Last Updated: November 19, 2025
Version: 1.1
This Privacy Policy explains how OnlineOTP collects, uses, and protects your information.
1. Information We Collect
What you give us:
- Email address (for your account)
- Password (encrypted and never stored in plain text)
- Payment information (processed by Stripe - we never see your full credit card)
What we automatically collect:
- Your assigned phone numbers
- SMS messages sent to your numbers (displayed in dashboard and forwarded to email)
- Message metadata (sender number, timestamp, recipient number)
- Usage data (login times, IP addresses, browser type)
- Payment history
What we DON'T collect:
- Your personal phone number
- Unnecessary personal information
- Location data beyond IP address
- Biometric data
2. How We Use Your Information
We use your data to:
- Provide you with working phone numbers
- Receive and display SMS messages in your dashboard
- Forward SMS messages to your email
- Process your payments
- Send you important service updates
- Fix problems and improve the service
- Prevent fraud and abuse
We DON'T:
- Sell your data to anyone
- Use your data for advertising
- Share your info except as described here
- Read your messages for any purpose other than service operation
3. Who We Share Your Data With
Service providers we work with:
- Stripe - processes payments (see Stripe Privacy Policy)
- Twilio - provides phone numbers and receives SMS (see Twilio Privacy Policy)
- Resend - sends you email forwards and notifications
- Hosting provider - stores our database securely
We only share the minimum data necessary for these services to function.
Legal requirements:
- We may share data if required by law, court order, or to protect our rights
- We'll notify you if legally permitted to do so
Business transfers:
- If OnlineOTP is sold or merged, your data may transfer to the new owner
- We'll notify you at least 30 days before any such transfer
4. How Long We Keep Your Data
- Active account data: While your account is active
- Closed account data: 90 days after account closure, then deleted
- SMS messages: Stored in database while your account is active, deleted 90 days after account closure
- Payment records: 7 years (required for tax/accounting compliance)
- Usage logs: 12 months, then automatically deleted
You can request early deletion of your data anytime by emailing privacy@onlineotp.io.
5. How We Protect Your Data
We use industry-standard security measures:
- HTTPS/TLS encryption for all data transmission
- Encrypted password storage (bcrypt hashing)
- Secure servers and databases with access controls
- Regular security updates and patches
- Database backups encrypted at rest
- Limited employee access to user data
Important: No system is 100% secure. We do our best, but we can't guarantee absolute security. Use the service at your own risk.
6. Your Rights
You have the right to:
- Access your data (email us and we'll send it)
- Correct incorrect information (update in your dashboard)
- Delete your account and data (email privacy@onlineotp.io)
- Export your data (we'll send you a JSON file)
- Opt-out of non-essential emails (account security emails are required)
- Object to data processing (though this may limit service functionality)
How to exercise these rights: Email privacy@onlineotp.io with your request. We'll respond within 30 days.
7. Cookies & Tracking
We use minimal cookies for:
- Keeping you logged in (session cookies)
- Remembering your preferences
- Basic analytics to improve the service (aggregated, non-identifying data)
We do NOT use:
- Third-party advertising cookies
- Cross-site tracking
- Behavioral profiling
You can disable cookies in your browser, but the service may not work properly without them.
8. Data Storage & Processing
Your data is stored and processed by our hosting providers, which may be located in different countries. We use reputable cloud infrastructure providers with industry-standard security practices.
Your rights: Regardless of your location, you have the data rights described in section 6. We don't sell your personal information to anyone.
9. Age Requirement
OnlineOTP is intended for users 18 and older. By using the service, you confirm you meet this requirement.
10. SMS Message Privacy
SMS messages have inherent security limitations:
- SMS messages are not end-to-end encrypted by carriers
- Messages can be intercepted by telecom providers or network operators
- We forward messages to your email (also not encrypted by default)
What we do to protect your messages:
- Store messages securely in encrypted database
- Use HTTPS for all dashboard display
- Forward to your email promptly
- Never share message content with third parties
We recommend: Use SMS OTP as a backup option alongside app-based authenticators (Google Authenticator, Authy) when available for maximum security.
11. Third-Party Services
We integrate with third-party services that have their own privacy policies:
We're not responsible for their data practices. Please review their policies.
12. Changes to This Policy
We may update this policy occasionally. If we make significant changes:
- We'll email you at least 30 days before changes take effect
- We'll post the new policy here with a new date and version number
- We'll highlight what changed
Continued use after changes means you accept them. If you don't agree, please close your account before the changes take effect.
13. Data Breach Notification
If we experience a data breach that affects your personal information:
- We'll notify you by email within 72 hours of discovering the breach
- We'll explain what data was affected
- We'll describe what we're doing to address it
- We'll provide recommendations for protecting yourself
14. Do Not Track
Our service doesn't respond to "Do Not Track" browser signals because we don't track you across websites.
15. Contact Us & Questions
Questions about privacy? We're here to help:
16. Operator Information
By using OnlineOTP, you acknowledge and agree to this Privacy Policy.