Privacy Policy

What Data We Collect

Data Type	Collected?	Details
2FA Secret Keys	NEVER	Processed locally in your browser only. Never transmitted to our servers.
TOTP Codes	NEVER	Generated in-browser. Never stored or logged.
IP Address	Temporarily	Standard web server logs — not linked to any keys. Used for security (rate limiting) only.
Page Visit Analytics	Yes	Anonymous traffic data via Cloudflare Web Analytics (no cookies, no fingerprinting, no personal data).
Cookies	None	We do not use cookies of any kind.

How the Tool Works

When you enter a 2FA secret key or visit a URL like api2fa.com/yoursecretkey, the following happens entirely in your browser:

The secret key is read from the URL or input field
A TOTP algorithm (SHA-1, 6 digits, 30-second period) runs locally in JavaScript
The 6-digit code is displayed — it refreshes every 30 seconds
No data is sent to our servers during this process

Cloudflare Analytics

We use Cloudflare Web Analytics to understand general traffic patterns (page views, country, browser type). This system does not use cookies, does not track individuals across sites, and does not collect any personally identifiable information. It is fully GDPR compliant.

Third-Party Services

API2FA is hosted on Cloudflare Pages. Cloudflare may process standard request data (IP addresses, request headers) as part of infrastructure operations. Please refer to Cloudflare's Privacy Policy for details.

Security Recommendations

While we never store your keys, we recommend:

Only use API2FA on trusted, private devices
Do not share 2FA secret key URLs in public places
If a key URL is compromised, immediately reset 2FA on the associated account

Changes to This Policy

We may update this Privacy Policy from time to time. We will note the "Last updated" date at the top of this page when changes are made.

Contact

Questions about privacy? Reach us on Telegram: t.me/api2fa