Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Privacy & security: Our privacy act statement

Our privacy act statement

The service is provided by the U.S. General Services Administration to offer the public secure and private online access to participating government programs. With one account, users can sign into multiple government agencies. Our goal is to make managing federal benefits, services, and applications easier and more secure.

By accessing the service, you acknowledge and agree to this Privacy Policy and the Rules of Use. We will post any changes to these terms to this page. If the changes affect our handling of your personal information or are otherwise deemed significant, we will notify you by email. If we cannot reach you by email, we reserve the right to contact you by other means, including postal mail. If at any time you no longer agree to this Privacy Policy or any other relevant terms of the service, you may delete your account.

The Authority - Who authorizes the collection of this data?

The information you provide is collected pursuant to 6 USC § 1523 (b)(1)(A)-(E), the E-Government Act of 2002 (Pub. L. 107–347, 44 U.S.C. 3501 note), and 40 USC § 501.

The Purpose - Why do we need your information? partners with agencies that need secure and private access to their applications and services. Each agency may request different levels of security depending on their needs. When you create and sign in to a account, you’re provided with an electronic identity assurance credential. We need your personally identifying information, or PII, to generate that credential. Imagine this credential like a key that only you can use. The key securely opens the door to a partner agency’s service or application. We also need information to ensure that your identity information is accurate - and not someone else’s.

What information do we need?

  • For authentication to establish a secure account, we need your name, email address, and an authentication method. Your authentication method could be a phone number where we share a SMS code, USB Security Key or other options.
  • Identity proofing requires more sensitive information such as a social security number, address, phone number connected to your address, and U.S. based state ID or driver’s license. Your mobile or telephony carrier (any branded carrier) may disclose your mobile number, name, address, email, network status, customer type, customer role, billing type, mobile device identifiers (IMSI and IMEI) and other subscriber status and device details, if available, to our third party service provider, solely to verify your identity for the duration of the business relationship.
  • To mitigate fraud, we also analyze the device used to access, identity, and behavior such as how you interact with forms on the page.

Routine Uses - With whom is the information routinely shared?

  • To third party identity proofing services, as necessary to identity proof an individual for access to a service.
  • To an expert, consultant, or contractor of GSA in the performance of a Federal duty to which the information is relevant.
  • To the Government Publishing Office (GPO), when needs to mail a user an address confirmation form or if a user requests mailed notifications of account changes or of proofing attempts.

This list is not comprehensive. Please see system of records notice GSA/TTS-1 for all entities and individuals.

What happens to the information you share?

All records are stored electronically in a database in GSA’s Amazon Web Services (AWS) environment. You can modify, or amend, either your email address or phone number on your account page.

Your personal information, including profiles, log-in files, password files, audit trail files and extracts, system usage records, and agency billing data used to assess charges for system use, will be maintained for at least six years following the altering of a password or deletion of your account, unless longer retention is required for business use, such as for law enforcement matters or other legal actions in accordance with National Archives and Records Administration (NARA) guidance. must be able to provide users access to information and services at partner agencies and therefore may have a business need to retain the information longer than the six-year retention period.

There may be circumstances where we are required to share certain data. Please refer to the routine uses above for more information on those circumstances.

Even when we share the information with law enforcement, with the exception of email, we cannot access PII because the information is encrypted in a manner that is unretrievable to the team.

The partner agency requests specific, personal information to grant you access to your account. You decide if you want to share that information and you can revoke consent at any time. Sharing your information is voluntary. All records are stored electronically in a database in GSA’s Amazon Web Services (AWS) environment. You can modify, or amend, either your email address or phone number on your account page.

However, failure to provide complete and accurate information may delay access to the partner agency. does not make any eligibility or suitability determinations; that is the responsibility of the government websites that use the service.

Other than as specified in this Privacy Policy and our Rules of Use, we will never share your information without your consent. Your validated personal data is encrypted and the only way to share it with a partner agency is if you, the authorized user, enter your password and explicitly grant consent to share the information. When accessing systems at the IRS, you consent to share data from each attempt you make to assert your identity as well as any future security impacting account activities. This data is encrypted in a manner only the IRS can see.

When you create an account or visit a new partner agency website after you have created your account, you will see the option to consent to share your information with the partner agency. You are required to give consent yearly for each agency.

Remember you can update your personal information, revoke consent, or delete your account entirely at any time through your account page.

Fraud mitigation - How do we stop bad actors?

Fraud is someone pretending to be you and attempting to access a partner agency using your information. protects your data from bad actors. Our product works with trusted third-party vendors to make sure it is you - and not someone pretending to be you - accessing your account. These vendors look for changes and risks in user behavior that might indicate a fraud attempt.

Records - Where can you find more information?

Please see the system of records notice (GSA/TTS–1) at

Website Analytics – Other data we collect

Other data, like the pages you visit and the length of your session, are aggregated into reports to help us better understand how the site is being used and how we can make it more helpful. The data is anonymized. No personally identifying user information is tied to this data and it is only shared anonymously with the team.

We collect device information and behavioral analytics to assess for risk of misuse. This information is stored in an obfuscated manner. is able to assess device and behavioral risk from this obscured data store, but neither nor its providers can read the information.

Privacy Impact Assessment

View our privacy impact assessment at

Back to top