Privacy Policy – GPTAuth by Techosaurus
Effective date: 12 August 2025 · Last updated: 12 August 2025
Plain‑English Summary
GPTAuth is a secure process created by Techosaurus that helps verify who you are (via email + 2FA), records legitimate use of certain AI tools, and sends you requested emails. We intentionally collect and store the bare minimum: your email address (for authentication or sending), the subject line only of any email we send, your Customer Number, Service Number, and timestamps. We do not store the body/content of emails, IP addresses, browser/device details, analytics, or cookies. If you are using a Techosaurus‑branded CustomGPT, we may use your email to send service updates or marketing that’s relevant to similar services; you can opt out any time via a link in our emails, and using the service again opts you back in. If you are using a client‑branded CustomGPT that uses GPTAuth, please check that client’s own privacy policy because they may use your email for their own purposes outside GPTAuth.
1) Who We Are
GPTAuth is a verification, logging, and email delivery process developed and maintained by Techosaurus Ltd (“Techosaurus”, “we”, “us”). It is used in two ways:
- Techosaurus‑branded CustomGPTs: Techosaurus acts as the Data Controller for GPTAuth processing.
- Client‑branded CustomGPTs: Techosaurus acts as a Data Processor providing GPTAuth to our client, who is the Data Controller.
For controller/processor definitions, see Articles 4(7) and 4(8) UK GDPR.
2) Information We Collect
We only process what is necessary to authenticate users, track permitted usage, and deliver requested emails.
From the Authentication Process (auth PHP)
- Email Address — to send a one‑time 2FA code and confirm ownership.
- Customer Number and Service Number — to identify the relevant account/service.
- Timestamps — when the authentication happened.
- Authentication Result — success or failure.
From the Email Sending Process (send PHP)
- Recipient Email Address — customer contact or the user email (depending on send type).
- Subject Line — only the subject of the email sent.
- Customer Number and Service Number — for verification and logging.
- Timestamps — when the email was sent.
3) Lawful Basis for Processing (UK GDPR)
For Techosaurus‑branded GPTAuth services, our lawful basis under Article 6(1)(f) UK GDPR is legitimate interests — specifically to securely verify user identity, prevent abuse, and deliver requested communications. This processing is balanced against your rights and expectations, limited to minimal data, and necessary to provide the service.
For client‑branded GPTAuth services, Techosaurus acts as a Data Processor on behalf of the client (the Data Controller). The client determines their lawful basis and responsibilities. Please refer to their privacy policy for details.
4) How We Use Your Information
- Authenticate Users — verify email ownership via 2FA.
- Track Legitimate Use — record successful authentication and email sends.
- Deliver Emails — send messages you have requested; only the subject line is logged.
- Prevent Abuse — ensure only authorised users access a given CustomGPT.
Techosaurus‑branded CustomGPTs: we may use your email to send service updates or marketing relating to similar services under PECR “soft opt‑in” rules. You can opt out any time via the link in our emails; using the service again opts you back in. We make this transparent at the point of collection and link to this policy.
Client‑branded CustomGPTs: Clients may use your email for their own purposes. Please check their privacy policy as their processing may extend beyond GPTAuth’s scope.
5) Data Retention
- Authentication logs: retained up to 12 months.
- Email send logs (subject line only): retained up to 12 months.
- 2FA codes: deleted immediately after validation/expiry; never stored long‑term.
6) Sharing Your Information
- Email Service Providers (e.g., SendGrid) solely to deliver authentication codes and requested messages.
- CustomGPT Creators/Clients for legitimate authentication, logging, and delivery purposes.
- Legal/Regulatory disclosures where required by law.
We do not sell or rent your personal information.
7) International Data Transfers
As part of delivering emails, your personal data may be transferred outside the UK (e.g., to the United States, where our email provider SendGrid operates). Such transfers are protected by legally recognised safeguards, including the UK‑US Data Bridge (where applicable) and/or Standard Contractual Clauses.
8) Security Measures
- Encrypted HTTPS connections for all endpoints.
- Secure API key handling and access control.
- Hardened database permissions and least‑privilege principles.
No method of transmission or storage is 100% secure, but we continuously work to protect your data and minimize risk.
9) Marketing Communications (PECR)
For Techosaurus‑branded CustomGPTs, we may use your email to send service updates or marketing about similar Techosaurus tools/services under PECR’s soft opt‑in rules. We make this clear at the start of the interaction and link to this policy.
- Opt‑out anytime: every email includes a clear unsubscribe link.
- Easy and safe: the link leads to a form with your email pre‑filled; you confirm to unsubscribe (prevents misuse).
- Immediate effect: unsubscribes take effect right away for marketing emails.
- Opt‑back‑in on reuse: if you use the service again, you will be opted back in. We state this upfront in plain English.
If you are using a client‑branded CustomGPT, marketing communications (if any) are controlled by that client as the Data Controller. Please review their privacy policy and opt‑out options.
10) Your Rights
Under UK GDPR, you have the right to:
- Access your personal data we process.
- Rectify inaccurate or incomplete data.
- Erasure (where applicable) of your data.
- Restrict or object to processing in certain circumstances.
- Data portability (where applicable).
- Opt out of marketing at any time via our unsubscribe link or by contacting [email protected].
To exercise these rights, contact [email protected]. We may need to verify your identity before actioning your request.
11) Data Breaches & Complaints
In the event of a personal data breach, we will assess risk and, where required, notify the UK Information Commissioner’s Office (ICO) and affected individuals in accordance with UK law.
You also have the right to lodge a complaint with the ICO: ico.org.uk.
12) Cookies & Tracking
GPTAuth does not use cookies or analytics. We do not collect IP addresses, device identifiers, or browsing data.
13) Children’s Privacy
GPTAuth is not intended for, and should not be used by, individuals under 18 years of age.
14) Controller/Processor Roles (Recap)
- Techosaurus‑branded CustomGPTs: Techosaurus is the Data Controller for GPTAuth processing.
- Client‑branded CustomGPTs: Techosaurus is the Data Processor; the client is the Data Controller and sets their own privacy terms.
Clients using the Techosaurus solution may use your email for other purposes. Please check their own privacy policies for details.
15) Changes to This Policy
We may update this policy from time to time. Changes will be posted at https://tsrs.co.uk/gptauth/privacy with a new “Last updated” date.
16) Contact Us
Techosaurus – GPTAuth Privacy
Email: [email protected]
Website: https://www.techosaurus.co.uk