General Privacy

General Privacy Information

This general privacy section explains who is responsible for TOTPX, which legal bases apply and which rights data subjects have.

Last updated: 27 May 2026

1. Controller

The controller responsible for the processing of personal data in connection with TOTPX is:

AnyWareX e.U.
Mitte 26
9125 Kühnsdorf
Austria
Email: office@totpx.com
Phone: +43 681 2045 1414

2. Scope of this General Privacy Information

This General Privacy Information applies to the TOTPX website, the TOTPX Web App, the TOTPX APIs, developer services, support communication, product communication, social login providers, future mobile applications, recruitment processes, integrations and connected services.

Additional privacy sections may apply to specific areas, such as the public website, the Web App, social media services or recruitment processes. These additional sections supplement this General Privacy Information and should be read together with it.

3. Definitions

Personal data means any information relating to an identified or identifiable natural person. This may include names, email addresses, IP addresses, user IDs, account data, device identifiers, billing information or online identifiers.

Processing means any operation performed on personal data, such as collection, storage, use, transmission, restriction, deletion or anonymization.

Controller means the entity that determines the purposes and means of processing personal data. Processor means a service provider that processes personal data on behalf of the controller.

Consent means a freely given, specific, informed and unambiguous indication of your wishes. Legitimate interest means an interest in processing that is lawful, appropriate and balanced against the rights and freedoms of the affected person.

4. General principles of processing

We process personal data only where there is a valid legal basis and where the processing is necessary for a defined purpose. We aim to process personal data transparently, fairly and in a manner that is understandable for users.

The processing of personal data is guided by the following principles:

  • Lawfulness, fairness and transparency: data is processed only where permitted and in a transparent manner.
  • Purpose limitation: data is collected for specified purposes and not used in a way incompatible with those purposes.
  • Data minimization: only data that is necessary for the relevant purpose should be processed.
  • Accuracy: reasonable steps are taken to keep relevant data accurate and up to date.
  • Storage limitation: data is not stored longer than necessary.
  • Integrity and confidentiality: data is protected through appropriate technical and organizational measures.

5. Purposes of processing

Personal data may be processed for the following purposes:

  • providing and operating the TOTPX website, Web App and APIs;
  • creating and managing user accounts, company accounts and employee access;
  • providing token verification, device management, Shared Access and Presence Verification features;
  • processing subscriptions, invoices, payments and billing-related communication;
  • responding to contact requests, support requests, partnership inquiries and abuse reports;
  • maintaining IT security, detecting misuse, preventing fraud and protecting the platform;
  • monitoring system performance, debugging errors and improving platform stability;
  • complying with contractual, legal, accounting and tax obligations;
  • improving the service, user experience and documentation where legally permitted.

6. Categories of personal data

Depending on how TOTPX is used, the following categories of personal data may be processed:

6.1 Account data

This may include email address, account name, login data, account status, language settings, security settings, user roles, invited users and account-related timestamps.

6.2 Company and tenant data

For company accounts, we may process company name, business address, billing details, tax information, subscription data, employee assignments, roles, permissions and tenant settings.

6.3 Technical data

This may include IP address, browser type, browser version, operating system, device information, session data, referrer information, timestamps, log entries and security-related metadata.

6.4 Device and product data

TOTPX may process product templates, device identifiers, device names, purposes, token settings, device status, ownership information, integration settings and related metadata.

6.5 Verification and API data

When the Verify API or related services are used, we may process identifiers, tokens, timestamps, API keys, request metadata, response status, error codes, verification events and security events.

6.6 Shared Access and Presence Verification data

For Shared Access and Presence Verification, we may process access grant identifiers, validity periods, revocation status, master device references, scan events, presence-related verification events and related logs.

6.7 Communication data

This may include emails, contact form submissions, support messages, product inquiries, partnership requests, abuse reports, feedback, survey responses and related communication history.

6.8 Billing and payment data

This may include invoice data, subscription status, payment provider references, transaction identifiers, tax information, billing address and payment-related communication. Payment details may also be processed by external payment providers under their own privacy policies.

7. Sources of personal data

Personal data may be collected from different sources, including:

  • directly from users during registration, communication or platform use;
  • from company administrators who invite or manage employees;
  • from social login providers if a user chooses to sign in through such a provider;
  • from API clients, devices, integrations or third-party systems configured by customers;
  • from payment providers in connection with subscriptions and invoices;
  • from security systems, logs and monitoring tools necessary to protect the service.

8. Legal bases for processing

Depending on the context, processing may be based on one or more of the following legal bases:

  • Consent: for optional features, marketing communication, analytics or similar processing where consent is required.
  • Contract performance: where processing is necessary to provide the TOTPX services or manage subscriptions.
  • Pre-contractual measures: where processing is necessary to respond to inquiries or prepare a possible contract.
  • Legal obligations: where processing is required for tax, accounting, compliance or other legal obligations.
  • Legitimate interests: for security, fraud prevention, troubleshooting, platform stability, service improvement and business communication.

9. Legitimate interests

Where processing is based on legitimate interests, those interests may include:

  • secure and reliable operation of the website, Web App and APIs;
  • protection against misuse, attacks, fraud and unauthorized access;
  • analysis of technical errors and service interruptions;
  • enforcement of API limits, rate limits and platform rules;
  • communication with customers, developers and partners;
  • improvement of product quality, documentation and user experience;
  • establishment, exercise or defense of legal claims.

10. Email contact and communication

If you contact us by email, we process the data contained in your message to handle the request. This may include your email address, name, company, message content, attachments, metadata and any subsequent communication.

If the communication relates to a contract, account, subscription or technical support request, processing may be necessary for contract performance or pre-contractual measures. In other cases, processing may be based on our legitimate interest in responding to inquiries.

