Privacy Policy - SecureSonic
Privacy First Approach: SecureSonic is designed with privacy as a fundamental principle. We believe your authentication data should remain yours and yours alone.
1. Information We Collect
1.1 Authentication Data
SecureSonic stores the following information locally on your device:
- Account Names: Service names and account identifiers you add
- Shared Secrets: Encrypted authentication keys for generating codes
- Configuration Settings: Time intervals, algorithm preferences, and app settings
- Usage Timestamps: When codes were last generated (stored locally only)
1.2 Device Information
We may collect minimal device information for security purposes:
- Device type and operating system version
- App version information
- Crash reports and error logs (anonymized)
1.3 What We Don't Collect
Zero-Knowledge Architecture
SecureSonic explicitly does NOT collect:
- Your authentication codes or secrets
- Personal identifying information
- Location data
- Contact lists or device contents
- Browsing history or usage patterns
2. How We Use Your Information
The limited information we process is used solely for:
- Core Functionality: Generating time-based and counter-based authentication codes
- Security: Protecting your accounts through secure code generation
- App Improvement: Analyzing anonymized crash reports to fix bugs
- Support: Providing technical assistance when requested
3. Data Storage and Security
3.1 Local Storage
All your authentication data is stored locally on your device using:
- AES-256 Encryption: Industry-standard encryption for all sensitive data
- Secure Keychain/Keystore: Platform-native secure storage systems
- Biometric Protection: Optional fingerprint, face, or PIN protection
3.2 Cloud Backup (Optional)
If you enable cloud backup features:
- Data is encrypted before leaving your device
- We cannot decrypt your backed-up data
- You control backup frequency and retention
- Backups can be deleted at any time
3.3 Data Transmission
SecureSonic operates primarily offline. When network access is required:
- All communications use TLS 1.3 encryption
- Certificate pinning prevents man-in-the-middle attacks
- No authentication secrets are transmitted
4. Data Sharing and Disclosure
No Data Sharing: SecureSonic does not sell, rent, or share your personal information with third parties for commercial purposes.
We may disclose limited information only in the following circumstances:
- Legal Requirements: When required by law or valid legal process
- Security Threats: To protect against fraud or security threats
- Service Providers: Minimal data shared with trusted partners (crash reporting, etc.)
5. Your Rights and Controls
5.1 Data Access and Control
You have complete control over your data:
- Export: Export your authentication data in standard formats
- Delete: Remove individual accounts or all data at any time
- Modify: Edit account names, icons, and settings
- Backup Control: Enable/disable cloud synchronization
5.2 Privacy Settings
SecureSonic provides granular privacy controls:
- Screen recording protection
- App backgrounding privacy
- Automatic lock timers
- Screenshot prevention options
6. International Data Transfers
Since SecureSonic primarily operates locally on your device, international data transfers are minimal. When they occur (such as for app updates or support), we ensure:
- Compliance with GDPR, CCPA, and other privacy regulations
- Appropriate safeguards for data protection
- User consent where required
7. Children's Privacy
SecureSonic does not knowingly collect personal information from children under 13. If we become aware that a child has provided us with personal information, we will take steps to delete such information promptly.
8. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will:
- Notify users of material changes through in-app notifications
- Provide 30 days' notice before changes take effect
- Maintain previous versions for reference
- Allow users to review changes before acceptance
9. Security Incident Response
In the unlikely event of a security incident: