Privacy Policy

Privacy Policy

Your content never leaves your device. We store hashes and ciphertext, not emails or files. If our server is compromised, an attacker should get nothing useful.

Last updated: April 22, 2026 · Operator: Finch Business Services LLC

What AIAuth Does

AIAuth creates tamper-proof receipts for AI-generated work. You interact with it through the Chrome extension, a desktop agent, or direct API calls. The free tier is anonymous by design; the Enterprise tier is self-hosted and runs on your own infrastructure.

What We Store on the Free Tier

1. The anonymous hash registry

Every attested content hash gets a row in a six-column registry:

  • content_hash — SHA-256 of your content (one-way; cannot be reversed)
  • receipt_id — a random UUID
  • parent_hash — the previous version's hash, for chain discovery
  • doc_id — persistent document identifier
  • content_hash_canonical — SHA-256 of the canonical text (enables cross-format chain: xlsx → csv → pdf)
  • registered_at — timestamp

No email. No name. No content. No IP address. Nothing here identifies a person.

2. Email address and account_id — ONLY if you create an account

Creating an account is optional. You can use AIAuth without one — the Chrome extension's "Start Attesting" button enables attestation immediately. An account is only needed if you want to link email addresses across devices, verify your identity for cross-person chain-of-custody use cases, or manage consent for enterprise deployments.

When you create an account, we store:

  • An HMAC hash of your email (never the plaintext)
  • An account identifier
  • Timestamps (created, updated, verified)
  • A separate "domain" field (e.g. acme.com) for enterprise-domain matching

We cannot enumerate who is registered — the hash is salted with a server secret. The only way your email is linked to your account in our database is through the one-way hash.

3. Authentication ephemera

For magic-link logins we store single-use nonces (to prevent token replay) and revoked session IDs (for logout). Both are auto-pruned. No long-lived identifiers.

What We Never Store on the Free Tier

  • Your content. Only a SHA-256 hash is sent, and hashes are one-way.
  • Plaintext emails. We hash with HMAC-SHA256 before writing to disk. Our own database dumps show 64-character hashes, not email addresses.
  • Receipt contents. The full signed receipt is returned to your device; we sign and forget.
  • Behavioral metadata. Time-to-attest, destinations, classifications, concurrent AI apps — none of these are captured on the free tier. (Enterprise customers opt in to these for their own dashboards, on their own servers.)
  • Prompt text. If you attest AI output and we detect the prompt that produced it, only its one-way hash is recorded. We never see the prompt.

Data Hardening

If someone breaks into our server, they should get as little as possible. Concretely:

  • Email addresses are stored as HMAC hashes, salted with a server secret.
  • Enterprise-tier user identifiers (uid) are stored as AES-GCM ciphertext; only an authenticated admin of the owning organization can decrypt them, and only at response time — never written to a log.
  • Consent-log details (who requested what access) are stored as AES-GCM ciphertext.
  • Magic-link emails are delivered via a transactional email provider (Resend) and never written to our filesystem. Local file logging of magic links is off by default.
  • The one residual risk is our private signing keys — losing them means receipts can't be verified, so we keep them on encrypted offline backups and rotate annually. A new signing key never invalidates historical receipts; the old public key stays in our key manifest for verification.

What Changes on the Enterprise Tier

AIAuth Enterprise is self-hosted. You run the server on your own infrastructure, your IT team manages the keys, and your employees' attestation data stays on your network. We never see it. Finch Business Services LLC is a software vendor, not a data processor, for enterprise deployments. Your organization's own privacy policy governs the data your server processes.

GDPR and Data Subject Rights

Because the hash registry contains no personally identifiable information, registry rows are not subject to GDPR — a hash cannot be traced to you.

For accounts, you have the right to export, pseudonymize, or delete your data. Contact us at privacy@aiauth.app and we will respond within 30 days. In most cases, deleting your local data (by uninstalling the extension) and requesting account deletion is sufficient.

What We Don't Do

  • No tracking across sites. No analytics. No ad pixels.
  • No third-party SDKs in the Chrome extension.
  • No selling, renting, or sharing of your data.
  • No scraping or retention of the content you attest.

Server Logs

The reverse proxy (nginx) records standard HTTP access entries — timestamps, paths, status codes, IP addresses — for operational reliability and abuse prevention. Logs are rotated weekly and are not joined to any account profile; AIAuth does not maintain per-user behavioral profiles of any kind.

Third-Party Services

The AIAuth website loads typography fonts from Google Fonts. When you visit a page on aiauth.app, your browser fetches font files from Google's CDN, subject to Google's own privacy terms. The Chrome extension loads no third-party resources.

AIAuth's transactional-email provider is Resend. Resend retains email-delivery metadata (recipient address, timestamp) for up to 30 days for deliverability diagnostics. No other data is transmitted to Resend.

Children

AIAuth is not directed to children under 13 and does not knowingly collect information from them.

Service Commitments

AIAuth is operated by Finch Business Services LLC, a privately held company. Free-tier service is provided without formal SLAs. Enterprise customers receive support levels defined in their executed service agreement. Material operational changes — including any planned discontinuation of the free tier — are announced with at least 90 days of notice per the Terms of Service. The core privacy guarantees on this page are contractual commitments; they will not be weakened without a new major version, a clear diff, and explicit notice to existing account holders.

Contact

Privacy inquiries: privacy@aiauth.app. Security disclosures: security@aiauth.app. Commercial inquiries: sales@aiauth.app.