This section explains how personal data may be processed inside the TOTPX Web App and API platform.
Last updated: 27 May 2026
This Web App Privacy Information applies to the authenticated areas of the TOTPX platform, including the TOTPX Web App, dashboards, developer areas, company accounts, employee accounts, APIs, device management, product management, Shared Access, Presence Verification, billing areas and related platform services.
This section supplements the General Privacy Information and focuses on data processing that occurs inside the logged-in platform and through API-based usage.
When a user registers for TOTPX or receives an invitation to an existing account, we may process account data such as email address, account name, user role, account status, registration timestamp, language settings, security settings and login-related metadata.
This processing is necessary to create and manage accounts, provide access to the platform, assign permissions and maintain account security.
During login and authentication, we may process login timestamps, IP addresses, browser information, session identifiers, authentication cookies, failed login attempts, password reset events, 2FA/MFA settings and other security-related metadata.
This data is used to authenticate users, prevent unauthorized access, detect suspicious activity and protect user accounts and tenant data.
TOTPX may support social login providers such as Facebook, GitHub, Microsoft or similar providers. If a user chooses social login, the selected provider may send us account-related information according to the permissions granted by the user.
This may include provider user ID, email address, display name, profile information and authentication metadata. The user can usually manage provider permissions through the respective provider account.
TOTPX supports multi-tenant company accounts. Company administrators may manage users, employees, roles, subscriptions, products, devices, API settings, security settings and organization-specific configuration.
Tenant-related processing may include company name, billing information, business address, subscription state, tenant identifiers, admin assignments, employee assignments and organization metadata.
If a company account invites employees or assigns roles, we may process invitation email addresses, invitation status, role information, permission settings, accepted invitations, revoked invitations and administrative changes.
This processing is required to provide access control, tenant isolation, organization administration and security auditability.
Within TOTPX, products may act as templates for devices. Product-related data may include product name, type, purpose, scope, token configuration, algorithm, digit length, period, model information, verification status, owner references and related metadata.
This processing is necessary to provide product management, device creation, API consistency and platform-level configuration.
Devices are concrete instances created from products or other platform flows. Device-related data may include device identifiers, custom identifiers, factory identifiers, status, purpose, ownership references, token configuration, action URLs, activation status, verification status and integration-related metadata.
Device data is processed to provide token verification, device management, integration workflows, filtering, lifecycle handling and support.
Depending on configuration, TOTPX may process token-related data such as generated secrets, imported seeds, custom secrets, seed format, token period, algorithm, digit length and verification window settings.
Users are responsible for protecting secrets, seeds, API keys and device credentials. Secrets should not be disclosed publicly, stored in unsecured client-side code or shared through insecure communication channels.
The platform may generate or display QR codes, integration URLs, action URLs, otpauth-related data, device links or API-related snippets. Such data may contain device identifiers, token configuration or integration metadata.
Customers are responsible for ensuring that QR codes, URLs and integration data are shared only with authorized persons or systems.
When the Verify API is used, we may process API keys, device identifiers, submitted tokens, timestamps, request metadata, request headers, IP addresses, user-agent information, response status, error codes and verification results.
This processing is necessary to verify submitted tokens, return verification responses, enforce security rules, detect misuse and support troubleshooting.
TOTPX may support lightweight IoT request formats for embedded systems and constrained devices. Such requests may contain shortened parameter names, device identifiers, tokens, timestamps, optional response format settings and technical request metadata.
Tiny IoT requests are processed for the same core purposes as standard API requests: token verification, security, abuse prevention, rate limiting and troubleshooting.
API access may require API keys, access tokens, tenant identifiers or other credentials. We may process credential metadata, creation timestamps, last-used timestamps, status, scope, usage context and revocation information.
This data is processed to authenticate API clients, enforce permissions, provide security controls and support key rotation or revocation.
TOTPX may process request frequency, IP addresses, device identifiers, tenant identifiers, invalid token attempts, failed requests and traffic patterns to enforce rate limits and detect misuse.
Where necessary, requests may be throttled, blocked, delayed or rejected to protect the platform and other users.
Verification logs may include request time, device identifier, tenant reference, verification result, error code, request metadata and security-related information. Depending on plan and settings, logs may be available to customers for troubleshooting, reporting or audit purposes.
Retention of verification logs may depend on subscription plan, customer settings, security requirements and legal or operational needs.
