Privacy Policy
How Guardivion collects, uses, and protects personal data across our device-based authentication platform.
1. Who we are
Guardivion is a universal, device-based authentication platform. We provide multi-factor authentication (MFA) and passwordless sign-in to organisations ("Customers") and their end users. Guardivion [TO BE CONFIRMED — legal entity name once incorporated] ("Guardivion", "we", "us") is the data controller for account, billing, and website data, and acts as a data processor for the authentication data we handle on behalf of Customers. For processor activities, see our Data Processing Agreement.
2. How authentication works
Guardivion is designed around data minimisation. End users authenticate from the Guardivion mobile app using a cryptographic key pair generated and held inside the device's hardware-backed keystore and unlocked with the device's biometric or PIN; authentication requests are delivered as push notifications. Administrators sign in to the web portals with a password and a time-based one-time passcode (TOTP).
3. Data we collect
Organisation & account data
- Organisation display name and handle, and administrator contact name and work email.
- For each administrator: name, work email, and role.
Administrator credentials
- Passwords stored only as Argon2id hashes — never in plaintext.
- The TOTP secret used to verify MFA one-time codes.
- Session and one-time activation tokens, stored only as SHA-256 hashes.
- API keys issued to the organisation, stored only as hashes.
End-user device data
- The device's public key and an enrolment record.
- A push-notification token used to deliver authentication requests to the device.
Authentication & audit data
- Authentication and approval events.
- An append-only audit log of administrative and key actions (actor, action, detail, timestamp).
We do not collect
- Users' private keys — generated in and never leaving the device hardware keystore.
- Biometric data — matched on the device by the operating system; never transmitted to us.
- Advertising or cross-site tracking identifiers. We do not sell personal data.
4. How we use data
- To verify identity and complete authentication and MFA challenges.
- To detect and prevent fraud, account takeover, and abuse.
- To provide audit logs to Customer administrators.
- To operate, secure, and improve the service, and to meet legal obligations.
5. Legal bases (GDPR)
| Provide the service | Performance of a contract (Art. 6(1)(b)). |
|---|---|
| Security & fraud prevention | Legitimate interests (Art. 6(1)(f)). |
| Legal & audit retention | Legal obligation (Art. 6(1)(c)). |
| Optional communications | Consent (Art. 6(1)(a)), withdrawable at any time. |
7. Retention
Draft retention periods ([TO BE CONFIRMED] — confirm with counsel and against your deployment):
- Authentication and audit logs: configurable window (draft default: 12 months).
- Account and enrolment records: life of the contract plus up to 90 days.
- Backups: rolling cycle (draft: 35 days).
8. Your rights
Depending on your jurisdiction (GDPR — including the Republic of Ireland and other EEA states; UK GDPR — including Northern Ireland, England, Wales, and Scotland), you may access, correct, delete, port, or restrict processing of your personal data, and object to certain processing. End users should contact their organisation's administrator first; Guardivion will support the Customer in fulfilling the request. You may also contact us at [TO BE CONFIRMED] (privacy contact email).
9. Security
We protect data in transit over HTTPS/TLS. Sensitive values are stored only as hashes — passwords with Argon2id, and session tokens, activation tokens, and API keys with SHA-256. End-user private keys are isolated in device hardware and never reach our servers. Database-level encryption at rest is deployment-dependent ([TO BE CONFIRMED]). See the Security Overview.
10. International transfers
Where data is transferred outside the EEA/UK, we intend to rely on Standard Contractual Clauses and the UK International Data Transfer Addendum, with technical safeguards such as encryption and data minimisation ([TO BE CONFIRMED] — confirm transfer mechanism and hosting regions).
11. Contact
Privacy enquiries: [TO BE CONFIRMED] (contact email / postal address / EU-UK representative).
