Summary

Welcome to Authy! As a courtesy, below is a quick summary of our privacy practices when you use the Authy desktop or mobile app. Please click here for the full version of our privacy notice. The full version is the one that is legally controlling.

When you use our app we collect:

  • Your phone number, device type, and email address.
  • If you use an application that integrates our 2-factor authentication API, they will send us your phone number and email address so we can validate who you are on their behalf.
  • We keep a record of your log-ins to accounts for which you use Authy for 2-factor authentication.
  • We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
  • Websites and programs that integrate our 2-factor authentication API will be able to see information they sent us about you, your login activity to their website and program, and your primary device type, but not any other websites or programs for which you use Authy.
  • We also share your data with our third party service providers as necessary for them to provide their services to us. We may also have to share your data with third parties if required to do so by law.
  • Your data will be transferred to the U.S.
  • If you have questions about our data practices or data we store about you, you can email us at privacy@twilio.com.

Full Version

Introduction
What data we collect, how we collect it and why
What we use your data for
Who we may share your data with
International Operations and Transfers Out of the EEA and Switzerland
Information from Children
How we secure your data
How we tell you about changes to our privacy practices
How to make choices about your data
How to resolve disputes relating to our privacy practices
How you contact us

Introduction

Authy, a Twilio service, offers a desktop and mobile app for two-step verification. The Authy apps generate one time passwords and push notifications on your desktop computer or mobile device that can be used as a part of a 2-step verification process with your Authy-compatible accounts to add another layer of security. Authy can be used as an alternative to programs such as Google Authenticator or as a provider of 2-factor authentication for applications or programs that directly integrate with Authy’s 2-factor authentication API.

Below is a summary of our practices when it comes to your data collected when you download and use the Authy desktop or mobile app.

If you are interested in our practices relating to data collected when you build an application that integrates with Authy’s API to add two-factor authentication to your application, click here.

For purposes of this notice, the words “our,” “us,” “we,” “Authy,” and “Twilio” refer to Twilio Inc. and our affiliates (which includes any person or entity that controls us, is controlled by us, or is under common control with us, such as our subsidiary, parent company, or our employees). If you are a user outside of the United States, this service is provided to you by Twilio Ireland Limited, located at 25-28 North Wall Quay, Dublin 1, Ireland. Twilio Ireland Limited is the controller of personal data processed in connection with your use of the Authy apps.

Before you submit any information on or through Authy, please carefully review this Notice. By using any part of the Authy apps, you consent to the collection, use, disclosure and sharing of your information as further outlined below in this Notice.

What data we collect, how we collect it and why

Device Information. When you download and open the Authy desktop or mobile app, we will automatically collect information about the type of device you have downloaded the app on and your device identifier. We collect this information to ensure we deliver the right version of the app for your device and so that we can provide appropriate follow up support as necessary.

Phone Number and Email Address. Once you open the Authy app, you will be asked to provide us with a phone number to create your Authy account. We will send a verification code to that phone number to ensure that the person creating the Authy account also has control over the phone number entered. After the phone number is verified, the phone number you use will serve as an identifier for your Authy account that allows you to add and associate additional devices to your same Authy account. The device on which you first created your Authy account is considered your “primary device.” You may also enter your email address.

If you are a user of an application or program that directly integrates with Authy’s 2-Factor Authentication API, those applications or programs will collect your phone number and email address and share that information with us so that we can use that information to associate your account on that application or program with your Authy account that you created when you downloaded the Authy app.

If you have not downloaded the Authy app, but use an application or program that directly integrates with Authy’s 2-Factor Authentication API, when that application or program shares your phone number and email address with us, we will create an Authy account for you. We will use your phone number to communicate to you verification codes so you can log into your account on that application or program.

We collect your email address as another piece of information to validate who you are if you need to recover your account or your account has been compromised, and also to communicate notices about your account to you such as suspicious logins or other activity that could be related to a compromise of your Authy account or one of your accounts in other applications or programs that integrate with the Authy 2-Factor Authentication API.

