
WolfieAuth — Terms of Use

Version: 1.0
Effective date: 24 April 2026
Service URL: https://auth.wolfieguard.com


§1. Definitions

  1. Service — the authentication (SSO) platform WolfieAuth available at https://auth.wolfieguard.com, providing centralized login to third-party applications (WordPress, Perfex CRM, and other OpenID Connect-compatible apps).
  2. Provider / Data Controller — Pawel Witek, operating under the WolfieGuard brand. Contact: office@wolfieguard.com.
  3. User — a natural person holding an account in the Service and using its authentication features.
  4. Account — a database record containing the user's email, password (as an Argon2id hash), security settings (2FA), and expressed consents.
  5. Client Application — a third-party app integrated with the Service via the OpenID Connect protocol (OIDC), used by the User to sign in to other systems.
  6. GDPR — Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 (General Data Protection Regulation).

§2. Scope of the Service

  1. The Service provides Single Sign-On authentication based on the OpenID Connect standard.
  2. Using one Service account, the User can sign in to any number of Client Applications without creating separate accounts in each.
  3. The Service provides:
    • identity authentication (password + optional TOTP 2FA),
    • session management (view, revoke),
    • login history overview,
    • preference (UI language) and password changes,
    • consent withdrawal and account deletion (§9).
  4. The Service does not provide hosting, email, or other cloud services — it is exclusively an identity provider.

§3. Registration and account creation

  1. Accounts in the Service are created in one of the following ways: a) by the Provider (for employees or trusted clients), b) in the future, when enabled — directly by the User.
  2. A prerequisite for creating an account is acceptance of these Terms and the Privacy Policy.
  3. The User must provide a valid email address. Email is used for identification, security communications, and — subject to a separate opt-in consent — marketing messages.

§4. Consents for data processing

  1. When creating an account (or at first login, if the account was created by the Provider), the User expresses the following consents:

4.1. Required consent — data processing for service delivery

I consent to the processing of my personal data (email, password hash, IP address, browser information, geolocation country, login history, 2FA settings) by Pawel Witek (WolfieGuard) for the purpose of providing the WolfieAuth authentication service (SSO), in accordance with Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest — service security, abuse detection, audit log).

This consent is required. Without it, an account cannot be created.

4.2. Optional consent — marketing communications

I consent to receiving marketing communications via email from Pawel Witek (WolfieGuard) at the address provided, including: information about new features, product and service offerings from WolfieGuard, newsletters, invitations to beta programs, and other promotional material. Granting this consent also constitutes consent under Art. 10 of the Polish Electronic Services Act and Art. 172 of the Polish Telecommunications Act.

This consent is optional. The User may use the Service without granting it. It may be withdrawn at any time — in the User panel (Settings → Consents → Withdraw), by clicking the unsubscribe link in any marketing email, or by emailing office@wolfieguard.com. Withdrawal does not affect the lawfulness of processing based on the consent before its withdrawal.

4.3. Optional consent — analytics and product improvement

I consent to the processing of my data (login patterns, usage frequency, Client Applications used) in aggregated and pseudonymized form for the purpose of improving the Service, product analytics, and abuse-prevention research.

Optional, fully withdrawable.

  1. Every consent is recorded in the database together with:
    • date and time of granting,
    • version of the Terms and Privacy Policy at the time,
    • IP address,
    • browser user-agent,
    • source (signup form / in-panel prompt / acceptance of a version update).
  2. Consent history (including withdrawals) is retained for the entire lifetime of the account plus 3 years after deletion — to allow proof of lawful processing under the accountability principle (Art. 5(2) GDPR).

§5. Use of the Service

  1. The User undertakes to:
    • use the Service in compliance with law and good manners,
    • promptly report loss of account access or suspected unauthorized access,
    • not share their password with third parties,
    • use a strong, unique password and (recommended) enable 2FA.
  2. The Provider may block an account or deny service if the following is detected:
    • automated intrusion attempts (brute force),
    • abuse (spam, phishing, infringement of third-party rights),
    • violation of these Terms.
  3. The Provider may apply quantitative limits (rate limits) on login attempts and new Client Application registrations.

