Privacy Policy

Last updated: June 3, 2025

Introduction

Stytch, Inc. ("Stytch", "we", "us", or "our") has prepared this Privacy Policy to explain what personal information we collect, how we use and share that information, and your choices concerning our privacy and information practices.

Applicability of this Privacy Policy

Stytch provides its customers with an all-in-one software platform for authentication and identity management. This Privacy Policy applies to personal information that we collect in connection with our website(s), including https://stytch.com, and any products and/or services that link to this Privacy Policy (collectively, the "Services").

This Privacy Policy does not apply to personal information that we process on behalf of our customers as their service provider or processor (e.g., personal information of our customers' end users). Such personal information shall instead be governed by the terms and conditions of the separate customer agreement or terms of service that Stytch has in place with such customer. If you are such an individual and would no longer like your information to be used by Stytch and/or one of our customers or you would like to access, correct, or request deletion of your information in Stytch's possession or control, please contact the Stytch customer that you interact with directly.

In addition, our Services are designed for businesses and are not intended for personal, family, or household use. Accordingly, we treat all personal information covered by this Privacy Policy as pertaining to individuals acting as business representatives, rather than in their personal capacity.

Personal Information We Collect

Information you provide to us:

  • Business Contact Information: If you are a representative of one of our actual or prospective customers, suppliers or business partners, we may collect personal information about you (such as your name, contact details and role) when entering into an agreement with your company and during the course of our relationship with your company.
  • Feedback or correspondence, such as information you provide when you contact us with questions, feedback, reviews, or otherwise correspond with us online.
  • Usage information, such as information about how you use the Services and interact with us.
  • Marketing information, such as information you provide to us when requesting a demo, downloading a whitepaper, or subscribing to a mailing list and your preferences for receiving communications about our activities, services, and publications, and details about how you engage with our communications.
  • Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.

Job Applicants

When you visit the careers portion of our website, we collect personal information that you provide to us in connection with your job application. This includes business and personal contact information, professional credentials and skills, educational and work history, and other information of the type that may be included in a resume. This may also include diversity information that you voluntarily provide. We use this information to facilitate our recruitment activities and process employment applications, such as by evaluating a job candidate for an employment activity, and monitoring recruitment statistics. We may also use and share this information to provide improved administration of the website, and as otherwise necessary: (a) to comply with relevant laws or to respond to subpoenas or warrants served on us; (b) to protect and defend the rights or property of us or others; or (c) in connection with a legal investigation.

Information we obtain from third parties

We may maintain pages on social media platforms, such as Facebook, Twitter, Instagram, and other third-party platforms. When you visit or interact with our pages on those platforms, the platform provider's privacy policy will apply to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Policy. We may obtain your personal information from other third parties, such as marketing partners, publicly-available sources and data providers.

Automatic data collection

We and our service providers may automatically log information about you, your computer or mobile device, and your interaction over time with our Services, our communications and other online services, such as:

  • Device data, such as your computer's or mobile device's operating system type and version, settings, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 4G), and general location information such as city, state or geographic area.
  • Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, browsing history, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.
  • Email Open/Click Information. We may use pixels in our email campaigns that allow us to collect your email and IP address as well as the date and time you open an email or click on any links in the email that we may send to you.

Tools for automatic data collection:

  • Cookies: text files that websites store on a visitor’s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, helping us understand user activity and patterns, and facilitating online advertising.
  • Local storage technologies: technologies that provide cookie-equivalent functionality but can store larger amounts of data, including on your device outside of your browser in connection with specific applications.
  • Web beacons: also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.

Categories of Personal Information Collected

With regards to California’s CCPA/CPRA, the following categories of personal information are collected and shared with third parties/service providers

  • Identifiers: Name, email address, IP address, device identifiers
  • Personal information under Cal. Civ. Code § 1798.80(e): Contact information, payment information
  • Protected classification characteristics: Age, gender (only if voluntarily provided in job applications)
  • Commercial information: Products or services purchased, purchasing history
  • Internet or network activity: Browsing history, interaction with our website/services
  • Geolocation data: General location based on IP address
  • Professional or employment-related information: Job history, professional qualifications (for job applicants)
  • Inferences: Profile reflecting preferences and characteristics

How We Use Your Personal Information

Service Operations. We use your personal information to provide, operate, maintain, secure and improve our Services as well as communicate with you about our Services, including by sending announcements, updates, security alerts, support, and administrative messages. Additionally personal information is used when responding to your requests, questions and feedback.