11. Contact forms, product inquiries and partnership requests

If contact forms, request-access forms, product inquiry forms or partnership forms are provided, we may process the information entered into the form and technical metadata connected with the submission. This data is used to process the inquiry, prevent misuse and ensure the security of our systems.

12. Support requests and abuse reports

When support requests or abuse reports are submitted, we may process account identifiers, technical logs, device identifiers, API request details, screenshots, error messages, communication history and other information needed to understand and resolve the request.

Support and abuse report data may be retained for a reasonable period to document the handling of the request, protect the platform and defend against misuse or legal claims.

13. Newsletter, product updates and optional communication

If newsletters, product updates or marketing communication are offered, they will generally be sent only with consent or where otherwise legally permitted. You may unsubscribe or withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing before withdrawal.

14. User interviews, testing and surveys

We may invite selected users to interviews, surveys, feedback sessions or product tests in order to improve TOTPX. Participation is voluntary. Depending on the format, we may process contact data, feedback, answers, recordings, transcripts or usage-related information.

Where recordings or detailed feedback are collected, this will generally be based on consent. Such data will be retained only as long as needed for the relevant product improvement purpose or as otherwise communicated.

15. Processors and recipients

We may use external service providers that process personal data on our behalf or as independent controllers, depending on the service. Categories of recipients may include:

  • hosting providers and infrastructure providers;
  • email and communication providers;
  • payment and subscription providers;
  • support and customer communication tools;
  • monitoring, logging and security providers;
  • content delivery networks and DNS providers;
  • analytics or product improvement tools, if implemented;
  • legal, tax or accounting advisors where required.

Where processors are used, we aim to conclude appropriate data processing agreements as required by applicable data protection law.

16. International data transfers

Some service providers or technical systems may be located outside the European Union or the European Economic Area. Where personal data is transferred to countries without an adequacy decision, we aim to use appropriate safeguards such as Standard Contractual Clauses or other legally recognized transfer mechanisms.

Where a transfer is based on consent, you will be informed where required and may withdraw consent for future processing.

17. Data retention and deletion

Personal data is retained only as long as necessary for the relevant purpose, contractual relationship, legal obligation, security requirement or legitimate interest.

Typical retention considerations include:

  • Account data: generally retained while the account exists and for a reasonable period after deletion where required.
  • Company and billing data: retained according to contractual, tax and accounting obligations.
  • Support requests: retained as long as needed to process the request and document support history.
  • API and verification logs: retained according to plan, security needs, troubleshooting needs and product settings.
  • Audit and security logs: retained as needed to protect the platform, investigate misuse and document security-relevant events.
  • Newsletter data: retained while the subscription is active or until consent is withdrawn.
  • Recruitment data: retained according to the separate recruitment privacy information, once applicable.

Data may be deleted, anonymized or restricted once the relevant purpose no longer applies and no legal or security reason requires further storage.

18. Technical and organizational security measures

We use technical and organizational measures intended to protect personal data against unauthorized access, loss, misuse, manipulation, disclosure or destruction.

Such measures may include:

  • encrypted communication;
  • authentication and access control;
  • role-based permissions;
  • logging and monitoring;
  • rate limiting and abuse detection;
  • backup and recovery procedures;
  • system hardening and infrastructure protection;
  • separation of access rights where appropriate;
  • security reviews and technical maintenance.

19. Platform security, verification events and audit logs

Because TOTPX is a token verification and API-first security platform, certain processing is necessary to protect the integrity of the service. This may include processing login events, API requests, verification events, device-related metadata, Shared Access events, Presence Verification events, failed requests, rate-limit events and audit logs.

These records may be used to detect misuse, investigate incidents, troubleshoot integrations, enforce limits, protect customers and maintain the reliability of the platform.

20. Automated decision-making

TOTPX may automatically process technical events in order to verify tokens, reject invalid requests, enforce rate limits, detect suspicious activity or protect the service. These technical decisions are generally necessary for providing the service and securing the platform.

We do not intend to use automated decision-making that produces legal effects concerning you or similarly significantly affects you, unless it is necessary for the service, legally permitted or based on consent.

21. Data subject rights

Depending on applicable law, you may have the following rights:

  • Right of access: to request information about whether and how personal data is processed.
  • Right to rectification: to request correction of inaccurate or incomplete data.
  • Right to erasure: to request deletion where legal requirements are met.
  • Right to restriction: to request limitation of processing in certain cases.
  • Right to data portability: to receive certain data in a structured, commonly used and machine-readable format.
  • Right to object: to object to processing based on legitimate interests in certain circumstances.
  • Right to withdraw consent: to withdraw consent with effect for the future.

Requests may be sent to office@totpx.com. We may need to verify your identity before responding to certain requests.

22. Right to complain to a supervisory authority

You have the right to lodge a complaint with a competent data protection supervisory authority if you believe that the processing of your personal data violates applicable data protection law.

Depending on your location and the circumstances, the competent authority may be the authority in your country of residence, place of work or the place of the alleged infringement.

23. Children and minors

TOTPX is intended for business, developer, platform and security use cases. The service is not directed to children. If we become aware that personal data of a child has been processed without the required legal basis, we will take appropriate steps to delete or restrict such data.

24. Changes to this Privacy Information

We may update this Privacy Information if the product, infrastructure, legal requirements, service providers or data processing activities change. The current version will be made available on the website or within the TOTPX App.

Where changes materially affect users, we will make reasonable efforts to provide notice through the website, app or email.

This General Privacy Information is intended as the final launch draft for the general privacy section of TOTPX. It should be legally reviewed before commercial publication.