Privacy Policy

Version 1.4

Asgardeo takes Your privacy seriously. This privacy policy applies to the Asgardeo platform including but not limited to https://console.asgardeo.io, https://accounts.asgardeo.io, https://console.eu.asgardeo.io, https://accounts.eu.asgardeo.io, https://asgardeo.io/signup and https://wso2.com/asgardeo/ and any other site to which a link to these terms may appear. We’ve set out below the details of how we collect, use, share and secure the personal data that You provide. Asgardeo is owned by WSO2 LLC (“WSO2”) and whenever the terms “we”, “us” or “our” appear in this policy, we’re talking about WSO2 and its subsidiary companies. When we use “You” and “Your” in this policy, we mean the person or entity visiting our site or using the services on it.

California residents may view WSO2's California-specific privacy policy at https://wso2.com/california-privacy.

WHAT INFORMATION DO WE COLLECT?

INFORMATION COLLECTED AUTOMATICALLY

  • When You are browsing through Asgardeo, there is some generic information that we can see automatically, even without a user registration. This includes Your IP address, Your browser type, language, location, device info, the time and frequency You access our site, and the URL You came from. 
  • Our website may also place certain cookies to help You access our sites and to track and analyze Your actions on our website such as navigation, number of visits and search items to gain a better understanding of our visitors and their movements through the site. Please see our Cookie policy on how we use and store cookies. 
  • This type of generic information won’t reveal Your identity as a visitor but is still useful to us to analyse the user regions, frequently visited portions of our site and develop device specific improvements.
  • When You use Asgardeo to create and run applications, we store data such as application logs. We also aggregate non-personally identifiable information about how You use Asgardeo. This information is important to us to analyse the ways in which Asgardeo is used to develop applications, to understand what users’ needs are and to make our service better suited to those needs. Such usage data never identifies You personally.

INFORMATION YOU PROVIDE

  • When You register on Asgardeo, pay for our services or register for an event, newsletter or activity on our site, we ask that You give us all or some of the following information about Yourself:
    • E-mail address
    • Username
    • Mobile number
    • First name and Last name
    • Country
    • Your payment details (if You are paying for a service)
  • Some of the services on Asgardeo may make it mandatory that You provide some personal details. This is because we won’t be able to process Your payments or provide You with certain services without them. You’re completely free to opt out of this, but that means that You may not be able to fully access those services.
  • When privileged actions like user addition, unlocking a user, or assigning a role to a user are performed, these actions are logged for audit purposes.
  • To make sure Asgardeo complies with security, compliance, auditing and legal obligations, Asgardeo will log HTTP requests which include the HTTP Request Lines.

INFORMATION WE GET FROM THIRD PARTIES ABOUT YOU

We may obtain information from other sources and combine that with information we collect through our services. For example, if You create or log into Your account through one of our integration partners (such as Google, Github or Microsoft), we will have access to basic information from that sign-on service, such as Your email and account information.

When You create applications using Asgardeo, You may choose to integrate with various third party services (like messaging services, email or calendar services). In those scenarios, Asgardeo’s access to the third party service will be limited to performing the functions that You specify. Asgardeo doesn’t store any data that resides on these third party services nor does it access that data in any way outside of Your instructions. Asgardeo’s use of information received from Google APIs will adhere to the Google API Services User Data Policy.

WHY DO WE COLLECT YOUR INFORMATION?

We use the data we collect to:

  • Confirm Identity. To confirm there is a unique identity behind the requests. Email address is used to confirm there is a contactable identity related to the actions You perform and uniquely identify those.
  • Provide the services You ask for. These include providing You with authentication and location based services. Asgardeo maintains regional data centers in the US and EU to store and process Your personal data. You may choose the regional data center You prefer. Details on data residency and sharing of personal data can be found at <https://wso2.com/asgardeo/docs/references/data-residency-in-asgardeo/#subscription-data>. If You need support, we use Your contact details to get in touch with You. If You want to pay for a service, we use Your payment details to process that payment.
  • To improve and customize Your content. We try to provide a focused user experience, based on the familiarity level of the user with Asgardeo and the use cases they try to implement. For example if You are a first time user, You will be taken to a quick start guide. Also Your name details will be used in all the email communications and within Asgardeo to refer to the identity. We may check on what You have clicked on and what kind of activities or scenarios You run on Asgardeo, to find out what is most commonly used, and in what ways You use our services. We use this feedback to make our service better.
  • Analyse how Asgardeo is being used. We rely on analytics of Your browser based activity and applications to improve the performance of our platform. For example, we use analytics to evaluate design decisions, find bugs in the systems, and recommend actions and features to users. These are collected in an anonymous manner.
  • To Update You on our services. If there are updates to Your service, important information You need to know, or if we think You would be interested in our technology and what we’re doing with it, we’ll get in touch with You using Your contact details. If the registration is done using a third party, we retrieve the same mandatory details from them and store them on our server. Any other optional parameters provided by You will also be stored and used as per the use case configuration of the applications, in compliance with the provided consent. You can unsubscribe from our marketing emails at any time by either clicking on the unsubscribe link at the bottom of the email or by contacting us on the Asgardeo user portal. However, You may still receive important information about Your service, security or payments.
  • Legal Protection and compliance: Access logs may serve as evidence in legal disputes such as to establish when specific actions were taken and to provide a record of interactions between users and the Services. Further, we will be recording Your country to help us identify the jurisdiction You belong to so that we can handle Your data, and provide services adhering to applicable laws.
  • Security and Intrusion Detection: Access logs can help identify suspicious or unauthorized activities conducted on the Service and assist with forensic analysis, such as helping to detect patterns of behavior that might indicate, and provide insights into, hacking attempts, brute-force attacks, or other malicious activity.