Marketing and advertising. We may send you direct marketing communications as permitted by law, including notifying you of special promotions, offers and events via email and in-app notifications. You may opt out of our marketing communications as described in the "Your Choices" section below.

Research and development. We may use your personal information for research and development purposes, including to analyze and improve our Services and our business. As part of these activities, we may create aggregated, de-identified, or other anonymous data from personal information we collect. We make personal information into anonymous data by removing information that makes the data personally identifiable to you. We may use this anonymous data and share it with third parties for our lawful business purposes.

Compliance and protection. We may use personal information to comply with applicable laws, lawful requests, and legal process; protect our, your or others' rights, privacy, safety or property; audit our internal processes for compliance with legal and contractual requirements; enforce the terms and conditions that govern our Services; and prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity.

We will not sell or share your Data as such terms are defined in the California Privacy Rights Act (“CPRA”) except as provided in this Policy.

How We Share Your Personal Information

Service providers. We may share your personal information with third party companies and individuals that provide services on our behalf or help us operate our Services (such as lawyers, bankers, auditors, insurers, and providers that assist with hosting, analytics, email delivery, marketing, and database management). We require these service providers to process personal information in accordance with our instructions and protect the security and confidentiality of the personal information they process.

Authorities and others. We may disclose your personal information to law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.

Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution. In such a case, we will make reasonable efforts to require the recipient to honor this Privacy Policy.

Affiliates. We may share personal information with our current and future affiliates, meaning an entity that controls, is controlled by, or is under common control with Stytch. Our affiliates may use the personal information we share in a manner consistent with this Privacy Policy.

Cross-border Data Transfers

Stytch is headquartered in the United States. Stytch is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). To provide and operate our services, it is necessary for us to process your personal information in the United States and potentially other countries where we have operations or service providers.

If we transfer personal information across borders such that we are required to apply appropriate safeguards to personal information under applicable data protection laws, we will do so. Please contact us for further information about any such transfers or the specific safeguards applied.

Data Privacy Framework

Stytch is headquartered in the United States. To provide and operate our services, it is necessary for us to process your personal information in the United States and potentially other countries where we have operations or service providers.

Stytch complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Stytch has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles with respect to the processing of personal data received from the European Union, United Kingdom, and Switzerland in reliance on the DPF. If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Stytch commits to resolve complaints about our collection or use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact Stytch at:

privacy[at]stytch.com

Stytch, Inc. Attn. Legal Department

555 Montgomery Street, Suite 1700

San Francisco, CA 94111

In compliance with the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Stytch commits to refer unresolved complaints about our handling of Non-HR personal data to JAMS, an independent dispute resolution provider based in the United States. Non-HR data includes all personal data that Stytch processes on behalf of its customers.

If you submit a DPF Principles-related complaint and either (1) do not receive timely acknowledgment from Stytch, or (2) are not satisfied with how Stytch addressed your complaint, please visit https://www.jamsadr.com/DPF-Dispute-Resolution to learn more or file a complaint. JAMS provides these dispute resolution services at no cost to you.

Additionally, if you are an EU, UK or Swiss data subject, you may invoke binding arbitration in certain cases, as further described in Annex I of the EU-U.S. Data Privacy Framework Agreement, the UK Extension to the EU-U.S. Data Privacy Framework Agreement and the Swiss-U.S. Data Privacy Framework Agreement. For further information, please visit the Data Privacy Framework web site at https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction or contact our privacy team.

Your Rights and Choices

Access and Data Rights: Depending on your location, you may have certain rights regarding your personal information:

  • The right to know what personal information we process about you
  • The right to access your personal information
  • The right to rectify/correct your personal information
  • The right to restrict the use of your personal information
  • The right to erasure/deletion of your personal information
  • The right to data portability
  • The right to object to processing
  • The right to withdraw consent
  • The right to opt-out of the sale or sharing of their personal information

To make a request, please email us at privacy[at]stytch.com.

For EU, UK, and Swiss individuals, these rights are guaranteed under the Data Privacy Framework. We will respond to requests to exercise these rights within 30 days.

