Privacy Policy

Last updated: April 16, 2026 · Intentional Engines Inc.

Summary

Intentional Engines Inc. operates Intentional ID, a passkey-based authentication service that consumer apps use to sign in users without passwords. This policy explains how we handle data across intentional-engines.com, the auth provider at /id, and the admin dashboard at /admin.

We collect only what authentication requires: an email address, an optional display name, and public-key material from your passkey. No tracking cookies. No sale of data — ever.

What We Collect

When you create or use an Intentional ID account we collect:

  • Email address — used as your account identifier and for transactional emails (verification codes, account changes).
  • Display name — optional; shown to you and (for invited identity-group members) to members of your household.
  • Passkey public key + credential ID — generated by your device during WebAuthn registration. The private key never leaves your device.
  • Device metadata — user-agent string at registration to help you recognize the device later.

We do not collect names, phone numbers, payment information, or browser fingerprints. We do not use tracking cookies.

Authentication & Sessions

Intentional ID uses WebAuthn (passkeys) — a cryptographic standard where your device signs a challenge with a private key that never leaves it. We store only the public key.

During a typical sign-in we set short-lived data in Redis:

  • Challenge (5 min) — random bytes signed by your passkey to prove possession.
  • Verification code (10 min) — 6-digit code sent to your email for recovery or new-device flows.
  • Auth code (60 sec, single-use) — a one-time code exchanged by the consumer app for a session cookie.
  • Master session (7 days) — a Redis-backed session on intentional-engines.com so you don't re-authenticate every time you sign into a consumer app.

How We Store Your Data

We use Upstash Redis as the primary data store for accounts, sessions, and audit logs. All Upstash instances are encrypted at rest and accessed only from our serverless functions with short-lived API tokens.

Email addresses are stored in plaintext because Intentional ID uses email to deliver verification codes and identity-group invitations. Passkey public keys are stored in plaintext (they are public by design).

Email Communications

We send transactional email only via Resend: verification codes, identity-group invitations, and account change notifications. We do not send marketing email. Resend sees the destination email address, subject, and body for each message it delivers.

Identity Groups / Households

You can invite family members to a shared identity group (household). When you invite someone we store the invitee's email, the inviter's ID, the role, and a signed invitation token. Invitations expire after 7 days.

Admin Dashboard

The admin dashboard at intentional-engines.com/admin is restricted to authorized administrators. Admin actions (user lookups, session invalidations, invitation approvals) are logged to an audit log with IP address and user-agent for security review.

Audit log entries are retained for 180 days and accessed only for security incident response.

Third-Party Services

  • Vercel — hosts this application and serverless functions. Provides anonymous analytics via Vercel Analytics (no cookies, no individual tracking).
  • Upstash — Redis storage for accounts, sessions, audit logs.
  • Resend — transactional email delivery.
  • Sentry — error monitoring (technical data only — error messages, page URLs, stack traces).
  • ntfy.sh — operational push notifications to the admin team for sensitive events (new signups, failed admin logins). Contains event type and a short description only.

Cross-App Data Sharing

Consumer apps (SeeMyZakat, Intentional Capital, and others) do not have direct access to your passkey. To authenticate a user, a consumer app:

  1. Redirects to intentional-engines.com/id/auth/login.
  2. You sign in with your passkey. If you already have a master session, this is silent.
  3. We generate a one-time auth code (60-second TTL) bound to the consumer app.
  4. The consumer app exchanges the auth code server-side for a session and receives your user ID, email, and display name.

The consumer app never sees your passkey material, master session, or other consumer apps' sessions.

Data Retention

  • Account record — until you request deletion.
  • Passkey credentials — until you remove the passkey or delete your account.
  • Master session — 7 days rolling.
  • Challenges — 5 minutes.
  • Verification codes — 10 minutes.
  • Auth codes — 60 seconds, single-use.
  • Audit log — 180 days.
  • Invitations — 7 days.

Security

  • HTTPS-only via HSTS. Strict CSP, X-Frame-Options DENY, Permissions-Policy.
  • Session cookies: httpOnly, Secure, SameSite, AES-256-GCM encrypted, signed.
  • Rate limiting on all sensitive endpoints (login, verify, registration, invitation).
  • Admin endpoints gated behind a separate admin session + IP allowlist for the most sensitive operations.

Your Rights

You may:

  • Request a copy of the data we hold about you.
  • Correct or update your email or display name.
  • Remove individual passkeys.
  • Delete your entire Intentional ID account.

Send requests via the contact form with the subject “Data Request”. We respond within 7 business days.

California Privacy Rights (CCPA/CPRA)

California residents have the right to know, the right to delete, the right to opt out of the sale of personal information, and the right to non-discrimination. We do not sell or share personal information. To exercise any right, use the contact form.

Contact