Privacy Policy

Akiru (“we”, “our”, or “us”) operates the Akiru Auth platform (the “Service”). This Privacy Policy explains how we collect, use, and protect your personal information when you use our Service.

By using Akiru Auth, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.

We collect the following categories of personal data:

• Account Information: Your name and email address, provided directly or via OAuth (Google, GitHub).
• Authentication Data: Hashed passwords (never stored in plaintext), OAuth provider IDs, session tokens.
• Technical Information: IP addresses, browser user agent, session timestamps — used for security monitoring.
• Verification Records: One-time codes (OTPs) and magic link tokens, stored temporarily and auto-deleted after use or expiry.

We use collected data solely to:

• Authenticate your identity and secure your account
• Send transactional emails (OTP codes, magic links, welcome messages)
• Detect and prevent fraudulent or unauthorized access
• Maintain and improve the security of the Service

We do not sell, rent, or trade your personal information to any third party for marketing purposes.

Your data is stored in MongoDB Atlas (cloud-hosted, encrypted at rest). Passwords are hashed using bcrypt with 12 salt rounds. Session tokens are cryptographically signed JWTs with short expiry times.

OTP codes and magic-link tokens are stored as SHA-256 hashes and automatically deleted via TTL indexes after expiration (10–15 minutes). All email transmission uses TLS encryption via Resend.

While we implement industry-standard security practices, no method of transmission or storage is 100% secure. We encourage you to use a strong, unique password.

Akiru Auth integrates with the following third-party services:

• Resend — transactional email delivery. Your email address is shared with Resend solely to deliver authentication emails.
• Google OAuth & GitHub OAuth — if you choose to sign in via these providers, we receive your name, email, and provider ID.
• Cloudflare Turnstile — CAPTCHA service to protect against automated abuse. Cloudflare may process your IP address per their privacy policy.
• MongoDB Atlas — cloud database hosting. Data is stored in encrypted clusters.

We only send transactional emails — verification codes, magic links, welcome messages, and password reset codes. We do not send marketing or promotional emails. Each authentication email expires within 10–15 minutes and cannot be reused.

We apply per-address rate limits to prevent abuse of our email quota and protect your inbox from excessive sends.

We retain your account data for as long as your account remains active. Session records expire automatically. OTP records are auto-deleted within 15 minutes. You may request deletion of your account and all associated data at any time by contacting us.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data (“right to be forgotten”)
• Withdraw consent where processing is consent-based
• Lodge a complaint with your local data protection authority

To exercise these rights, contact us at privacy@akiru.online.

Akiru Auth is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the Service after changes constitutes acceptance of the revised policy.

If you have questions about this Privacy Policy or how we handle your data, contact us at: privacy@akiru.online