Authy App Privacy Notice
THIS VERSION OF THE AUTHY PRIVACY NOTICE IS NO LONGER IN EFFECT. THE CURRENT VERSION OF THE TWILIO PRIVACY STATEMENT IS AVAILABLE HERE.
Last Updated: April 4, 2022 (View the prior version of our privacy statement here.)
Welcome to Authy! As a courtesy, below is a quick summary of our privacy practices when you use the Authy desktop or mobile app. The full version can be found by scrolling down. The full version is the one that is legally controlling.
When you use our app we collect:
- Your phone number, device information, and email address.
- If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
- We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.
- We do not sell your personal information.
- We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
- Websites and programs that integrate our 2-factor authentication API will be able to see information they sent us about you, your login activity to their website and program, your primary device type, and other device related information relevant to identifying unusual or suspicious activity, but they will not see any other websites or programs for which you use Authy.
- We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.
- Your information will be transferred to the U.S.
- If you have questions about our data practices or information we store about you, you can email us at firstname.lastname@example.org.
- Data about our users
- How we use your personal information
- How we share your personal information
- How to make choices about your personal information
- International data transfers
- How we secure your personal information
- Handling disputes relating to our data protection practices
- Other information you may find useful
Authy, a Twilio service, offers a desktop and mobile app for two-step verification. The Authy apps generate one time passwords and push notifications on your desktop computer or mobile device that can be used as a part of a 2-step verification process with your Authy-compatible accounts to add another layer of security. Authy can be used as an alternative to programs such as Google Authenticator or as a provider of 2-factor authentication for applications or programs that directly integrate with Authy’s 2-factor authentication API.
Below is a summary of our practices when it comes to your personal information collected when you download and use the Authy desktop or mobile app.
If you are interested in our practices relating to personal information collected when you build an application that integrates with Authy’s API to add two-factor authentication to your application, click here.
When we refer to Twilio, we mean the Twilio entity with which you have contracted. Please see our main Privacy Notice for more information.
Before you submit any information on or through Authy, please carefully review this notice.
Data we collect automatically
Device Information. When you download and open the Authy desktop or mobile app, we automatically collect information about the type of device you have downloaded the app on and your device identifier. We collect this to ensure we deliver the right version of the app for your device and so that we can provide appropriate follow up support as necessary.
Login History and Authy Account History. When you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when. If you change your phone number or email associated with your Authy account, we will also keep a log of that. We collect this information to monitor for suspicious activity and also as another piece of information that could be used to verify your identity if your account is compromised or may be compromised.
Geolocation information. If you have location services turned on, we collect your location based on your IP address. We use this information for anti-fraud purposes, to check for suspicious activity and, again, as another piece of information we can use to verify your identity if we suspect your account may be compromised.
How we use your personal information
We use your phone number as an identifier for your Authy account. This allows you to download the Authy app onto various devices and associate those devices with your same Authy account. We may also use your phone number to send you verification codes as a second factor for authenticating a login for an application that integrates with the Authy 2-Factor Authentication API. We also use logs of any changes to your phone number to monitor for suspicious or unusual activity and as another piece of information that could be used, if necessary, to verify your identity if your account is or may be compromised.
We use your email address, and any history of email addresses associated with your Authy account, as another piece of information that could be used, if necessary, to verify your identity if your account is or may be compromised. We also use your email address to communicate notices to you about your account, such as suspicious logins or other activity that could indicate a compromise of your account. In addition, we may use your email address to send you information about other Authy and Twilio products, services, or events that you might be interested in. You can choose not to receive marketing emails from us. If you wish to stop receiving our marketing emails you may click on the unsubscribe link that will appear at the bottom of any of our marketing emails or you can contact customer support.
We use information associated with your login activity, device information, and changes to your account to monitor for unusual or suspicious activity on your account and as any other piece of information that could be used to help us verify your identity if your account is compromised or may be compromised.
In addition to using device information as described above, we also use your device information ensure proper delivery of our service and to provide and deliver support and maintenance of the Authy app.
Your personal information is generally stored until you advise us to close your Authy account and delete your records, and activity logs may be stored for up to a year for security purposes, or, if there is an ongoing investigation, until that matter is concluded.
How to make choices about your personal information
You can make updates to your information associated with your account by going into the settings in the Authy apps. You can also make a request to change your phone number associated with your account by clicking here.
You may have certain rights to make choices regarding your personal information, including accessing it, deleting it, correcting it, restricting its use, porting it, or withdrawing consent. To make a request for deletion of your Authy account, to make a request to access additional information associated with your account, or to express any other choice regarding your personal information, contact Authy Support or email@example.com. Please be aware that when you ask us for these things, we will take steps to verify that you are authorized to make the request.
Please keep in mind that when you ask us for your personal information, or you ask us to delete your personal information, we may need to withhold or retain some of that personal information for security, legal, or anti-fraud reasons. Also, we do need some of the personal information we have to maintain customer accounts. If you ask us to delete that information, we may not be able to continue providing you our services.
