Otter Auth

Privacy Policy

Last updated: April 23, 2026

Otter Auth, Inc.

1. Introduction

Otter Auth, Inc. (“Otter Auth,” “we,” “us,” or “our”) provides an identity, authentication, and device fingerprinting platform that businesses (our “Customers”) embed in their applications to verify end users and detect fraud. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information in connection with our website at https://otterauth.com, our dashboard at https://app.otterauth.com, and all related APIs, SDKs, and services (collectively, the “Service”).

We act in two capacities. When our Customers embed Otter Auth in their applications to authenticate their end users, we act as a data processor on the Customer’s behalf. When you interact with our own website, dashboard, or sales and support channels as an Otter Auth Customer or prospect, we act as a data controller.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with it, you must not access or use the Service.

2. Scope and Roles

This Privacy Policy covers (a) visitors to our public website, (b) representatives of our business Customers who use the Otter Auth dashboard, and (c) end users of our Customers’ applications whose authentication and device signals are processed through the Service. For category (c), the Customer is the controller of the personal information, and this Policy is provided for transparency — the Customer’s own privacy notice will govern.

3. Information We Collect

3.1 Account and Dashboard Information

When a representative of a Customer creates an Otter Auth account, we collect name, work email address, company name, role, hashed password or SSO identifier (Google Workspace, Microsoft Entra), and billing contact information. We use this information to provision the account, authenticate dashboard sessions, issue invoices, and communicate with the Customer.

3.2 Authentication Data

When an end user authenticates through a Customer application that uses Otter Auth, we process the credentials and identity signals required to complete the authentication. Depending on the Customer’s configuration, this may include:

  • email address, phone number, or other user identifier;
  • passwords (stored only as salted, one-way hashes using a modern key-derivation function);
  • passkey and WebAuthn public key credentials, challenge and attestation data;
  • one-time passcodes, magic link tokens, and multi-factor authentication tokens (TOTP, push, SMS);
  • third-party identity provider tokens (Google, Apple, Microsoft, GitHub, and other configured providers); and
  • session tokens, refresh tokens, and audit events (sign-in, sign-out, password change, MFA enrollment).

3.3 Device Fingerprinting and Risk Signals

A core feature of the Service is passive device fingerprinting used to detect fraud, account takeover, and automated abuse. When an Otter Auth SDK or hosted widget is loaded in a Customer application, we and our infrastructure providers automatically collect technical signals from the device and session, including:

  • IP address and approximate geolocation derived from it;
  • user agent string, browser version, installed fonts, screen resolution, timezone, language, and platform;
  • canvas, WebGL, and audio rendering fingerprints used to derive a stable device identifier;
  • hardware characteristics (CPU class, device memory, touch support);
  • network characteristics (ASN, hosting vs. residential, VPN and proxy signals);
  • behavioral signals such as typing cadence, pointer movement patterns, and interaction timing (used in aggregate, not to identify you personally);
  • cryptographic device keys and secure-enclave-backed attestations, where supported by the device; and
  • a stable Otter Auth device identifier derived from the above signals.

These signals are used to compute a risk score, detect anomalies (impossible travel, device swaps, bot traffic), and enable frictionless re-authentication of recognized devices. We do not use fingerprinting data for advertising or for any purpose outside the security and fraud-prevention scope instructed by the Customer.

3.4 Website and Marketing Data

On our public website we use privacy-preserving analytics and marketing cookies to understand traffic and measure the effectiveness of campaigns. This may include IP address, referring URL, pages viewed, UTM parameters, and form submissions. You can manage non-essential cookies via the cookie banner.

4. How We Use Information

  • Deliver the Service: authenticate users, issue and validate sessions, enforce MFA, and synchronize credentials across a user’s trusted devices.
  • Fraud and abuse prevention: compute device fingerprints and risk scores, detect bot traffic, credential stuffing, and account takeover attempts.
  • Customer support and security: investigate security incidents reported by Customers, respond to support requests, and notify Customers of suspicious activity.
  • Service improvement: analyze aggregated, de-identified signals to improve detection models and platform reliability. We do not train general-purpose machine learning models on Customer data without contractual authorization.
  • Legal and compliance: meet obligations under applicable laws, respond to lawful requests from authorities, and enforce our Terms of Service.

5. How We Share Information

We do not sell personal information, and we do not share it for cross-context behavioral advertising. We share information only as follows:

  • With our Customers: authentication outcomes, risk scores, and fingerprinting signals are returned to the Customer whose application initiated the authentication request. The Customer’s privacy notice governs their subsequent use.
  • Sub-processors: we use vetted cloud infrastructure, email delivery, SMS, and observability providers bound by written data-processing agreements. A current list is available on request.
  • Legal disclosures: where required by law, court order, or to protect the rights, property, or safety of Otter Auth, our Customers, or the public.
  • Corporate transactions: in connection with a merger, acquisition, reorganization, or sale of assets, subject to the confidentiality and continuity of this Policy.

6. Retention

We retain personal information only for as long as necessary to deliver the Service and comply with our legal obligations. Dashboard account data is retained for the life of the Customer relationship plus a reasonable tail period. Authentication and device fingerprinting events are retained according to the Customer’s configured retention window (typically 30 to 400 days). Security logs required for incident investigation may be retained longer where we have a documented, legitimate business purpose for doing so.

7. Security

Otter Auth applies encryption in transit (TLS 1.2 or higher) and at rest (AES-256), tenant isolation, role-based access controls following the principle of least privilege, hardware-backed signing keys, and continuous monitoring. We maintain SOC 2 Type II controls and operate a public vulnerability disclosure program for security researchers. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

8. International Transfers

Otter Auth operates data centers in the United States and the European Union. When personal information is transferred across borders, we rely on appropriate transfer mechanisms, including the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum.

9. Your Rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal information, and to object to certain processing. If your information was submitted to the Service by one of our Customers, please direct your request to that Customer — they control the data and we will support their response. For personal information we control directly (for example, your Otter Auth dashboard account), contact us at privacy@otterauth.com.

California residents have additional rights under the CCPA/CPRA, including the right to know the categories of personal information collected, the right to delete, and the right to opt out of “sale” or “sharing.” Otter Auth does not sell personal information or share it for cross-context behavioral advertising.

10. Children

The Service is not directed to children under 13 (or 16 in the EEA and UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date and, for material changes, provide a more prominent notice. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

12. Contact Us

Otter Auth, Inc.
Email: privacy@otterauth.com
Website: https://otterauth.com