§6. Data handling and security

  1. User passwords are stored solely as Argon2id hashes (64 MB memory, 3 iterations) — the Provider does not know User passwords.
  2. Client Application secrets (client_secret) are stored in a database protected by the container password — the Provider can rotate them without knowing the current secret.
  3. All authentication events (login, logout, password change, consent change, administrator impersonation) are recorded in an HMAC-SHA256-signed audit log.
  4. Communication between the browser and the Service uses TLS 1.3 exclusively, with HSTS.
  5. The Service employs multi-layered anomaly detection (new-country login, impossible travel, brute force) with email alerts to the Provider.

§7. Impersonation (signing in as a user)

  1. The Service administrator (SUPER_ADMIN role) may sign in to the account of any User (except another SUPER_ADMIN) for the purpose of technical support or diagnostics.
  2. Impersonation occurs in one of two modes:
    • Transparent — the User receives an automated email notifying them that an administrator has signed in to their account.
    • Stealth — the fact of impersonation is recorded only in the audit log visible to SUPER_ADMIN; the User is not notified. This mode is reserved for security investigations.
  3. Every impersonation — regardless of mode — is auditable (the audit log contains: administrator, user, time, IP, mode).
  4. The Provider undertakes to use impersonation only in justified cases.

§8. Client Applications

  1. Users with appropriate privileges (ADMIN / SUPER_ADMIN) may register OIDC-compliant Client Applications.
  2. Each registered Application receives a unique client_id and client_secret.
  3. The client_secret is shown once at registration and rotation. A lost secret can be rotated, which invalidates the previous one.
  4. Registering an Application does not constitute a security guarantee for that Application — the Provider is not responsible for how Client Applications use issued tokens.
  5. The User registering an Application bears responsibility for correctly securing the client_secret and redirect_uri.

§9. User rights (GDPR)

The User is entitled to the following rights:

  1. Right of access (Art. 15 GDPR) — request information on processed personal data and obtain a copy. Available in the panel: Settings → Export data.
  2. Right to rectification (Art. 16 GDPR) — correction of inaccurate data. Available in the panel.
  3. Right to erasure ("right to be forgotten", Art. 17 GDPR) — request deletion of the account. Available in the panel: Settings → Delete account. After deletion: personal data is anonymized (email replaced by a hash), but the audit log remains (as required for proof of lawful processing — for 3 years post-deletion).
  4. Right to restriction of processing (Art. 18 GDPR).
  5. Right to data portability (Art. 20 GDPR) — JSON export of all data.
  6. Right to object (Art. 21 GDPR) — in particular against direct marketing.
  7. Right to withdraw consent (Art. 7(3) GDPR) — at any time, without effect on prior processing.
  8. Right to lodge a complaint with the President of the Personal Data Protection Office (uodo.gov.pl).

To exercise rights 1–7, the User uses the Service panel or sends a request to office@wolfieguard.com. The Provider responds within 30 days.


§10. Membership in WolfieAuth as identity provider

  1. Creating an account on WolfieAuth means becoming a member of WolfieAuth as an identity provider (in the sense of an OpenID Connect Provider). The User obtains a single identity (the OIDC sub claim) that they can use to authenticate to every Client Application registered against WolfieAuth — both Provider-owned applications and third-party applications integrated against WolfieAuth.
  2. Membership entails:
    • the right to use the WolfieAuth Service for free at the Free tier (3 seats, 1 application, 1,000 user logins/month — the per-tier limits are updated on the live /api/billing/wolfieauth-platform/plans endpoint),
    • the option to subscribe to a paid tier (currently Starter, Pro, and limited-availability Alpha) for higher seat / application / login limits,
    • the right to register own OIDC Client Applications and act as their organization administrator.
  3. The User may belong to many organizations simultaneously. The "home organization" determines billing context; other memberships grant cross-application access without changing the home org.
  4. WolfieAuth never shares the User's password with Client Applications. Authentication happens through standard OIDC flows; Client Applications receive only signed claims (sub, email, name, role, plan/feature claims) — never the password.
  5. The User can leave (close their account) at any time. Closing the account removes the User from every membership and triggers the retention sweep (see §6 / Privacy Policy §4).

