Privacy Policy
Effective Date: July 10, 2026
1. Introduction
1.1 This Privacy Policy explains how AGW Solutions, LLC ("AGW Solutions," "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with the AwayAuth service (the "Service").
1.2 AwayAuth is a personal anti-impersonation tool. Because the Service exists to protect identity, we take a data-minimization approach: we collect only what we need to provide and secure the Service, and we treat verification and audit history as sensitive.
1.3 This Policy applies to the Personal (free) and Family (paid) plans. We are the controller of the personal data described here (see Section 10).
2. Data We Collect and Why
2.1 Account data. Email address (required) and, optionally, a phone number. Why: to create and secure your account, enable verification, and communicate with you about the Service.
2.2 Device and credential metadata. Public keys and related credential/passkey and hardware-security-key metadata. Why: to authenticate you using passkeys/WebAuthn (FIDO2) without passwords or SMS codes. We do not collect your biometrics. Biometric device unlock happens entirely on your device; your fingerprint, face, or other biometric data never leaves your device and is never transmitted to or stored by AwayAuth. We receive only cryptographic public-key material, not biometric templates.
2.3 Verification session history and audit logs. Records of verification activity: who verified whom, when, the outcome, and any fraud reports. Why: to provide the Service, allow review of activity, support security and fraud investigations, and meet legal or audit obligations. Sensitivity: this history can reveal relationships and calling patterns, so we treat it as sensitive and apply heightened access and retention controls.
2.4 Pairing secrets. The shared secrets used to derive rotating one-time codes. Protection: pairing secrets are encrypted at rest using AWS KMS envelope encryption and handled under strict access controls.
2.5 Waitlist data. If you request an invite, the email address and any optional details you provide. Protection: waitlist emails are stored encrypted at rest, used only to manage access and shape what we build, and deleted on request.
2.6 Minimal usage and security telemetry. Limited technical and security signals needed to keep the Service reliable and safe (for example, error and abuse-prevention events). We keep this minimal and avoid unnecessary tracking.
We do not collect payment card numbers directly; paid-plan billing is handled by our payment processor.
3. Lawful Bases for Processing (GDPR / UK GDPR)
Where the GDPR or UK GDPR applies, we rely on: (a) performance of a contract — to provide the Service; (b) legitimate interests — to secure the Service, prevent fraud and abuse, maintain audit logs, and improve reliability, balanced against your rights; (c) legal obligation — to comply with applicable laws and record-keeping duties; and (d) consent — where required, which you may withdraw at any time.
4. How We Use Personal Data
We use personal data to: (a) provide, operate, and maintain the Service, including verifications and managing your account; (b) secure the Service and prevent, detect, and investigate fraud, impersonation, and abuse; (c) provide customer support; (d) send service and security communications; (e) maintain audit logs and comply with legal, regulatory, and accounting obligations; and (f) analyze and improve reliability and security using minimal telemetry. We do not sell personal data, and we do not use it for cross-context behavioral advertising.
5. How We Disclose Personal Data
5.1 Service providers (processors). We share personal data with vendors who process it on our behalf under contract, including Amazon Web Services (AWS) for hosting (US region), our payment processor for billing, and support and communications tools.
5.2 Within verification. By design, when you complete a verification, the other party in the pairing learns that verification succeeded or failed and the identity signal being confirmed.
5.3 Legal and safety. We may disclose personal data to comply with law, valid legal process, or governmental request, or to protect the rights, safety, or property of our users, the public, or AGW Solutions.
5.4 Business transfers. In a merger, acquisition, financing, or sale of assets, personal data may be transferred subject to this Policy and applicable law.
5.5 We never sell personal data and do not share it for cross-context behavioral advertising.
6. International Data Transfers
6.1 The Service is hosted in the United States (AWS US region). If you access it from outside the United States, your personal data will be transferred to and processed in the United States.
6.2 Where required for transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable), together with supplementary measures. Request more information using the contact details in Section 14.
7. Data Retention and Minimization
7.1 We retain personal data only as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements, after which we delete or anonymize it.
7.2 Current retention practice: account data is retained while your account is active and for up to 30 days after closure; verification and audit logs are retained for up to 24 months to support security, fraud investigation, and legal/audit needs, then deleted or anonymized, with access restricted because the data is sensitive; pairing secrets are retained only while a pairing is active and are deleted or cryptographically destroyed after the pairing ends or on account deletion; waitlist data is retained until you join or ask to be removed; telemetry is retained for up to 90 days and kept minimal.
8. Your Privacy Rights
8.1 GDPR / UK GDPR
If you are in the EEA or UK, you have the right, subject to conditions, to: access; correct; erase ("right to be forgotten"); restrict or object to processing; data portability; withdraw consent where processing is based on consent; and lodge a complaint with your supervisory authority.
8.2 CCPA / CPRA (California)
If you are a California resident, you have the right, subject to conditions, to: know and access the personal information we collect, use, and disclose; delete it; correct it; portability; opt out of the "sale" or "sharing" of personal information — we do not sell or share personal information, so no opt-out is necessary; and be free from discrimination for exercising your rights. We do not use or disclose sensitive personal information beyond providing and securing the Service.
8.3 How to exercise your rights
To exercise any of these rights, contact us at privacy@awayauth.com. We will verify your request (for example, by confirming control of your account credential) before acting, and respond within the timeframes required by applicable law. You may use an authorized agent where the law permits, and we will not discriminate against you for exercising your rights.
9. Children's Privacy
The Service is intended for adults (18+) and is not directed to children. We do not knowingly collect personal data from children under 13 (or under 16 where a higher age applies under local law). If we learn we have collected such data without appropriate consent, we will delete it. Contact privacy@awayauth.com if you believe a child has provided us personal data.
10. Our Role
10.1 We are the controller. For the personal data described in this Policy (such as your email, optional phone number, credential metadata, your own verification activity, and waitlist data), AGW Solutions determines the purposes and means of processing and acts as the controller.
11. Security
11.1 We use technical and organizational measures designed to protect personal data, including: encryption in transit using TLS; encryption at rest, including AWS KMS envelope encryption for pairing secrets; passwordless, phishing-resistant authentication via passkeys/WebAuthn (FIDO2), biometric device unlock, and hardware security keys — with no SMS one-time passcodes; access controls and least-privilege practices, with heightened controls for sensitive verification and audit data; and monitoring and abuse-prevention safeguards.
11.2 Biometrics stay on your device and are never transmitted to or stored by us.
11.3 No system is perfectly secure. While we work to protect your data, we cannot guarantee absolute security.
12. Breach Notification
We maintain procedures to detect, investigate, and respond to security incidents. If a breach affecting personal data occurs, we will notify affected individuals and applicable regulators without undue delay and consistent with applicable law.
13. Cookies and Telemetry
We use only the cookies and similar technologies needed to operate and secure the Service (for example, to maintain a session). We keep telemetry minimal and do not use third-party advertising or cross-site tracking cookies. Where required, we will provide a cookie notice and obtain consent for any non-essential cookies.
14. Changes and Contact
14.1 Changes. We may update this Policy from time to time. If we make material changes, we will provide notice (for example, by posting the updated Policy with a new Effective Date or notifying you in-app or by email).
14.2 Contact. AGW Solutions, LLC — Privacy inquiries: privacy@awayauth.com · General: support@awayauth.com. Contact privacy@awayauth.com for our registered mailing address or details of any applicable EU/UK representative.