Product Privacy Policy

Introduction

Effective starting: 2025-09-18

This Privacy Policy explains what information the "FusionAuth Product" collects about you and/or your users, why we collect it, what we do with that information, how we share it, and how we handle the content you place in our products and services. It also explains the choices available to you regarding our use of your personal information and how you can access and update this information.

What personal information do we collect from the people that visit our blog or website?

For more information about the information we collect on our website and blog, please consult our Privacy Policy.

Scope of Product Privacy Policy

This Privacy Policy applies to the information stored or collected through your use of the FusionAuth Product.

FusionAuth variations include:

  • FusionAuth Cloud
  • FusionAuth Downloads

By registering for or using the FusionAuth Product you consent to the collection, transfer, processing, storage, disclosure and other uses described in this Privacy Policy.

When does the FusionAuth Product collect information?

The FusionAuth Product collects information only in the exact manner that you have specified. By using the APIs and web interfaces of the FusionAuth Product, you might be collecting and storing your information or information of your users in the FusionAuth Product.

Cookies and Other Tracking Technologies: The FusionAuth Product uses cookies to manage sessions for our web application interfaces and for some identity data including JWTs and Refresh tokens. Cookies are small data files stored on your hard drive or in device memory. These cookies are never shared with any third party unless you specifically share them. Neither FusionAuth employees nor the corporate entity ever have access to any cookies generated by our products. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit.

What information do you collect?

The FusionAuth Product will collect and store any information that you specifically send via the product APIs or web interfaces. You are completely in control of the information that is collected and stored. At any time, you can delete any information permanently from the FusionAuth Product via the APIs or web interfaces.

How do we use this information?

FusionAuth does not process for business use any information stored in the FusionAuth Product unless instructed to by you. Data stored in the FusionAuth Product might be used internally in order to provide you with support or enhancements. Any use of the data stored in the FusionAuth Product for support or enhancements will be secured according to industry best practices.

How do we protect your information?

If FusionAuth is providing you with hosting for the FusionAuth Product, your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all sensitive/credit information you supply is encrypted via TLS v1.2 or newer.

Third-party disclosure

We do not sell, trade, or otherwise transfer to outside parties any Personally Identifiable Information that is collected or stored within the FusionAuth Product.

Third-party links

We do not include or offer third-party products or services on our website.

Changes to our Product Privacy Policy

We may change this Product Privacy Policy from time to time. If we make any changes, we will notify you by revising the "Effective Starting" date at the top of this Privacy Policy. If we make any material changes, we will provide you with additional notice (such as by adding a notice on the FusionAuth home page, login screens, or by sending you an email notification). We encourage you to review our Privacy Policy whenever you use the FusionAuth Product to stay informed about our information practices and the ways you can help protect your privacy. If you disagree with any changes to this Product Privacy Policy, you will need to stop using the FusionAuth Product and deactivate your account(s).

How does the FusionAuth Product handle Do Not Track signals?

The FusionAuth Product handles Do Not Track signals however you have instructed it to via your use of the APIs or web interfaces.

Our policy towards children

The FusionAuth Product is specifically designed to manage and protect information for children under 13. The FusionAuth Product conforms to COPPA and other regulations and it is your sole responsibility to ensure that your use of the FusionAuth Product is compliant.

International users

The FusionAuth Product is specifically designed to manage and protect the information of the citizens of the European Union or other regions with laws governing data collection and use. However, it is your sole responsibility to ensure that your use of the FusionAuth Product is compliant.

Fair Information Practices

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

In order to be in line with Fair Information Practices, we will take the following responsive action: should a data breach occur, we will notify you via email within 72 hours.

CAN-SPAM Act

The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations.

The FusionAuth Product can be used to send emails to you and your users. Therefore, it is your sole responsibility to ensure that your use of the FusionAuth Product is compliant with the CAN-SPAM Act.

Data Privacy Framework

FusionAuth is headquartered in the United States. To provide and operate our services, it is necessary for us to process your personal information in the United States and potentially other countries where we have operations or service providers.

FusionAuth complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. FusionAuth has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles with respect to the processing of personal data received from the European Union, United Kingdom, and Switzerland in reliance on the DPF. If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction over FusionAuth’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

FusionAuth commits to resolve complaints about our collection or use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact FusionAuth at privacy@fusionauth.io

In compliance with the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, FusionAuth commits to refer unresolved complaints about our handling of Non-HR personal data to JAMS, an independent dispute resolution provider based in the United States. Non-HR data includes all personal data that FusionAuth processes on behalf of its customers.

If you submit a DPF Principles-related complaint and either (1) do not receive timely acknowledgment from FusionAuth, or (2) are not satisfied with how FusionAuth addressed your complaint, please visit https://www.jamsadr.com/DPF-Dispute-Resolution to learn more or file a complaint. JAMS provides these dispute resolution services at no cost to you.

Additionally, if you are an EU, UK or Swiss data subject, you may invoke binding arbitration in certain cases, as further described in Annex I of the EU-U.S. Data Privacy Framework Agreement, the UK Extension to the EU-U.S. Data Privacy Framework Agreement and the Swiss-U.S. Data Privacy Framework Agreement. For further information, please visit the Data Privacy Framework web site at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction or contact our privacy team.

How We Share Your Personal Information

Authorities. We may disclose your personal information to law enforcement and government authorities as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.

Third Parties and others. We do not sell, disclose, trade, or otherwise transfer to outside parties your Personally Identifiable Information.

Your Rights and Choices

Access and Data Rights: Depending on your location, you may have certain rights regarding your personal information:

  • The right to know what personal information we process about you
  • The right to access your personal information
  • The right to rectify/correct your personal information
  • The right to restrict the use of your personal information
  • The right to erasure/deletion of your personal information
  • The right to data portability
  • The right to object to processing
  • The right to withdraw consent
  • The right to opt out of the sale or sharing of your personal information

To make a request, please email us at privacy@fusionauth.io

For EU, UK, and Swiss individuals, these rights are guaranteed under the Data Privacy Framework. We will respond to requests to exercise these rights within 30 days.

You have several options to control how your online activity and device data are collected through our Services:

  • Browser Cookie Controls: You can manage cookies through your browser settings, including removing or rejecting them. While browsers typically accept cookies by default, you can modify these settings. Visit your browser's help section for specific instructions on cookie management.
  • Privacy-Enhancing Tools: You can limit our Services' ability to set advertising-related cookies by:
    • Using browsers with enhanced privacy features
    • Installing privacy-focused browser extensions that block third-party trackers
    • Configuring your privacy tools to prevent tracking cookies

Analytics Data Collection: We use Google Analytics to help us better understand how people engage with the Services by collecting information and creating reports about how users use our Services. For more information on Google Analytics, click here. For more information about Google’s privacy practices, click here. You can opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Onward Transfer Responsibility: When transferring personal information to third parties or agents, FusionAuth remains responsible under the DPF Principles for the processing of that information. FusionAuth shall remain liable if a third party or agent processes such personal information in a manner inconsistent with the Principles, unless FusionAuth proves that it is not responsible for the event giving rise to the damage.

Contacting us

11080 Circle Point Rd.
Suite 405
Westminster, CO 80020
Email: sales@fusionauth.io