Privacy Policy

Last updated: 23 March 2026

Who we are

Simple MFA is a software service that adds password and multi-factor authentication to BigCommerce storefronts. It is operated by James Plant, trading as Simple MFA ("we", "us", "our"), contactable at hello@simplemfa.app.

This policy explains what personal data we collect, why we collect it, how it is stored, and what rights you have over it. It applies to two groups of people: merchants who install Simple MFA on their BigCommerce store, and store customers whose login experience is handled by Simple MFA on behalf of those merchants.

Data we collect and why

| Data | Who it relates to | Why we collect it |
|---|---|---|
| Email address | Store customers | To identify accounts, send magic link and password reset emails |
| Password hash | Store customers | To verify identity at login. Stored as a PBKDF2-SHA256 hash — the original password is never stored or recoverable |
| TOTP secret | Store customers who enrol in MFA | To generate and verify one-time codes. Stored AES-GCM encrypted at rest |
| IP address and user agent | Store customers | To detect suspicious login activity, enforce rate limits, and provide merchants with auth logs |
| BigCommerce customer ID | Store customers | To link Simple MFA credentials to the correct BigCommerce account |
| Store hash and OAuth access token | Merchants | To authenticate API calls to BigCommerce on the merchant's behalf |
| Waitlist email address | Prospective users | To notify you when Simple MFA is available. Only collected if you voluntarily submit the early access form |

We do not collect payment card details. Billing is handled directly by BigCommerce via their Unified Billing platform.

Cookies and tracking

Simple MFA's hosted login pages set no cookies. After a successful login, BigCommerce sets its own session cookie on your store's domain — this is outside our control and is governed by BigCommerce's own privacy policy.

Our marketing website (simplemfa.app) may use privacy-friendly analytics (no cross-site tracking, no fingerprinting). No advertising cookies are used.

Where data is stored

All Simple MFA customer and merchant data is stored in Cloudflare D1, a serverless SQLite database hosted in the United States. Cloudflare is our primary data processor.

Transactional emails (magic links, password resets) are sent via Resend, whose infrastructure is also US-based.

BigCommerce stores its own platform data (customer profiles, orders, etc.) on Google Cloud Platform (GCP) in the United States.

We do not operate any servers in the European Union. For merchants and customers in the EU or UK, data transfers to the US are made under Standard Contractual Clauses (SCCs) as provided by our sub-processors, consistent with how BigCommerce itself handles EU data.

Data retention

  • Authentication logs (IP address, user agent, login outcome) are automatically deleted after 90 days.
  • Customer credentials (password hash, TOTP secret) are retained for as long as the merchant's store has Simple MFA installed. They are permanently deleted when a merchant uninstalls the app or requests deletion.
  • Waitlist emails are retained until you unsubscribe or request deletion.

Third-party sub-processors

  • Cloudflare, Inc. — infrastructure, database (D1), and serverless compute (Workers).
  • Resend — transactional email delivery.
  • BigCommerce Pty Ltd — platform data, OAuth, and billing.

Legal basis for processing (GDPR / UK GDPR)

Where GDPR or UK GDPR applies, we process personal data on the following legal bases:

  • Contract performance — processing necessary to provide the authentication service to merchants and their customers.
  • Legitimate interests — IP logging and rate limiting to prevent fraud and protect the security of accounts.
  • Consent — waitlist email collection, where you have voluntarily submitted your email address.

Your rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate data
  • Erasure ("right to be forgotten") — store customers may request deletion of their credentials from a merchant's admin panel; merchants may request full deletion by uninstalling the app or contacting us
  • Restrict or object to processing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at hello@simplemfa.app. We will respond within 30 days.

If you are in the UK, you may also lodge a complaint with the Information Commissioner's Office (ICO). If you are in the EU, you may contact your local supervisory authority.

Security

We apply appropriate technical measures to protect personal data, including:

  • Passwords stored as PBKDF2-SHA256 hashes with per-user salt (100,000 iterations) — the original password cannot be recovered
  • TOTP secrets encrypted using AES-GCM before storage
  • All data in transit protected by TLS
  • Auth attempt rate limiting and IP-based threat detection

Children

Simple MFA is a business-to-business service. We do not knowingly collect personal data from children under 13. If you believe a child's data has been submitted, please contact us and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated to merchants via email or in-app notice. The date at the top of this page reflects the most recent revision.

Contact

For any privacy-related questions or requests: hello@simplemfa.app

© 2026 Simple MFA. All rights reserved.