Privacy Policy

Last Updated: October 31, 2024

1. Introduction

Welcome to EngagePlus ("we," "our," or "us"). We are committed to protecting your privacy and being transparent about the limited data we collect. This Privacy Policy explains how we handle your information when you use our authentication widget and platform.

Our Core Privacy Principle:

We collect the absolute minimum data necessary to provide authentication services. We do not sell your data, use it for marketing purposes, or share it with third parties except as described below.

2. Data We Collect

2.1 Account Information (Dashboard Users)

When you create an account to manage authentication providers, we collect:

  • Email address - Used for login and account recovery only
  • First name - Used for personalization in the dashboard
  • Organization name - The name of your organization using EngagePlus

We do NOT collect: Last name, phone number, physical address, payment card numbers (handled by Stripe), or any other personal information beyond what's listed above.

2.2 End-User Authentication Data

When end-users authenticate through your website using our widget, we do not store their data. We act as a pass-through authentication proxy:

  • Authentication requests are proxied to your configured identity providers (Google, Facebook, etc.)
  • Identity tokens are returned directly to your application
  • We do not create user profiles or store end-user credentials
  • We only log authentication events for analytics (IP address anonymized, no PII)

2.3 Technical Data

We automatically collect:

  • Authentication events - Timestamp, provider type, success/failure status (no user identities)
  • Usage analytics - Number of authentications per organization, provider usage, feature adoption
  • Log data - IP addresses (anonymized), browser type, authentication flow errors
  • Cookies - Session cookies for dashboard login, temporary authentication state cookies (see Cookie Policy below)

2.4 Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers, CVV codes, or full payment details. We only store:

  • Stripe Customer ID (for managing subscriptions)
  • Subscription status and tier
  • Billing period end dates

3. How We Use Your Data

We use the collected data solely for:

  • Service delivery - Providing authentication services to your users
  • Account management - Managing your dashboard access and organization settings
  • Billing - Processing payments and managing subscriptions
  • Analytics - Understanding platform usage to improve our services (anonymized)
  • Security - Detecting and preventing fraud, abuse, or security incidents
  • Support - Responding to your inquiries and technical issues

We do NOT use your data for:

  • Marketing campaigns or promotional emails (unless you opt in)
  • Selling or renting to third parties
  • Behavioral advertising or tracking across other websites
  • Training AI models or data mining

4. Data Sharing

We share data only with the following third-party services necessary to operate our platform:

4.1 Service Providers

  • AWS (Amazon Web Services) - Hosting infrastructure (servers, database)
  • Upstash - Redis storage for temporary authentication tokens
  • Stripe - Payment processing and subscription management
  • Google Analytics - Anonymous usage analytics (see Cookie Policy)

4.2 Identity Providers

When end-users authenticate, their requests are proxied to the identity providers you configure (e.g., Google, Facebook, Microsoft, custom OIDC providers). These providers may collect data according to their own privacy policies.

4.3 Legal Obligations

We may disclose data if required by law, court order, or to protect our legal rights, but we will notify you unless prohibited.

4.4 Business Transfers

If EngagePlus is acquired or merged, your data may be transferred to the new entity, but this Privacy Policy will continue to apply.

5. Data Security

We implement industry-standard security measures:

  • Encryption in transit - All data transmitted over HTTPS/TLS
  • Encryption at rest - Database and backups encrypted
  • Access controls - Role-based access, multi-factor authentication
  • Token security - Cryptographically secure tokens, PKCE protection, single-use codes
  • Regular audits - Security reviews and dependency updates
  • Minimal retention - Authentication tokens expire after 10 minutes to 30 days

6. Data Retention

Data Type | Retention Period
Account information (email, name) | Until account deletion
Authorization codes | 10 minutes
Access tokens | 1 hour
Refresh tokens | 30 days
Authentication event logs | 90 days
Webhook delivery logs | 30 days
Analytics data (Google Analytics) | 14 months (configurable)
Billing records | 7 years (legal requirement)

7. Cookie Policy

7.1 Strictly Necessary Cookies

These cookies are essential for the platform to function:

Cookie Name | Purpose | Duration
session_token | Dashboard login session | 30 days
current_org | Remember selected organization | 30 days
oauth_callback_state | OAuth security (CSRF protection) | 10 minutes

7.2 Analytics Cookies (Optional)

With your consent, we use Google Analytics 4 to understand platform usage:

Cookie Name | Purpose | Duration
_ga | Google Analytics - distinguish users | 2 years
_ga_* | Google Analytics - session persistence | 2 years

IP Anonymization: We enable IP anonymization in Google Analytics, meaning your full IP address is not stored.

You can opt out of analytics cookies via the cookie consent banner or disable them in your browser settings.

8. Your Rights (GDPR & CCPA)

You have the following rights regarding your data:

  • Right to Access - Request a copy of your data
  • Right to Rectification - Correct inaccurate data
  • Right to Erasure - Delete your account and all associated data
  • Right to Restriction - Limit how we process your data
  • Right to Data Portability - Receive your data in a machine-readable format
  • Right to Object - Object to data processing (e.g., analytics)
  • Right to Withdraw Consent - Change your cookie preferences anytime

To exercise these rights, email us at privacy@engageplus.dev or delete your account directly from the dashboard settings.

9. International Data Transfers

Our servers are located in the United States (AWS US-East-1). If you access EngagePlus from outside the US, your data will be transferred to and processed in the United States.

We ensure adequate protections through:

  • Standard Contractual Clauses (SCCs) with service providers
  • Encryption in transit and at rest
  • Compliance with GDPR and CCPA requirements

10. Children's Privacy

EngagePlus is not intended for users under 16 years of age. We do not knowingly collect data from children. If you become aware that a child has provided us with personal information, please contact us at privacy@engageplus.dev.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new policy on this page
  • Updating the "Last Updated" date
  • Sending an email notification (for significant changes)

Your continued use of EngagePlus after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or concerns:

Email: privacy@engageplus.dev

Data Protection Officer: dpo@engageplus.dev

Response Time: Within 30 days (GDPR requirement)

13. Additional Rights by Jurisdiction

13.1 European Union (GDPR)

If you are in the EU/EEA, you have additional rights under GDPR, including the right to lodge a complaint with your local supervisory authority.

13.2 California (CCPA)

California residents have the right to request:

  • Categories of personal information collected
  • Purpose for collecting personal information
  • Categories of third parties with whom we share data
  • Deletion of personal information (with exceptions for legal compliance)

We do not sell personal information as defined by CCPA.

Privacy Summary

  • Minimal data collection - Only email and first name for dashboard users
  • No end-user data storage - We don't create user profiles
  • No marketing use - Your data is never sold or used for ads
  • Strong security - Encryption, PKCE, secure tokens
  • GDPR & CCPA compliant - Full data rights support
  • Transparent - Clear about what we collect and why