Privacy Policy
Effective April 22, 2026
This policy explains what information Auth57 Labs collects when you use our website or products, how we use it, and the choices you have.
1. Who we are
Auth57 Labs is a product of Automatic Delight, a US-based product studio. Where this policy says "we," "us," or "Auth57," it refers to Automatic Delight operating as Auth57 Labs.
2. What this covers
This policy applies to our public websites at auth57.io and auth57labs.com, our APIs (including api.auth57.io and the Model Context Protocol server), and any related services operated by Auth57 Labs.
3. What we collect
| Category | Examples | Why |
|---|---|---|
| Account data | Email address, account plan | To create and manage your account |
| Billing data | Name, billing address, card last-4 (via Stripe) | To process subscription payments |
| API usage | API key prefix, endpoint, state/program/drug queried, response time, timestamp | Rate limiting, debugging, plan enforcement |
| Site analytics | Page, referrer, country, device class (aggregated) | To understand which pages work |
| Communications | Any message you send us | Support and sales |
We do not use advertising cookies or third-party ad trackers. Site analytics are collected via Vercel Web Analytics in an aggregated, non-identifying form.
4. How we use it
- To provide and operate the services you've signed up for
- To bill you and handle subscription changes
- To enforce rate limits, detect abuse, and investigate security incidents
- To send transactional email (signup confirmation, billing, account-critical alerts)
- To improve the dataset and product based on how the APIs are actually used
- To meet legal obligations (tax, audit, valid law-enforcement requests)
We do not sell your personal information. We do not share it for third-party marketing.
5. HIPAA and PHI
Auth57 Labs processes only published regulatory data — state Medicaid provider manuals, CMS rules, payer preferred-drug lists, and similar source documents. None of this is Protected Health Information (PHI) under HIPAA.
We do not accept, ingest, or store patient identifiers, clinical records, or any other PHI through our APIs or applications. Customers agree in the Terms not to transmit PHI to Auth57 systems. Because Auth57 is not a Business Associate under HIPAA, no Business Associate Agreement (BAA) is required.
If your use case requires handling PHI (e.g. you're building a clinical application on top of Auth57), the PHI-handling responsibility and any BAAs sit with your own infrastructure, not ours.
6. Subprocessors
We use the following third-party services to operate Auth57. Each handles a narrow slice of the data above and is bound by its own privacy commitments.
| Service | What for | Data handled |
|---|---|---|
| Vercel | Application hosting, edge CDN, web analytics | Request metadata, aggregated analytics |
| Supabase | Primary database, authentication | Account data, API usage logs |
| Stripe | Payment processing | Billing details (we do not store full card numbers) |
| Fastmail | Business email for Auth57 Labs | Email correspondence |
| Resend | Transactional email delivery | Your email address, email content we send you |
| Anthropic | Model provider for the MCP server's server-side tools (where used) | Tool input/output; we do not transmit PHI |
We do not transfer personal data to subprocessors beyond what each service needs to do its job.
7. Where data is stored
Account and usage data are stored in Supabase (United States regions) and mirrored to Vercel Edge Config for low-latency authentication. Backups are encrypted at rest. All traffic to and from Auth57 services is served over TLS.
8. How we protect it
- Encryption in transit (HTTPS/TLS) and at rest
- Row-level security on database tables where user-scoped data lives
- Least-privilege access — only engineering staff who need production data have it, and access is logged
- API keys are credential material — we recommend you rotate them periodically and never commit them to public repositories
No system is perfectly secure. If we learn of a breach that affects you, we will notify you promptly and explain what happened and what we're doing about it.
9. How long we keep it
- Account data: for the life of your account, plus up to 24 months after cancellation for billing / tax / audit purposes.
- API usage logs: 24 months, rolling, then aggregated and de-identified.
- Support email: 24 months, then archived or deleted on request.
10. Your rights
Regardless of where you live, you can email hello@auth57labs.com and request that we:
- Show you what personal data we have about you
- Correct something that's wrong
- Delete your account and associated data (subject to legal retention obligations)
- Export a copy of your account data in a portable format
- Stop processing your data for specific purposes
California residents have these rights under the CCPA/CPRA. EU and UK residents have these rights under GDPR. We respond to verified requests within 30 days.
11. Cookies and tracking
We use a small number of strictly necessary cookies to keep you signed in and to remember your preferences. Vercel Web Analytics uses a first-party cookie to measure aggregate page performance. We do not use third-party advertising cookies, and we do not sell analytics data.
12. Children
Auth57 is a B2B service. It's not directed at children, and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, please contact us and we will delete it.
13. International users
Auth57 services are operated from the United States. If you access Auth57 from outside the US, you understand that your information will be transferred to, stored in, and processed in the US.
14. Changes to this policy
We update this policy when our practices change. The "Effective" date at the top shows when the current version took effect. Material changes will be announced via email to active account holders before taking effect.
15. Contact
Questions, concerns, or legal notices about privacy should go to hello@auth57labs.com.