Privacy policy (Datenschutzerklärung)
This privacy policy applies to the Octotp website and services. We operate from Germany and comply with the GDPR.
1. Controller
[Company name – to be added]
[Address – to be added]
[Contact – to be added]
2. Data we collect
Website:
- Analytics: We may use privacy-friendly analytics (e.g. Plausible, PostHog) that do not use cookies. We collect anonymized page views and referrers.
- Contact: If you contact us, we store your message and contact details to respond.
- Logs: Server logs (IP, timestamp, requested URL) for security and debugging. Retained for a limited period.
API and dashboard:
- Account data: Email, password (hashed), company name.
- API usage: Project IDs, token creation/validation counts, recipient identifiers (email/phone) hashed or processed for the verification flow.
- Billing: If you subscribe, we use Stripe. Payment data is processed by Stripe; we do not store full card numbers.
3. Legal basis (GDPR Art. 6)
- Contract (Art. 6(1)(b)): Account, API usage, billing.
- Legitimate interest (Art. 6(1)(f)): Analytics, logs, security.
- Consent (Art. 6(1)(a)): Where we ask for explicit consent (e.g. optional cookies).
4. Third parties
- Stripe: Payment processing. See the Stripe Privacy Policy.
- Analytics provider: Plausible or PostHog – privacy-focused, minimal data.
- Hosting: Cloudflare, Azure, or similar – data may be processed in the EU.
5. Your rights
Under GDPR you have the right to:
- Access (Art. 15): Request a copy of your data.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): Request deletion of your data.
- Restriction (Art. 18): Limit processing in certain cases.
- Portability (Art. 20): Receive your data in a machine-readable format.
- Object (Art. 21): Object to processing based on legitimate interest.
- Complaint (Art. 77): Lodge a complaint with a supervisory authority (e.g. your local data protection authority).
Contact us at [privacy contact – to be added] to exercise these rights.
6. Data retention
- Account data: Until you delete your account.
- API logs: As needed for operations; typically limited retention.
- Analytics: Aggregated, anonymized; no personal data stored long-term.
7. International (English summary)
We process data in accordance with the GDPR. If you are outside the EU, we still apply GDPR-level protections where applicable. For questions, contact us at the address above.
Please replace placeholder values (company name, address, contact, analytics provider) with your actual details. Consider having a lawyer review the final policy.