Privacy policy

At WSO2, we recognize that privacy is important. This privacy policy applies to the ThunderID sites and services offered at https://thunderid.dev/, and any other site to which a link to these terms may appear. We've set out below the details of how we collect, use, share and secure the personal information you provide. "You" or "Your" means the person visiting the ThunderID sites (the "Sites") or using any services on it. "We," "us," and "our" means WSO2 LLC.

What information do we collect?​

1) Information you share with us

You do not share any information to use when you visit the Sites.

2) Information collected automatically from your devices

We also collect certain standard information that Your browser sends to every website you visit, such as your IP address, browser type and language, access times, and referring website addresses. Our website may also place certain cookies to help you access our sites and to track and analyze Your actions on our website such as navigation, number of visits, downloads, and search items to gain a better understanding of our visitors and their movements through the site. Please see our Cookie Policy (available via the cookie settings on this site) on how we use and store cookies.

3) Information received from third parties

We may also receive Your personal data from other sources, including service providers, partners, and publicly available sources. Examples of these sources are event organizers of events we sponsor, sponsored content providers, and our partners, who pass on prospective customers to us.

Why do we collect your information?​

The information we collect from you may be used to:

• Carry out analysis: We sometimes require Your personal data to analyze the ways in which our products and services are used or downloaded, what features are effective or popular, whether our marketing campaigns reach our intended audiences, and to track lead generation for our sales process.
• Compliance with legal obligations: Sometimes, we may have a legal obligation to collect, use or record Your personal data, such as when you make a payment or submit a data subject request.
• Support and improve ThunderID offerings: We sometimes may process Your personal data to perform the services we have advertised in our Sites.

How do we process your data?​

We will only collect and process personal data about You where we have lawful bases for doing so. In the majority of cases, processing will be justified on the basis that:

• The processing is necessary for us to comply with a relevant legal obligation; or
• The processing is in our legitimate commercial interests and necessary for us to administer our business, subject to Your interests and fundamental rights.

If You have any questions about the lawful bases upon which we collect and use Your personal data or wish to withdraw consent or object, You can submit a request via dpo@wso2.com or through the details listed in the "How to contact us" section below.

Who is your information shared with?​

We do not sell, trade, or otherwise share your information with outside parties. However, we do share Your information with our subsidiaries, affiliates, service providers, and partners who assist us in operating our website, conducting our business, or servicing you.

We sometimes need to give our service providers who help us run our website and services access to the data we have in order for them to perform those services. They are only authorized to use information that is strictly relevant for them to perform their tasks, and we ensure that they are under obligations of confidentiality to us so that your data is secure.

We may share your data with our subsidiaries or affiliates within our corporate group. WSO2's parent company is WSO2 LLC and is located in the United States of America. Our affiliates are WSO2 UK Limited (located in the United Kingdom), WSO2 Lanka (Private) Limited (located in Sri Lanka), and WSO2 Brasil Tecnologia E Software Ltda (located in Brazil) and any other affiliates set out in our Contact Us page. We share information within this group because these entities also carry out support, marketing, account management, and technical operations for WSO2 that are relevant to the provision of the website and services.

Cross border data transfers

WSO2 operates globally, with businesses both inside and outside of the European Economic Area ("EEA") and the UK. We may transfer Your Personal Data to countries other than the one in which You live, including transfers to the United States and other countries where we or our affiliates, subsidiaries or service providers (among others) maintain facilities. We maintain regional data centres in the USA. Additionally, third-party service providers who handle data on our behalf may be based in locations around the world. For these reasons, Your personal information may be transferred to other countries both inside and outside of the UK and the EEA. As privacy laws in other countries may not be equivalent to those in Your home country, we only make arrangements to transfer data overseas where we are satisfied that adequate levels of protection are in place to protect any information held in that country or that the service provider acts at all times in compliance with applicable privacy laws. Where required under applicable laws, we will take measures to ensure that personal information handled in other countries will receive at least the same level of protection as it is given in your home country.

Where we transfer Your personal information to countries and territories outside of Europe and the UK which have been formally recognized as providing an adequate level of protection for personal information, we rely on the relevant "adequacy decisions" and "adequacy regulations" from the European Commission and UK authorities. Where the transfer is not subject to an adequacy decision, we take appropriate safeguards to ensure that Your personal information will remain protected in accordance with applicable laws. These safeguards include implementing the European Commission's Standard Contractual Clauses as issued on 4 June 2021 under Article 46(2) GDPR for transfers originating in the EU and the UK Addendum under Article 46(2) of the UK GDPR for the transfer of data originating in the UK.

We may also release Your information when we believe release is necessary to comply with the law subject to our Governmental and law enforcement Data Access Policy, enforce our privacy policy or protect our or others' rights, property, or safety.

Further, WSO2 will be processing personal data from data subjects in Brazil in the circumstances stated in this policy. Such Personal data is processed in accordance with Brazilian Data Protection Law (LGPD) (As amended by Law No. 13,853/2019). International Data Transfer of Personal Data from Brazil to other jurisdictions will be governed by the Standard Contractual Clauses (SCCs) introduced in an annex to the International Data Transfer Regulation (Resolution CD/ANPD No. 19/2024). Data subjects in Brazil may exercise their rights under the LGPD in line with the section "Your Rights to Your Data and How to Manage Your Preferences."

