the Services on behalf of a legal entity, you represent that you have authority to bind that entity to these Terms.

You are solely and entirely responsible for:

• The physical security of all devices on which the App is installed
• The secrecy of your master password, biometric credentials, and any Epivalent KeyStore account credentials
• Creating and maintaining secure, off-device backups of your TOTP secrets and recovery codes. We cannot recover your secrets.
• Any consequence arising from sharing your device, credentials, or account access with any third party
• Ensuring your use of the Services complies with all applicable law in your jurisdiction
• All activities occurring under your account or device

If you create an Epivalent KeyStore account, you additionally agree to:

• Provide accurate, current, and complete registration information: first name, last name, email address, phone number
• Keep your account information updated and accurate at all times
• Keep your password confidential and not share it with any third party
• Notify us immediately at thierry@epivalent.com if you suspect unauthorized access to your account
• Not create more than one personal account
• Not transfer your account to another person

You are responsible for all activity under your account. We may suspend or terminate accounts we reasonably believe are compromised, abused, or in violation of these Terms.

The App may request the following permissions. Denying them may limit functionality but will not prevent core TOTP code generation:

• Camera — Used exclusively to scan QR codes when adding accounts. No images or video are captured, stored, or transmitted.
• Biometric (Face ID / Touch ID / fingerprint) — Used to unlock the App. All biometric processing occurs inside the device hardware security module (Apple Secure Enclave, Android Keystore). We never have access to biometric data.
• Push notifications — Used to deliver authentication alerts if you enable this feature. You can revoke notification permissions at any time from your device settings.

9.1 Distribution Platforms

Your use of the App through Apple TestFlight or the App Store is additionally subject to Apple Inc.'s terms. Your use through Google Play is additionally subject to Google LLC's terms. These Terms do not supersede platform terms; both apply concurrently.

9.2 Sub-processors and Third-Party Services

We use the following third-party services to operate the Services. Each is a separate company with its own terms and privacy policy:

• OVH SAS (OVHcloud) — Hosts the Epivalent KeyStore server infrastructure in Beauharnois, Québec, Canada. Legal entity: OVH SAS, 2 rue Kellermann, 59100 Roubaix, France.
• Amazon Web Services, Inc. (AWS SES / SNS) — Delivers email and SMS verification messages for KeyStore account creation and authentication. (410 Terry Avenue North, Seattle, WA 98109-5210, USA)
• 650 Industries, Inc. (Expo Push Service) — Routes push notification delivery to your devices. (624 University Ave FL1, Palo Alto, CA 94301, USA)

We are not responsible for the availability, security, or practices of any third-party service. Your use of such services is at your own risk and governed by their respective terms.

The App, Epivalent KeyStore, the names "AuthTwo" and "Epivalent", associated logos, and all interfaces, designs, code, and content are the exclusive property of Thierry Ouellet, protected by Canadian and international copyright, trademark, and intellectual property laws.

The limited license in Section 4 is the full extent of your rights. Any feedback, bug reports, or suggestions you submit may be freely used by us for any purpose, without compensation, attribution, or confidentiality obligation.

The services are provided "as is", "as available", and "with all faults", without any warranty of any kind.

To the fullest extent permitted by law, we disclaim all warranties, express, implied, statutory, or otherwise, including without limitation:

• Implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, title, or non-infringement
• Any warranty that the Services will be uninterrupted, error-free, secure, or free of viruses or security vulnerabilities
• Any warranty that TOTP codes will be generated correctly in all circumstances
• Any warranty that data will not be lost, corrupted, or rendered inaccessible
• Any warranty that the beta App is suitable for any particular purpose

This does not affect any warranty rights you may have under mandatory consumer protection law that cannot be waived by contract.

To the fullest extent permitted by applicable law, we shall not be liable for any damages of any kind arising from or related to the services.

In no event shall Thierry Ouellet be liable for any indirect, incidental, special, exemplary, consequential, or punitive damages, including but not limited to:

• Loss of data, corruption of data, or inability to access your data
• Loss of access to any third-party account for which you used the App as a second factor
• Business interruption, loss of revenue, loss of profits, or loss of goodwill
• Device failure, hardware malfunction, theft, or loss of your device
• Unauthorized access to your account, device, or credentials
• Failure of any third-party service (Apple, Google, OVH SAS, AWS, or Expo)
• Any bug, error, or defect in beta or production versions of the App

Because the App is provided to you free of charge, our maximum aggregate liability to you for all claims of any kind — whether in contract, tort, strict liability, or otherwise — shall not exceed CAD $0.00 (zero dollars), or such minimum amount as mandatory applicable law in your jurisdiction may require, whichever is greater.

Some jurisdictions do not allow exclusion of certain warranties or limitation of certain damages; to the extent such laws apply, the above exclusions and limitations may not apply to you in full.

To the fullest extent permitted by law, you agree to indemnify, defend, and hold harmless Thierry Ouellet from and against all claims, demands, losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from or related to:

• Your use of or inability to use the Services
• Your breach or alleged breach of these Terms
• Your violation of any applicable law or the rights of any third party
• Your Epivalent KeyStore account or any activity thereunder
• Any false or misleading information you provide in connection with the Services

We shall not be liable for any failure or delay resulting from circumstances beyond our reasonable control, including: acts of God, natural disasters, pandemic, war, terrorism, civil unrest, fire, flood, power failures, internet or telecommunications outages, or actions or failures of third-party providers including OVH SAS, Amazon Web Services, or 650 Industries (Expo).

These Terms remain effective until terminated. You may terminate by ceasing all use of the Services and removing the App from all devices.

We may suspend or terminate your access and/or your Epivalent KeyStore account at any time, with or without cause, with or without notice, without liability, if we believe you have violated these Terms or for security or operational reasons.

Upon termination: (a) your license is immediately revoked; (b) your KeyStore account and all associated server-side data will be deleted immediately upon your request or our termination; (c) Sections 10–14 and 16–17 survive termination.

These Terms are governed by the laws of the Province of Québec and the applicable federal laws of Canada, without regard to conflict of law principles.

Any dispute that cannot be resolved by good-faith negotiation within thirty (30) days of written notice shall be submitted to the exclusive jurisdiction of the courts of the Province of Québec, Canada. You irrevocably consent to personal jurisdiction in those courts.

Nothing in these Terms limits rights you may have under mandatory EU consumer protection law (if you reside in the EU/EEA), the Québec Consumer Protection Act (where applicable), or any other mandatory consumer protection law in your jurisdiction that cannot be waived by contract.

Severability. If any provision is found illegal, invalid, or unenforceable, it is severed without affecting the remaining provisions.

No Waiver. Failure to enforce any right does not constitute a waiver. Any waiver must be in writing and signed by us.

No Agency. These Terms do not create a partnership, joint venture, employment, or agency relationship between you and us.

Language. These Terms are drafted in English. A French version is available upon request at thierry@epivalent.com. In case of conflict, the English version prevails to the extent permitted by Québec law.

Entire Agreement. These Terms and our Privacy Policy constitute the entire agreement between you and Thierry Ouellet regarding the Services and supersede all prior agreements, representations, or understandings.

For any questions, concerns, or legal notices regarding these Terms: