Privacy Policy
Last updated: 2026-01-01
SecuryTik ("we", "us") operates the websites at securytik.com, samm.securytik.com, and auth.securytik.com, and provides the SAMM ISP management platform. This policy explains what data we collect from you, why we collect it, and how we use and protect it.
1. What data we collect
We collect only the minimum information needed to run your account and the services you use.
- Account data — your email address and, if you set one, a salted Argon2id hash of your password. We never store your password in plain text.
- Two-factor authentication — an encrypted (Fernet) TOTP secret and Argon2id-hashed recovery codes, generated only when you enable 2FA.
- Session metadata — IP address, user-agent string, and refresh-token hash for each active sign-in, used for security alerts and refresh-token rotation.
- SAMM device records — for each SAMM install you register: an opaque device-token hash, the device's install UUID, the device name you supplied, registration timestamp, and heartbeat timestamps.
- Subscription state — which SecuryTik / SAMM plan your account is on and its renewal status.
2. Sign in with Google
If you sign in via Google, Google sends us only the data covered by these three OAuth scopes:
- openid — associates you with your personal info on Google.
- .../auth/userinfo.email — your primary Google Account email address.
- .../auth/userinfo.profile — your basic personal info (name, locale, picture) where you have made it publicly available.
We use this data only to create or link your SecuryTik account. We do not request, store, or have access to any other Google data — no Gmail, Drive, Calendar, Contacts, or anything else. We never sell or share Google-derived data with third parties.
3. How we use your data
We use the data above for the following purposes only:
- To authenticate you when you sign in and to keep your session active.
- To send transactional emails: account activation, sign-in alerts on new devices, password resets and changes, and 2FA enrolment confirmations.
- To enforce SAMM device limits per your subscription plan.
- To respond to your support requests when you contact us.
- To detect and prevent abuse (e.g. refresh-token theft).
4. Who sees your data
Your data is stored on infrastructure operated by SecuryTik. We do not sell your data, ever. We share it only with the following processors, and only as needed to operate the service:
- Cloudflare — terminates TLS for traffic to our domains.
- Titan Email — delivers our transactional emails.
- Google — provides the OAuth sign-in option (described above).
5. Data retention
We keep your account and its associated data for as long as your account exists. Heartbeat logs are kept for diagnostics and trimmed periodically. When you delete your account, we delete your account row, your linked subscriptions, your device records, and all related session and 2FA material; backups containing residual copies are aged out within 30 days.
6. Your rights
You can:
- See and edit the data we hold about you at auth.securytik.com/profile.
- Revoke any SAMM device at auth.securytik.com/profile/devices.
- Revoke our access to your Google account from your Google Account permissions page.
- Request a copy of your data, or request that we delete your account, by emailing [email protected].
7. Security
Passwords are hashed with Argon2id. TOTP secrets are encrypted at rest with Fernet. Public traffic to all SecuryTik domains terminates at Cloudflare with HTTPS; internal services bind to loopback only. We send a sign-in alert to your email when a new device or IP signs in, and a notice when your password is changed.
8. Children
Our services are not directed to children under 13, and we do not knowingly collect personal data from children under 13.
9. Changes to this policy
We will update this page as our practices evolve, and we will update the "Last updated" date at the top. We will notify you of material changes by email.
10. Contact
Questions about this policy? Email [email protected] or write to SecuryTik, Beirut, Lebanon.