WHO IS YOUR INFORMATION SHARED WITH?

We don’t sell, trade, or otherwise share Your information with outside parties. However, we do share Your information with our subsidiaries, affiliates, service providers, and partners who assist us in operating our website, conducting our business, or servicing You.

We sometimes need to give our service providers who help us run our website and services access to the data we have in order for them to perform those services. They are only authorized to use information that is strictly relevant for them to perform their tasks, and we ensure that they are under obligations of confidentiality to us so that Your data is secure. For a full list of third-party service providers used by Asgardeo (processors), please visit here.

We do share Your information within the WSO2 group, because our affiliate entities also help provide our services such as support, marketing, account management, and technical operations. WSO2 LLC is located in the United States of America. Our affiliates are WSO2 (UK) Limited (located in the United Kingdom), WSO2 Lanka (Private) Limited (located in Sri Lanka), WSO2 Brasil Tecnologia E Software Ltda (located in Brazil) and WSO2 Germany GmbH (located in Germany) and other entities we may add on our Contact Us page from time to time.

Cross Border Data Transfer 

WSO2 operates globally, with businesses both inside and outside of the European Economic Area ("EEA") and the UK. We may transfer Your Personal Data to countries other than the one in which You live, including transfers to the United States. We maintain regional data centres in the USA. Additionally, third-party service providers who handle data on our behalf may be based in locations around the world. For these reasons, Your personal information may be transferred to other countries both inside and outside of the UK and the EEA. As privacy laws in other countries may not be equivalent to those in Your home country, we make arrangements to transfer data overseas only where we are satisfied that adequate levels of protection are in place to protect any information held in that country or that the service provider acts at all times in compliance with applicable privacy laws. Where required under applicable laws, we will take measures to ensure that personal information handled in other countries will receive at least the same level of protection as it is given in Your home country.

In July 2023, EU regulators approved the United States as a third-party country to which EU personal data may be transferred, under an Adequacy Decision. Subsequent to this, the EU-US Data Privacy Framework was set up (which replaces the previous Privacy Shield Framework). When we transfer personal information to the US, we do so on the following basis:

WSO2 complies with the EU-U.S. Data Privacy Framework (“DPF”) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. WSO2 has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

WSO2 accountability for personal information it receives under the EU-U.S. DPF and subsequently transfers to a third party is described in the EU-U.S. DPF Principles. In particular, WSO2 remains responsible and liable under the EU-U.S. DPF Principles if third-party agents that it engages to process the Personal Information on its behalf do so in a manner inconsistent with the Principles, unless WSO2 proves that it is not responsible for the event giving rise to the damage.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, WSO2 commits to resolve DPF Principles-related complaints about our collection and use of Your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact us as specified in the Dispute Resolution Mechanism section.

Additionally, with regard to Your personal data transferred from the EU, EEA, and the United Kingdom to other WSO2 affiliate entities located around the world, WSO2 also maintains Data Transfer Agreements containing the New EU Standard Contractual Clauses set out by the European Commission in June 2021 and their UK equivalent, which guarantee uniform levels of protection to Your data as specified by the EU and the UK. WSO2 remains fully liable to you with regard to all onward transfers to WSO2 global entities and WSO2 service providers listed in this Privacy Policy.

We may also release Your information when we believe release is necessary to comply with the law subject to our (Governmental and law enforcement Data Access Policy), enforce our privacy policy or protect our or others’ rights, property, or safety.

HOW DO WE PROCESS YOUR DATA?

We will only collect and process personal data about You where we have lawful bases. Lawful bases include consent (where You have given consent on one of our forms), contract (where processing is necessary for the performance of a contract with You) and legitimate interests (such as to protect You, us, or others from security threats, comply with laws that apply to us and to administer our business through consolidated reporting, or marketing our services etc.) See the “WHAT ARE YOUR RIGHTS TO YOUR PERSONAL INFORMATION?” section below if You wish to withdraw Your consent or object to any processing of Your personal data.

IS YOUR DATA SECURE?

We implement industry standard security safeguards designed to protect Your data. We encrypt all data at rest (including credentials/tokens to external systems). All our data transfers are done securely through encrypted channels using Transport Layer Security (TLS) technology. We regularly monitor our systems for possible vulnerabilities and attacks and conduct testing. However, we cannot warrant the security of any information that You send us. There is no complete guarantee that data may not be accessed, disclosed, altered or destroyed by breach of any of our physical, technical or administrative safeguards.

WHAT ARE YOUR RIGHTS TO YOUR PERSONAL INFORMATION?

We store the information we collect about You for as long as is necessary for the purpose(s) for which we originally collected it. For instance, we may retain Your information during the time in which You have an account to use our website or services. We also may retain Your information during the period of time needed for WSO2 to pursue our legitimate business interests, comply with our legal obligations, resolve disputes, and enforce our agreements. At the end of these periods, we ensure that Your data is deleted securely using an industry standard methodology.

WSO2 acknowledges Your right to access Your data. If information pertaining to You as an individual has been submitted to us then You have the right to access, correct, or edit Your data. If You wish, we can provide all the personal information on our records to You or to someone You nominate in a portable format as well.

You can ask us to stop using all or some of Your personal data (e.g., if we have no legal right to keep using it) or to limit our use of it (e.g., if Your personal data is inaccurate or unlawfully held).

You may also choose to delete Your data from our website or service at any time You choose, and unsubscribe from any Asgardeo mailing lists You are on. You can unsubscribe from our emails by clicking on the unsubscribe link which is at the bottom of every marketing email we send. You can click on Your account within the Asgardeo user portal, which will let You do certain functions like updating Your profile, managing consents, managing sessions, and adding security to Your account, or You can submit a request to us through the “Submit a Request form”. We only ever retain Your personal data after You have ceased using our services, or sent us a request to unsubscribe or delete Your data if it is reasonably necessary to comply with our legal obligations (including law enforcement requests), meet regulatory requirements, resolve disputes, maintain security, prevent fraud and abuse, or fulfill Your request to “unsubscribe” from further messages from us.

THIRD PARTY OFFERINGS AND SERVICES

When You choose to integrate certain functionalities with sites or applications outside of WSO2, You are bound by the terms of the particular site or application.

CHANGES TO OUR PRIVACY POLICY

We reserve the right to amend this Privacy Policy at any time. We will not send individual email notifications on the updates. Any amendments will be posted on this page. You are therefore encouraged to visit this page periodically.

By using our website and services, You consent to our Privacy Policy and any revisions thereto. If You do not agree with our privacy policy or any changes we make to it, You may delete Your profile.

In compliance with the DPF Principles, we commit to resolving complaints about our collection or use of your personal information. EU and UK individuals with inquiries or complaints regarding our DPF policy should first reach out to us using the information in the “Information About Data Controllers, Processors and How to Contact Us” section below.

DISPUTE RESOLUTION

WSO2 has committed to refer unresolved DPF complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you. Under certain conditions, more fully described on the DPF website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Within the USA, we are also subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

INFORMATION ABOUT DATA CONTROLLERS, PROCESSORS, AND HOW TO CONTACT US

In relation to this website, the Controller of Your data is WSO2 LLC, USA. However, where we provide products or services that we have indicated are subject to their own terms, we may only be a Processor of Your data with regard to such products or services. 

If You are located within the European Union or the European Economic Area, WSO2 Germany GmbH, based in Germany, is the EU representative of WSO2 LLC. You may contact our Data Protection Officer by submitting the form “Send Request” or by post at: WSO2 Germany GmbH, Maximiliansplatz 22, c/o Bird & Bird LLP, 80333 Munich. If You are located in the United Kingdom, WSO2 (UK) Limited, based in the UK, will be the representative of WSO2 LLC. You may contact our Data Protection Officer by submitting the form “Send Request” or by post at: WSO2 (UK) Limited, Appledram barns, Birdham Road, Chichester, West Sussex, UK, PO20 7EQ.

If You have any issues with regard to Your data on our website, then in addition to informing us, You also have the right to write directly to the independent data protection monitoring organization in Your country. 

Effective January 16, 2024