Privacy Policy

Unified Citizen Identification ("UCI," "we," "our") is committed to protecting the privacy and security of all data processed through our infrastructure. This Privacy Policy explains how we collect, use, store, and protect information when you utilize our identity verification, authentication, and access management services.

This policy applies to all UCI services including OAuth2 authentication, single sign-on, passkey management, and associated infrastructure.

We collect the following categories of information:

ACCOUNT DATA

• Email address and username
• Password hashes (never plaintext passwords)
• Profile information you provide
• Connected social accounts (Discord, RSI)

AUTHENTICATION DATA

• Session tokens and refresh tokens
• Passkey credentials (public keys only)
• Multi-factor authentication settings
• OAuth2 authorization grants

AUTOMATICALLY COLLECTED DATA

• IP addresses and approximate location
• Device information and browser type
• Login timestamps and session duration
• Authentication success/failure logs

SERVICE DELIVERY

• Authenticating users and managing sessions
• Processing OAuth2 authorization requests
• Managing passkeys and MFA settings
• Connecting social authentication providers

SECURITY & COMPLIANCE

• Detecting and preventing unauthorized access
• Investigating security incidents
• Complying with legal requirements
• Protecting against fraud and abuse

SERVICE IMPROVEMENT

• Analyzing usage patterns for optimization
• Identifying and resolving issues
• Developing new features

DATA STORAGE

All data is stored using encrypted storage with redundant backups. Passwords are hashed using industry-standard algorithms (Argon2) and are never stored in plaintext.

RETENTION PERIODS

• Session data: Duration of session plus 30 days
• Authentication logs: 90 days
• Account information: Duration of account plus 2 years
• Security incident data: 5 years

We implement comprehensive security measures:

ENCRYPTION

• TLS 1.3 for all data in transit
• AES-256 encryption for data at rest
• Secure key management practices

ACCESS CONTROLS

• Role-based access with least privilege
• Multi-factor authentication for administrative access
• Regular access reviews and audits

MONITORING

• Continuous security monitoring
• Automated threat detection
• Regular security assessments

We may share data with third parties only in these circumstances:

SERVICE PROVIDERS

• Infrastructure providers for hosting services
• Social authentication providers (with your consent)

LEGAL REQUIREMENTS

• Response to valid legal process
• Compliance with regulatory obligations
• Protection of rights and property

We never sell personal data to third parties for marketing or advertising purposes.

You have the following rights regarding your data:

• ACCESS - Request a copy of data we hold about you
• CORRECTION - Request correction of inaccurate information
• DELETION - Request deletion of your data
• PORTABILITY - Receive your data in a standard format
• RESTRICTION - Request limitation of processing
• OBJECTION - Object to processing based on legitimate interests

To exercise these rights, contact us through your account settings or email. We will respond within 30 days.

This Privacy Policy may be updated periodically. Material changes will be communicated through:

• Email notification to registered users
• Posted notices on our website
• Updated policy effective date

Continued use of services after policy updates constitutes acceptance of the revised terms.