Privacy Policy

Last Updated: October 2025

Your Privacy Matters

This Privacy Policy explains how OTPOCKET ("we," "our," or "us") collects, uses, and protects your information when you use our SMS verification services. We are committed to protecting your privacy and ensuring the security of your data.

1. Information We Collect

1.1 Personal Information

When you create an account, we collect:

  • Email address for account identification and communication
  • Password (encrypted and securely stored using industry-standard hashing)
  • Account creation timestamp and last login information
  • Legal agreement acceptance timestamps and IP addresses
  • Country/region information for compliance purposes
  • Language preferences for service delivery

1.2 Service Usage Data

We collect information about your use of our services:

  • OTP session requests, completions, and timestamps
  • Payment transactions, receipts, and billing information
  • SIM card usage patterns and availability status
  • Service performance metrics and error logs
  • Device information and browser details for security
  • IP addresses and geolocation data (country/region level)

1.3 SMS Messages and Communication Data

For private SIM services, we temporarily store SMS messages received on your assigned SIM cards. These messages are:

  • Only visible to you during your active session
  • Automatically deleted after session completion (maximum 24 hours)
  • Never shared with third parties without explicit consent
  • Encrypted during transmission and storage using AES-256 encryption
  • Subject to strict access controls and audit logging

1.4 Technical Data

We automatically collect certain technical information:

  • Browser type, version, and language settings
  • Operating system and device information
  • Referral sources and website navigation patterns
  • Session duration and interaction timestamps
  • Error reports and crash analytics (anonymized)

2. How We Use Your Information and Legal Basis

2.1 Service Provision (Contract Performance)

We use your information to provide our services based on our contract with you:

  • Provide SMS verification services as requested
  • Process payments and manage your account
  • Deliver OTP codes and messages to you
  • Maintain service security and prevent abuse
  • Provide customer support and technical assistance

2.2 Legal Compliance (Legal Obligation)

We process data to comply with legal requirements:

  • Anti-money laundering (AML) and know-your-customer (KYC) requirements
  • Tax reporting and financial record keeping
  • Data protection law compliance and audit requirements
  • Telecommunications regulations and SIM card management
  • Cross-border data transfer compliance

2.3 Legitimate Interests

We process data based on legitimate business interests:

  • Service improvement and development
  • Fraud prevention and security monitoring
  • Business analytics and performance metrics
  • System maintenance and technical optimization
  • Legal defense and dispute resolution

2.4 Communication (Consent and Legitimate Interest)

We may use your email for:

  • Essential service notifications (contract performance)
  • Security alerts and account safety (legitimate interest)
  • Marketing communications (with your consent)
  • Policy updates and legal notices (legal obligation)
  • Customer support responses (contract performance)

3. Information Sharing

3.1 We Do Not Sell Your Data

We do not sell, trade, or rent your personal information to third parties. Your data remains private and secure.

3.2 Limited Sharing

We may share information only in these circumstances:

  • With your explicit consent
  • To comply with legal obligations
  • To protect our rights and prevent fraud
  • With trusted service providers (under strict confidentiality)

4. Data Security

4.1 Security Measures

We implement industry-standard security measures:

  • End-to-end encryption for all data transmission
  • Secure storage with encrypted databases
  • Regular security audits and updates
  • Access controls and authentication systems

4.2 Data Retention and Deletion

We retain your data only as long as necessary based on legal and business requirements:

  • Account Information: Until account deletion + 30 days (for security purposes)
  • SMS Messages: Maximum 24 hours after session completion
  • Payment Records: 7 years (as required by financial regulations)
  • Usage Logs: 2 years (for security and service improvement)
  • Marketing Data: Until consent withdrawal + 30 days
  • Legal Compliance Data: As required by applicable laws

4.3 Automated Deletion

We have automated systems that:

  • Delete SMS messages after 24 hours automatically
  • Remove inactive account data after 2 years of inactivity
  • Purge temporary session data immediately after use
  • Archive and securely delete data according to retention schedules

5. Your Rights Under Data Protection Laws

5.1 GDPR Rights (EU/EEA Users)

If you are in the European Union or European Economic Area, you have the following rights:

