Privacy Policy

Effective date: 1 June 2026 · Last updated: 1 June 2026

This Privacy Policy explains how ONLYauth ("we", "us", "our") handles your personal data when you use our authentication service. We have designed ONLYauth to collect and retain as little personal data as technically possible.

1. Data controller

The data controller for ONLYauth is the ONLYauth project. Contact: privacy@getonly.co.

2. What data we collect

Your email address (processed, not stored in readable form)
When you sign in, your email address is immediately transformed using a one-way cryptographic hash (HMAC-SHA256). We never store your email address in readable form. The hash is used solely to identify your account. We cannot reverse it to obtain your email.

Per-service anonymous identifiers
For each application you sign in to via ONLYauth, we compute a separate pseudonymous identifier derived from your email hash and the application's client ID. This means different applications receive different identifiers — they cannot link your activity across services.

Session data
We store short-lived authentication sessions (authorization codes, access tokens, ID tokens) to complete the sign-in flow. These expire within one hour and are stored in our database in encrypted form.

Invite records
If you receive or send an invite, we store a record of the email hash of the invited address and the identifier of the inviter. No plaintext email addresses are stored in invite records.

Server logs
Our hosting provider (Railway) may retain standard server logs (IP addresses, request paths, timestamps) for up to 30 days for operational purposes.

3. Legal basis for processing (GDPR)

We process your data on the basis of:

  • Contract performance (Art. 6(1)(b) GDPR) — processing your email hash is necessary to authenticate you and provide the service.
  • Legitimate interests (Art. 6(1)(f) GDPR) — retaining invite records to prevent abuse.

4. Data retention

  • Authentication sessions: deleted automatically after expiry (1 hour or less)
  • Allowlist records (your email hash): retained for as long as your account is active
  • Invite records: retained for 12 months, then deleted
  • Server logs: up to 30 days (controlled by our hosting provider)

5. Data sharing

We do not sell your data. We do not share your data with third parties for marketing. We use the following sub-processors:

  • Railway (hosting and database) — Railway Privacy Policy
  • Resend (email delivery) — Resend Privacy Policy. Your email address is passed to Resend solely to deliver the one-time sign-in code. Resend does not store it beyond delivery.

6. Your rights under GDPR

You have the right to:

  • Access — request a copy of the data we hold about you
  • Erasure — request deletion of your account and associated data
  • Restriction — request that we restrict processing of your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Lodge a complaint — with the Danish Data Protection Agency (datatilsynet.dk)

To exercise any of these rights, contact us at privacy@getonly.co. Because we store your data by email hash (not plaintext email), we will ask you to verify your identity before processing a request.

7. Security

We use HMAC-SHA256 with a server-side secret for all email hashing. Database connections are encrypted. Access tokens are short-lived and single-use. We follow security best practices for authentication systems (PKCE, signed JWTs, timing-safe comparisons).
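
The following is an added illustration of how keyed email hashing and per-application identifiers of the kind described in sections 2 and 7 can be built. It is not ONLYauth's code: the normalization rule, the derivation message format, the function names and the demo secret are all assumptions.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real service loads a random secret
# from a secrets manager, never from source code or the database.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def normalize_email(email: str) -> bytes:
    # Assumption: trim and lowercase so one mailbox always maps to one hash.
    return email.strip().lower().encode("utf-8")


def email_hash(email: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed one-way hash of the address; only this value is stored."""
    return hmac.new(secret, normalize_email(email), hashlib.sha256).hexdigest()


def pairwise_subject(stored_hash: str, client_id: str,
                     secret: bytes = SERVER_SECRET) -> str:
    """Per-application identifier derived from the stored hash and client ID."""
    # The prefix and NUL separators (assumed format) keep this output in a
    # different domain from email_hash and avoid ambiguous concatenation.
    msg = b"pairwise-sub\x00" + stored_hash.encode() + b"\x00" + client_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def matches_account(candidate_email: str, stored_hash: str,
                    secret: bytes = SERVER_SECRET) -> bool:
    """Sign-in lookup: recompute the hash and compare in constant time."""
    return hmac.compare_digest(email_hash(candidate_email, secret), stored_hash)


if __name__ == "__main__":
    stored = email_hash("Alice@Example.com ")  # constructed sample address
    print("stored hash    :", stored)
    print("sub for app-a  :", pairwise_subject(stored, "app-a"))
    print("sub for app-b  :", pairwise_subject(stored, "app-b"))
    print("sign-in match  :", matches_account("alice@example.com", stored))
    # An unkeyed SHA-256 of the same address does not reproduce the stored
    # value, so a copy of the database alone cannot be checked against guesses.
    unkeyed = hashlib.sha256(normalize_email("alice@example.com")).hexdigest()
    print("unkeyed matches:", unkeyed == stored)
```

The server-side secret is what separates this from a plain hash: anyone holding it can confirm a guessed address against a stored hash, so it has to be kept apart from the database it protects.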

8. Changes to this Policy

We may update this Privacy Policy as the service evolves. Material changes will be communicated by updating the "Last updated" date above. We encourage you to review this page periodically.

9. Contact

Privacy questions: privacy@getonly.co