Data Protection Policy

Last Updated: October 2025

Comprehensive Data Protection Framework

This Data Protection Policy outlines OTPOCKET's comprehensive approach to protecting personal data in compliance with international data protection laws, including GDPR, PDPA Philippines, and other Asian data protection regulations. We are committed to the highest standards of data protection and privacy.

1. Data Protection Principles

1.1 Core Principles

We adhere to the following fundamental data protection principles:

  • Lawfulness, Fairness, and Transparency: Processing personal data lawfully, fairly, and transparently
  • Purpose Limitation: Collecting data only for specified, explicit, and legitimate purposes
  • Data Minimization: Processing only data that is adequate, relevant, and necessary
  • Accuracy: Keeping personal data accurate and up to date
  • Storage Limitation: Retaining data only as long as necessary
  • Security: Implementing appropriate technical and organizational measures
  • Accountability: Taking responsibility for compliance and demonstrating it

1.2 Privacy by Design and Default

We implement privacy by design and default principles throughout our systems and processes:

  • Data protection considerations integrated into system design
  • Default settings that maximize privacy protection
  • Regular privacy impact assessments for new features
  • Continuous monitoring and improvement of privacy measures

2. Legal Basis for Processing

2.1 Contract Performance

We process personal data to perform our contract with you:

  • Providing SMS verification services as requested
  • Processing payments and managing your account
  • Delivering OTP codes and messages
  • Providing customer support and technical assistance

2.2 Legal Obligation

We process data to comply with legal requirements:

  • Anti-money laundering (AML) and know-your-customer (KYC) requirements
  • Tax reporting and financial record keeping
  • Data protection law compliance and audit requirements
  • Telecommunications regulations and SIM card management

2.3 Legitimate Interest

We process data based on legitimate business interests:

  • Service improvement and development
  • Fraud prevention and security monitoring
  • Business analytics and performance metrics
  • System maintenance and technical optimization

2.4 Consent

We process data with your explicit consent for:

  • Marketing communications and promotional materials
  • Non-essential cookies and tracking technologies
  • Optional data sharing with third parties
  • Special categories of personal data (where applicable)

3. Data Subject Rights

3.1 Right to Information and Access

You have the right to:

  • Know what personal data we process about you
  • Access your personal data in a structured, machine-readable format
  • Receive confirmation of whether we process your personal data
  • Obtain information about the purposes and legal basis of processing

3.2 Right to Rectification and Erasure

You have the right to:

  • Correct inaccurate or incomplete personal data
  • Request deletion of your personal data ("right to be forgotten")
  • Restrict processing of your personal data
  • Object to processing based on legitimate interests

3.3 Right to Data Portability

You have the right to:

  • Receive your personal data in a structured, commonly used format
  • Transmit your data to another controller
  • Have your data transmitted directly by us to another controller

3.4 Right to Withdraw Consent

You can withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

4. Data Security Measures

4.1 Technical Safeguards

We implement comprehensive technical security measures:

  • Encryption: AES-256 encryption for data at rest and in transit
  • Access Controls: Multi-factor authentication and role-based access
  • Network Security: Firewalls, intrusion detection, and monitoring
  • Secure Development: Security testing and code review processes
  • Regular Updates: Timely security patches and system updates

4.2 Organizational Safeguards

We maintain strong organizational security measures:

  • Staff Training: Regular data protection and security training
  • Access Management: Principle of least privilege access
  • Incident Response: Comprehensive breach response procedures
  • Vendor Management: Due diligence and contractual safeguards
  • Audit and Monitoring: Regular security audits and compliance checks

5. Data Breach Response

5.1 Breach Detection and Assessment

We have systems in place to:

  • Detect potential data breaches through monitoring and alerts
  • Assess the scope and impact of any breach
  • Determine the risk to data subjects' rights and freedoms
  • Classify breaches according to severity and regulatory requirements

5.2 Notification Procedures

In the event of a data breach, we will:

  • Regulatory Notification: Notify relevant authorities within 72 hours (GDPR) or as required by local law
  • Data Subject Notification: Notify affected individuals without undue delay if high risk
  • Internal Response: Activate incident response team and containment measures
  • Documentation: Maintain detailed records of all breach-related activities

6. International Data Transfers

6.1 Transfer Mechanisms

We ensure lawful international transfers through:

  • Adequacy Decisions: Transfers to countries with adequate protection
  • Standard Contractual Clauses: EU-approved contractual safeguards
  • Binding Corporate Rules: Internal data protection policies
  • Certification Schemes: Approved certification mechanisms
  • Derogations: Specific derogations where appropriate

6.2 Data Localization Compliance

We comply with data localization requirements in:

  • Philippines: Critical personal information stored locally when required
  • Singapore: Data residency requirements for certain data types
  • Malaysia: Personal data stored within Malaysia when mandated
  • Thailand: Sensitive personal data localization compliance
  • Indonesia: Electronic system operator data localization

7. Data Protection Impact Assessments

7.1 When We Conduct DPIAs

We conduct Data Protection Impact Assessments for:

  • New processing activities that may result in high risk
  • Systematic monitoring of data subjects on a large scale
  • Processing of special categories of personal data
  • Automated decision-making with legal or significant effects
  • Processing of personal data of vulnerable individuals

7.2 DPIA Process

Our DPIA process includes:

  • Systematic description of processing operations
  • Assessment of necessity and proportionality
  • Risk assessment and mitigation measures
  • Consultation with data subjects and stakeholders
  • Regular review and updates of assessments

8. Data Protection Officer

8.1 DPO Contact Information

Our Data Protection Officer can be contacted at:

  • Email: support@otpocket.app
  • Response Time: Within 72 hours for urgent matters

8.2 DPO Responsibilities

Our DPO is responsible for:

  • Monitoring compliance with data protection laws
  • Providing advice on data protection impact assessments
  • Acting as a contact point for data subjects and authorities
  • Training staff on data protection requirements
  • Maintaining records of processing activities

9. Regulatory Compliance

9.1 Applicable Laws

We comply with the following data protection laws:

  • GDPR: General Data Protection Regulation (EU/EEA)
  • PDPA Philippines: Data Privacy Act of 2012 (Republic Act No. 10173)
  • Singapore PDPA: Personal Data Protection Act 2012
  • Malaysia PDPA: Personal Data Protection Act 2010
  • Thailand PDPA: Personal Data Protection Act B.E. 2562
  • Indonesia PDPA: Law No. 27 of 2022 on Personal Data Protection

9.2 Regulatory Authorities

We work with the following regulatory authorities:

  • Philippines: National Privacy Commission (NPC)
  • Singapore: Personal Data Protection Commission (PDPC)
  • Malaysia: Personal Data Protection Department (PDPD)
  • Thailand: Personal Data Protection Committee (PDPC)
  • Indonesia: Personal Data Protection Agency (PDPA)
  • EU: Relevant EU data protection authorities

10. Contact Information

For questions about this Data Protection Policy or to exercise your rights, please contact us:

  • Support: support@otpocket.app

Effective Date: October 2025
Compliance: GDPR, PDPA Philippines, Singapore PDPA, Malaysia PDPA, Thailand PDPA, Indonesia PDPA