Privacy Policy

Introduction

el2FA (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the choices you have. It applies to all users of the el2FA service, including our web application, browser extensions, and mobile apps.

We built el2FA with a privacy-first mindset. Your 2FA secret keys are encrypted on your device before they ever reach our servers, and we have no ability to access them in plain text. This principle shapes every decision we make about data handling.

By using el2FA, you agree to the practices described in this policy. If you do not agree, please do not use our service.

Information We Collect

Account Information

When you create an account, we collect your name, email address, and company name (if applicable). This information is necessary to provide you with the service, manage your subscription, and communicate with you about your account.

Usage Data

We collect anonymized usage data to understand how our product is used and where we can improve. This includes feature usage patterns, device type and operating system, browser type, and general interaction data. We do not track individual actions tied to your identity for advertising purposes.

Payment Information

Payment processing is handled by a third-party payment processor. We do not store your credit card number, CVV, or full billing details on our servers. We may retain a transaction ID, plan type, and billing email for record-keeping and support purposes.

How We Use Your Information

• Provide and maintain the service — authenticate your identity, sync your vaults, and deliver the core el2FA experience.
• Improve our product — analyze aggregated usage patterns to identify bugs, prioritize features, and optimize performance.
• Communicate with you — send account-related notifications, security alerts, and (with your consent) product updates. You can opt out of non-essential communications at any time.
• Ensure security — detect and prevent fraud, abuse, and unauthorized access to your account.

2FA Code Data

This is the most important section of our privacy policy. Your authenticator secret keys deserve special protection, and we treat them accordingly.

• Encrypted before transmission — when you add a 2FA code to el2FA, the authenticator secret key is encrypted on your device before it is transmitted to our servers. It never leaves your device in plain text.
• Encrypted at rest — secret keys are stored on our servers in encrypted form. The encryption keys needed to decrypt them are not accessible to el2FA.
• We cannot access your codes — this is by design, not by policy. The architecture of el2FA makes it technically impossible for our team to view, read, or reconstruct your authenticator codes in plain text. We deliver your encrypted data. We cannot read it.
• Decrypted only on your device — when you or an authorized team member access a shared vault, codes are decrypted locally on the requesting device. At no point during sync or storage are codes available in unencrypted form on our infrastructure.

Data Sharing

We do not sell, rent, or trade your personal information to third parties. Full stop.

We share limited data only in the following circumstances:

• Service providers — we work with trusted third parties for hosting infrastructure, payment processing, and email delivery. These providers only receive the minimum data necessary to perform their function and are contractually bound to protect it.
• Legal requirements — we may disclose information if required by law, subpoena, or court order. If legally permitted, we will notify you before doing so. Even in these cases, we cannot provide your 2FA secret keys in plain text because we do not have access to them.
• Business transfers — in the event of a merger, acquisition, or sale of assets, your data would be transferred to the successor entity under the same privacy protections described here.

Data Retention

We retain your account information and encrypted vault data for as long as your account is active and you are using the service. If you choose to delete your account, we will delete your personal data and encrypted vault data within 30 days of your request. Some data may be retained longer where required by law (for example, billing records for tax compliance), but this never includes your 2FA secret keys.

Your Rights

Regardless of where you are located, we believe you should have meaningful control over your data. You have the right to:

• Access — request a copy of the personal data we hold about you.
• Correct — update or correct inaccurate information in your account.
• Delete — request deletion of your account and associated data.
• Export — export your vault data in a portable format so you are never locked in.
• Restrict processing — ask us to limit how we use your data in certain circumstances.

We comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area and the California Consumer Privacy Act (CCPA) for California residents. If you have questions about your rights under these or other privacy regulations, contact us at privacy@el2fa.com.

Cookies

el2FA uses essential cookies only. These cookies are necessary for the service to function — they handle authentication, session management, and security tokens. We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track you across other websites.

Security

We take the security of your data seriously. Our measures include:

• Encryption in transit — all data transmitted between your device and our servers is protected with TLS 1.2 or higher.
• Encryption at rest — all stored data is encrypted at rest using industry-standard encryption algorithms.
• Regular security audits — we conduct regular internal and third-party security assessments to identify and address vulnerabilities.
• Access controls — our internal access to production systems is strictly limited, logged, and reviewed.

No system is perfectly secure, and we cannot guarantee absolute security. However, we are committed to following industry best practices and responding quickly to any security issues.

Children's Privacy

el2FA is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child under 16 has provided us with personal information, please contact us at privacy@el2fa.com.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the “last updated” date at the top of this page. For material changes that affect how we handle your data, we will notify you by email or through an in-app notification at least 30 days before the changes take effect. We encourage you to review this policy periodically.

Contact Us

If you have questions about this Privacy Policy, your data, or your rights, reach out to us:

• Email — privacy@el2fa.com

We will respond to all privacy-related inquiries within 30 days.