Must we disclose Auth0 in our privacy policy?

Yes. Auth0 processes personal data on your behalf, making it a data processor under GDPR and CCPA. You are required to disclose Auth0's use in your privacy policy, explain what data it collects, and identify it as a third-party service provider handling authentication data.

What specific data does Auth0 collect?

Auth0 collects login credentials, user profile information (name, email, account preferences), IP addresses, and device information (browser type, operating system, device identifiers). This data is used to authenticate users, maintain security, detect fraud, and provide account recovery options.

Do we need a cookie consent banner for Auth0?

Auth0 itself does not set cookies according to available documentation. However, your website may use session cookies or security tokens for authentication purposes. You should review your specific Auth0 implementation and consult legal counsel to determine if cookie consent is necessary under your jurisdiction's regulations.

Who is the data processor and where is data stored?

Auth0 is owned and operated by Okta Inc., a United States-based company. Auth0 processes and stores user data in the United States. If you operate in the EU, data transfers may require appropriate safeguards such as Standard Contractual Clauses (SCCs) to comply with GDPR requirements.

Authentication

Privacy policy clauses for Auth0

Auth0 is an authentication and user management platform that secures user logins across websites and applications. We use Auth0 to verify user identity, manage login credentials, and maintain secure user sessions, protecting both your account and our platform from unauthorized access.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Auth0 collects

Your privacy policy must disclose each of the following data types when you use Auth0.

User profile data

IP address

Device info

When does Auth0 trigger privacy obligations?

Auth0 triggers privacy obligations the moment you integrate its SDK or redirect users to Auth0-hosted login pages. Here's what starts immediately:

Data flows that activate compliance:

Auth0 collects login credentials, user profile data (email, name, custom attributes), IP addresses, and device information. These flows begin before consent is gathered—Auth0 processes data to authenticate users, which creates a legal basis requirement under GDPR Article 6 and CCPA Section 1798.100.

Jurisdiction thresholds:

Privacy policy clauses for Auth0

What data Auth0 collects

When does Auth0 trigger privacy obligations?

Where data goes

Common compliance pitfalls

Missing or outdated Data Processing Agreement

Incomplete Privacy Policy disclosure about Auth0's role

Forgetting Auth0's cross-border data transfer obligations

Sample privacy policy clause

What regulators look for

Frequently asked questions

Must we disclose Auth0 in our privacy policy?

What specific data does Auth0 collect?

Do we need a cookie consent banner for Auth0?

Who is the data processor and where is data stored?

Don't ship without Bandit.