Privacy Policy

1. Introduction

Sudomimus is an authentication and authorization platform that helps applications verify the identity of their users without managing passwords. We act both as the service you sign in with and as an identity provider that, under your control, passes a limited set of identity details to the applications you choose to sign into. Sudomimus also offers a developer and organization platform where businesses register applications and manage how their users sign in.

This Privacy Policy explains what information we collect when you use Sudomimus, how we use it, how and when we share identity details with applications, and the choices available to you.

2. Information We Collect

Account information: when you sign up, we store one or more email addresses associated with your account and a unique internal account identifier. If you provide a name, we store it as well. An account can hold several verified email addresses, one of which may be marked as primary.

Authentication credentials: for passkey-based sign-in, we store the public key portion of your WebAuthn credential and metadata such as credential name and creation date. We never store private keys; they remain on your device. For email sign-in, we store the information needed to issue and verify one-time codes.

Connected third-party and native logins: if you choose to sign in through a third-party provider — Google, GitHub, Discord, Battle.net, or X — we store the subject identifier that provider assigns to you and the basic profile details (such as an email address or username) returned during sign-in. For Steam, we store the Steam ID and, where applicable, the owning Steam ID used for Family Sharing. If you use an access key to authenticate a native client, we store the records needed to validate it.

Identity claims you choose to share: separately from the above, you can grant individual applications permission to receive your email address, first name, or last name. We record these per-application choices so we can honour and revoke them. See "Sharing Your Identity With Applications" below.

Authentication logs: we record authentication attempts (timestamp, originating origin, success or failure, and a coarse-grained reason) for security monitoring, abuse prevention, and debugging.

Device information: when you authenticate, we may record the user-agent string and IP address of the request for the purposes described above.

Developer and organization information: if you create an organization or register an application, we store the details you provide — organization and application names, configuration and sign-in rules, any email domains you adopt, and enterprise sign-in (federation) connector settings, including credentials you supply for those connectors.

3. How We Use Information

We use the information we collect to: provide and operate the authentication service; verify your identity during sign-in; pass the identity details you have authorized to the applications you sign into; operate the developer and organization platform; detect, investigate, and prevent fraud, abuse, and security incidents; communicate with you about your account and the service; and comply with legal obligations.

We do not use your information to build advertising profiles, and we do not sell your information to third parties.

4. Sharing Your Identity With Applications

When you sign into an application through Sudomimus, the application does not receive your internal account identifier or your raw email address by default. Instead, it receives a purpose-scoped, opaque identifier that is unique to that application (or group of applications). That identifier cannot be linked back to you, or correlated against unrelated applications, without information only Sudomimus holds.

Beyond that opaque identifier, an application receives personal details — your email address, first name, or last name — only if you have explicitly granted them. Claim sharing is off by default: nothing is shared until you grant it, and you can revoke a grant at any time, after which the application stops receiving that detail on subsequent sign-ins. Some applications mark certain claims as required; if you decline a required claim you may be unable to complete sign-in to that application, but the choice remains yours.

Where an application signs you in using the OpenID Connect protocol, the identity details returned are further limited to the scopes that application requested and you authorized.

5. Organization-Managed and Enterprise Sign-In

If the organization that controls your email domain (for example, your employer) has adopted that domain with Sudomimus, it can influence how accounts using addresses on that domain sign in. An organization may require that sign-ins for its domain go through its own enterprise identity provider (single sign-on), or it may block Sudomimus sign-in for that domain entirely.

When you sign in through such an enterprise identity provider, identity details such as your verified email address are exchanged between that provider and Sudomimus to establish your identity. Your organization may be able to see that, and when, you authenticate through its provider. These controls apply only to addresses on a domain the organization has verified it controls.

6. Cookies and Local Storage

Sudomimus uses cookies and browser local storage to keep you signed in and to remember your preferences. Typical items we store include: an authentication token cookie scoped to the Sudomimus domain, a theme preference (sudomimus-theme) in local storage, and a locale preference cookie.

These items are necessary for the service to function. You can clear them at any time using your browser controls, but doing so will sign you out.

7. Data Retention

We retain account information for as long as your account exists. Authentication logs are retained for a limited period sufficient to support security investigations and operational debugging, after which they are deleted or anonymised. When you delete your account, we delete or anonymise associated personal data within a reasonable time, except where retention is required by law.

8. Service Providers

We do not sell your personal information. To operate the service we rely on a small number of service providers, such as a transactional email provider for delivering one-time codes and account notifications, and cloud infrastructure providers for hosting. These providers process information only on our instructions.

Separately from these providers, when you choose to sign in through a third-party login (such as Google, GitHub, Discord, Battle.net, X, or Steam) or through an organization's enterprise identity provider, information is exchanged with that party to complete sign-in, subject to that party's own privacy policy. How we share your identity details with the applications you sign into is described in "Sharing Your Identity With Applications" above.

9. Your Rights

Depending on your location, you may have rights to access, correct, export, or delete the information we hold about you, and to object to or restrict certain processing. You can review and revoke the identity details shared with each application, and manage your connected third-party logins, directly in product. Account deletion is also available directly in product — see the next section. To exercise the other rights, or if the in-product flow does not work for your situation, contact us at the address below. We will respond within the timeframe required by applicable law.

10. Deleting Your Account

You can permanently delete your Sudomimus account at any time by visiting the Profile page at with.sudomimus.com/account and using the "Delete my account" control in the Danger Zone. We ask you to re-type your email address (or display name, for accounts without an email) to confirm.

When you delete your account, we erase the personal data we hold about you: your name, email address records, passkey public keys, third-party login subject identifiers (Google, GitHub, Discord, Battle.net, X, and Steam), any access keys you registered, and the per-application claim-sharing choices you made. Audit records that mention your account are retained only as a pseudonymous account identifier; the underlying personal data inside those records (such as login emails or third-party usernames captured at the time of an authentication attempt) is redacted in the same step.

Already-issued access tokens are not actively revoked — they expire by their normal short-lived TTL (typically a few hours). Refresh tokens are revoked immediately.

If you are the sole owner of an organization that still holds live applications or sectors, you must retire or transfer those resources before deleting your account. The in-product flow tells you which organizations or applications are blocking deletion. We will not silently delete other people's data along with yours.

Account deletion is irreversible. Once erased, an account cannot be recovered; signing up again with the same email creates a fresh, unrelated account.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you through the service. Continued use of Sudomimus after a change indicates acceptance of the revised policy.

12. Contact

Questions about this Privacy Policy or our privacy practices can be sent to [email protected].