Privacy Policy
This is the privacy policy for Fob, a 2FA authenticator app made by Cleargate Labs LLC. It explains what we collect, what we don't, where the data lives, and how to control it. We wrote it to be readable, not to protect ourselves from a lawsuit. If anything here is unclear, email security@fob.codes and we'll fix the wording.
The short version
Here is what you need to know in one paragraph.
We collect your email address so you can sign in. Your 2FA secrets stay on your device. If you create a cloud backup, we store an encrypted copy of your vault that we cannot read, on AWS servers in Ohio. We don't run analytics, we don't track you across apps, we don't sell your data, and we don't share it with advertisers. You can export everything you have at any time. You can delete your account and the encrypted copy is gone. Three companies handle parts of this for us: Amazon Web Services (storage), Sentry (crash reports, which you can turn off), and Postmark (email delivery). That is the whole picture.
What we collect and where it lives
| Data | What it is | Where it's stored | Why we have it |
|---|---|---|---|
| Email address | Your sign-in identifier | AWS Cognito, us-east-2 (Ohio) | Account login, email verification, password reset |
| Encrypted vault | Your 2FA accounts, tags, and how they relate, encrypted on your device with AES-256-GCM before upload | AWS S3 and a metadata row in DynamoDB, us-east-2 | Restore your vault on a new device or after a device loss |
| TOTP secrets | The seeds Fob uses to generate your codes | Your device only, in Android Keystore via EncryptedSharedPreferences | Generate codes locally. They never leave your device in plaintext. |
| Waitlist email | Email you submitted at fob.codes before launch | DynamoDB, us-east-2 | Send you the Play Store invite when we launch |
| Diagnostic data | Crash reports and error logs, scrubbed of personal information at the SDK level | Sentry | Find and fix bugs. You can disable this in Settings. |
| Email delivery metadata | Your email address and the message body for verification and password-reset emails, at the moment of delivery | Postmark | Deliver transactional email. Postmark does not retain message content after delivery, per their policy. |
The encryption key for your vault is derived from your password using Argon2id. We never see your password. We never see the derived key. We see the encrypted vault and nothing else. The full architecture is at fob.codes/security.
What we don't collect
- No analytics tracking. No Google Analytics, no Mixpanel, no user-level Plausible, none of it.
- No advertising identifiers. We don't read your GAID or IDFA.
- No contact list access.
- No location data.
- No cross-device or cross-app tracking.
If a permission isn't needed for a feature you're using, Fob doesn't ask for it.
How we use what we collect
Your email is used to sign you in and to send you account email: verification codes, password reset links, and account-level notices (a security alert, a billing receipt, a notice of policy changes). We do not send marketing email to your account address. If you sign up for product news on fob.codes, that is a separate list and you can unsubscribe at any time.
Your encrypted vault is used for one thing: holding it so your other devices can pull it down and decrypt it locally. We don't read it. We can't read it.
Your TOTP secrets are used by your device to generate the six-digit codes you see in the app. They are never transmitted to our servers in any form.
Crash data is used to debug crashes. We look at the stack trace, we ship a fix, we move on. We don't profile users, we don't build behavioral models, and we don't sell aggregated insights. There is no second purpose hiding under "service improvement."
Third-party processors
Three companies process data for Fob. Here is what each one receives and why.
Amazon Web Services (AWS) hosts our infrastructure in the us-east-2 region (Ohio, USA). They receive your email address, your encrypted vault, backup metadata, and authentication records. AWS is a sub-processor and does not have access to the contents of your vault. Their privacy notice: aws.amazon.com/privacy
Sentry receives crash reports and error events from the Fob app. The Sentry SDK scrubs personal information before transmission, so what they receive is stack traces and device metadata (model, OS version, app version), not your email or your vault contents. You can disable Sentry entirely in Settings. Their privacy policy: sentry.io/privacy
Postmark delivers transactional email on our behalf: email verification codes, password reset links, and account notices. They receive the destination email address and the email body at the moment of delivery. Per their policy, they do not retain message content after delivery. Their privacy policy: postmarkapp.com/privacy-policy
We do not use Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, FullStory, Segment, or any similar analytics or tracking processor. If we add a new processor later, we will update this page and email account holders if the change affects your data.
International data transfers
Fob is operated from the United States. If you access Fob from the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to the United States, where data protection laws differ from those in your jurisdiction.
For transfers to Amazon Web Services, our infrastructure provider, we rely on AWS's certification under the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US DPF, supplemented by the EU Commission's Standard Contractual Clauses for any sub-processors that don't participate in the framework. AWS's certification is verifiable at dataprivacyframework.gov.
