Privacy Policy — Beezifi Identity

This Privacy Policy describes how Beezifi Inc. ("Beezifi," "we," "our," or "us") collects, uses, stores, and discloses information when you use the Beezifi Identity service (the "Service") — the centralized authentication and single sign-on platform that powers all Beezifi-connected applications. By creating an account or using the Service, you acknowledge and agree to this Privacy Policy in full.

1. Information We Collect

Account Data

When you register, we collect your display name, email address, and a password. Passwords are stored exclusively as bcrypt hashes (never in plaintext). If you enable two-factor authentication, we store an encrypted TOTP secret used solely for authentication verification.

Session & Technical Data

For security, abuse prevention, and audit purposes we collect: your IP address and browser/device type at the time of login, session tokens, timestamps of authentication events (login, logout, token issuance, revocation), and device fingerprint data used for trusted-device recognition.

OAuth2 & Application Data

If you register OAuth2 applications through the Service, we store application names, client credentials, permitted redirect URIs, and scope consent records you grant. This data is necessary to operate the authorization service.

Audit Logs

We maintain append-only audit logs of significant security events — including authentication attempts, token issuance, scope consent grants, policy changes, and admin actions — to support security monitoring and incident response.

2. How We Use Your Information

Authenticating your identity and issuing secure session and OAuth2 tokens
Enforcing access policies and detecting unauthorized access attempts
Providing, maintaining, and improving the Service
Sending transactional communications (account confirmation, password reset, security alerts)
Detecting and preventing fraud, abuse, and security incidents
Complying with applicable legal obligations

We do not sell your data. We do not use your account or session data to train machine learning models or for any advertising or marketing profiling purposes.

3. Data Isolation

User accounts are maintained in isolated, access-controlled database instances. Your authentication credentials are never accessible to or shared with other users or third-party applications beyond what you explicitly authorize through the OAuth2 consent flow.

4. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information.

Data may be shared only in the following limited circumstances:

Service providers: Infrastructure and hosting providers operate under confidentiality agreements and are permitted to use data only for service delivery.
Legal requirements: We may disclose information where required by valid subpoena, court order, or applicable law. Where legally permitted, we will provide advance notice.
Business transfers: In the event of a merger, acquisition, or asset sale, user data may be transferred. Users will be notified with a reasonable opportunity to export or delete their data.
Explicit consent: Any sharing beyond the above requires your prior written consent.

5. Data Retention

Your account data is retained while your account is active. Upon account deletion:

Account data enters a 30-day recovery window before permanent deletion
After 30 days, deletion is permanent and irreversible
Backup snapshots are purged within 90 days of deletion
Authentication logs and security records may be retained for up to 7 years to meet legal and compliance obligations

To request early deletion, contact privacy@beezifi.com.

6. Security

We implement technical safeguards including bcrypt password hashing, TLS 1.2+ encryption in transit, short-lived JSON Web Tokens, optional TOTP two-factor authentication, rate limiting, HTTP security headers, and role-based access controls. Full details are in our Security Policy.

No system is 100% secure. Despite our best efforts, we cannot guarantee absolute security of data transmitted over the internet or stored on our systems. In the event of a breach, affected users will be notified within 72 hours as required by applicable law. Beezifi Inc. shall not be liable for any damages, losses, or claims arising from unauthorized access to your account or data resulting from circumstances beyond our reasonable control, including but not limited to your own failure to maintain adequate password security or failure to enable available security features.

7. Cookies & Local Storage

The Service uses minimal browser storage:

Session cookie / localStorage: Used to maintain your authenticated session. This is essential to the functionality of the Service and cannot be disabled without preventing login.
No advertising cookies.
No third-party analytics or tracking pixels.

Clearing your browser's local storage or cookies will sign you out of the Service.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

Access: Request a copy of the personal data we hold about you
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your account and associated data
Portability: Export your data in a machine-readable format
Objection: Object to processing based on legitimate interests
Withdraw consent: Withdraw any consent-based processing at any time

To exercise these rights, contact privacy@beezifi.com. We will respond within 30 days.

9. Children's Privacy

The Service is intended for business and professional use and is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has submitted personal information, contact privacy@beezifi.com and we will promptly delete it.

10. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR UNINTERRUPTED AVAILABILITY. BEEZIFI INC. DOES NOT WARRANT THAT THE SERVICE WILL BE ERROR-FREE, SECURE, OR CONTINUOUSLY AVAILABLE.

11. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BEEZIFI INC. AND ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AND AFFILIATES SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF DATA, LOSS OF REVENUE, LOSS OF BUSINESS, OR LOSS OF GOODWILL, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF BEEZIFI INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL BEEZIFI INC.'S TOTAL CUMULATIVE LIABILITY EXCEED THE GREATER OF (A) THE AMOUNT YOU PAID FOR THE SERVICE IN THE 12 MONTHS PRECEDING THE CLAIM OR (B) ONE HUNDRED DOLLARS (USD $100).

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Governing Law

This Privacy Policy and any disputes arising out of or relating to it shall be governed by and construed in accordance with the laws of the State of Washington, United States, without regard to its conflict-of-law provisions. By using the Service, you consent to the exclusive jurisdiction of the courts located in Washington State for any matters not subject to arbitration under our Terms of Use.

14. Contact Us

For privacy-related inquiries, contact us at:
Email: privacy@beezifi.com
Response target: 5 business days