Privacy Policy
Last updated: 2026-04-16
Summary
anonlog.in is a free, public identity service. It is designed to collect as little personal information as possible. No email address is required, no analytics or advertising trackers are used, and no personal data is sold or shared with third parties for marketing.
What we store
To operate the Service we store:
- Account record: your chosen login name and a one-way hash of your password (Argon2id). The plaintext password is never stored.
- TOTP credential: your TOTP shared secret, encrypted at rest with authenticated encryption.
- Recovery codes: one-way hashes of recovery codes you generated. The plaintext codes are shown to you once and never stored.
- Web sessions: hashed session tokens and basic session metadata (created, last seen, expiry) so we can let you sign in and let you revoke sessions.
- API keys and OAuth clients: the public prefix and a one-way hash of the secret you create. Plaintext secrets are shown to you once and never stored.
- Audit log: authentication events (login attempts, TOTP attempts, registrations, session revocations, key issuance) including timestamp, IP address, and User-Agent string. This log exists so you can detect misuse of your account and so the operators can keep the Service running and secure.
- OAuth/OIDC tokens: short-lived authorization codes, access tokens, and refresh tokens you have issued to your own clients, retained for the lifetime of the grant.
What we do not collect
- No email address, phone number, real name, or billing information.
- No third-party analytics, advertising, fingerprinting, or tracking pixels.
- No cookies other than those strictly required for authentication, CSRF protection, and short-lived flash messages.
Logs
The Service writes operational logs (HTTP request lines, error traces, and security-relevant events) which may include IP addresses, request paths, and User-Agent strings. These logs are used to operate, debug, and protect the Service. They may be retained for a reasonable period and then deleted or rotated.
How we use this data
- To authenticate you and let your OAuth clients authenticate you.
- To show you your sessions, audit log, and credentials so you can manage them.
- To rate-limit, detect abuse, and keep the Service available.
- To comply with applicable law if we are legally required to do so.
Sharing
We do not sell your data. We do not share your data with third parties for marketing. We may disclose data if required by valid legal process or to investigate suspected abuse of the Service.
When you authorize an OAuth client (whether your own or a third party’s), that client receives the identity claims you have approved (such as your sub identifier and login name). What that client does with those claims is governed by that client, not by this Service.
Security
Passwords are hashed with Argon2id. TOTP secrets are encrypted at rest with authenticated encryption. Session tokens, recovery codes, API key secrets, and OAuth client secrets are stored only as one-way hashes. However, no system is perfectly secure, and the Service is provided “as is” without warranty (see the Terms of Service). You are responsible for the security of your password, TOTP device, and recovery codes.
Your choices
- You can review and revoke active sessions and API keys from your dashboard at any time.
- You can delete OAuth clients you have created at any time.
- You can stop using the Service at any time. To request deletion of your account, contact the operators.
Changes to this Policy
The operators may update this Privacy Policy at any time by posting a revised version at this URL. Continued use of the Service after a change constitutes acceptance of the updated Policy.