Privacy Policy

1. The "Zero Persistent Storage" Guarantee

Mindful Auth is a "Bring Your Own Database" (BYODB) infrastructure provider.

• No Persistent PII Storage: We do not collect, process, or store personal identifiers belonging to your application's end-users (such as their names, email addresses, passwords, or biometric data) in any persistent database.
• Ephemeral & Security Metadata: To facilitate the authentication handshake and protect against automated attacks, Mindful Auth temporarily caches pseudonymous technical metadata in Cloudflare KV. This data is used for session management and security enforcement (e.g., Velocity Tracking) and is automatically deleted or rotated based on session expiration or security policies.
• Edge Processing: All authentication logic occurs at the network edge via Cloudflare Workers, ensuring that sensitive credentials never pass through Porfolio LLC's long-term storage.

2. Information We Collect

We distinguish between data collected from Developers and data processed for End-Users:

A. Developer Data (Stored Persistently)

• Account Information: Name and email address provided during account registration.
• Billing Information: Payment details processed securely by Stripe. We do not store credit card numbers on our servers.
• Technical Metadata: IP addresses and usage statistics related to the Mindful Auth Developer Dashboard for security and rate-limiting.

B. End-User Metadata (Processed Ephemerally & Encrypted)

To power our Six-Layer Defense System, we process the following technical metadata in an encrypted format:

• Session States: Temporary session objects (including sub identifiers, iat, exp, and security flags like is2FAEnabled) are required to maintain the user's logged-in state.
• Login Attempt Data: Encrypted records of login attempts, including hashed IP identifiers and timestamps, are used to prevent brute-force attacks and credential stuffing.
• Security Geolocation Data: Encrypted city and country information derived from the connection to detect suspicious login patterns and impossible travel scenarios.

Note: This data is stored in Cloudflare KV and is inaccessible to Porfolio LLC in any unencrypted or identifiable format.

3. How We Use Your Information

We use the data we collect and process solely to:

• Provide, maintain, and improve the Service and the Developer Dashboard.
• Process payments and handle tax compliance via Stripe.
• Manage active authentication sessions and enforce security tiers (e.g., concurrency limits, 2FA states).
• Security Enforcement: Utilize velocity and geolocation metadata to trigger Cloudflare Turnstile or block malicious login attempts.
• Send critical service notifications and security alerts to Developers.
• Protect the Service from fraudulent or malicious activity.

4. Third-Party Service Providers

We share the minimum necessary data with the following essential service providers:

• Stripe: For secure payment processing.
• Cloudflare: To host the infrastructure and store ephemeral metadata in Cloudflare KV.
• MaxMind GeoIP® Databases: To provide the geolocation data required for security monitoring and "impossible travel" detection.
• Discord: For community management and developer support.

We do not sell, rent, or trade any personal or technical information to third parties for marketing purposes.

5. Cookies and Tracking

• Developer Dashboard: We use essential cookies for account authentication and Stripe-related fraud prevention.
• End-User Authentication: Mindful Auth issues secure, encrypted cookies to end-users to maintain their session state. We do not use these cookies for cross-site tracking or advertising.

6. Data Security

We implement industry-standard security measures, including a Six-Layer Defense System and Per-Tenant Key Derivation. All end-user metadata stored in Cloudflare KV is encrypted and protected by Cloudflare's enterprise-grade security protocols.

7. Data Retention

• Developer Account Data: We retain your account information for as long as your account exists in our system. As Mindful Auth does not currently provide a self-service account deletion feature, developers wishing to cease using paid services must manually downgrade to the Free Tier. We may retain certain information (like billing history) as required by law or for legitimate business purposes (e.g., tax compliance) even if a developer becomes inactive.
• End-User Metadata: Ephemeral metadata in Cloudflare KV is purged automatically upon session expiration or based on security rotation policies.

8. International Data Transfers

The Service is powered by Cloudflare's global network. Developer data and ephemeral end-user metadata may be processed in the United States or any other country where Cloudflare or our service providers maintain facilities. By using the Service, you consent to this international transfer of data.

9. Law Enforcement and Data Requests

Porfolio LLC complies with valid legal requests. However, because Mindful Auth does not store end-user personal information (names, emails, or passwords), we are technically unable to provide such data to law enforcement or third parties, even under subpoena. Our response to such requests is limited to the developer account data we persistently maintain.

10. Children's Privacy

Mindful Auth is a B2B service intended for professional developers. We do not knowingly collect personal information from children under the age of 13 (or the applicable age in your jurisdiction).

11. Your Rights and Choices

Depending on your jurisdiction, you (the Developer) may have the right to access, correct, or request the closure and removal of your account data. To exercise these rights or request account deactivation, please contact us at legal@porfol.io.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our infrastructure. We will notify you of material changes via the Developer Dashboard.

13. Contact Information

If you have questions about this Privacy Policy, please contact Porfolio LLC at: