01 Overview
Analog Auth, Inc. ("Analog Auth," "we," "us," or "our") provides an address-based identity verification service. We confirm that a user is a real person at a real U.S. residential address by sending a physical verification letter through the United States Postal Service (USPS).
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you interact with our verification service, our website at analogauth.com, and our API ("Services"). It applies to end users who undergo verification, platform customers who integrate our API, and visitors to our website.
The short version: We collect only what's necessary to deliver a letter and confirm you received it. We don't sell your data. We don't use it for advertising. Once verification is complete, we minimize what we retain.
02 Data We Collect
Information provided during verification
When a platform sends a verification request through our API, we receive the following from the end user:
- Full name
- U.S. mailing address (street, city, state, ZIP code)
- The verification code entered upon receipt of the letter
Information collected automatically
During the verification flow, we automatically collect technical signals used to detect fraud and assess risk:
| Data Type | Purpose |
|---|---|
| IP address | Geolocation consistency check, VPN/proxy/Tor detection, rate limiting |
| Device fingerprint | Bot detection, duplicate account prevention |
| Browser & OS metadata | Headless browser and automation framework detection |
| Request timestamps | Velocity analysis, plausibility of mail delivery timing |
| Geolocation (IP-derived) | Proximity validation against claimed address |
Information from third-party services
We use external services to validate and enrich verification data:
- USPS Address Validation API — to confirm deliverability and classify address type (residential, commercial, PO Box)
- GeoIP providers — to determine the geographic location associated with an IP address
- Device reputation services — to identify known bot signatures and suspicious network behavior
Website visitors & waitlist
If you visit our website or join our waitlist, we collect your email address, optional company name, and optional use case description. We also collect standard web analytics data (pages visited, referral source, browser type).
03 How We Use Your Data
We use the information we collect exclusively for the following purposes:
- Verification delivery. To validate your address, generate a unique code, print and mail a verification letter via USPS, and confirm receipt of that code.
- Fraud prevention. To run our risk pipeline — including input validation, velocity checks, address intelligence, geolocation consistency, and device reputation analysis — in order to block bots, fake accounts, and fraudulent requests before incurring postage costs.
- Confidence scoring. To compute a composite risk score and post-verification confidence score, which we return to the requesting platform.
- Service improvement. To analyze aggregate, de-identified patterns in verification data for the purpose of improving our fraud detection and system reliability.
- Communication. To send waitlist updates, service announcements, or respond to inquiries.
What we never do: We do not sell personal data. We do not use personal data for advertising. We do not build behavioral profiles beyond what is necessary for fraud detection during the verification flow.
04 Who We Share Data With
Platform customers
The platform that initiated your verification receives a verification result containing: a verified/not-verified status, a confidence score (0–1), and whether the address was confirmed. Platforms do not receive your raw IP address, device fingerprint, or risk pipeline details.
Service providers
We share limited data with third-party providers who help us operate the service:
- USPS and mail fulfillment partners — to print and deliver the verification letter (name and address only)
- GeoIP and device reputation vendors — to perform fraud checks (IP address and device signals only)
- Cloud infrastructure providers — to host and operate our systems (encrypted at rest and in transit)
Legal requirements
We may disclose information if required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, safety, or property of Analog Auth, our users, or the public.
Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users of any change in ownership or control.
05 Data Retention
We retain data only as long as necessary for its stated purpose:
| Data | Retention Period |
|---|---|
| Verification codes (hashed) | Deleted after code expiration or successful verification |
| Address data (normalized) | Retained for duplicate detection and address intelligence; deleted upon request |
| IP addresses & device fingerprints | Retained for up to 90 days for fraud analysis, then deleted or anonymized |
| Verification results | Retained for the duration of the platform's contract, then deleted |
| Waitlist information | Retained until API access is granted or you request removal |
Aggregate, de-identified data that cannot reasonably be linked to an individual may be retained indefinitely for analytics and service improvement.
06 Security
We implement administrative, technical, and physical safeguards to protect personal information, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Verification codes are stored as bcrypt hashes — we never store them in plaintext
- API authentication via hashed keys with per-platform scoping
- Rate limiting and velocity controls at multiple pipeline stages
- Access controls limiting employee access to personal data on a need-to-know basis
- Infrastructure hosted on SOC 2–compliant cloud providers
No system is perfectly secure. While we work to protect your information, we cannot guarantee absolute security. If we become aware of a breach affecting your personal data, we will notify affected individuals and relevant authorities as required by applicable law.
07 Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access. Request a copy of the personal data we hold about you.
- Correction. Request correction of inaccurate personal data.
- Deletion. Request deletion of your personal data, subject to legal retention obligations and legitimate fraud-prevention needs.
- Portability. Request your data in a structured, machine-readable format.
- Opt out. Remove yourself from our waitlist or marketing communications at any time.
To exercise any of these rights, contact us at privacy@analogauth.com. We will respond within 30 days. We may need to verify your identity before processing certain requests.
California residents
Under the California Consumer Privacy Act (CCPA), California residents have additional rights including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.
08 Children's Privacy
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@analogauth.com.
09 Cookies & Tracking
Our website uses minimal cookies and tracking technologies:
- Essential cookies. Required for basic website functionality (session management, security).
- Analytics. We may use privacy-respecting analytics to understand aggregate traffic patterns. We do not use third-party advertising trackers.
The verification API itself does not use cookies. Device and browser signals collected during verification are processed server-side and are not stored on your device.
10 Policy Changes
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective" date at the top of this page and, where appropriate, notify platform customers and registered users via email. Continued use of our Services after changes are posted constitutes acceptance of the updated policy.
11 Contact Us
If you have questions about this Privacy Policy or our data practices, reach out:
- Email: privacy@analogauth.com
- Mail: Analog Auth, Inc., Attn: Privacy, [Address]
We aim to respond to all inquiries within 30 calendar days.