  • Right of Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time

5.2 PDPA Rights (Philippines Users)

If you are in the Philippines, you have the following rights under the Data Privacy Act of 2012:

  • Right to be Informed: Know how your data is collected and used
  • Right to Access: Request access to your personal data
  • Right to Object: Object to processing of your personal data
  • Right to Erasure or Blocking: Request deletion or blocking of your data
  • Right to Damages: Claim damages for violations of your privacy rights
  • Right to Data Portability: Obtain a copy of your data in a structured format
  • Right to File a Complaint: Lodge complaints with the National Privacy Commission

5.3 Asian Data Protection Rights

For users in other Asian jurisdictions, you may have additional rights under local data protection laws including:

  • Singapore PDPA rights (Personal Data Protection Act)
  • Malaysia PDPA rights (Personal Data Protection Act 2010)
  • Thailand PDPA rights (Personal Data Protection Act B.E. 2562)
  • Indonesia data protection rights (Law No. 27 of 2022)
  • Vietnam data protection rights (Decree No. 13/2023/ND-CP)

5.4 How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer at:

  • Email: support@otpocket.app
  • Subject line: "Data Rights Request - [Your Request Type]"
  • Include your account email and specific request details
  • We will respond within 30 days (or as required by applicable law)

6. Cookies and Tracking

We use essential cookies to maintain your session and improve service functionality. We do not use tracking cookies or third-party analytics that compromise your privacy.

7. Third-Party Services

We may use trusted third-party services for payment processing and infrastructure. These services are bound by strict confidentiality agreements and only process data necessary for service provision.

8. International Data Transfers and Cross-Border Compliance

8.1 Data Transfer Mechanisms

Your data may be processed in different countries. We ensure compliance with applicable data protection laws through:

  • EU-US Data Privacy Framework: Adequacy decisions for EU-US transfers
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards
  • Binding Corporate Rules: Internal data protection policies
  • Consent: Explicit consent for specific transfers
  • Legitimate Interest: Necessary transfers for service provision

8.2 Asian Data Localization Requirements

For users in Asian jurisdictions, we comply with local data localization requirements:

  • Philippines: Critical personal information stored locally when required
  • Singapore: Data residency requirements for certain data types
  • Malaysia: Personal data stored within Malaysia when mandated
  • Thailand: Sensitive personal data localization compliance
  • Indonesia: Electronic system operator data localization

8.3 Data Processing Locations

Our primary data processing locations include:

  • Primary servers: Singapore (Southeast Asia region)
  • Backup servers: Multiple secure locations globally
  • CDN and edge servers: Regional distribution for performance
  • Payment processing: PCI DSS compliant facilities

9. Children's Privacy

Our services are not intended for children under 13. We do not knowingly collect personal information from children. If we become aware of such collection, we will take steps to delete the information promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes through our platform or email. Your continued use of our services constitutes acceptance of the updated policy.

11. Data Protection Officer and Compliance

11.1 Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our data protection compliance:

  • Email: support@otpocket.app
  • Responsibilities: GDPR compliance, PDPA compliance, data protection training
  • Response Time: Within 72 hours for urgent matters
  • Languages: English, Filipino, and major Asian languages

11.2 Regulatory Compliance

We comply with the following data protection regulations:

  • GDPR: General Data Protection Regulation (EU/EEA)
  • PDPA Philippines: Data Privacy Act of 2012 (Republic Act No. 10173)
  • Singapore PDPA: Personal Data Protection Act 2012
  • Malaysia PDPA: Personal Data Protection Act 2010
  • Thailand PDPA: Personal Data Protection Act B.E. 2562
  • Indonesia: Law No. 27 of 2022 on Personal Data Protection

11.3 Data Breach Notification

In the event of a data breach that may result in a high risk to your rights and freedoms, we will notify you and relevant authorities within 72 hours (GDPR) or as required by local law.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Support: support@otpocket.app

Effective Date: October 2025
Compliance: GDPR, PDPA Philippines, Singapore PDPA, Malaysia PDPA, Thailand PDPA, Indonesia PDPA