Privacy Policy
Auri Auth (Mobile App and Chrome Extension)
Effective Date: March 20, 2026
Last Revised: May 3, 2026 (added Chrome Extension section)
Operated by ff Inc.
1. Introduction
This Privacy Policy describes how ff Inc. ("we," "us," or "our") handles information in connection with the Auri Auth product family, which includes:
- The Auri Auth & Tool mobile application for iOS and Android (the "Mobile App").
- The Auri Auth Chrome browser extension (the "Extension").
These are collectively referred to as the "Service." The Mobile App is a push-based authentication tool that enables users to approve or deny authentication requests from paired services. The Extension is a TOTP (Time-based One-Time Password) authenticator. We are committed to protecting your privacy and minimizing data collection.
2. Information Collected by the Mobile App
This section applies to the Mobile App. For the Extension, see "Section 6: Chrome Extension."
The Mobile App does not collect personal information such as your name, email address, or phone number. The Mobile App does not use analytics or advertising SDKs.
2.1 Device Information
- Device name and device type (iOS or Android): Collected during device pairing to identify your device within the paired service.
2.2 Cryptographic Keys
- Ed25519 signing keys and X25519 encryption keys: Generated and stored locally in your device's secure storage. Private keys never leave your device. Only public keys are transmitted to the service server during the pairing process.
2.3 Push Notification Tokens
- Firebase Cloud Messaging (FCM) tokens: Used to deliver authentication requests to your device. These tokens are registered with the paired service server.
2.4 Location Data (Optional)
- Location data may be sent as part of an authentication request only when the paired service requires it. Location access is optional and requires your explicit permission.
2.5 Locally Processed Data
The following data is processed entirely on your device and is not transmitted to any server:
- Camera access: Used solely for scanning QR codes during device pairing.
- Bluetooth: Used for nearby device scanning.
- Local network access: Used for LAN scanning and mDNS device discovery.
- Biometric data (fingerprint or facial recognition): Used for local device authentication via the operating system's biometric APIs. Biometric data is managed by your device's operating system and is never accessed or stored by the App.
3. How We Use Information
We use the collected information exclusively for the following purposes:
- Device pairing: Registering your device with a service by transmitting your public key and device information.
- Authentication delivery: Sending push notifications containing authentication requests to your device via FCM.
- Authentication response: Transmitting your signed approval or denial back to the requesting service, along with location data if required by the service and permitted by you.
- Local security: Verifying your identity on the device through biometric authentication before processing authentication requests.
4. Third-Party Sharing
We do not sell, trade, or rent your information to third parties.
Information is shared only in the following limited circumstances:
- Firebase Cloud Messaging (Google): FCM tokens are processed by Google's Firebase service to deliver push notifications. Google's privacy policy applies to FCM: https://policies.google.com/privacy
- Paired service servers: Your public keys, device name, device type, and FCM token are transmitted to the service server you pair with. The handling of this data by the paired service is governed by that service's own privacy policy.
- Legal requirements: We may disclose information if required by law, regulation, or legal process.
5. Data Security
We implement the following measures to protect your data:
- Private cryptographic keys are stored in your device's secure storage (Keychain on iOS, Keystore on Android) and never leave the device.
- Biometric authentication is handled by the operating system and is not accessible to the App.
- Communication with paired services uses cryptographic signing to ensure authenticity and integrity.
- The Service collects only the minimum data necessary for its authentication function.
While we take reasonable precautions, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security.
6. Chrome Extension
This section applies to the Chrome browser extension version of Auri Auth. The Extension stores TOTP secrets locally in encrypted form, and synchronization across devices is performed via Chrome's built-in sync mechanism (chrome.storage.sync). No data is transmitted to ff Inc. servers.
6.1 Information Collected and Stored
- TOTP secret keys entered by the user
- Service names and account names (entered at the user's discretion)
- Encrypted data derived from the user's master password
6.2 Encryption
- TOTP secrets and related data are encrypted using AES-256-GCM.
- The encryption key is derived from the user's master password via PBKDF2 (SHA-256, 600,000 iterations).
- The master password itself is never transmitted to ff Inc. servers or any third party, and is never stored in plaintext. Verification is performed via the AES-GCM authentication tag (i.e., decryption either succeeds with the correct password or fails).
6.3 Synchronization
- Encrypted account data is synchronized to other Chrome instances signed in to the same Google account, using Chrome's standard chrome.storage.sync API.
- The synchronized payload is always encrypted. Google and any third parties cannot read its contents because they do not possess the master password required for decryption.
- ff Inc. servers are not involved in this synchronization. We do not receive, store, or have any access to the synchronized data.
6.4 Permissions Requested
The Extension requests only the following Chrome permissions:
- storage: To store encrypted account data and to sync it across devices via Chrome's sync feature.
- clipboardRead: To accept QR code images pasted from the clipboard. Clipboard content is read only for QR code decoding and is never stored or transmitted.
6.5 QR Code Images
QR code images that the user pastes or drops into the Extension are decoded entirely locally within the browser and are not retained after decoding. They are never transmitted to ff Inc. servers or any third party.
6.6 Analytics and Advertising
The Extension does not use any analytics or advertising SDKs.
7. Your Rights
You have the following rights regarding your data:
- Unpair your device (Mobile App): You may remove your device registration from a paired service at any time, which deletes your public key and device information from that service's server.
- Revoke permissions: You may revoke camera, location, Bluetooth, or local network permissions through your device's system settings at any time.
- Delete the App or Extension: Uninstalling removes all locally stored data, including cryptographic keys, TOTP secrets, and notification tokens.
- Reset Chrome sync: You may clear synced data for the Extension via Chrome's sync settings at any time.
- Request information: You may contact us to inquire about any data associated with your device.
8. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at:
ff Inc.
https://auri.itsherpa.net/
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted within the Service or on our website. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
Last updated: May 3, 2026