If you want to remove a program or application from your Authy account that uses the Authy 2-Factor API, but you do not want to delete your entire Authy account, you should contact the provider of the program or application that you want to remove.
Promotional communications. In addition, you can choose not to receive promotional emails from us by following the unsubscribe/opt-out instructions in those emails. You can also opt-out by contacting customer support. Please note that even if you opt out of promotional communications, we may still send you non-promotional messages relating to things like updates to our terms of service or privacy notices, security alerts, and other notices relating to your access to or use of our products and services.
International data transfers
Your personal information may be transferred to the United States, and possibly other countries where we or our service providers operate. Twilio employs appropriate safeguards for cross-border transfers of personal information, as required by applicable local law.
Twilio has established and implemented a set of Binding Corporate Rules (“BCRs”) for internal transfers of Authy personal information between Twilio group companies in the European Union and Twilio group companies elsewhere. Twilio’s BCRs have been approved by European Union Data Protection Authorities and are a commitment by Twilio to adequately protect personal information that Twilio processes regardless of where the information resides. You can access Twilio’s BCR controller policy here.
Where Twilio’s BCRs do not apply, we will rely instead on other safeguards to transfer personal information outside the European Economic Area (EEA) and Switzerland, such as European Union Model Clauses, also known as Standard Contractual Clauses. You can read more about these in the main Twilio Privacy Notice and in the Data Protection Addendum that we provide to all our customers.
Legal basis for processing personal information (EEA only)
If you are from the EEA, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.
However, we normally collect personal information from you only where we need the personal information to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms, or where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person such as in the case where we request personal information from you in response to a request from law enforcement.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us by using the contact details provided in the “How you contact us” section above.
How we secure your personal information
We use appropriate measures to protect the security of your personal information both online and offline. These measures vary based on the sensitivity of the information that we collect, process and store and the current state of technology. Please note though that no service is completely secure. So, while we strive to protect your personal information, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.
There are also things you can do to add extra protection to your Authy account. First, you should password protect or activate biometrics (like Touch ID) for all devices on which you have downloaded the Authy app. This will prevent unauthorized users from accessing your Authy app. Further, you have the option of setting a protection pin for your Authy app. You can do this by going into your app and clicking on settings. In settings, you should click on “Protection Pin.” You can choose to include a Protection Pin which will require you to enter a pin number of your choosing before accessing settings and your Account Info. Depending on your device’s capabilities, you may also be able to add biometric protection. You can also choose to protect the entire app which will require you to enter your chosen Pin and/or use biometric to open the Authy app on your device. We recommend that if you have downloaded Authy onto a shared device, that you use this last option of protecting the entire app.
If you have multiple devices associated with your account and one of your devices is lost or stolen, you can remove that device from your circle of trusted devices by going into one of the other devices associated with your account, and over which you still control, and remove the lost or stolen device under Settings > Devices. If you only have a single device that is associated with your Authy account and that device is lost or stolen, you can alert us through customer service.
Handling disputes relating to our privacy practices
If you have a dispute with us relating to our privacy practices, please contact our customer support or email us at firstname.lastname@example.org or contact our Customer Support. Most disputes can be resolved that way. If we can’t resolve our dispute that way, and you live in the U.S. or Canada, please see Section 9.7 (Agreement to Arbitrate) of our Terms of Service, which describes how disputes will be resolved between us. As described in that section, the American Arbitration Association will conduct the dispute resolution proceedings. Please be sure to review our Terms of Service, including Section 9.7, before you use any of our products and services.
If you’re in Europe, you may complain to an independent dispute resolution provider, at no cost to you. We outline this process in our Privacy Shield Statement (while we do not rely on Privacy Shield for data transfers, we continue to comply with the framework, including its dispute resolution process).
For more information about Twilio’s complaint handling procedures, see Twilio’s BCR: Complaint Handling Procedure.
How we tell you about changes to our privacy practices
We may change our Privacy Notice from time to time. If we make changes, we’ll revise the “Last UpdatedEffective” date at the top of this notice, and we may provide additional notice such as on the Twilio website homepage, in the app, or via the email address we have on file for you. We will comply with applicable law with respect to any changes we make to this notice, and seek your consent to any material changes if this is required by applicable law.
Information from children
We do not knowingly permit children (under the age of 13 in the US or 16, if you live in the EEA) to sign up for an Authy account. If we discover that someone who is underage has signed up for an Authy account, we will take reasonable steps to promptly remove that person’s personal information from our records. If you believe that a person who is underage has signed up for an Authy account, please contact us at email@example.com.
You can contact the Office of the Data Protection Officer either by emailing us at firstname.lastname@example.org or by writing to us at any of the following addresses:
Twilio Ireland Limited
Twilio UK Limited