Shared Access may process master device references, access grant identifiers, grant-specific secrets, validity periods, revocation state, assigned users or groups, temporary permissions and usage metadata.
This processing is necessary to provide temporary access, revoke permissions, audit access relationships and support shared verification scenarios.
Presence Verification may involve presence token events, QR scan events, device references, timestamps, verification status, request metadata and context information provided by the customer or integration.
Presence Verification is intended to support contextual or physical-presence scenarios. Customers remain responsible for determining whether the chosen setup is suitable for their intended purpose.
TOTPX may process audit logs for administrative actions, including user invitations, role changes, device changes, product changes, subscription changes, API key changes, security setting changes and access grant changes.
Audit logs help maintain transparency, security, troubleshooting and accountability within company accounts and platform operations.
Security-related processing may include failed logins, suspicious API traffic, unusual request patterns, credential exposure indicators, repeated invalid token attempts, blocked requests and account protection events.
Such data is used to detect abuse, protect customer accounts, prevent unauthorized access and maintain platform security.
We may process telemetry, application logs, infrastructure metrics, performance data, error reports, background job logs and service health information.
This data is used for troubleshooting, resource optimization, service reliability, capacity planning, security monitoring and system maintenance.
If paid services are used, we may process subscription data, invoices, billing address, tax information, payment provider references, transaction identifiers, plan information, renewal dates, cancellation status and payment-related communication.
Payment processing may be handled by external providers such as PayPal. Payment providers process payment data under their own terms and privacy policies.
If PayPal or another payment provider is selected, payment-related data may be transmitted to or received from the provider. This may include name, email address, billing details, payment status, transaction ID, subscription ID, amount, currency and payment event metadata.
TOTPX does not need to store full card details if payment is handled by an external provider.
Subscription-related processing may include active plan, billing cycle, plan upgrades, downgrades, cancellations, add-ons, feature limits, invoices, payment status and subscription history.
This data is required to provide paid features, enforce plan limits, issue invoices and manage access to platform functions.
If users contact support, we may process message content, email address, account reference, tenant reference, device identifiers, API request examples, screenshots, logs, error messages and communication history.
Support data is used to respond to requests, troubleshoot issues, document solutions and improve product quality.
The Web App may display in-app messages, notices, onboarding information, billing alerts, security notifications, maintenance notices or product updates. Related processing may include user role, account state, subscription state, feature usage and message delivery status.
Where export functions are available, users may export account data, company data, product data, device data, verification logs, audit logs, invoices or other supported records.
Export functions may generate downloadable files and related export logs. Customers are responsible for securely storing exported files.
Users may request deletion of accounts where available. Company account closure may require admin authorization and may affect employees, devices, products, API keys, access grants, subscriptions and logs.
Some data may need to be retained for legal, billing, tax, security, audit or abuse-prevention reasons even after account deletion or subscription termination.
Retention periods may differ depending on data type, plan, settings and legal requirements.
TOTPX is designed as a multi-tenant platform. Tenant isolation, role-based permissions and access-control mechanisms are used to restrict access to account, company, device and verification data.
Company administrators are responsible for assigning appropriate roles and removing access when users no longer require it.
Customers may connect TOTPX to external systems, devices, APIs, webhooks, action URLs or automation flows. Data transmitted through such integrations depends on the customer's configuration.
Customers are responsible for ensuring that external endpoints, devices and integrations are lawful, secure and properly authorized.
Customers may enter or import data relating to employees, users, guests, device holders, access recipients or other third parties. In such cases, the customer may be responsible for providing required privacy information to those persons.
TOTPX may act as processor or service provider for certain customer-controlled data, depending on the specific context and contractual arrangement.
If infrastructure providers, payment providers, support tools or other service providers outside the EU or EEA are used, appropriate safeguards may be applied where required, such as Standard Contractual Clauses or other recognized transfer mechanisms.
Security measures may include encrypted communication, authentication systems, role-based access control, tenant separation, monitoring, backups, access restrictions, rate limiting, audit logs and abuse detection.
Users and customers must also protect their own credentials, API keys, devices, secrets, networks and integration endpoints.
Users may have rights of access, rectification, deletion, restriction, data portability, objection and withdrawal of consent where applicable. Requests may be sent to office@totpx.com.
For company accounts, some requests may need to be handled by the company administrator if the data is controlled by the customer organization.
TOTPX may update this Web App Privacy Information if features, APIs, integrations, providers, legal requirements or data processing activities change. The current version will be made available through the website or the TOTPX App.