Privacy Policy

Last Updated: May 11, 2026

This Privacy Policy explains how oneauth.in ("OneAuth", "we", "our", or "us") collects, uses, stores, secures, and shares information when users access our authentication, identity, authorization, account linking, and federated login services.

1. Overview

OneAuth is an identity and authentication platform that allows users to:

- Sign in using supported identity providers and social login providers.
- Link multiple authentication providers to a single OneAuth account.
- Authenticate with multi-factor authentication methods including TOTP and email OTP.
- Authorize third-party client applications using OAuth 2.0 and OpenID Connect-compatible flows.
- Receive a unique OneAuth subject identifier ("sub") for use with authorized client applications.

2. Information We Collect

2.1 Information Provided by Identity Providers

When users authenticate using third-party identity providers, we may receive:

- Provider-specific unique identifiers.
- Basic profile information.
- Email address information.
- Profile image information.
- Authentication status information.
- Account verification information.

The exact information shared depends on the permissions granted by the user and the policies of the selected identity provider.

2.2 Information Provided by Users

Users may provide:

- Email addresses for verification purposes.
- Multi-factor authentication configuration information.
- Account recovery information.
- Linked account preferences.
- Consent and authorization preferences.

2.3 Technical and Security Information

We may collect:

- IP addresses.
- Device identifiers.
- Browser and operating system information.
- Authentication timestamps.
- Session identifiers.
- Security and audit logs.
- OAuth client authorization activity.

3. How We Use Information

We use collected information to:

- Authenticate users.
- Provide OAuth 2.0 and OpenID Connect services.
- Issue and validate tokens.
- Provide multi-factor authentication.
- Link and manage multiple authentication providers.
- Prevent fraud, abuse, and unauthorized access.
- Maintain service security and integrity.
- Generate unique subject identifiers for client applications.
- Operate account recovery and security systems.
- Comply with legal obligations.

4. Subject Identifiers and Client Applications

OneAuth generates OneAuth-specific subject identifiers ("sub") for authorized client applications.

Client applications may receive:

- Subject identifiers.
- Authorized profile information.
- Verification status claims.
- Custom claims configured for the client application.

Client applications are independently responsible for how they process, store, and use information received from OneAuth.

5. Linked Accounts

Users may link multiple authentication providers and accounts to a single OneAuth account.

Linked providers may include multiple accounts from the same provider type.

Users may unlink supported authentication providers subject to security and account recovery requirements.

6. Authentication and Security

OneAuth uses security measures including:

- Multi-factor authentication.
- Time-based one-time passwords (TOTP).
- Email OTP verification.
- OAuth 2.0 authorization flows.
- OpenID Connect authentication flows.
- Access token validation.
- Refresh token rotation.
- Session monitoring.
- Encryption in transit.
- Security logging and auditing.

No method of electronic storage or transmission over the internet is completely secure, and we cannot guarantee absolute security.

7. Sharing of Information

We do not sell personal information.

Information may be shared:

- With authorized client applications based on user authorization.
- With infrastructure and security service providers.
- To comply with legal obligations.
- To protect the security, integrity, and operation of the service.
- During fraud prevention and abuse investigations.

8. OAuth and OpenID Connect Permissions

OneAuth may request permissions from third-party identity providers to:

- Authenticate users.
- Access basic profile information.
- Access email address information.
- Verify account ownership and identity.

OneAuth does not access private user content, messages, files, contacts, or other unrelated provider data unless explicitly required and authorized.

9. Data Retention

We retain information for:

- Authentication operations.
- Security monitoring.
- Fraud prevention.
- Legal compliance.
- Service integrity and reliability.

Retention periods may vary depending on operational, security, and legal requirements.

10. User Rights and Controls

Users may:

- Manage linked authentication providers.
- Configure authentication methods.
- Revoke authorized applications.
- Update account information.
- Request account deletion where applicable.
- Contact us regarding privacy concerns.

11. Third-Party Services

Authentication providers, client applications, and third-party services integrated with OneAuth may have independent privacy policies and practices.

We are not responsible for the privacy practices of third-party services.

12. Children's Privacy

OneAuth is not directed toward children under the age required by applicable laws in their jurisdiction.

13. International Use

Users understand that information may be processed and stored in jurisdictions different from their own.

14. Cookies and Similar Technologies

OneAuth uses cookies and similar technologies to operate authentication sessions, maintain security, improve user experience, prevent fraud, and support OAuth 2.0 and OpenID Connect authentication flows.

14.1 Types of Cookies We Use

Essential Cookies

Essential cookies are required for the operation and security of the service. These cookies may be used to:

- Maintain authenticated sessions.
- Protect against unauthorized access.
- Support OAuth authorization flows.
- Prevent cross-site request forgery (CSRF).
- Maintain security preferences.
- Validate refresh token and session continuity.
- Support multi-factor authentication workflows.

Security Cookies

Security-related cookies may be used to:

- Detect suspicious activity.
- Prevent abuse and fraud.
- Rate limit authentication requests.
- Identify malicious or automated activity.
- Protect account linking and authorization operations.

Preference Cookies

Preference cookies may store user-selected settings such as:

- Language preferences.
- Authentication preferences.
- Session-related preferences.
- User interface preferences.

Analytics Cookies

We may use analytics or performance-related technologies to understand service usage, improve reliability, monitor system performance, and enhance security.

14.2 Third-Party Cookies

Certain third-party services, identity providers, infrastructure providers, security services, or analytics services may place cookies or similar technologies in connection with authentication and authorization flows.

Such third-party technologies are governed by the respective third-party privacy policies.

14.3 OAuth and Authentication Sessions

Cookies may be used during:

- OAuth 2.0 authorization flows.
- OpenID Connect authentication flows.
- Multi-factor authentication verification.
- Session continuation and refresh operations.
- Account linking and unlinking operations.
- Client authorization workflows.

14.4 Cookie Retention

Some cookies are temporary session cookies and expire automatically when the browser is closed. Other cookies may persist for longer durations depending on security, authentication, or operational requirements.

14.5 Managing Cookies

Users may control or disable cookies through browser settings.

Disabling certain cookies may affect authentication functionality, security protections, account linking functionality, session continuity, or the availability of certain features.

14.6 Similar Technologies

In addition to cookies, OneAuth may use similar technologies including:

- Local storage.
- Session storage.
- Secure browser storage.
- Device identifiers.
- Token storage mechanisms.
- Security and anti-abuse technologies.

14.7 Consent

By using OneAuth, users consent to the use of cookies and similar technologies as described in this Privacy Policy, subject to applicable laws and browser settings.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Updated versions will be posted on this page with a revised effective date.

16. Contact

For privacy, security, or data protection inquiries, visit our contact page.