For transfers to Sentry and Postmark, our other sub-processors, we rely on the EU Commission's Standard Contractual Clauses executed under our data processing agreements with each company.
Zero-knowledge architecture
Fob is built so that we cannot read your 2FA codes. This is a structural property, not a promise.
When you add an account, the secret is stored on your device in hardware-backed secure storage (Android Keystore). When you create a cloud backup, your device encrypts your full vault locally with AES-256-GCM, using a key derived from your password via Argon2id. The encrypted vault is what we store. The decryption key never leaves your device.
That means if we receive a court order, what we can hand over is an encrypted blob and your email address. We cannot hand over your codes, because we don't have them and have no way to get them. The math does not allow it.
For the full architecture, including encryption parameters and exactly what we can and cannot see, read fob.codes/security.
Your rights and how to use them
These rights apply to every Fob user, everywhere:
Export your vault. Settings > Export gives you a .fobvault encrypted vault export file, or an unencrypted plaintext export if you want raw access. Do this any time, for any reason. Your data is yours.
Delete your account. Settings > Delete account removes your encrypted vault from S3 and your metadata row from DynamoDB. Your local on-device vault is separate. Uninstalling the app destroys the local copy.
Turn off crash reporting. Settings > Diagnostics > off. No Sentry events leave your device after that.
Change your email. Settings > Account > Change email. We send a verification code to the new address before switching.
If you live in the EU, UK, or Switzerland (GDPR)
You also have the right to:
- access the personal data we hold about you
- correct it if it's wrong
- have it deleted
- receive a copy in a portable format
- restrict how we process it
- object to processing
- not be subject to a decision based solely on automated processing (we don't do this)
To use any of these rights, email security@fob.codes from the address on your account. We will respond within 30 days.
The legal basis for our processing is performance of a contract (storing and backing up your vault so the app works) and our legitimate interest in keeping the service running and secure (crash reporting). For email verification and password reset, the basis is performance of a contract.
For crash reporting under legitimate interest, our balancing test: the data is scrubbed of personal identifiers at the SDK level before transmission, retention is capped at 90 days, and you can opt out at any time in Settings > Diagnostics. We've weighed these safeguards against the privacy intrusion and concluded that our interest in finding and fixing bugs that affect every user is proportionate, and that the processing does not override the rights and freedoms of data subjects.
If you live in California (CCPA / CPRA)
Cleargate Labs LLC may not currently meet the statutory thresholds that make a business subject to the CCPA / CPRA, but we extend the rights below to all California users as a matter of policy.
You have the right to:
- know what personal information we collect about you
- delete it
- correct it
- opt out of the sale or sharing of personal information
We do not sell your personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of, but the right exists. You can still use the other rights by emailing security@fob.codes.
Filing a complaint
If you believe we've mishandled your data, you can file a complaint with your local data protection authority. We would rather you tell us first so we can fix it, but the right is yours.
Retention
We keep things only as long as they are useful, then we delete them.
| Data | Kept for |
|---|---|
| Encrypted vault | Until you delete your account, or 24 consecutive months of inactivity (whichever comes first) |
| Email address | Same as above |
| Backup metadata (versions, timestamps) | Same as above |
| Waitlist email (pre-launch sign-up) | Until 90 days after Play Store launch, unless you become a product user |
| Crash and error events (Sentry) | 90 days, then deleted |
| Email delivery logs (Postmark) | 45 days, then deleted |
| Backups and archive copies | 30 days after deletion of source data |
Inactivity means no successful sign-in for 24 consecutive months. We send a heads-up email at 23 months. If you do not sign in, the encrypted vault and metadata are deleted. Your local on-device vault is unaffected by this.
Children's and minors' privacy
Fob is for users 18 and older. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and you believe your child has signed up, email security@fob.codes and we will delete the account.
We chose a single age floor of 18 instead of varying the threshold by state or country so that the rule is unambiguous and consistently enforced.
Changes to this policy
We will update this policy when our practices change. When we do, we will revise the effective date at the top of this page and email account holders if the change is material (a new processor, a new data type, a change in retention, a change in how we handle a right). For non-material changes (wording, typos, clarifications), we will update the page without a separate notice.
The current version of this policy lives at fob.codes/privacy. Older versions are available on request from security@fob.codes.
Contact
For privacy questions, requests, or complaints: security@fob.codes
For general support: support@fob.codes
The data controller is:
Cleargate Labs LLC
13725 Metcalf Ave, Suite 353
Overland Park, KS 66223
United States