Privacy Policy
Last updated: March 16, 2026
Version: 1.0
Contia Authenticator is a two-factor authentication (2FA) app that generates time-based one-time passwords (TOTP) for your online accounts. Your authentication secrets and passcode are stored exclusively on your device and are never transmitted to any server. This policy explains what data we collect, how we use it, and the rights you have over your information.
1. Data Controller
The data controller responsible for your personal data is:
Contia Development
Daniel Block
Dietrich-Kohl-Weg 7
26131 Oldenburg Germany
Email: info@contia.de
2. Data We Collect
We collect two categories of data:
Stored on your device only
| Data | Where stored | Purpose |
|---|---|---|
| TOTP secrets (QR/manual entry) | iOS Keychain (encrypted) | Generate one-time codes |
| Passcode hash | iOS Keychain (encrypted) | App unlock protection |
| User preferences | Local device storage | Remember your settings |
| Device UUID | Local device storage | Identify the installation (see below) |
This data never leaves your device except as described in the next section.
Sent to our servers on each app start
| Data | Purpose |
|---|---|
| Device UUID (anonymous, randomly generated) | Identify the installation to keep the service operational |
| App version | Ensure compatibility with our backend service |
| Device language | Deliver responses in the correct language |
| App identifier (de.contia.authenticator) | Verify the request originates from this app |
This data is transmitted to coapi.de, our backend infrastructure, via an encrypted HTTPS connection. Our servers are hosted within the European Union (Germany). No data is transferred to countries outside the European Economic Area. No TOTP secrets, passcode, or account information is ever transmitted. The device UUID is randomly assigned and contains no personal information.
3. Legal Basis for Processing (GDPR)
We process the data sent to our servers on the basis of legitimate interests (Article 6(1)(f) GDPR): specifically, the technical operation and security of the app service. The UUID, version, and language data are the minimum necessary for the app to function correctly. The service call on app start also falls within the scope of § 25 TTDSG (German Telecommunications-Digital-Services-Data-Protection Act). It is strictly technically necessary and therefore does not require separate consent under § 25(2) TTDSG.
Data stored locally on your device is processed solely on your device. This processing is governed by your operating system's security model (iOS Keychain) and is not subject to GDPR as a remote data transfer.
4. Camera & Biometric Permissions
Camera
The camera is used only to scan QR codes when you add a new authenticator entry. No images or video are recorded, stored, or transmitted. Camera access is requested at the moment you choose to scan a QR code and can be revoked at any time in iOS Settings.
Face ID & Touch ID
Biometric authentication is processed entirely by iOS. The app never sees or stores your biometric data — it only receives a pass or fail result from the operating system. Biometric unlock is optional and can be disabled in the app's Security settings.
5. Data Sharing
We do not sell, rent, or share your personal data with any third party for advertising or commercial purposes. The only transfer of data is the technical service call described in Section 2, which is to our own infrastructure (coapi.de).
6. Data Retention
- Data stored on device: Retained until you delete the app or manually remove individual entries. You can delete all data by uninstalling the app.
- Server-side data (UUID, version, language): Retained for 12 months after the last app start for service operation purposes, then deleted.
7. Security
TOTP secrets and your passcode hash are stored in the iOS Keychain, which is encrypted by the operating system and protected by your device passcode. All communication with our servers uses TLS encryption. We do not have access to your TOTP secrets at any time.
Your passcode is never transmitted to any server. It is stored exclusively as a one-way hash in the iOS Keychain on your device. Even we cannot read or recover it.
8. Your Rights (GDPR)
As a data subject under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request that we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Automated decision-making — the right not to be subject to solely automated decisions that produce legal or similarly significant effects. We do not carry out any automated decision-making or profiling.
To exercise any of these rights, contact us at info@contia.de. We will respond within 30 days. You also have the right to lodge a complaint with the supervisory authority in your country. The authority competent for Contia Development is the Landesbeauftragter für den Datenschutz Niedersachsen (www.lfd.niedersachsen.de).
9. Apple System Analytics
Apple may independently collect crash reports and usage analytics through iOS system services, regardless of which app is running. This data collection is separate from anything Contia Authenticator does and is governed by Apple's Privacy Policy. You can control Apple's analytics collection in iOS Settings → Privacy & Security → Analytics & Improvements.
10. Children's Privacy
Contia Authenticator does not knowingly collect personal information from any user, including children under the age of 13. The only data transmitted to our servers — a randomly generated device UUID, app version, and device language — is fully anonymous and cannot be linked to any individual or age group. Because no personal data is collected from anyone, the special requirements of the Children's Online Privacy Protection Act (COPPA) and equivalent laws do not apply.
11. Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" date at the top of this page will reflect any changes. We encourage you to review this policy periodically. Continued use of the app after changes constitutes acceptance of the updated policy.
12. App Tracking Transparency
Contia Authenticator does not track you across other companies' apps or websites. No advertising identifiers (such as IDFA) are accessed, used, or shared. No behavioral profile is built. This is consistent with the app's App Store privacy nutrition label and the declaration in its PrivacyInfo.xcprivacy manifest.
13. California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you additional rights:
- Right to Know — the right to request disclosure of the personal information we have collected about you
- Right to Delete — the right to request deletion of your personal information
- Right to Non-Discrimination — we will not discriminate against you for exercising your rights
We do not sell your personal information to any third party. Because no sale of personal data occurs, there is no "Do Not Sell My Personal Information" opt-out to provide. To exercise your rights, contact us at info@contia.de.
15. Contact
For any privacy-related questions or requests, contact:
info@contia.de
© 2026 Contia Development. All rights reserved.
App Name: Contia Authenticator
Bundle ID: de.contia.authenticator