Privacy Policy

User Login is an authentication gateway. We help partner applications verify your identity using Google Sign-In. We do not provide the core functionality of those applications themselves.

When you sign in with Google, we may receive the following information from Google:

• Email address
• Full name
• Google profile picture URL (only in verified member-invitation flows, when available)

We also process technical information needed to operate the service, such as request logs, OAuth state parameters, invitation tokens, and the redirect URL of the application that initiated sign-in.

We use Google user data only to:

• Authenticate you during sign-in
• Redirect you back to the requesting application with your verified identity
• Verify that an invited user's Google email matches the invited email address
• Operate, secure, and troubleshoot the authentication service

We do not use Google user data for advertising, sell Google user data, or use it for purposes unrelated to authentication and invitation verification.

After successful sign-in, we redirect you to the application that requested authentication and append identity information (such as email and name) to the redirect URL as query parameters so that application can recognize you.

For member invitations, we may also include an invitation verification result and, when applicable, your Google profile picture URL.

We may share information with service providers that help us operate User Login, including:

• Google, for OAuth authentication
• Resend, for sending invitation emails when an application creates an invite
• Infrastructure providers that host our servers

We do not sell your personal information. We may disclose information if required by law or to protect the rights, safety, and security of our service and users.

User Login is designed as a pass-through authentication service. We do not maintain a general user account database for sign-in flows. Identity information is transmitted to the requesting application during redirect.

Invitation tokens are signed JSON Web Tokens with a limited lifetime (default 7 days unless configured otherwise). Server logs may retain technical metadata for a limited period for security and operational purposes.

User Login's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

You can choose not to use User Login. If you decline Google Sign-In, you will be returned to the requesting application without completing authentication.

You can review and manage your Google account permissions at myaccount.google.com/permissions.

We use industry-standard measures to protect authentication flows, including HTTPS, signed invitation tokens, and access controls for administrative APIs. No method of transmission or storage is completely secure.

User Login is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

We may update this Privacy Policy from time to time. We will revise the effective date at the top of this page when changes are posted. Continued use of the service after changes become effective constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our use of Google user data, contact us at xprmnt.dev@gmail.com.