Elixpo Accounts

Privacy Policy

Effective: 22 June 2026 · Last updated: 22 June 2026

1. Who we are

Elixpo Accounts (the "Service") is operated by Elixpo. We provide single sign-on, OAuth identity, and account management for the Elixpo product suite and for third-party applications you grant access to.

2. Information we collect

  • Account information: email address, display name, profile photo, and optional username — provided by you or your social login provider (Google, GitHub, Discord, Microsoft).
  • Authentication signals: a hash of your IP address and a short user-agent string for each session, kept to detect suspicious sign-ins. We do not store raw IP addresses.
  • Multi-factor secrets: when you enroll TOTP, passkeys, or email OTP, we store the secrets in encrypted form on Cloudflare D1 and KV.
  • OAuth app metadata: if you register an OAuth app, we store the app name, redirect URIs, webhook endpoints, and a hashed copy of the client secret.
  • Billing data: when you subscribe to a paid tier, we store your tier and renewal date. Card details are handled exclusively by our payments partner (Razorpay via Elixpo Pay); we never see or store card numbers.

3. How we use your information

  • To authenticate you and your sessions.
  • To deliver service emails (verification, sign-in alerts, billing notifications) via our transactional mail provider (Elixpo Mails).
  • To detect and prevent abuse, fraud, and account takeover.
  • To honor your OAuth consents and forward only the profile attributes you approved to the third-party app.
  • To process payments and provision entitlements through Elixpo Pay.

4. Sharing

We share your data only with:
  • OAuth applications you explicitly grant access — and only the attributes the app requested in its scopes.
  • Service providers we depend on: Cloudflare (hosting, D1, KV), Razorpay (payments), and the identity providers you sign in with.
  • Legal authorities, when compelled by a valid legal process applicable in our operating jurisdiction.

We do not sell your personal data.

5. Data retention

We keep account data for as long as your account is active. When you delete your account, we permanently delete or anonymize your records within 30 days, except where retention is required by law (e.g. invoices and audit logs, which we keep for the period required by Indian tax law).

6. Security

We use industry-standard encryption (TLS in transit, AES-GCM at rest for sensitive fields), HMAC-signed webhooks, and hardware-backed JWT signing keys. We support hardware passkeys, TOTP, and email OTP as second factors; users with three or more OAuth apps must enroll a second factor.

7. Your rights

Depending on where you live, you may have rights to access, correct, export, or delete your personal data. Email privacy@elixpo.com and we'll respond within 30 days.

8. Children

Elixpo Accounts is not directed at children under 13. If you become aware that a child has provided us with personal data, please contact us so we can delete it.

9. Changes

We may update this policy from time to time. If we make material changes we'll notify you via email or an in-app banner at least 14 days before the change takes effect.

10. Contact

Questions about this policy: privacy@elixpo.com.