GuardivionGuardivion← Back to app

Privacy Policy

Effective 26 June 2026 · Last updated 26 June 2026

How Guardivion collects, uses, and protects personal data across our device-based authentication platform.

Draft — pending legal review. Guardivion is a pre-incorporation venture; a UK entity will be registered ahead of any formal commercial agreement. Items marked [TO BE CONFIRMED] are placeholders to be completed before publication. Guardivion is working toward formal SOC 2 and ISO/IEC 27001 certification and is not yet certified.

1. Who we are

Guardivion is a universal, device-based authentication platform. We provide multi-factor authentication (MFA) and passwordless sign-in to organisations ("Customers") and their end users. Guardivion [TO BE CONFIRMED — legal entity name once incorporated] ("Guardivion", "we", "us") is the data controller for account, billing, and website data, and acts as a data processor for the authentication data we handle on behalf of Customers. For processor activities, see our Data Processing Agreement.

2. How authentication works

Guardivion is designed around data minimisation. End users authenticate from the Guardivion mobile app using a cryptographic key pair generated and held inside the device's hardware-backed keystore and unlocked with the device's biometric or PIN; authentication requests are delivered as push notifications. Administrators sign in to the web portals with a password and a time-based one-time passcode (TOTP).

3. Data we collect

Organisation & account data

Administrator credentials

End-user device data

Authentication & audit data

We do not collect

4. How we use data

6. Sharing & sub-processors

We share data only with the service providers needed to operate the platform (hosting, infrastructure, push-notification delivery, email), each bound by data-protection terms. A current sub-processor list is available on request — contact us at [email protected]. We disclose data to authorities only when legally required and, where permitted, after notifying the affected Customer.

7. Retention

Retention periods:

8. Your rights

Depending on your jurisdiction (GDPR — including the Republic of Ireland and other EEA states; UK GDPR — including Northern Ireland, England, Wales, and Scotland), you may access, correct, delete, port, or restrict processing of your personal data, and object to certain processing. End users should contact their organisation's administrator first; Guardivion will support the Customer in fulfilling the request. You may also contact us at [email protected].

9. Security

We protect data in transit over HTTPS/TLS. Sensitive values are stored only as hashes — passwords and API keys with Argon2id, and session tokens and activation tokens with SHA-256. End-user private keys are isolated in device hardware and never reach our servers. Database-level encryption at rest is deployment-dependent ([TO BE CONFIRMED]). See the Security Overview.

10. International transfers

Where data is transferred outside the EEA/UK, we intend to rely on Standard Contractual Clauses and the UK International Data Transfer Addendum, with technical safeguards such as encryption and data minimisation ([TO BE CONFIRMED] — confirm transfer mechanism and hosting regions).

11. Contact

Privacy enquiries: [email protected]. [TO BE CONFIRMED] (postal address / EU-UK representative, if applicable).