Privacy Policy

1. Introduction

Oathwall (“Oathwall,” “we,” “us,” or “our”) provides a single sign-on (SSO) and user management platform designed for game developers and software studios (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you access our website, developer dashboard, APIs, SDKs, and related hosted authentication pages.

Oathwall operates in two distinct roles with respect to personal data, and it is important to understand the difference:

• Data Controller: When we process information about our direct customers — the developers and studios who register an Oathwall account to use our Service (“Account Owners”).
• Data Processor: When we process information about the end users who authenticate into applications operated by our Account Owners (“End Users”). In this context, the Account Owner is the data controller, and we process personal data on their behalf under their privacy policy and applicable Data Processing Agreement.

If you are an End User attempting to understand how your data is used within a specific application, please consult that application’s privacy policy in the first instance. This policy describes the baseline processing performed by the Oathwall platform itself.

2. Scope

This Privacy Policy applies to personal data processed through:

• The Oathwall marketing website and public pages;
• The Oathwall developer dashboard and associated APIs;
• The Oathwall authentication flow, including hosted redirect pages and SSO callback endpoints;
• The Oathwall SDKs (including the Unity SDK) when integrated into third-party applications.

It does not apply to third-party identity providers (such as Google, Apple, Facebook, or Steam), which are governed by their own privacy policies, nor to applications built by Account Owners beyond the authentication boundary.

3. Information We Collect

3.1 Information from Account Owners

When a developer or studio registers for and uses the Oathwall dashboard, we collect:

• Account identifiers: account name, account code, owner email address, and plan selection.
• Authentication data: identity records created when the Account Owner signs into the dashboard through a supported SSO provider, including the provider identifier, provider-assigned user ID, name, email, and profile picture where supplied by the provider.
• Application configuration: application names, public application keys, deep-link schemes and packages, logo URLs, OAuth client IDs and client secrets, Apple Team IDs, Key IDs, and private keys supplied for Sign in with Apple.
• Billing information: when paid plans become available, billing data will be processed by our payment processor; Oathwall retains only limited records such as plan, billing status, and transaction identifiers.
• Usage and diagnostic data: request logs, IP addresses, user-agent strings, timestamps, and audit events associated with dashboard actions.

3.2 Information from End Users

When an End User authenticates into an application that uses Oathwall for SSO, we process the following on behalf of the Account Owner:

• Provider-supplied profile data: the provider key (e.g., Google, Apple, Facebook, Steam), provider-assigned user ID, email address, display name, and profile picture URL, to the extent released by the provider under the scopes configured by the Account Owner.
• Authentication artifacts: short-lived login tickets, OAuth flow state, access and refresh tokens, session identifiers, and linked-identity records used to support account merging across providers.
• Technical metadata: IP address, user-agent, device platform indicators, timestamps of sign-in and token refresh, and session status.

We do not request or store passwords for third-party identity providers. Oathwall never sees the End User’s credentials at the provider.

3.3 Information We Do Not Knowingly Collect

Oathwall is intended for use by adult developers and by applications whose operators have satisfied their own age-verification obligations. We do not knowingly collect personal data directly from children under the age of 13 (or the equivalent minimum age in the End User’s jurisdiction). Account Owners are responsible for ensuring their applications comply with COPPA, the UK Age Appropriate Design Code, and similar regimes.

4. How We Use Information

We use personal data for the following purposes:

• To provide, operate, and maintain the Service, including authenticating users and issuing session tokens;
• To enable Account Owners to manage their applications, providers, users, and sessions through the dashboard;
• To enforce plan limits, detect abuse, and protect the security and integrity of the Service;
• To communicate with Account Owners about service updates, security notices, and support matters;
• To generate aggregated and de-identified analytics about platform usage;
• To comply with legal obligations and enforce our Terms of Service.

We do not sell personal data, and we do not use End User personal data to build cross-application advertising profiles.

