Privacy and compliance considerations
Stytch Device Fingerprinting collects telemetry data and stores a visitor ID in local storage. This page outlines some privacy and compliance considerations for your application.
You may consult your legal and compliance team to determine the exact impact on your business. The information on this page does not, and is not intended to, constitute legal advice; instead, all information is for general informational purposes only.
General considerations
Generally speaking, users should be notified of the types of data being collected, how this data is used, and what information is stored on the device.
The exact requirements for these notifications vary based on the jurisdiction of the user and your service.
Data collected
Stytch Device Fingerprinting collects various forms of data about the user's device. The only personally identifiable information (PII) is the IPGEO information, described below.
IPGEO information
By default, Stytch returns IP address, Autonomous System Number (ASN), and geolocation information in the response of the Fingerprint Lookup API (/lookup). You should consult with your compliance team to understand if you need to update your privacy policy to collect this data.
IPGEO information is opt-out. You may contact Stytch to remove this information from the payload.
Data stored on the user's device
Stytch Device Fingerprinting stores the visitor ID in the local storage of the user's browser.
External metadata
The Fingerprint Lookup API provides an external_metadata parameter that can help you correlate fingerprints based on your own records of that user.
If you provide external metadata, specifically external_id, consider the privacy implications. For example, if you set external_id to be a user's email address or other PII, then that information is shared with Stytch and may require updates to your privacy policy or other disclosures.