Privacy Policy

Effective date: April 14, 2026 · Last updated: April 14, 2026 · Version: 2.0

Summary: CAI-AUTH is built for zero-knowledge authentication. We do NOT collect personal data, telemetry, device identifiers, or location. All cryptographic keys remain on your device. The only data that leaves your device are ephemeral authentication challenges sent to servers you explicitly configure.

1. Data Controller

CAI Technology SRL ("we", "us", "our", the "Data Controller")
Address: Bucharest, Romania
Commercial Registry: registered in Romania
Email (general): contact@caitech.ro
Email (privacy): privacy@caitech.ro
Email (security): security@caitech.ro
Data Protection Officer (DPO): dpo@caitech.ro

2. Scope

This Privacy Policy applies to:

The CAI-AUTH Android application (Google Play: ro.caitech.caiauth)
The CAI-AUTH Chrome extension (Chrome Web Store)
The website auth.caitech.ro
API services at auth.caitech.ro (demo/evaluation server)

Enterprise deployments on customer-owned servers are governed by the respective customer's privacy policy, with CAI Technology acting as Data Processor under GDPR Art. 28.

3. Data We Do NOT Collect

We have designed CAI-AUTH to minimize data collection by default. The following are NEVER collected:

Personal identifiers (name, email, phone, postal address, national ID)
Hardware identifiers (IMEI, IMSI, MAC address, Android ID, Advertising ID)
Location data (GPS, coarse network location, Wi-Fi triangulation, cell tower)
Contacts, calendar, SMS, call logs, photos, videos, microphone audio
Browsing history or website visits
Biometric templates (fingerprint/face templates remain in hardware TEE / StrongBox, never transmitted)
Behavioral analytics, heatmaps, session replays
Advertising identifiers or marketing data

4. Data Categories Processed — Complete Disclosure

4.1 Data stored ONLY on your device (never transmitted)

Data Category	Purpose	Storage	Retention
TOTP secrets (OTP keys)	Generate time-based one-time codes	EncryptedSharedPreferences (AES-256-GCM)	Until you delete the account in app
Ed25519 private keys	Classical cryptographic signatures	Android Keystore (hardware-backed when available)	Until uninstall or account deletion
ML-DSA private keys	Post-quantum signatures (NIST FIPS 204)	EncryptedSharedPreferences (AES-256-GCM)	Until uninstall or account deletion
Account labels (you enter)	Identify accounts in the UI	Local encrypted storage	Until you delete the account
Server URLs (you configure)	Know where to send authentication requests	Local encrypted storage	Until you change it
Encrypted backup archives	User-initiated backup to external storage	Your chosen location (ML-KEM-768 + AES-256-GCM)	User-controlled

4.2 Data exchanged with authentication servers

When you initiate an authentication request to a server you have configured:

Data Sent	Purpose	Legal Basis
Public key material (NEVER private keys)	Server identifies your enrolled device	Performance of a contract (GDPR Art. 6(1)(b))
Ephemeral cryptographic challenge signatures	Prove possession of enrolled device	Performance of a contract (GDPR Art. 6(1)(b))
Device capability flags (StrongBox available, biometric strength)	Server decides whether to accept device as sufficiently secure	Legitimate interest (GDPR Art. 6(1)(f)) — fraud prevention
Credential identifier (opaque, server-assigned)	Match request to credential	Performance of a contract

4.3 Firebase Cloud Messaging (FCM) — Required for push authentication

CAI-AUTH uses Firebase Cloud Messaging by Google LLC to deliver push authentication requests from servers to your device. The following data is processed by FCM:

Device registration token (opaque, anonymous, does not identify you personally)
Push payload (encrypted challenge, contains NO personal data)

FCM is subject to Google's Privacy Policy. Google acts as a Data Processor under GDPR. You can disable push authentication by uninstalling the app; FCM tokens are then invalidated automatically. Data is stored on Google's servers in EU and US regions.

4.4 Server logs (auth.caitech.ro demo server)

If you connect to our demo server at auth.caitech.ro, the following logs are captured for security:

Timestamp of authentication attempt
Success/failure status
IP address (truncated to /24 for IPv4, /64 for IPv6, per privacy-by-design)

Retention: 7 days, then automatic deletion. Logs contain no user-identifying information beyond the truncated IP.

5. Legal Basis for Processing (GDPR Article 6)

Performance of a contract (Art. 6(1)(b)) — for providing authentication functionality you request
Legitimate interest (Art. 6(1)(f)) — for security logs, fraud detection, device capability checks
Legal obligation (Art. 6(1)(c)) — for retaining records required by applicable law (none expected for current scope)
Consent (Art. 6(1)(a)) — for optional features where explicitly requested (e.g., cloud backup — currently NOT offered)

6. Data Sharing & Third-Party Services

We share data with the following third parties, each acting as a Data Processor under GDPR Art. 28:

Third Party	Purpose	Data Shared	Privacy Policy
Google LLC (Firebase Cloud Messaging)	Push notification delivery	FCM registration token, encrypted push payload	policies.google.com/privacy
Google LLC (Play Services Scanner module)	QR code scanning (unbundled, loaded at runtime)	None (processing happens on-device)	policies.google.com/privacy

We do NOT share data with:

Advertising networks
Analytics providers
Data brokers
Social media platforms

We do NOT sell personal data under any circumstances.

