# Privacy Policy
Effective date: March 21, 2026 · Last updated: March 21, 2026
## Who we are
FactorCat is a multi-factor authentication (MFA) platform that connects your browser, phone, and TOTP tokens into an approve-and-autofill flow. FactorCat is operated by FactorCat ("we," "us," "our").
Contact: privacy@factorcat.com
## What we collect
### Account data
- Email address — from your OAuth provider (Google, Apple, or Microsoft). Used as your account identifier.
- Name — as provided by your OAuth provider.
- OAuth provider link — which provider(s) you've used. We never receive your provider password.
### Token metadata
- Site names, display names, domains, and URL patterns you provide when adding factors.
- Vault membership — which vault each factor belongs to and its encryption mode.
### Encrypted secrets (Cloud Vault)
TOTP secrets encrypted with a server-managed key. FactorCat can decrypt these to generate codes on your behalf (web dashboard, phone-offline fallback).
### Encrypted secrets (Locked Vault)
TOTP secrets encrypted with a key derived from your master key. FactorCat stores the encrypted blob but cannot decrypt it. Only your devices can.
### Device data
- Push notification tokens (APNs, FCM) for delivering approval notifications.
- Device name as reported by your OS.
### Usage data
- Approval log — timestamp, token ID, approve/deny. No TOTP codes logged.
- Analytics — screen views, sessions (Firebase in app; GA4 on marketing site with consent). No PII.
- Error reports — crash data via Sentry. PII disabled.
## Cookies and tracking
- Marketing site: Google Analytics via GTM. Cookies load only after you consent via our cookie banner.
- Web dashboard: Essential cookies only (session authentication). No analytics tracking.
- Mobile app: Firebase Analytics (no advertising identifiers).
- Browser extension: No cookies, no tracking, no analytics.
## What we do NOT collect
- Passwords. FactorCat is MFA-only.
- Browsing history. The extension detects MFA fields on the current page only.
- Plaintext TOTP secrets in Locked Vault mode.
- Data from children. FactorCat is not intended for users under 16.
## How we use your data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the service | Account data, token metadata, encrypted secrets, device tokens | Contract (Art. 6(1)(b)) |
| Push notifications | Device push tokens | Contract (Art. 6(1)(b)) |
| Web dashboard | Token metadata, encrypted secrets (Cloud Vault) | Contract (Art. 6(1)(b)) |
| Security audit trail | Approval log | Legitimate interest (Art. 6(1)(f)) |
| Improve the product | Analytics, error reports | Consent (Art. 6(1)(a)) |
| Prevent abuse | IP, rate limiting, Turnstile | Legitimate interest (Art. 6(1)(f)) |
We do not sell your data. We do not use it for advertising. We do not engage in automated decision-making or profiling.
## International data transfers
FactorCat's infrastructure is hosted on Cloudflare's global network. Your data may be processed in countries outside your jurisdiction, including the United States. Where data is transferred outside the EEA, UK, or Canada, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and sub-processor agreements with appropriate safeguards.
## Data retention
- Account data — until you delete your account
- Token metadata + encrypted secrets — until you delete them
- Approval log — 90 days
- Analytics — per provider defaults (14 months)
- Error reports — 90 days
- Payment records — as required by tax law (typically 7 years)
## Account and data deletion
Delete your account at any time: Settings → Account → Delete Account in the mobile app, or use the web fallback. You may also email privacy@factorcat.com.
Deletion is permanent. All data is purged within 30 days. Emergency Kits stored offline by you are not affected.
## Your rights
### All users
- Access your personal data
- Correct inaccurate data
- Delete your account and data
- Export your data (via the API)
### European Economic Area and United Kingdom (GDPR / UK GDPR)
- Restrict processing of your data
- Object to processing based on legitimate interest
- Data portability — receive your data in a machine-readable format
- Withdraw consent at any time (e.g., for marketing analytics), without affecting prior processing
- Lodge a complaint with your local data protection authority (EEA DPAs or the UK ICO)
### California (CalOPPA)
- This privacy policy is conspicuously linked from our homepage and app
- We disclose what personal information we collect and with whom we share it
- We honor Do Not Track (DNT) signals — when DNT is enabled, the marketing site does not load analytics
- We do not sell personal information
### Canada (PIPEDA)
- Access your personal information held by FactorCat
- Challenge the accuracy and have it amended
- Withdraw consent for non-essential processing
- File a complaint with the Office of the Privacy Commissioner of Canada
## Security
See our security model for technical details. In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities within 72 hours as required by GDPR, or as otherwise required by applicable law.
## Age restriction
FactorCat is not intended for users under 16. We do not knowingly collect data from children. If we learn we have, we will delete it promptly. Contact privacy@factorcat.com if you believe a child has provided data.
## Changes to this policy
Material changes will be communicated via in-app notification or email at least 30 days before they take effect.
## Contact
Privacy inquiries, data access requests, or complaints:
privacy@factorcat.com
General: hello@factorcat.com