Privacy Policy

Last updated: May 8, 2026

Aldero (“Aldero”, “we”, “us”) provides a backend platform — authentication, billing, notifications, and status pages — that businesses (“tenants”) integrate into their applications. This policy explains what information we collect, how we use it, and the choices you have.

1. Information We Collect

When you use a service powered by Aldero, we may collect:

• Account identifiers — email address, display name, hashed password.
• Phone number, when you enroll in SMS-based multi-factor authentication.
• Authentication events — login timestamps, IP address, user-agent, session identifiers.
• Device information — device tokens for push notifications, where applicable.
• Diagnostic data — request logs, error traces, and rate-limit counters.

2. How We Use Information

• To authenticate users and authorize access to tenant applications.
• To send transactional messages: verification codes, password resets, security alerts, and account notifications.
• To prevent fraud, abuse, and unauthorized access.
• To comply with legal obligations.

3. SMS Messaging and Consent

If you enroll in SMS-based multi-factor authentication, you provide express consent to receive automated, transactional text messages from Aldero at the phone number you provide. Messages contain one-time verification codes used to authenticate you to Aldero and to applications that use Aldero for authentication. Codes are short-lived, single-use, and only sent in response to your own login or enrollment actions. Your consent is not a condition of any purchase.

SMS program details:

• Program: Aldero account verification and security alerts.
• Frequency: varies based on your activity, typically a few messages per month.
• Message and data rates may apply.
• Reply STOP at any time to cancel and opt out of further messages.
• Reply HELP for help, or contact support@aldero.io.
• Carriers are not liable for delayed or undelivered messages. Supported carriers include AT&T, Verizon, T-Mobile, US Cellular, Sprint, Boost, and others.

Mobile information sharing: No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. This includes phone numbers, SMS opt-in status, SMS consent records, and the content of any messages exchanged. Information sharing with subprocessors strictly limited to delivering the SMS service (e.g., the messaging provider that transmits the SMS on our behalf) is excluded from this restriction.

We do not sell, rent, or otherwise transfer your mobile phone number, SMS consent data, or opt-in status to any third party for any purpose other than delivering the SMS service you have requested.

4. Sharing of Information

We share information only with:

• The tenant whose application you authenticate against — they receive your authentication state and any profile data you have explicitly provided to them.
• Infrastructure providers acting on our behalf (AWS, Telnyx for SMS, SES for email, push providers for device notifications), under contractual confidentiality obligations.
• Authorities, if required by law.

We do not sell personal information. We do not share phone numbers, opt-in data, or message content for marketing or advertising.

5. Data Retention

Account records persist as long as the account is active. Authentication logs are retained for up to 90 days for security and audit purposes, after which they are deleted or anonymized. SMS delivery records are retained for up to 12 months for compliance.

6. Your Choices

• You may disable SMS multi-factor authentication at any time from your account security settings, or by replying STOP to any verification message.
• You may request deletion of your account and associated personal data by contacting us.
• You may correct or update your profile data through the account settings of the tenant application.

7. Security

We use encryption in transit (TLS) and at rest, hashed credentials (bcrypt), per-tenant signing keys for tokens, and industry-standard access controls. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.

8. Changes

We may update this policy. Material changes will be reflected in the “Last updated” date at the top of this page.

9. Contact

Questions about this policy: privacy@aldero.io.