Privacy Policy

Last updated: April 8, 2026

This Privacy Policy explains how Authbound ("we", "us") processes personal data for authbound.io, our business communications, and the Authbound Wallet closed alpha distributed through Google Play. We apply GDPR data-minimisation principles and process data only for legitimate, documented purposes.

The controller for the processing described here is Authbound, Finnish Business ID 3413139-1, Salomaantie 48 I 23, 37630 Valkeakoski, Finland. Privacy questions can be sent to [email protected].

1. Scope

This policy applies to:

  • visitors to authbound.io and related website pages;
  • people who contact us, request demos, or book meetings;
  • invite-only testers using the Authbound Wallet closed alpha; and
  • individuals whose data we process under separate business agreements, except where those agreements or DPAs say otherwise.

2. Data we process

2.1 Website and business contacts

  • technical data such as IP address, browser type, device information, and request logs;
  • cookie and analytics data as described in our Cookie Policy;
  • contact details and message content submitted through forms, email, or meeting-booking tools.

2.2 Authbound Wallet closed alpha

  • account data: email address, display name, handle, and profile-completion status;
  • legal and policy records: accepted terms version, acknowledged privacy version, acceptance timestamps, app version, and platform;
  • account-deletion records: request timestamp, scheduled deletion timestamp, and cancellation timestamp where applicable;
  • device and wallet-security data: installation-linked identifiers, device model, OS version, patch level, attestation material, hardware-security capabilities, wallet activation state, linked-device state, and push token;
  • credential and workflow data needed to operate wallet, issuance, verification, document-signing, notification, and pairing flows;
  • supporting operational data such as service logs, anti-abuse signals, and limited diagnostics needed to secure and improve the alpha.

Credentials and wallet material are designed to remain primarily under your control on your device. Some flows require data to be sent to issuers, verifiers, or other parties you intentionally interact with. Those parties act under their own notices and agreements.

3. Why we process your data

  • Contract performance and pre-contract steps: to create your account, deliver wallet features, link devices, send service notifications, and operate the closed alpha.
  • Legitimate interests: to secure our systems, prevent abuse, troubleshoot errors, improve reliability, enforce our wallet-alpha terms, and respond to support or business enquiries.
  • Consent: where legally required, such as non-essential cookies or optional marketing communications.
  • Legal obligation: where we must comply with applicable law, regulatory requests, or mandatory record-keeping obligations.

4. Sharing and subprocessors

We share data only where necessary with infrastructure and service providers that help us operate the product, such as hosting, authentication, database, notification, and support tooling providers. We also share data with counterparties involved in wallet flows that you initiate, for example credential issuers, relying parties, or signature counterparts.

Some providers may process data outside the EEA. Where required, we use appropriate transfer safeguards such as the European Commission Standard Contractual Clauses and supplementary measures.

5. Retention and account deletion

We keep personal data only as long as needed for the purposes above. Closed-alpha account data is retained while your account remains active and for a limited period afterwards for security, support, dispute handling, and legal compliance.

If you request account deletion through the app or through our public deletion page, we schedule deletion with a 30-day grace period. During that period we lock normal app access and allow cancellation. If you cancel during the grace period, normal access can be restored after sign-in. Once the grace period ends, the request enters processing and can no longer be cancelled. We then delete or irreversibly remove your account profile, wallet activation state, linked devices, wallet-encryption data, signing documents and related storage objects, credits, user actions, identifiers, legal-acceptance event records, and other user-owned operational records used by the mobile wallet service.

Some narrowly scoped records may be retained for longer where necessary for security, fraud-prevention, legal defence, financial record-keeping, or compliance. These retained records are limited to what is reasonably necessary for those purposes.

6. Security

We use layered technical and organisational safeguards, including access controls, encrypted transport, production access restrictions, and device-security checks for wallet flows. No service can guarantee absolute security, but we continuously improve our controls and monitor for misuse.

7. Your rights

Depending on applicable law, you may have the right to access, correct, erase, restrict, object, or request portability of your data, and to withdraw consent where processing is consent-based.

To exercise your rights, contact [email protected]. You may also lodge a complaint with the Finnish Data Protection Ombudsman or your local supervisory authority.

8. Related documents and changes

We may update this policy when our services, practices, or legal requirements change. The "Last updated" date identifies the current version. The wallet closed alpha is also governed by the Authbound Wallet Alpha Terms. Website-only use remains subject to our Terms of Service.