Legal

Privacy Policy

Last updated: April 2026  ·  Questions? privacy@groupfactor.io

Overview

Plain English, no surprises

Group Factor ("we", "us", or "our") operates the Group Factor service at groupfactor.io. This policy explains what data we collect, why we collect it, and how we handle it.

We are a small team building a straightforward product. We collect only the data we need to operate the service, we do not sell it, and we do not use it for advertising. That is the short version — the sections below fill in the details.

Data collection

What data we collect

Account information

  • Your name and email address, provided when you register.
  • A bcrypt hash of your password — we never store your password in plain text.
  • Your phone number, if you choose to enable personal SMS forwarding (optional).
  • If you sign in with Google, we receive your name, email address, and profile picture from Google's OAuth service. We do not receive your Google password.

Billing information

  • Payment processing is handled entirely by Stripe. We never see or store your card number, CVC, or full billing address.
  • We store only your Stripe customer ID, subscription ID, and subscription status so we know whether your account is active.

Team phone numbers and SMS messages

  • Each team is assigned a dedicated phone number provisioned through Twilio.
  • When an SMS arrives at a team number, the message content is held in memory so that team members can view the code. This content is never written to disk and is automatically discarded after 10 minutes.
  • We do not log, archive, or retain the text of SMS messages beyond this 10-minute window.

TOTP secrets

  • If your team uses Group Factor's authenticator feature, you paste the service's base32 TOTP secret into the app. This secret is stored encrypted in our database. The encryption key is held separately from the database.

Session data

  • When you sign in, we create a server-side session and store a session identifier in an httpOnly cookie in your browser. The cookie expires after 7 days of inactivity.
  • We record the time and approximate circumstances of sign-in events for security purposes (e.g. to detect unusual access).
Data use

How we use your data

We use the data we collect only to operate and improve the Group Factor service. Specifically:

  • To authenticate you and maintain your session.
  • To provision and manage your team's phone number via Twilio.
  • To display incoming 2FA codes to the members of your team.
  • To generate TOTP codes from any stored secrets.
  • To send transactional emails — such as account confirmation, password reset, and billing receipts — via Mailgun. We do not send marketing emails without your explicit consent.
  • To process subscription payments via Stripe.
  • To diagnose errors and improve the reliability of the service.

We do not use your data for advertising, profiling, or any purpose unrelated to operating Group Factor.

Third parties

Who we share data with

We share data with the following sub-processors to deliver the service. Each processes data under its own privacy policy and, where applicable, under a data processing agreement with us.

Twilio
Provides the phone numbers assigned to your teams and delivers inbound SMS messages to our service. When a 2FA code is sent to your team's number, it passes through Twilio's infrastructure. See Twilio's Privacy Policy.
Stripe
Handles all payment card processing and subscription billing. Your card details are entered directly into Stripe's hosted fields and are never transmitted to our servers. See Stripe's Privacy Policy.
Mailgun
Delivers transactional emails (account confirmation, password reset, billing receipts) on our behalf. Your email address is transmitted to Mailgun in order to send these messages. See Mailgun's Privacy Policy.
Railway
Hosts the Group Factor application and database infrastructure. Your account data and TOTP secrets reside on servers managed by Railway. See Railway's Privacy Policy.
Google
If you choose to sign in with Google, Google's OAuth 2.0 service authenticates your identity and shares your name, email address, and profile picture with us. This exchange is optional — you can always create an account with email and password instead. See Google's Privacy Policy.

We do not sell your data to any third party, and we do not share it with parties other than those listed above.

Retention

How long we keep your data

  • SMS message content is never persisted. It is held in memory for a maximum of 10 minutes and then discarded automatically.
  • Account data (name, email, hashed password, phone number, TOTP secrets, team configuration) is retained for as long as your account is active. If you request account deletion, we will permanently delete your data within 30 days, except where retention is required by law.
  • Billing records are governed by Stripe's retention policies and applicable financial regulations. We retain the minimum billing references needed to verify your subscription history.
  • Session data expires automatically after 7 days of inactivity and is removed when you sign out.
Cookies

Cookies and similar technologies

Group Factor uses a single first-party session cookie to keep you signed in:

  • The cookie is httpOnly and Secure, meaning it cannot be read by JavaScript and is only transmitted over HTTPS.
  • It expires after 7 days of inactivity.
  • It contains only an opaque session identifier — no personal data is stored in the cookie itself.

We do not use tracking cookies, advertising cookies, analytics beacons, or any third-party cookies. There is no cookie consent banner because there is nothing to consent to beyond the session cookie required to operate the service.

Security

How we protect your data

  • All traffic between your browser and our service is encrypted in transit via HTTPS (TLS).
  • Passwords are hashed using bcrypt with a suitable work factor before storage. We cannot recover your password — only reset it.
  • Sessions are stored server-side. Signing out immediately invalidates your session.
  • TOTP secrets are stored encrypted at rest, with the encryption key held separately from the database.
  • SMS message content is never written to disk, eliminating it from any database backup or log.

No system is perfectly secure. If you believe you have found a security vulnerability, please contact us at privacy@groupfactor.io before disclosing it publicly.

Your rights

Accessing and deleting your data

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data — most account details can be updated directly in Settings.
  • Delete your account and associated data. You can initiate account deletion from within the app, or by contacting us.
  • Export a copy of your data on request.

To exercise any of these rights, email us at privacy@groupfactor.io. We will respond within 30 days.

Eligibility

Children's privacy

Group Factor is a business tool intended for use by adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Legal

Governing law

This Privacy Policy is governed by the laws of the jurisdiction in which Group Factor operates. Any disputes arising from this policy will be resolved in accordance with those laws.

Updates

Changes to this policy

If we make material changes to this policy, we will notify you by email (to the address on your account) or by a prominent notice in the app before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continuing to use Group Factor after changes take effect constitutes acceptance of the revised policy.

Contact

Get in touch

If you have any questions about this Privacy Policy or how we handle your data, please email us at privacy@groupfactor.io. We are a small team and we read every message.