Login History and Authy Account History. Whenever you use an Authy token to log into an account, whether the token was generated on the app or one sent to you via your phone number, we collect and keep information associated with your login activity including information like your IP address, what application or program you logged in to, that you logged in, and when. If you change your phone number or email associated with your Authy account, we will also keep a log of that. We collect this information to monitor for suspicious activity and also as another piece of information that could be used to verify your identity if your account is compromised or may be compromised.

Identity Confirmation Data. If you need to change your phone number associated with your account but are not able to access your Authy app to change your number under Settings, you can submit a request to change your phone number here. If we cannot easily confirm that you are the rightful account holder of the Authy account associated with your old number, we will ask you for your phone account information and a copy of physical identification such as a driver’s license, national ID, or passport, which we then use to confirm your claim to the account. From time to time, if there are other situations where we need to verify that you are the rightful account holder of your Authy account, our support team may require you to provide identity information such as from a driver’s license, national ID or passport.

What we use your data for

We use your phone number as an identifier for your Authy account. This allows you to download the Authy app onto various devices and associate those devices with your same Authy account. We may also use your phone number to send you verification codes as a second factor for authenticating a login for an application that integrates with the Authy 2-Factor Authentication API. We also use logs of any changes to your phone number to monitor for suspicious or unusual activity and as another piece of information that could be used, if necessary, to verify your identity if your account is or may be compromised.

We use your email address, and any history of email addresses associated with your Authy account, as another piece of information that could be used, if necessary, to verify your identity if your account is or may be compromised. We also use your email address to communicate notices to you about your account, such as suspicious logins or other activity that could indicate a compromise of your account. In addition, we may use your email address to send you information about other Authy and Twilio products, services, or events that you might be interested in. You can choose not to receive marketing emails from us. If you wish to stop receiving our marketing emails you may click on the unsubscribe link that will appear at the bottom of any of our marketing emails or you can contact customer support.

We use information associated with your login activity, device information, and changes to your account to monitor for unusual or suspicious activity on your account and as any other piece of information that could be used to help us verify your identity if your account is compromised or may be compromised.

In addition to using device information as described above, we also use your device information to ensure proper delivery of our service and to provide and deliver support and maintenance of the Authy app.

Who we may share your data with

An application or program that integrates with the Authy 2-Factor API is able to access a record of the email address and phone number that it sent to Authy. It will also be able to access your primary device type and information associated with your login activity to that application or program. It may also retain this information on its own servers. It will not be able to see other accounts for which you use Authy to provide 2-factor authentication.

In addition, we may share your data with third parties as follows:

  • Third-party service providers or consultants. We may share your data with third-party service providers or consultants who need access to the data to perform their work on our behalf, like sharing data with our storage provider for the purposes of storing your data on our behalf. These third-party service providers are limited to only accessing or using this data to provide services to us and must provide reasonable assurances that they will appropriately safeguard the data.
  • Compliance with Laws. We may disclose your data to a third party if (i) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request (including to meet national security or law enforcement requirements), (ii) to enforce our agreements and policies, (iii) to protect the security or integrity of our services and products, (iv) to protect ourselves, our other customers, or the public from harm or illegal activities, or (v) to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a death or serious bodily injury. If we are required by law to disclose any of your data that directly identifies you, then we will use reasonable efforts to provide you with notice of that disclosure requirement, unless we are prohibited from doing so by statute, subpoena or court or administrative order. Further, we object to requests that we do not believe were issued properly.
  • Affiliates. We may share your data with our affiliates. We will all use the data only as described in this notice.
  • Business transfers. If we go through a corporate sale, merger, reorganization, dissolution or similar event, data we gather from you may be part of the assets transferred or shared in connection with the due diligence for any such transaction. Any acquirer or successor may continue to use the data as described in this notice.
  • Aggregated or de-identified data. We might also share data with third parties if that data has been de-identified or aggregated in a way that does not directly identify you.

