Privacy Policy | Logto docs

May 6, 2024

For the previous version of the Privacy Policy, please refer to the archive.

At Silverhand Inc., we take your privacy seriously. This Privacy Policy explains how we collect, use, and protect your personal information when you use any of the Logto services provided by Silverhand Inc. By using any of the Logto services (such as Logto Cloud), you agree to the terms of this Privacy Policy.

Information We Collect and the Lawful Basis for Processing

We collect the minimum amount of personal information necessary to provide our services, which includes your name, email address, and other necessary information required for authentication and authorization.

We process this personal information on the basis of the necessity for the performance of our contract with you to provide our services. If you do not provide this information, we may not be able to deliver our services effectively.

Data Processing Details

Purpose of Processing

We process your data primarily to provide and improve our services. The specific purposes for processing include:

Authentication and Authorization: We use your name, email address, and other necessary information to authenticate and authorize access to our services.
Communication: We may use your contact details to communicate with you about updates, security alerts, and support and administrative messages.
Improvement of Services: We use data from cookies and third-party analytics services, like Plausible, to understand user behavior and improve our services.
Advertising and Marketing: With the use of conversion tracking tools, such as Google Ad Conversion Tracking, we gain insights into the effectiveness of our advertising campaigns and improve them accordingly.

Processing Activities

The specific processing activities include the collection, storage, organization, structuring, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure, and destruction of your personal data.

Recipients of Personal Data

In the course of providing our services, we may share your personal data with certain third parties. These include our service providers who assist in providing our services, law enforcement agencies if required by law, and third-party platforms like Google for advertising purposes.

Your personal data will not be sold or rented to any third parties.

Automated Decision Making and Profiling

We do not use your personal data for automated decision-making or profiling purposes.

Data Subject Rights

As a data subject, you have certain rights under the GDPR, including the right to access, correct, update, or request deletion of your personal data. You also have the right to object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information. You have the right to opt-out of marketing communications we send you at any time.

If you wish to exercise any of these rights, please contact us at [email protected]. We will respond to your request within a reasonable timeframe and always within the legal maximum period of one month.

Data Retention Period

We retain your personal data only for as long as necessary to provide the services you have requested and thereafter for legitimate legal or business purposes. These might include retention periods mandated by legal, contractual, or similar obligations applicable to our business operations; for preserving, resolving, defending, or enforcing our legal/contractual rights; or needed to maintain adequate and accurate business and financial records.

Cross-Border Data Transfers

We store your personal data on secure servers located in data centers within the West Europe region. We may transfer personal data to a country outside of the European Economic Area (EEA) if necessary, for example, to a jurisdiction where our service providers are located. When we do, we ensure that an appropriate level of protection is in place to protect the personal data.

Use of Cookies

We only use strictly necessary cookies to ensure secure authentication and authorization for our services. These cookies do not contain any personal information and are deleted once you sign out of our service.

Use of Plausible Analytics

We use an analytics product called Plausible to help us improve your experience using Logto services. Plausible does not use cookies, and it does not collect any personal information. Plausible collects non-personally identifiable data such as page views, browser type, and device type.

Use of Azure Monitor Application Insights

We use Azure Monitor Application Insights, a web analytics service provided by Microsoft Azure, to monitor and improve the performance and usage of our services. This service may collect and analyze non-personally identifiable information such as user behaviors, device information, and usage patterns.

Use of Google Ad Conversion Tracking

We use Google's ad conversion tracking service to understand the effectiveness of our advertising campaigns. When you click on an ad served by Google, a conversion tracking cookie is placed on your device.

Use of Reddit Pixel

We use Reddit Pixel to track the effectiveness of our advertising campaigns on Reddit. The Reddit Pixel collects non-personally identifiable data such as page views, browser type, device type, and SHA-256 hashed email addresses.

About Google and GitHub User Data

Access to Google and GitHub User Data

Logto only accesses certain Google and GitHub account information with explicit user consent. When a user signs up for Logto, they grant us access to certain account information, such as name, email address, and profile picture.

Use of Google and GitHub User Data

Logto uses Google and GitHub user data solely for the purpose of providing our services to the user. This includes enabling the user to sign in to our app, and providing access to necessary features within Logto Cloud.

Storage of Google and GitHub User Data

Logto stores Google and GitHub user data on secure servers located in data centers within the West Europe region.

Logto does not share Google and GitHub user data with any third parties, except as required by law or to comply with legal process.

We do not sell, rent, or share any personal information with third parties, except as required by law, or to comply with legal process, or as necessary to provide our services.

Data Security

We take the security of your personal information seriously and have implemented various security measures to protect it, including but not limited to:

Secure Communication: The communication between any public party to Logto services is enforced by TLS (Transport Layer Security) to ensure that all data transmitted between you and our service is encrypted and secure.
Private Database Network: The Logto database stays in a private network in the Azure West Europe region, with no direct access to the public internet. This ensures that your data is stored in a secure and protected environment.
Data Isolation: Every tenant has a dedicated database role and every business table has enforced Row-Level Security to ensure that your data is isolated in the database. This means that only authorized users have access to the data, and each tenant's data is separated from other tenants.
Password Encryption: Logto will not store passwords in plain text. All passwords are encrypted using the Argon2 algorithm, which is a secure password hashing algorithm. This ensures that even if a data breach were to occur, your password would not be compromised.
Database Encryption: All data stored in the Logto database is encrypted at rest. See Information protection and encryption for more information.

We regularly review our security practices and update them as necessary to ensure that your personal information is protected. If you have any questions or concerns about the security of your personal information, please contact us at [email protected].

Subprocessor List

We use the following subprocessors to provide our services:

Microsoft Azure: Cloud infrastructure provider
Cloudflare: Content delivery network and DDoS protection service
SendGrid: Email delivery service
Stripe: Payment processing service

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make any material changes to this policy, we will notify in accordance with the Terms of Service.

Data Protection Officer

Data Protection Officer: Gao Sun

If you have any concerns about our use of your personal data, you can make a complaint to us at [email protected]. You can also complain to the data protection authority in your country of residence, place of work, or where an alleged infringement of data protection law has occurred.

Contact Us

If you have any questions or concerns about our Privacy Policy, please contact us at [email protected].

Information We Collect and the Lawful Basis for Processing​

Data Processing Details​

Purpose of Processing​

Processing Activities​

Recipients of Personal Data​

Automated Decision Making and Profiling​

Data Subject Rights​

Data Retention Period​

Cross-Border Data Transfers​

Use of Cookies​

Use of Plausible Analytics​

Use of Azure Monitor Application Insights​

Use of Google Ad Conversion Tracking​

Use of Reddit Pixel​

About Google and GitHub User Data​

Access to Google and GitHub User Data​

Use of Google and GitHub User Data​

Storage of Google and GitHub User Data​

Sharing of Google and GitHub User Data​

Information Sharing​

Data Security​

Subprocessor List​

Changes to this Privacy Policy​

Data Protection Officer​

Contact Us​