5. Legal Bases for Processing (EEA / UK)

Where the EU or UK General Data Protection Regulation applies, we rely on the following legal bases:

• Contract: to provide the Service to Account Owners and to perform authentication requested by End Users.
• Legitimate interests: to secure the Service, prevent fraud and abuse, maintain audit logs, and improve our platform, balanced against the rights and freedoms of data subjects.
• Legal obligation: to comply with applicable laws, respond to lawful requests, and maintain required records.
• Consent: where required by law, for example for certain optional communications. Consent for SSO scopes is obtained at the identity provider.

6. How We Share Information

We share personal data only as described below:

• With identity providers: we transmit the minimum data required to initiate an OAuth or OpenID flow (such as client IDs, redirect URIs, and state) and receive the profile data released in return.
• With Account Owners: End User identity records, sessions, and related metadata are made available to the Account Owner whose application the End User authenticated into. Account Owners cannot access identities belonging to other accounts.
• With service providers: we use a limited set of subprocessors for hosting, database, email delivery, error monitoring, and (in the future) payment processing. Each is bound by appropriate contractual protections.
• For legal reasons: we may disclose information where required by law, valid legal process, or to protect the rights, property, or safety of Oathwall, our users, or others.
• In corporate transactions: if Oathwall is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred subject to the surviving entity honoring the commitments in this policy.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. Specifically:

• Short-lived authentication artifacts (login tickets, OAuth flow state, merge keys) are retained for minutes and deleted or invalidated after use or expiry.
• Sessions and refresh tokens are retained for the lifetime of the session or until revoked by the End User, the Account Owner, or Oathwall.
• End User identity records are retained while the associated application and account remain active, and are deleted (or anonymized) when the Account Owner deletes the user, when the application is deleted, or on termination of the account, subject to any legal hold.
• Account Owner records are retained for the duration of the account relationship and for a reasonable period thereafter to meet legal, tax, and audit requirements.
• Logs and diagnostic data are retained for a limited period consistent with security and operational needs.

8. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include transport encryption (TLS), isolation of tenant data by account, access controls on the dashboard and APIs, short-lived single-use authentication tickets, and token-type separation between dashboard and SSO contexts. Despite these measures, no system is completely secure, and we cannot guarantee the absolute security of information transmitted over the internet.

Account Owners are responsible for safeguarding their own dashboard credentials, API keys, and OAuth secrets, and for configuring their applications and providers in a secure manner.

9. International Data Transfers

Oathwall may process and store personal data in countries other than the one in which the data subject resides. Where personal data originating in the EEA, UK, or Switzerland is transferred to a country that has not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, such as the European Commission’s Standard Contractual Clauses, and implement supplementary measures where needed.

10. Your Rights

Depending on your jurisdiction, you may have rights in relation to your personal data, including the right to access, correct, delete, restrict or object to processing, data portability, and withdrawal of consent. Residents of the European Economic Area, the United Kingdom, Switzerland, California, and certain other jurisdictions may have additional rights under local law.

If you are an Account Owner, you may exercise these rights by contacting us directly using the details in Section 13 or by using the controls available in the dashboard.

If you are an End User of an application built on Oathwall, please direct your request to the operator of that application (the Account Owner). They are the data controller for your account within their product. Where permitted, we will assist the Account Owner in responding to your request, or refer your request to them.

You also have the right to lodge a complaint with a supervisory authority in your jurisdiction.

11. Cookies and Similar Technologies

The Oathwall dashboard and hosted authentication pages use cookies and equivalent storage mechanisms that are strictly necessary to operate the Service, including session cookies (such as dashboard access and refresh tokens) and short-lived state cookies used during the OAuth flow. We do not use third-party advertising cookies on our dashboard or authentication pages.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date above and, where appropriate, notify Account Owners by email or through the dashboard. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

For data subjects in the EEA or UK, we will identify and appoint a representative under Article 27 GDPR where legally required; their contact details will be listed here once appointed.