Privacy Policy

Your content never leaves your device. We store hashes and ciphertext, not emails or files. If our server is compromised, an attacker should get nothing useful.

Last updated: April 22, 2026 · Operator: Finch Business Services LLC

What AIAuth Does

AIAuth creates tamper-proof receipts for AI-generated work. You interact with it through the Chrome extension, a desktop agent, or direct API calls. The free tier is anonymous by design; the Enterprise tier is self-hosted and runs on your own infrastructure.

What We Store on the Free Tier

1. The anonymous hash registry

Every attested content hash gets a row in a six-column registry:

  • content_hash — SHA-256 of your content (one-way; cannot be reversed)
  • receipt_id — a random UUID
  • parent_hash — the previous version's hash, for chain discovery
  • doc_id — persistent document identifier
  • content_hash_canonical — SHA-256 of the canonical text (enables cross-format chain: xlsx → csv → pdf)
  • registered_at — timestamp

No email. No name. No content. No IP address. Nothing here identifies a person.

2. Email address and account_id — ONLY if you create an account

Creating an account is optional. You can use AIAuth without one — the Chrome extension's "Start Attesting" button enables attestation immediately. An account is only needed if you want to link email addresses across devices, verify your identity for cross-person chain-of-custody use cases, or manage consent for enterprise deployments.

When you create an account, we store:

  • An HMAC hash of your email (never the plaintext)
  • An account identifier
  • Timestamps (created, updated, verified)
  • A separate "domain" field (e.g. acme.com) for enterprise-domain matching

We cannot enumerate who is registered — the hash is salted with a server secret. The only way your email is linked to your account in our database is through the one-way hash.

3. Authentication ephemera

For magic-link logins we store single-use nonces (to prevent token replay) and revoked session IDs (for logout). Both are auto-pruned. No long-lived identifiers.

What We Never Store on the Free Tier

  • Your content. Only a SHA-256 hash is sent, and hashes are one-way.
  • Plaintext emails. We hash with HMAC-SHA256 before writing to disk. Our own database dumps show 64-character hashes, not email addresses.
  • Receipt contents. The full signed receipt is returned to your device; we sign and forget.
  • Behavioral metadata. Time-to-attest, destinations, classifications, concurrent AI apps — none of these are captured on the free tier. (Enterprise customers opt in to these for their own dashboards, on their own servers.)
  • Prompt text. If you attest AI output and we detect the prompt that produced it, only its one-way hash is recorded. We never see the prompt.

Data Hardening

If someone breaks into our server, they should get as little as possible. Concretely:

  • Email addresses are stored as HMAC hashes, salted with a server secret.
  • Enterprise-tier user identifiers (uid) are stored as AES-GCM ciphertext; only an authenticated admin of the owning organization can decrypt them, and only at response time — never written to a log.
  • Consent-log details (who requested what access) are stored as AES-GCM ciphertext.
  • Magic-link emails are delivered via a transactional email provider (Resend) and never written to our filesystem. Local file logging of magic links is off by default.
  • The one residual risk is our private signing keys — losing them means receipts can't be verified, so we keep them on encrypted offline backups and rotate annually. A new signing key never invalidates historical receipts; the old public key stays in our key manifest for verification.
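
The email handling described above ("An HMAC hash of your email", "salted with a server secret"), as an added Python illustration: it is not AIAuth's code, and the key size, the trim-and-lowercase normalization and every function name are assumptions. It contrasts a keyed HMAC-SHA256 digest with a plain SHA-256 digest when someone holding only the stored digests tries to confirm guessed addresses.

```python
import hashlib
import hmac
import secrets

# Assumption: a 32-byte random server secret kept outside the database.
SERVER_SECRET = secrets.token_bytes(32)


def normalize_email(email: str) -> bytes:
    """Assumed normalization: trim whitespace and lowercase before hashing."""
    return email.strip().lower().encode("utf-8")


def email_pseudonym(email: str, key: bytes) -> str:
    """Keyed one-way identifier: hex HMAC-SHA256(key, normalized email)."""
    return hmac.new(key, normalize_email(email), hashlib.sha256).hexdigest()


def unkeyed_hash(email: str) -> str:
    """Plain SHA-256 of the email, shown only for comparison."""
    return hashlib.sha256(normalize_email(email)).hexdigest()


def lookup(db: dict, email: str, key: bytes):
    """Server-side lookup: recompute the HMAC and fetch the matching row."""
    return db.get(email_pseudonym(email, key))


def guesses_confirmed(stored: set, guesses: list, hash_fn) -> list:
    """Guessed addresses that a holder of the stored digests can confirm."""
    return [g for g in guesses if hash_fn(g) in stored]


# Constructed sample data (example.com addresses, not real accounts).
accounts = ["alice@example.com", "bob@example.com"]
keyed_db = {email_pseudonym(e, SERVER_SECRET): {"account_id": i}
            for i, e in enumerate(accounts)}
unkeyed_dump = {unkeyed_hash(e) for e in accounts}
guess_list = ["alice@example.com", "carol@example.com"]

# A dump of unkeyed digests lets anyone confirm a guessed address.
leak_unkeyed = guesses_confirmed(unkeyed_dump, guess_list, unkeyed_hash)

# A dump of HMAC digests without the real key confirms nothing.
wrong_key = secrets.token_bytes(32)
leak_keyed = guesses_confirmed(
    set(keyed_db), guess_list, lambda e: email_pseudonym(e, wrong_key))
```

The separation only holds while the server secret is stored apart from the database; a dump that includes the key can be guessed against like the unkeyed digests.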

What Changes on the Enterprise Tier

AIAuth Enterprise is self-hosted. You run the server on your own infrastructure, your IT team manages the keys, and your employees' attestation data stays on your network. We never see it. Finch Business Services LLC is a software vendor, not a data processor, for enterprise deployments. Your organization's own privacy policy governs the data your server processes.

GDPR and Data Subject Rights

Because the hash registry contains no personally identifiable information, registry rows are not subject to GDPR — a hash cannot be traced to you.

For accounts, you have the right to export, pseudonymize, or delete your data. Contact us at privacy@aiauth.app and we will respond within 30 days. In most cases, deleting your local data (by uninstalling the extension) and requesting account deletion is sufficient.

What We Don't Do

  • No tracking across sites. No analytics. No ad pixels.
  • No third-party SDKs in the Chrome extension.
  • No selling, renting, or sharing of your data.
  • No scraping or retention of the content you attest.

Server Logs

Our reverse proxy (nginx) logs standard HTTP access records — timestamps, paths, status codes, IP addresses — for operational reliability and abuse prevention. These are rotated weekly and not linked to any user profile (because we don't maintain user profiles in the traditional sense).

Third-Party Services

Our website loads typography fonts from Google Fonts. When you visit a page on aiauth.app, your browser fetches font files from Google's CDN — subject to Google's own privacy terms. The Chrome extension loads no third-party resources.

Our transactional email provider is Resend. They hold email-delivery metadata (recipient address, timestamp) for up to 30 days for deliverability diagnostics. We do not transmit anything else to them.

Children

AIAuth is not directed to children under 13 and does not knowingly collect information from them.

Honest Reality

AIAuth is built by a one-person business. We offer no SLAs, no 24/7 support line, and no formal data-protection officer. What we offer is software that tries to be small, honest, and correct. If you have questions or concerns, you'll get a direct reply from a human within a few days.

Changes to This Policy

Material changes are announced on this page and the "last updated" date changes. The core guarantees (content never transmitted; no plaintext emails stored; no selling data) will never change without a new major version and explicit notice to existing account holders.

Contact

Questions: privacy@aiauth.app. Security advisories: security@aiauth.app.