§11. Fees, paid tiers and payment processing

  1. The Service is free at the Free tier (3 seats, 1 application, 1,000 user logins/month). No credit card required.
  2. Higher tiers (Starter $29/mo, Pro $99/mo, Alpha one-time $100) carry monthly or one-time fees plus per-overage charges (additional seats $5/mo each, additional logins $0.20–$1.00 per 1,000 depending on tier). Current pricing always lives at https://auth.wolfieguard.com/billing/wolfieauth-platform.
  3. Payments are processed by Stripe (Stripe Payments Europe, Limited — Ireland), the Provider's payment processor of record. By initiating a paid subscription the User accepts Stripe's Terms of Service and Privacy Policy (https://stripe.com/legal) for the payment leg of the transaction. The Provider does not store full card details — Stripe holds them under PCI-DSS compliance; the Provider only stores Stripe customer / subscription identifiers and the last four digits of the card for display.
  4. Subscription renewals are charged automatically by Stripe to the User's stored payment method until cancelled. Cancellations take effect at the end of the current billing period; the User retains access until that date.
  5. The Provider may also offer paid tiers for Client Applications hosted on WolfieAuth that the User registers as administrator. Money for those subscriptions flows to the organization's connected Stripe account (Stripe Connect Standard); the Provider takes a 5% platform fee retained from each transaction.
  6. VAT-compliant invoices are issued for every paid subscription:
    • For Polish VAT-registered customers, invoices are issued through the National e-Invoice System (KSeF) per Polish law (ustawa o VAT art. 106na et seq.), in addition to the standard PDF.
    • For non-Polish customers, a standard PDF invoice is issued, in English, with VAT applied per the OSS/MOSS rules where applicable.
  7. Refund policy: subscription fees are non-refundable mid-period; the Provider may issue goodwill refunds on a case-by-case basis. One-time charges (e.g. Alpha) are non-refundable except where required by mandatory consumer law (14-day withdrawal right under Polish law for natural-person consumers — ustawa o prawach konsumenta art. 27).
  8. Future paid tiers may be introduced with at least 30 days' notice; existing subscribers' prices are locked at the rate they signed up at unless explicitly notified.

§12. Terms changes

  1. The Provider reserves the right to amend these Terms with at least 14 days' notice.
  2. Users are informed of changes:
    • by email,
    • by an in-panel notice,
    • by publication of the new version on the page.
  3. At the first login after a change, the User must re-accept the new version of the Terms. Refusal results in the account being locked (without deletion — the account can be unlocked by re-accepting, or a deletion request may be filed per §9(3)).
  4. A history of all Terms versions will be made available at https://auth.wolfieguard.com/terms/history (planned).

§13. Provider liability

  1. The Provider endeavors to keep the Service continuously available, but does not guarantee 100% uptime.
  2. The Provider is not liable for:
    • damages resulting from the User losing their password,
    • improper security of Client Applications by their owners,
    • service interruptions caused by force majeure, DDoS attacks, or network infrastructure failures.
  3. The Provider's maximum liability for damages related to the Service is limited to PLN 1000 — except in cases of willful misconduct or gross negligence.

§14. Final provisions

  1. Matters not covered by these Terms are governed by:
    • GDPR,
    • Polish Electronic Services Act (18 July 2002),
    • Polish Personal Data Protection Act (10 May 2018),
    • Polish Civil Code.
  2. The competent court for dispute resolution is the court with jurisdiction over the Provider's place of business.
  3. These Terms take effect on 24 April 2026.

Contact for Terms and data protection matters: Pawel Witek (WolfieGuard) Email: office@wolfieguard.com


These Terms were prepared as a GDPR-compliant template. Before production deployment for external users, consultation with legal counsel is recommended — particularly regarding §12 (limitation of liability) and the Provider's contact details.
