Privacy Policy

Last updated: February 11, 2026

1. Introduction

SutraID ("we," "our," or "us") operates the sutraid.com website and the SutraID identity and access management platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Service.

By accessing or using SutraID, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name (optional), and profile picture when you create an account.
  • Authentication Credentials: Password hashes (if using password-based auth). We never store plaintext passwords.
  • Organization Data: Organization name, domain, and member details for enterprise accounts.
  • Communications: Any information you provide when contacting support.

2.2 Information Collected Automatically

  • Usage Data: IP address, browser type, device information, pages visited, and timestamps.
  • Authentication Logs: Login timestamps, authentication method used, IP address, and device fingerprint for security purposes.
  • Session Data: Session tokens and refresh tokens to maintain your authenticated state.

2.3 Information from Third Parties

  • SSO Providers: When you authenticate via SAML or OIDC, we receive identity attributes (email, name, groups) from your identity provider as configured by your organization.

3. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Authenticate your identity and manage sessions
  • Process and deliver magic link and password reset emails
  • Enforce security policies, detect fraud, and prevent unauthorized access
  • Send service-related communications (security alerts, account notifications)
  • Improve and optimize the Service
  • Comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising or behavioral profiling.

4. Data Storage and Security

Your data is stored in secure, SOC 2-compliant cloud infrastructure. We implement the following security measures:

  • All data in transit is encrypted via TLS 1.2+
  • Passwords are hashed using bcrypt with appropriate cost factors
  • Authentication tokens are hashed with SHA-256 before storage
  • Database connections use encrypted channels
  • Access to production systems is restricted and audited
  • Magic links and password reset tokens expire after 15 minutes

5. Data Sharing and Disclosure

We may share your information only in the following circumstances:

  • Service Providers: We use third-party services to operate our platform, including Resend (email delivery), Neon (database hosting), Vercel (web hosting), and Railway (API hosting). These providers process data on our behalf under data processing agreements.
  • Your Organization: If you use SutraID through an enterprise organization, your organization administrator may access your activity and profile data.
  • Legal Requirements: We may disclose information if required by law, regulation, or valid legal process.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

Under GDPR (EEA/UK residents)

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Restriction: Request restriction of processing
  • Portability: Request your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests

Under CCPA (California residents)

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information
  • Right to opt-out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us at privacy@sutraid.com. We will respond within 30 days.

7. Cookies and Tracking

SutraID uses only the minimal cookies and local browser storage strictly necessary for the Service to function:

  • Authentication tokens: Stored in localStorage to maintain your session
  • Theme preference: Stored in localStorage to remember your light/dark mode choice

We do not use third-party tracking cookies, advertising pixels, or analytics trackers that share data with external parties.

8. Data Retention

  • Account Data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
  • Authentication Logs: Retained for 90 days for security and audit purposes.
  • Session Tokens: Automatically expire and are purged after 30 days.
  • Magic Link Tokens: Expire after 15 minutes and are purged within 24 hours.

9. Children's Privacy

SutraID is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us at privacy@sutraid.com and we will delete it.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place, including standard contractual clauses, to protect your data in accordance with this Privacy Policy and applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: