LibreAuth

Privacy

Plain language

We collect the minimum needed to run a synced authenticator. We do not build advertising profiles, sell data, or run trackers on the app dashboard. This policy describes the default hosted behavior — self-hosted instances are your responsibility.

Data we store

| Data | Why | How long |
| --- | --- | --- |
| Email address | Account login | Until you delete account |
| Password hash | Authentication | Managed by Supabase Auth |
| TOTP labels | Display in vault | Until you delete entry |
| TOTP secrets | Sync across devices | Until you delete entry |
| Session cookies | Keep you signed in | Until logout or expiry |

What we do not do

  • No advertising or sponsored placements.
  • No behavioral profiling or cross-site ad tracking.
  • No analytics inside the authenticator vault, add flow, or settings.
  • No selling or renting user data to brokers.
  • No training AI models on your TOTP secrets — obviously.

Third-party processors

Hosted LibreAuth uses Supabase (database + auth), Vercel (hosting), and optionally PostHog (product analytics on marketing pages only, after cookie consent). Self-hosting removes Vercel from the chain; you choose whether to enable PostHog.

Your rights

Delete individual TOTP entries anytime from the app. Delete your account from Settings (hosted app) or your self-hosted admin. Export is manual today — copy secrets from each entry. Full export bundle is planned.

Self-hosted instances

When you deploy LibreAuth yourself, you become the data controller. Update this policy for your users, choose your region, and control retention yourself.

Cookies & local storage

  • Session cookies — set when you sign in so LibreAuth can keep you authenticated. Required for sync. Cleared on logout or expiry.
  • Theme preference — stored in your browser local storage so your chosen theme persists. Not shared with us or third parties.
  • Cookie consent — we remember that you saw this notice so we do not nag you every visit.
  • PostHog analytics — only after you accept this banner, and only on marketing and auth pages (homepage, pricing, sign-in, etc.). Not loaded on your vault, add-account, or settings screens.

We do not use advertising cookies or cross-site tracking. Use Cookie settings in the footer to reopen the banner.

Privacy FAQ

Do you see my TOTP codes?
No. Codes generate in your browser. We never compute or log them server-side.

Cookies?
Session cookies keep you signed in. Optional PostHog analytics load only after you accept the cookie banner, and only on marketing/auth pages — never inside the vault.

GDPR / CCPA?
Minimal data collection helps compliance, but self-hosting gives you the cleanest path for EU or California users.

Get started

Privacy you can verify.

Open source. Read the schema. Run your own Supabase.