This policy explains what data the ugiAuthenticator browser extension and web panel (authenticator.ugilabs.com) collect, how it is used, and how it is stored.
Data collected
TOTP account data: Issuer name, account name, and secret key. Required to generate two-factor authentication codes.
Account info (optional): If you use cloud sync, your email and encrypted password hash are stored on the server.
Session token: The API access token for sync is kept on your device (extension storage).
Data storage
Local: The extension stores accounts in your browser's local storage. Data stays only on your device.
Server (optional): When sync is enabled, secret keys are encrypted with AES-256-GCM on the server. No TOTP data is sent if you do not use sync.
How data is used
Collected data is used only for:
Generating TOTP verification codes
Syncing accounts between extension and web panel (on user request)
Account registration and sign-in
Your data is not used for ads or profiling and is not sold to third parties.
Permissions (browser extension)
storage: Save accounts locally
clipboardWrite: Copy TOTP codes to clipboard
activeTab + scripting: Read QR codes on the active page at user request
authenticator.ugilabs.com: Optional cloud sync API
The jsQR library is loaded from the jsDelivr CDN during QR scanning. Google Fonts are used for UI typography. Otherwise, your data is not shared with third parties.
Data security
Secret keys are encrypted on the server, API communication uses HTTPS, rate limiting protects against login abuse, and session tokens are rotated regularly.
Deleting data
You can delete accounts from the extension, clear local storage, or permanently delete your account from the Settings page.
Children's privacy
Our service is not directed at children under 13 and we do not knowingly collect data from them.
Changes
This policy may be updated. Significant changes will be published on this page.
Contact
For privacy questions, contact us via ugilabs.com.