Dispute resolution

We commit to resolving complaints about our collection or use of Your personal information. EU and UK individuals with inquiries or complaints should first reach out to us using the information in the "Information About Data Controllers, Processors and How to Contact Us" section below.

WSO2 has committed to refer unresolved complaints to JAMS, an alternative dispute resolution provider located in the United States. If You do not receive timely acknowledgement of Your complaint from us, or if we have not addressed Your complaint to Your satisfaction, please contact or visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to You.

Within the USA, we are also subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Security of your data​

We implement security safeguards designed to protect your data such as HTTPS. We regularly monitor our systems for possible vulnerabilities and attacks. However, we cannot warrant the security of any information that you send us. There is no guarantee that data may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

How long do we keep your data?​

We may retain your information for a period of time consistent with the original purpose of collection. For instance, we may retain your information during the time in which you have an account to use our website or services. We also may retain your information during the period of time needed for WSO2 to pursue our legitimate business interests, conduct audits, comply with our legal obligations, resolve disputes, and enforce our agreements. At the end of these periods, we ensure that your data is deleted or pseudonymized securely using an industry-standard methodology.

Your rights to your data and how to manage your preferences​

WSO2 acknowledges your right to access your data. If information pertaining to you as an individual has been submitted to us, then you have the right to access, correct, or edit your data. If you wish, we can provide all the personal information on our records to you or to someone you nominate in a portable format as well. Our contact details are provided at the bottom of the page, or you may submit a request through dpo@wso2.com. All you have to do is to request, and we are happy to help.

You can ask us to stop using all or some of your personal data (e.g., if we have no legal right to keep using it) or to limit our use of it (e.g., if your personal data is inaccurate or unlawfully held).

We only ever retain your personal data even after you have ceased using our services, requested to unsubscribe or delete your data only if reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, or fulfill your request to "unsubscribe" from further messages from us.

Third-party offerings and services​

At our discretion, we may include or offer third-party products or services on our Site. These third-party sites have separate and independent privacy policies. We have no responsibility or liability for the content and activities of these linked sites. We encourage you to review the privacy statements of those websites to understand how your data is secured by them. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Information about our website​

This privacy policy applies only to information collected through the Sites and not to information collected offline.

Information about data controllers, processors, and how to contact us​

In relation to this website, the Controller of your data is WSO2 LLC, USA. However, where we provide products or services that we have indicated are subject to their own terms, we may only be a Processor of your data with regard to such products or services.

If you are located within the European Union or the European Economic Area, WSO2 Germany GmbH, based in Germany, is the EU representative of WSO2 LLC. You may contact our Data Protection Officer by sending an email to dpo@wso2.com or by post at: WSO2 Germany GmbH, Maximiliansplatz 22, c/o Bird & Bird LLP, 80333 Munich.

If you have any issues with regard to your data on our website, then in addition to informing us, you also have the right to write directly to the independent data protection monitoring organization in your country.

Warranties​

YOUR USE OF THE SITES AND SERVICE IS AT YOUR SOLE RISK. THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. WSO2 AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS, AND LICENSORS EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

YOU EXPRESSLY UNDERSTAND AND AGREE THAT WSO2 AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS, AND LICENSORS SHALL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES (EVEN IF WSO2 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), RESULTING FROM:

1. THE USE OR THE INABILITY TO USE THE SERVICE;
2. THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES RESULTING FROM ANY GOODS, DATA, INFORMATION OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO THROUGH OR FROM THE SERVICE;
3. UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA;
4. ANY OTHER MATTER RELATING TO THE SERVICE.

Indemnification​

YOU AGREE TO HOLD HARMLESS AND INDEMNIFY WSO2 AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, AGENTS, EMPLOYEES, ADVERTISERS, LICENSORS, SUPPLIERS, OR PARTNERS FROM AND AGAINST ANY THIRD PARTY CLAIM ARISING FROM OR IN ANY WAY RELATED TO YOUR VIOLATION OF APPLICABLE LAWS, RULES OR REGULATIONS IN CONNECTION WITH THE SITE, INCLUDING ANY LIABILITY OR EXPENSE ARISING FROM ALL CLAIMS, LOSSES, DAMAGES (ACTUAL AND CONSEQUENTIAL), SUITS, JUDGMENTS, LITIGATION COSTS, AND ATTORNEYS' FEES, OF EVERY KIND AND NATURE. IN SUCH CASE, WSO2 WILL PROVIDE YOU WITH WRITTEN NOTICE OF SUCH CLAIM, SUIT OR ACTION; WILL PROVIDE YOU THE OPPORTUNITY TO CONTROL THE DEFENSE AND/OR SETTLEMENT OF SUCH CLAIM, SUIT OR ACTION; AND WILL PROVIDE YOU REASONABLE ASSISTANCE IN SUCH DEFENSE OR SETTLEMENT, UPON REASONABLE REQUEST.

Changes to our privacy policy​

We reserve the right to amend this privacy policy at any time. We will not send individual email notifications on the updates. Any amendments will be posted on this page. You are therefore encouraged to visit this page periodically.

By using the Sites, you consent to our privacy policy and any revisions thereto. If you do not agree with our privacy policy or any changes we make to it, you may delete your profile.

Effective May 20th, 2026​