Privacy Policy

Last updated: June 1, 2026

This is a baseline privacy policy template provided for transparency. It has not yet been reviewed by legal counsel and should be reviewed and adapted by a qualified lawyer before Authevo launches.

1. Who we are and scope

Authevo is a developer-first verification API that confirms the identity of your end users by sending one-time passcodes (OTPs) over WhatsApp, with automatic fallback to Telegram when delivery over WhatsApp is unavailable.

This policy explains how Authevo ("we", "us", "our") handles information when you, as a developer or business ("you", "our customer"), integrate our API, and how we handle information about the end users you ask us to verify on your behalf.

It applies to the Authevo API, dashboard, documentation, and marketing website. For the personal data of your end users, you are the data controller and Authevo acts as your processor: we only process that data to provide the verification service you have requested.

2. Data we process

We deliberately keep the data we touch to the minimum needed to deliver and verify one-time codes and to bill accurately. We process:

  • Developer account information — the details you provide to create and manage an account, such as your name, work email address, business name, API keys, and WhatsApp Business Account configuration.
  • End-user phone numbers — submitted by you to request a verification. Phone numbers are hashed with SHA-256 and are never stored in plaintext at rest; the plaintext number is held in memory only for as long as it takes to dispatch the message for delivery.
  • One-time codes (OTPs) — generated to verify a user. Codes are short-lived and are never stored in plaintext; we keep only what is needed to validate a code during its brief validity window.
  • Delivery and usage metadata — operational records such as verification timestamps, delivery channel (WhatsApp or Telegram), delivery and verification status, and request volume, used for analytics, billing, and abuse prevention.

3. How we use information

We use the information above only to operate and improve the verification service:

  • To deliver and verify OTPs — generating a code, dispatching it over WhatsApp (or Telegram as fallback), and confirming the code your end user enters.
  • For fraud prevention and rate limiting — our Safety Floor and rate-limiting controls protect both you and us against abuse, spam, and runaway spend.
  • For billing — we bill per successful verification, so we record the metadata needed to count successful verifications accurately.
  • For product analytics — we use aggregated and operational metadata to understand reliability, troubleshoot delivery, and improve the service.

4. What we do not do

Some commitments about what Authevo will never do with this data:

  • We do not sell personal data to anyone, ever.
  • We do not use end-user phone numbers for marketing, advertising, or profiling.
  • We do not retain plaintext phone numbers or plaintext one-time codes at rest.
  • We do not send SMS or email on your behalf — verification is delivered only over WhatsApp, with Telegram as the automatic fallback.

5. How we protect your data

Security is built into the product, not bolted on afterwards:

  • Phone numbers are hashed with SHA-256 before storage, so raw identifiers never sit at rest.
  • WhatsApp Business Account access tokens are encrypted at rest using AES-256-GCM.
  • Outbound webhooks are cryptographically signed so you can verify they genuinely came from Authevo.
  • Rate limiting and the Safety Floor throttle abusive traffic before it reaches delivery.

No method of transmission or storage is ever completely secure, but we work to protect your data using industry-standard safeguards.

6. Data retention

We keep data only for as long as it is needed for the purpose it was collected for.

One-time codes are transient and expire automatically — typically within about five minutes — after which they can no longer be used to verify a user.

Operational logs and delivery metadata are retained for a limited period — generally around 30 days — to support troubleshooting, billing, and abuse investigation, after which they are deleted or further anonymized. Account information is retained for as long as your account remains active.

7. Sub-processors

We rely on a small number of trusted third parties to deliver the service. Each processes only the data needed for its function:

  • Meta Platforms — the WhatsApp Business Platform, used to deliver one-time codes over WhatsApp.
  • Telegram — used as the automatic fallback channel to deliver one-time codes when WhatsApp delivery is unavailable.
  • Cloudflare — used for hosting, content delivery, and network-level security.

Delivery providers necessarily receive the destination phone number in order to deliver the message. Their handling of that data is governed by their own privacy terms.

8. International users and data

Authevo is built for developers and businesses in Egypt and the wider MENA region, and our service and support are focused on that market.

Because we and our sub-processors operate internationally, information may be processed in countries other than your own. Wherever it is processed, we apply the same protections described in this policy.

9. Your rights and contacting us

Because Authevo processes end-user data on your behalf, requests from end users to access, correct, or delete their information should usually be directed to the business that asked them to verify — that is, our customer, acting as controller. We will support our customers in responding to such requests.

If you are one of our customers and want to access, correct, export, or delete your account information, or if you have any question about this policy, contact us at privacy@authevo.dev and we will respond promptly.

10. Changes to this policy

We may update this policy from time to time as the product and applicable law evolve.

When we make material changes, we will update the "Last updated" date above and, where appropriate, notify our customers. Your continued use of Authevo after an update means you accept the revised policy.