Privacy Policy

Effective date: Nov 24, 2025

If you'd like to request an archived version of this document, please contact us at [email protected].

This Privacy Policy explains how Silverhand Inc. ("Silverhand", "Logto", "we", "us", "our") collects and uses personal data when you use Logto Cloud or any related Logto services ("Services"). By using the Services, you agree to this Privacy Policy.

1. Roles Under GDPR

We act in two roles:

1.1 Controller

We are a controller for personal data related to your Logto Cloud account, billing, and direct interactions with us.

1.2 Processor

We act as a processor for personal data you store or process through the Services for your own end-users. This processing is governed by our Data Processing Addendum.

The DPA is incorporated into our Terms of Service and does not require a separate signature.

For clarity, “Account Data” and “Customer Data” have the meanings given in our Terms of Service and Data Processing Addendum. Logto does not act as a joint controller with customers for Customer Data.

2. Personal Data We Process as Controller

We process personal data necessary to operate your Logto Cloud account, including:

  • name
  • email address
  • tenant or workspace details
  • billing and payment information
  • IP address at login for security
  • usage events related to the operation and improvement of Logto Cloud
  • support communication history

We do not profile users or use personal data for advertising.

We process personal data under the following legal bases:

Contract (GDPR Art. 6(1)(b))

To create and maintain your account, deliver the Services, and provide support.

Legitimate Interests (GDPR Art. 6(1)(f))

To maintain the security, performance, and reliability of the Services, and to understand how Logto Cloud is used in order to improve the product.

Where required for tax, accounting, fraud prevention, or regulatory compliance.

We do not rely on consent for any processing. If we introduce optional features requiring consent, we will request it explicitly.

4. How We Use Personal Data (Controller)

We use personal data to:

  • operate and secure Logto Cloud
  • authenticate and authorize access
  • manage subscriptions and billing
  • provide customer support
  • send operational and security-related notices
  • improve performance, stability, and user experience of the Services

We do not use personal data for behavioral advertising or marketing profiling.

5. Personal Data We Process as Processor

When you use Logto to authenticate your own users, we process personal data strictly according to your configuration and instructions under the DPA. This may include:

  • identifiers such as email, username, or phone number
  • authentication and authorization data
  • IP address at login for security
  • logs required for audit and fraud prevention

We do not use your end-users’ data for our own purposes.

6. Service Providers and Subprocessors

We use service providers ("subprocessors") to host infrastructure, deliver operational functionality, and understand how Logto Cloud is used so we can improve the product. These subprocessors may process limited personal data on our behalf.

Our up-to-date subprocessor list is available at: https://trust.logto.io/.

Each subprocessor is vetted for security and contractual commitments consistent with GDPR.

Only the subprocessors listed in our Data Processing Addendum process Customer Data when we act as a processor. All other subprocessors listed on the Trust Center process only Account Data, which we handle as a controller.

7. International Data Transfers

Customer Data is stored in the region selected when creating a Tenant. Customer Data does not leave the selected region except where required to provide security operations, support, or where instructed by the Customer under the DPA.

If Account Data or support-related information is transferred outside the EEA, UK, or Switzerland, we ensure lawful safeguards such as:

  • the European Commission Standard Contractual Clauses (SCCs)
  • the UK International Data Transfer Addendum

These protections are detailed in our DPA.

8. Data Retention

We retain Account Data for the duration of your Logto Cloud account and for up to 30 days after closure unless longer retention is required by law or necessary to maintain accurate business and security records.

End-user Customer Data processed under the DPA follows the Customer’s configuration, retention settings, and deletion instructions.

9. Data Subject Rights

If you are located in the EEA, UK, or Switzerland, you have the right to:

  • access your personal data
  • request correction or deletion
  • request restriction of processing
  • object to processing
  • request portability
  • lodge a complaint with your local supervisory authority

To exercise any rights or to contact our Data Protection Officer, email us at: [email protected].

We will respond within one month.

10. Cookies and Local Storage

Logto Cloud uses minimal first-party cookies and local storage keys required for authentication, security, basic functionality, and product analytics. These cookies do not enable cross-site tracking and are not used for advertising.

Logto does not use third-party cookies or tracking pixels.

11. Security

We implement industry-standard technical and organizational measures, including:

  • TLS encryption for data in transit
  • encryption of all stored data
  • private networking and firewall isolation
  • strong password hashing (Argon2)
  • role-based access control
  • enforced row-level security for tenant isolation
  • continuous logging and monitoring
  • regular vulnerability assessments
  • SOC 2 Type II audited controls

Further details are available at: https://logto.io/trust-and-security.

12. Information Sharing

We do not sell or rent personal data.

We share personal data only with:

  • subprocessors listed on our Trust Center
  • payment providers to process transactions
  • authorities when legally required

All other processing is strictly internal.

13. Changes to This Policy

We may update this Privacy Policy when necessary. We will notify customers of material changes as required by law or contract.

14. Contact

For all privacy, GDPR, or data protection inquiries, including contacting our Data Protection Officer: [email protected].