At any time, you may choose (opt out) whether your personal information is (i) to be disclosed to a third party, other than to third parties who act as our agents to perform tasks on our behalf and under our instructions, or (ii) to be used for a purpose that is materially different from the purposes for which it was originally collected, pursuant to this policy, or subsequently authorized by you or (iii) unsubscribe our mailing lists, newsletters or disable your account. You may exercise your choice by sending us an opt-out request to: privacy[at]stych.com.

For sensitive personal information, we will obtain explicit consent (opt-in) before processing such information for a purpose other than those for which it was originally collected or subsequently authorized. You may opt out or opt in by contacting us at privacy[at]stytch.com.

You have several options to control how your online activity and device data are collected through our Services:

  • Browser Cookie Controls You can manage cookies through your browser settings, including removing or rejecting them. While browsers typically accept cookies by default, you can modify these settings. Visit your browser's help section for specific instructions on cookie management.
  • Privacy-Enhancing Tools You can limit our Services' ability to set advertising-related cookies by:
    • Using browsers with enhanced privacy features
    • Installing privacy-focused browser extensions that block third-party trackers
    • Configuring your privacy tools to prevent tracking cookies
  • Analytics Data Collection We use Google Analytics to help us better understand how people engage with the Services by collecting information and creating reports about how users use our Services. For more information on Google Analytics, click here. For more information about Google’s privacy practices, click here. You can opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.
  • Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Onward Transfer Responsibility: When transferring personal information to third parties or agents, Stytch remains responsible under the DPF Principles for the processing of that information. Stytch shall remain liable if a third party or agent processes such personal information in a manner inconsistent with the Principles, unless Stytch proves that it is not responsible for the event giving rise to the damage.

Data Retention

We retain different types of information for different periods, depending on the purposes for processing the information, our legitimate business purposes as well as pursuant to legal requirements under the applicable law.

We may need to keep personal information for as long as necessary to support the purposes of processing under this policy and for additional legitimate business purposes, for example, for record-keeping, for cyber-security management purposes, legal proceedings, and tax issues.

We may keep aggregated non-identifiable information without limitation, and to the extent reasonable we will delete or de-identify potentially identifiable information when we no longer need to process the information.

In any case, as long as you use the Service, we will keep information about you, unless we are required by law to delete it, or if we decide to remove it at our discretion.

Other sites, mobile applications and services

Our Services may contain links to other websites, mobile applications, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or in mobile applications or online services that are not associated with us. We do not control third party websites, mobile applications or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites and mobile applications and online services you use.

Security practices

We use reasonable organizational, technical and administrative measures designed to protect against unauthorized access, misuse, loss, disclosure, alteration and destruction of personal information we maintain. Unfortunately, data transmission over the Internet cannot be guaranteed as completely secure. Therefore, while we strive to protect your personal information, we cannot guarantee the security of personal information. In the event that we are required to notify you about a situation involving your data, we may do so by email or telephone to the extent permitted by law. To report security issues, please contact us at security[at]stytch.com.

Children

Our Services are not intended for children, and we do not collect personal information from them. We define “children” as anyone under 18 years old. If we learn we have collected or received personal information from a child without verification of parental consent, we will delete the information. If you believe we might have any information from or about a child, please contact us at privacy[at]stytch.com. Note that this may not apply to personal information that we process on behalf of our customers, and such personal information will be processed by Stytch in accordance with the separate customer agreement or terms of service that Stytch has in place with such customer.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on our Services. We may also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner through our Services.

Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on our Services (or as otherwise indicated at the time of posting). In all cases, your continued use of the Services after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

How to contact us

You can reach us by email at privacy[at]stytch.com or at the following mailing address:

Stytch, Inc. 555 Montgomery Street, Suite 1700 San Francisco, CA 94111

Get started
with Stytch

Start building for freeExplore our docs

Authentication & Authorization

For consumer applications

For B2B SaaS applications

Admin Portal

Connected Apps

Fraud & Risk Prevention

Fingerprinting

Active risk assessment

Fine-grained enforcement

Why Stytch

Stytch vs. Auth0

Stytch vs. Firebase

Stytch vs. Cognito

Stytch vs. Fingerprint

Company

About us

Careers

Contact

Resources

Pricing

Docs

Changelog

Product roadmap

API status

Blog

Community

Slack community

Technical support

Customer stories

© 2025 Stytch. All rights reserved.

Terms of use

Privacy Policy