Authryn
Sign In

Privacy Policy

Last updated: December 27, 2025

1. Introduction

Authryn ("we", "our", or "us"), operated by SpendJot, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

2. Information We Collect

We collect information that you provide directly to us:

  • Account Information: Email address, password (encrypted), and profile details
  • Phone Numbers: For SMS verification purposes only
  • Transaction Data: Receipt details, descriptions, amounts, and timestamps
  • Digital Signatures: Cryptographic signatures bound to verified phone numbers
  • Payment Information: Processed securely by our payment providers

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Verify user identity through SMS verification
  • Create and authenticate digital receipts
  • Process payments and prevent fraud
  • Send important service notifications
  • Respond to customer support requests

4. Phone Number Privacy

Your phone number is protected. On receipts, phone numbers are displayed with only the last 3-4 digits visible (e.g., •••-•••-1234). We use phone numbers solely for verification purposes and never sell or share them with third parties for marketing.

5. Data Security

We take data security seriously and implement multiple layers of protection to safeguard your information:

Encryption & Cryptography

  • AES-256-GCM Encryption: All sensitive data at rest is encrypted using Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode
  • TLS 1.3: All data in transit is protected with the latest Transport Layer Security protocol
  • SHA-256 Hashing: Receipt integrity is verified using Secure Hash Algorithm 256-bit for tamper-evident records
  • Bcrypt Password Hashing: User passwords are hashed with bcrypt using adaptive cost factors, making brute-force attacks computationally infeasible
  • HMAC Signatures: Digital signatures are generated using Hash-based Message Authentication Code bound to verified phone numbers

Database & Infrastructure Security

  • Supabase PostgreSQL: Our database is hosted on Supabase with enterprise-grade security, SOC 2 Type II compliance, and automatic backups
  • Row Level Security (RLS): Database policies ensure users can only access their own data
  • Encrypted Backups: All database backups are encrypted and stored in geographically distributed locations
  • Network Isolation: Database servers are isolated in private networks with no direct public access
  • Vercel Edge Network: Application hosted on Vercel's global edge network with DDoS protection and WAF

Phone Number Protection

  • Masked Display: Phone numbers are displayed with only the last 3-4 digits visible (e.g., •••-•••-1234)
  • Hashed Storage: Full phone numbers are cryptographically hashed before storage, making them unreadable
  • VoIP Detection: We block VoIP and virtual numbers to prevent fraud and ensure authentic verification
  • Twilio Verification: SMS verification is powered by Twilio with carrier-grade security and compliance
  • No Third-Party Sharing: Phone numbers are never sold, shared, or used for marketing purposes

Authentication & Access Control

  • Supabase Auth: Secure authentication powered by Supabase with JWT tokens and refresh token rotation
  • OAuth 2.0: Google Sign-In integration using industry-standard OAuth 2.0 protocol
  • 6-Digit Passcode: Additional layer of protection for sensitive operations like receipt creation
  • OTP Verification: Time-based one-time passwords for phone verification with automatic expiration
  • Session Management: Secure session handling with automatic timeout and device tracking

Receipt Integrity & Non-Repudiation

  • Cryptographic Binding: Each signature is mathematically bound to the receipt ID, phone number, timestamp, and role
  • Tamper-Evident Records: Any modification to a receipt would invalidate its SHA-256 hash, making alterations detectable
  • Non-Transferable Signatures: Signatures cannot be copied or reused on other receipts
  • Immutable Audit Trail: All receipt actions are logged with timestamps for complete traceability
  • QR Code Verification: Each receipt includes a QR code linking to its public verification page

6. Verification Session Data

For security and functionality purposes, we track certain session data during the verification process:

  • Verification Timers: We track when a buyer accesses a verification link to enforce the 10-minute verification window
  • Receipt Creation Timestamps: Used to enforce the 24-hour inactivity timeout for pending receipts
  • Session Storage: Timer data is stored locally in your browser and is automatically cleared when the session ends

This data is used solely for enforcing verification timeframes and is not shared with third parties.

7. Data Retention

We retain your account information and transaction records for as long as your account is active or as needed to provide services. Receipts are stored permanently as part of the authenticated record. You may request deletion of your account, but authenticated receipts may be retained for legal and verification purposes.

8. Third-Party Services

We use trusted third-party services:

  • Twilio: For SMS verification
  • Supabase: For database and authentication
  • Stripe: For payment processing
  • Vercel: For hosting

These services have their own privacy policies governing their use of your data.

9. Your Rights

You have the right to:

  • Access the personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion of your account and personal data
  • Opt out of marketing communications
  • Export your transaction data

10. Cookies and Tracking

We use essential cookies to maintain your session and preferences. We do not use advertising cookies or sell your data to advertisers. We may use analytics to improve our service, but this data is anonymized.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through the Service. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact our support team.

Terms of ServiceRefund PolicySupportHome