Transparency Report
Last updated: January 2026
This document provides a comprehensive overview of how fabi-sc-id handles your data. We believe in transparency and want you to understand exactly what happens when you use our service.
Our Commitment
We built fabi-sc-id with privacy as a core principle, not an afterthought. Every decision we make considers the impact on your personal data. We collect only what is necessary, protect it with industry-standard security measures, and give you full control over your information.
Data We Collect
Account Information
When you create an account, we collect:
- Username — Your unique identifier on our platform
- Email address — Used for account verification, password recovery, and important security notifications
- Password — Stored using a modern, secure hashing algorithm designed to be resistant to brute-force attacks
Optional Profile Information
You may choose to provide additional information to enrich your profile:
- Display name
- First and last name
- Biography
- Date of birth — Only stored if explicitly provided and used solely for features that require age-related information
- Avatar image
- Timezone and language preferences
All optional fields remain under your control. You can add, modify, or remove them at any time.
Automatically Collected Information
To protect your account and provide our services, we automatically collect:
- Login history — Timestamps, approximate location (country/city), and basic device information for security monitoring
- Session data — Information about your active sessions to enable secure access across devices
We use IP-based geolocation to determine approximate location. This data is processed on our servers using a local database — your IP address is never sent to external geolocation services.
How We Protect Your Data
Encryption
Sensitive data is encrypted using strong encryption standards:
- Passwords — Hashed using a memory-hard algorithm specifically designed to resist password cracking attempts
- Security credentials — Two-factor authentication secrets and passkey data are encrypted at rest
- Backup codes — Stored as one-way hashes, making them impossible to recover but verifiable when you use them
Secure Infrastructure
- All connections are encrypted using HTTPS
- We enforce modern security headers to protect against common web vulnerabilities
- Session tokens are cryptographically secure and expire automatically
Access Control
- We implement rate limiting to prevent abuse and brute-force attacks
- Failed login attempts are monitored and may trigger additional security measures
- Administrative actions are logged for accountability
Third-Party Applications
Connecting Applications
When you connect a third-party application to your account, you control exactly what information that application can access. During the authorization process, you will see:
- Which permissions the application is requesting
- Which permissions are required versus optional
- A clear description of what each permission allows
Privacy-Preserving Design
We take extra steps to protect your privacy when you use third-party applications:
- Unique identifiers — Each application receives a different identifier for your account. This prevents applications from tracking you across different services.
- Scope-based access — Applications can only access the specific data you authorize
- Revocable consent — You can disconnect any application at any time from your account settings
Available Permissions
Applications may request access to:
| Permission | What It Includes |
|---|---|
| Basic authentication | Confirms your identity without sharing personal details |
| Profile information | Username, display name, and avatar |
| Email address | Your verified email address |
| Extended profile | Additional details like name and biography |
| Date of birth | Your birth date, if provided |
Webhook Notifications
Some applications may receive notifications when certain events occur (for example, when you disconnect the application). These notifications:
- Never contain your real account identifier
- Are signed cryptographically to prevent tampering
- Are validated to prevent abuse
Data Retention
We retain your data only as long as necessary:
| Data Type | Retention Period |
|---|---|
| Active account data | As long as your account exists |
| Login history | 90 days |
| Password reset requests | 1 hour (then deleted) |
| Email verification tokens | 24 hours (then deleted) |
| Inactive accounts | Deleted after 1 year of inactivity (email warning sent 30 days before deletion) |
| Unverified accounts | Deleted after 7 days |
Automatic Cleanup
We run regular cleanup processes to remove expired data. This includes:
- Expired sessions and tokens
- Old login history entries
- Abandoned account registrations
Your Rights and Controls
Access Your Data
You can export all your personal data at any time from your account settings. The export includes:
- Your profile information
- Login history
- Connected applications
- Passkey metadata
- Verified domains
- Applications you have created
Modify Your Data
You have full control to update or remove any information in your profile at any time.
Delete Your Account
You can delete your account at any time. When you do:
- Connected applications are notified that you have disconnected
- All your personal data is permanently removed from our systems
If your account was suspended for policy violations, your email address and username may be retained to prevent re-registration and for legal compliance purposes.
Disconnect Applications
You can review and revoke access for any connected application from your account settings. When you disconnect an application:
- The application is notified
- All tokens for that application are invalidated
- The application can no longer access your data
Security Notifications
We automatically notify you via email when important security events occur:
- Password changes
- Email address changes
- Two-factor authentication changes
- New passkey registrations
- Account deletion
- Inactivity warning (30 days before automatic deletion)
These notifications help you detect unauthorized access to your account.
Two-Factor Authentication
We offer multiple options for securing your account with two-factor authentication:
- Authenticator apps — Time-based one-time passwords using any standard authenticator app
- Security keys and passkeys — Hardware-based authentication for enhanced security
- Backup codes — Single-use recovery codes for emergency access
We strongly recommend enabling at least one form of two-factor authentication.
For Developers
If you are building an application that integrates with fabi-sc-id:
Application Data
When you register an application, we store:
- Application name and description
- Authorized domains and callback URLs
- Requested permission scopes
- Webhook configuration (if applicable)
API Access
- API keys are hashed before storage — we cannot recover your original key
- Keys can be revoked at any time
- Access is logged for security purposes
Content Guidelines
We employ limited automated content moderation to detect obvious abuse and policy violations. This processing occurs entirely on our infrastructure without sending data to external services.
External Services
We have designed our infrastructure to minimize external dependencies:
- Email delivery — Handled by our own mail servers
- Geolocation — Processed on our servers using a local database, without external API calls
- Content moderation — Performed on-premises using local processing
No user data is transmitted to external third-party services as part of our core service operation. We do not use third-party analytics, trackers, or advertising.
Changes to This Report
We may update this transparency report to reflect changes in our practices. Significant changes will be communicated through appropriate channels.
Questions
If you have questions about how we handle your data, please contact us at support@id.fabi-sc.com.