Privacy First Commitment

We are committed to protecting your privacy with enterprise-grade security measures. We never share, sell, or monetize your personal information.

GDPR Compliant
CCPA Compliant
SOC 2 Type II
Effective Date & Contact Information
Effective Date: June 17, 2025
Data Controller: Your Company Name
Privacy Officer: Data Protection Officer (DPO)
This privacy policy applies to the Liminal ID Authentication Service and complies with GDPR, CCPA, PIPEDA, and applicable government/military data protection standards.
Information We Collect
Authentication Information
  • Account Credentials: Username, email address, and encrypted password hashes
  • Multi-Factor Authentication: TOTP secrets, SMS verification numbers, hardware security key identifiers
  • Session Data: Login timestamps, IP addresses, user agent strings for security monitoring
Security & Audit Information
  • Access Logs: Authentication attempts, endpoint access, and security events
  • Rate Limiting Data: Request frequency data to prevent abuse
  • Compliance Audit Trails: Required for SOC 2, ISO 27001, and government security standards
Technical Information
  • Device Identifiers: Browser fingerprints for fraud detection
  • Network Information: IP addresses for geolocation security policies
  • Performance Metrics: Response times and system health data (anonymized)
What We DON'T Collect
  • Personal information beyond what is necessary for authentication
  • Cookies for tracking or advertising
  • Biometric data (unless explicitly configured by your administrator)
  • Social media platform data
How We Protect Your Information
Encryption Standards
  • Data at Rest: AES-256 encryption for all stored data
  • Data in Transit: TLS 1.3 encryption for all communications
  • Password Security: Argon2id hashing with per-user salts
  • Database Encryption: Column-level encryption for sensitive fields
Security Infrastructure
  • Zero-Trust Architecture: Every request is authenticated and authorized
  • Network Segmentation: Isolated environments with firewall protection
  • Intrusion Detection: Real-time monitoring for security threats
  • Regular Security Audits: Quarterly penetration testing and vulnerability assessments
Access Controls
  • Role-Based Access Control (RBAC): Principle of least privilege
  • Multi-Factor Authentication: Required for all administrative access
  • Session Management: Automatic timeout and secure session tokens
  • Audit Logging: Comprehensive logging of all data access
Cy4Secure™ Integration

When configured by your administrator, we may use Cy4Secure™ (by Cy4 Data Labs) for advanced encryption key generation. Important:

  • Cy4Secure™ generates encryption keys and tokens but never has access to your actual data
  • It is an on-demand encryption service that only provides cryptographic keys
  • Your data remains encrypted and inaccessible to Cy4Secure™ at all times
  • This integration can be disabled by your administrator at any time
Data Sharing & Third Parties
Zero Data Sharing Commitment

We never share, sell, rent, or monetize your personal information. Your data is yours and yours alone.

Single Sign-On (SSO) Authentication

When SSO is enabled by your administrator and you choose to use it:

  • Minimal Data Exchange: We only share the minimum information required for authentication (typically just your email/username)
  • User Control: You choose whether to use SSO; it's never mandatory
  • Administrator Controlled: SSO providers are configured and approved by your organization's administrator
  • Standard Protocols: We use industry-standard OAuth 2.0 and OpenID Connect protocols
Service Providers

We may share data with service providers only when:

  • Legally Required: Court orders, government requests with proper legal authority
  • Security Incidents: Coordination with law enforcement for cybersecurity threats
  • Infrastructure Providers: Cloud hosting providers with strict data processing agreements
  • Emergency Situations: To prevent immediate harm to persons or property
Government & Military Compliance

We maintain compliance with FedRAMP, FISMA, NIST Cybersecurity Framework, and other government security standards. Data sharing only occurs under lawful government authority with proper legal process.

Your Rights & Data Control
Under GDPR (European Union)
  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for data processing
Under CCPA (California)
  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we don't sell data)
  • Right to Non-Discrimination: Equal service regardless of privacy choices
Under PIPEDA (Canada)
  • Right to Access: Access your personal information we hold
  • Right to Correct: Correct inaccurate personal information
  • Right to Complain: File complaints with the Privacy Commissioner
Exercising Your Rights

To exercise any of these rights, contact us at:

Response Time: Within 30 days
Verification: Identity verification may be required

Retention Periods
  • Active Accounts: Data retained while the account is active
  • Inactive Accounts: Data deleted after 2 years of inactivity (configurable by administrator)
  • Security Logs: Retained for 7 years for compliance and security monitoring
  • Audit Trails: Retained per regulatory requirements (typically 7-10 years)
  • Session Data: Deleted after 90 days
Secure Deletion
  • Cryptographic Erasure: Encryption keys are destroyed, making data unrecoverable
  • Multi-Pass Overwriting: Physical storage is overwritten multiple times
  • Certificate of Destruction: Available upon request for compliance purposes

Essential Cookies Only
  • Session Cookies: Required for authentication and security
  • CSRF Protection: Prevent cross-site request forgery attacks
  • Security Preferences: Remember your security settings
What We DON'T Use
  • No advertising or tracking cookies
  • No third-party analytics (Google Analytics, etc.)
  • No social media tracking pixels
  • No behavioral profiling or targeting

  • Data Residency: Your data is stored in the region specified by your administrator
  • Transfer Protections: All international transfers use Standard Contractual Clauses (SCCs)
  • Adequacy Decisions: We prioritize transfers to countries with adequate data protection
  • No Surveillance Concerns: We implement safeguards against unlawful government surveillance

In the unlikely event of a data breach:

  • 72-Hour Notification: We notify relevant authorities within 72 hours
  • User Notification: We notify affected users without undue delay if there's high risk
  • Transparency: We provide clear information about what happened and what we're doing
  • Remediation: We take immediate steps to secure systems and prevent future breaches

Privacy Compliance
  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • PIPEDA (Personal Information Protection and Electronic Documents Act)
  • COPPA (Children's Online Privacy Protection Act)
Security Standards
  • SOC 2 Type II
  • ISO 27001
  • NIST Cybersecurity Framework
  • FedRAMP (when applicable)
  • FISMA Compliance
Contact Information
Privacy Inquiries

Email: [email protected]
Response Time: 24-48 hours

Data Protection Officer

Email: [email protected]
Role: GDPR Compliance & Data Protection

Security Concerns

Email: [email protected]
Response Time: Immediate for critical issues

Mailing Address
Your Company Name
Privacy Officer
123 Main Street
City, State, ZIP