International Operations and Transfers Out of the EEA and Switzerland

Twilio employs appropriate mechanisms for cross-border transfers of personal data, as required by applicable local law. Twilio has certified with the U.S. – Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from Switzerland. Twilio may process some personal data from individuals or companies in Switzerland via other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses. To learn more about the U.S.-Swiss Safe Harbor program, and to view Twilio’s certification, please visit http://export.gov/safeharbor. Twilio has further certified with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of “personal data” (as defined under the Privacy Shield principles) from applicable European Union member countries. You can access our Privacy Shield Statement here.

Information from Children

We do not knowingly collect any personal information directly from children under the age of 13. If we discover we have received any personal information from a child under the age of 13 in violation of this Policy, we will take reasonable steps to delete that information as quickly as possible. If you believe we have any information from or about anyone under the age of 13, please contact us at privacy@twilio.com.

How we secure your data

We use appropriate measures to protect the security of your data both online and offline. These measures vary based on the sensitivity of the information that we collect, process and store and the current state of technology. Please note though that no service is completely secure. So, while we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.

There are also things you can do to add extra protection to your Authy account. First, you should password protect or activate biometrics (like Touch ID) for all devices on which you have downloaded the Authy app. This will prevent unauthorized users from accessing your Authy app. Further, you have the option of setting a protection pin for your Authy app. You can do this by going into your app and clicking on settings. In settings, you should click on “Protection Pin.” You can choose to include a Protection Pin which will require you to enter a pin number of your choosing before accessing settings and your Account Info. Depending on your device’s capabilities, you may also be able to add biometric protection. You can also choose to protect the entire app which will require you to enter your chosen Pin and/or use biometrics to open the Authy app on your device. We recommend that, if you have downloaded Authy onto a shared device, you use this last option of protecting the entire app.

If you have multiple devices associated with your account and one of your devices is lost or stolen, you can remove that device from your circle of trusted devices by going into one of the other devices associated with your account, and over which you still have control, and removing the lost or stolen device under Settings > Devices. If you only have a single device that is associated with your Authy account and that device is lost or stolen, you can alert us through customer service.

How we tell you about changes to our privacy practices

We may change this privacy notice from time to time. If we make changes, we’ll revise the “Last Updated” date at the top of this notice, and we may provide additional notice such as on the Twilio website homepage, in the app, or via the email address we have on file for you. We will comply with applicable law with respect to any changes we make to this notice.

How to make choices about your data

Deletion, access, and changes to your data. You can make changes to your information associated with your account by going into the settings in the Authy apps. You can also make a request to change your phone number associated with your account by clicking here.

To make a request for deletion of your Authy account or to make a request to access additional information associated with your account, you may email privacy@twilio.com.

If you want to remove a program or application from your Authy account, but you do not want to delete your entire Authy account, you should contact the provider of the program or application that you want to remove.

Promotional communications. You can choose not to receive promotional emails from us by following the unsubscribe/opt-out instructions in those emails. You can also opt-out by contacting customer support. Please note that even if you opt out of promotional communications, we may still send you non-promotional messages relating to things like updates to our terms of service or privacy notices, security alerts, and other notices relating to your access to or use of our products and services.

How to resolve disputes relating to our privacy practices

Except for residents of the European Union, if you have a dispute with us relating to our privacy practices, please contact our customer support or email us at privacy@twilio.com. Most disputes can be resolved that way. If we can’t resolve our dispute that way, and you live in the U.S. or Canada, please see Section 17 (Agreement to Arbitrate) of our Terms of Service, which describes how disputes will be resolved between us. As described in that section, the American Arbitration Association (http://www.adr.org) will conduct the dispute resolution proceedings. Please be sure to review our Terms of Service, including Section 17, before you use any of our products and services. European residents with disputes regarding our privacy practices should refer to our Privacy Shield Statement for information on resolving such disputes.

How you contact us

You may contact us via email at privacy@twilio.com. Or, you may write to us at the address listed below.

Twilio Inc.
375 Beale Street, Suite 300
San Francisco, CA 94105

Twilio Ireland Limited,
25-28 North Wall Quay,
Dublin 1, Ireland