7. Google Play Data Safety Declaration

In compliance with Google Play's Data Safety requirements:

Data Type	Collected	Shared	Optional	Purpose
Personal info	No	No	—	—
Financial info	No	No	—	—
Health and fitness	No	No	—	—
Messages	No	No	—	—
Photos and videos	No	No	—	—
Audio files	No	No	—	—
Files and docs	User-initiated (backup export)	No	Yes	Encrypted backup to user-chosen location
Calendar	No	No	—	—
Contacts	No	No	—	—
App activity	No	No	—	—
Web browsing	No	No	—	—
App info and performance	Crash logs (no PII)	No (Google Play Console only)	No (required for app stability)	Fix crashes and ANRs
Device or other IDs	FCM registration token (anonymous)	No (used only for push delivery)	No (required for push auth)	Receive authentication approval requests
Location	No	No	—	—

Security practices:

✅ Data is encrypted in transit (TLS 1.3 with certificate pinning on auth.caitech.ro)
✅ Data is encrypted at rest (AES-256-GCM on device)
✅ You can request that your data be deleted (uninstall app; FCM token is revoked automatically)
✅ Independent security review: Red team testing (35/35 passed, April 2026)
✅ Follows Mobile Application Security Verification Standard (MASVS) L2
✅ Hardware-backed keys (StrongBox / Titan M on supported devices)

8. Android Permissions — Why We Request Them

Permission	Required	Purpose
`android.permission.INTERNET`	Yes	Send authentication requests to configured servers
`android.permission.CAMERA`	Only when scanning QR	Scan enrollment QR codes (data processed on-device, never uploaded)
`android.permission.USE_BIOMETRIC`	Yes (modern devices)	Unlock app with fingerprint/face, sign operations with hardware-backed key
`android.permission.POST_NOTIFICATIONS`	Yes (Android 13+)	Show push authentication approval prompts

We do NOT request: location, contacts, SMS, call logs, microphone, accessibility services, overlay, accessing other apps, or reading device state.

9. Chrome Extension Permissions

Permission	Purpose
`storage`	Save your enrolled server URL and credential IDs locally in browser storage
`notifications`	Display authentication status (approved/denied) to you
`host_permissions: auth.caitech.ro`	Send requests to your configured CAI-AUTH server

10. Data Retention

On-device data: kept until you delete the account in-app or uninstall the app
Server logs (auth.caitech.ro demo): 7 days, then permanent deletion
FCM registration token: kept by Google until you uninstall or sign out
Crash reports (Google Play Console): 90 days (Google's default)
Support email correspondence: 3 years (legitimate interest, contract/dispute resolution)

11. Your GDPR Rights (EU/EEA users)

Under GDPR Art. 15-22, you have the following rights:

Right of access (Art. 15): request a copy of your personal data we hold. (We hold none.)
Right to rectification (Art. 16): correct inaccurate data
Right to erasure / "right to be forgotten" (Art. 17): uninstall app and contact privacy@caitech.ro — we will delete any server logs within 30 days
Right to restriction (Art. 18)
Right to data portability (Art. 20): your on-device data is already exportable via encrypted backup
Right to object (Art. 21)
Right not to be subject to automated decision-making (Art. 22) — we do not use automated profiling
Right to withdraw consent — if consent was the basis
Right to lodge a complaint with the supervisory authority — in Romania: ANSPDCP (dataprotection.ro)

To exercise any right, contact privacy@caitech.ro. We respond within 30 days.

12. California Privacy Rights (CCPA/CPRA)

California residents have the right to:

Know what personal information is collected (see Section 4)
Request deletion of personal information
Opt out of sale of personal information (we do not sell data)
Non-discrimination for exercising these rights

Submit requests to privacy@caitech.ro.

13. International Data Transfers

Your on-device data does not leave your device. FCM data may be stored on Google's servers in the United States under Google's Standard Contractual Clauses (SCCs) for EU-US transfers. See Google's data transfer framework.

14. Children

CAI-AUTH is NOT directed at children under 13 years of age. We do not knowingly collect personal data from children. The app is rated 18+ on Google Play. If we learn we have inadvertently collected data from a child, we will delete it immediately. Parents who believe their child has provided data can contact privacy@caitech.ro.

15. Security Measures

Encryption in transit: TLS 1.3 with HSTS, certificate pinning on auth.caitech.ro
Encryption at rest: AES-256-GCM for all local secrets
Key management: Hardware-backed Android Keystore (StrongBox / Titan M) where available
Post-quantum cryptography: ML-KEM-768 (NIST FIPS 203), ML-DSA-65 (NIST FIPS 204)
Code minification: R8 with obfuscation enabled in release builds
Supply chain security: signed APK/AAB with 4096-bit RSA upload key; Google Play App Signing
Reproducible builds: Docker-based isolated build environment
Red team testing: 35 test cases including replay, timing, SQLi, CBOR fuzzing — all passed (April 2026)
Vulnerability disclosure: security@caitech.ro, PGP key available on request

16. Breach Notification

In the unlikely event of a personal data breach affecting EU users, we will notify the competent supervisory authority (ANSPDCP Romania) within 72 hours and affected users without undue delay, per GDPR Art. 33-34.

17. Changes to This Policy

We may update this Privacy Policy. The "Last updated" date at the top reflects the current version. Material changes will be announced in:

App release notes on Google Play
Chrome Web Store listing
A banner on auth.caitech.ro for at least 30 days

Previous versions are archived and available on request.

18. Contact

For any question or request regarding this Privacy Policy:

General: contact@caitech.ro
Privacy / GDPR: privacy@caitech.ro
Security / Vulnerabilities: security@caitech.ro
Legal: legal@caitech.ro
Data Protection Officer: dpo@caitech.ro

← Back to homepage