Legal · auth.ng

Privacy Policy

How auth.ng, a brand of Bolrach Technologies Limited, collects, uses, and protects your personal data, and what say you have over it.

Last updated: July 3, 2026 · A brand of Bolrach Technologies Limited

1. Who we are

auth.ng is a brand of Bolrach Technologies Limited, and Bolrach Technologies Limited is the data controller for the personal data we process through auth.ng. When you create an auth.ng account, verify your identity, or sign in to a relying-party app using auth.ng, you're trusting us with information about you. This policy explains what we collect, why we collect it, and what say you have over it.

This policy is written with the Nigeria Data Protection Act 2023 (NDPA) and the General Application and Implementation Directive (GAID) 2025 in mind, and it applies to everyone who uses auth.ng, wherever they're signing in from.

2. What we collect

We keep this list short on purpose. We only ask for what an identity account actually needs:

  • Contact details: your email address and phone number, used to reach you and to sign you in.
  • Name: the name you register with, and the name on any identity check you complete.
  • One profile photo: a single photo you choose to represent your account. It's optional.
  • Device and session data: things like device type, approximate location, browser, IP address, and sign-in timestamps, so we can show you your active sessions and flag anything unusual.
  • Verification status: whether you've completed identity verification, when, and at what level. Not the underlying documents or biometrics themselves, more on that below.

We don't collect anything beyond this without telling you first, and we don't buy data about you from anyone else.

3. How we use it

Everything we do with your data ties back to one of these:

  • Authenticating you, letting you sign in and stay signed in securely across devices.
  • Securing your account, detecting suspicious sign-ins, and sending you alerts when something looks off.
  • Verifying your identity when you choose to complete a verification step.
  • Sharing, with your explicit approval, only the specific claims a relying-party app asks for (say, "email verified: yes"), never your full profile.
  • Improving reliability and catching abuse, using aggregated, de-identified patterns where we can.

We don't use your data to build advertising profiles, and we don't sell it. Full stop.

4. Lawful bases we rely on

Under the NDPA, every use of personal data needs a lawful basis. Here's ours:

  • Consent, for optional things like adding a profile photo, completing identity verification, or connecting a new app to your account.
  • Legitimate interest, for account security, fraud detection, and keeping the service running the way you'd expect.
  • Legal obligation, where we're required to retain certain records or respond to a lawful request from a regulator or court.

Where we rely on consent, you can withdraw it at any time from your account settings.

5. Identity data and minimization

This is the part we care about most, so we'll be direct about it. When you verify your identity through auth.ng, the raw evidence you submit (a document photo, a selfie, a liveness check) is processed in memory during the verification step and then discarded. We do not keep a copy of your ID document, and we do not store a biometric template of your face.

What we keep instead is a verified status (yes or no, and at what level) and a hashed reference that lets us confirm you're the same verified person on a later check, without storing the identifier that produced it. We never store a raw national ID number, and we do not currently integrate with NIMC or any national identity database. Verification today is based on the documents and checks you provide directly.

If that changes in the future, we'll update this policy and tell you before any new data source is added.

6. Sharing with apps and third parties

When you use "Sign in with auth.ng" on a relying-party app, you see a consent screen listing exactly which claims that app is asking for, things like your email, your name, or your verification status. Nothing is shared until you approve it, and you can review or revoke any connected app at any time from your account.

  • Apps only ever receive the specific claims you approved, never your raw identity documents or hashed reference.
  • We use a small number of infrastructure and hosting providers to run auth.ng, bound by confidentiality and data protection terms.
  • We do not sell, rent, or trade your personal data to anyone, for any reason.
  • We only disclose data to a regulator or law enforcement body when we're legally required to.

7. International transfers

Identity verification is handled within Nigeria. Where we use infrastructure providers outside Nigeria for hosting or reliability, any transfer of personal data is protected by appropriate safeguards consistent with the NDPA, and we keep the footprint of that transfer as small as we reasonably can.

8. Security

We build auth.ng like the security of an identity system is the whole point, because it is.

  • Data is encrypted in transit and at rest.
  • Access to production data is limited to people who need it, and every access is logged.
  • We keep audit logs of sign-ins, verification events, and consent grants so activity on your account is traceable.
  • Sessions and devices are tracked, so you can see and end any session you don't recognize.

No system is perfectly unbreakable, and we won't claim otherwise. If something goes wrong, we'll tell you and the appropriate regulator, without delay.

9. Retention

We keep your account data for as long as your account is active. If you delete your account, we remove your personal data within a reasonable window, except where we're required to retain limited records for legal, security, or fraud-prevention reasons, in which case we keep only what's necessary and for no longer than needed.

10. Your rights

Under the NDPA, you have the right to:

  • Access the personal data we hold about you.
  • Correct anything that's inaccurate or out of date.
  • Delete your account and the personal data tied to it.
  • Withdraw consent for anything we process on that basis.
  • Revoke any connected app's access to your data, at any time.

Most of these you can do yourself from your account settings. For anything else, reach out through the contact details below.

11. Cookies

auth.ng uses a small number of cookies to keep you signed in and to keep the service secure. We cover exactly what we use and why in our Cookie Policy.

12. Children

auth.ng is not directed at children, and we don't knowingly collect personal data from anyone under the age of 18. If you believe a child has created an account, contact us and we'll remove it.

13. Changes to this policy

We'll update this page as auth.ng grows, and we'll change the "Last updated" date whenever we do. For any change that meaningfully affects how we use your data, we'll let you know directly, not just by editing this page quietly.

14. Contact and Data Protection Officer

Questions about this policy, or about your data, can go to our Data Protection Officer at [email protected]. For anything related to your account itself, use Terms, Data Processing, or Acceptable Use for the related policies, or open a support ticket from your account. auth.ng does not offer phone support.

Questions about this document?

auth.ng is a brand of Bolrach Technologies Limited. Contact [email protected]. Support is by ticket and knowledge base.