Privacy Policy

What we don't collect

• We never receive your TOTP secret keys.
• We never receive the 6-digit codes generated from them.
• We never receive your QR codes or otpauth:// URIs.

All TOTP math (HMAC-SHA1, time-step, truncation) runs locally in your browser using the Web Crypto API. There is no API call to a server when you generate or refresh a code.

What is processed automatically

Like any website, our hosting provider sees standard HTTP request metadata (IP address, user agent, requested path, timestamp) in their server logs for the purpose of delivering the site and protecting against abuse. We do not link this data to any identity.

Cookies

2FA auth does not set tracking cookies. The site may store small non-identifying preferences (such as your light/dark theme choice) in your browser's local storage. This data never leaves your device.

Third parties

We do not embed third-party trackers, advertising pixels, or social media widgets that receive your activity on this site.

Children

2FA auth is a general-purpose technical tool and is not directed at children under 13.

Contact

Questions about this policy? Reach out through the contact channel listed on the About page.