Privacy Policy
EasyOTP Privacy Policy
Operated by Braintech Corporation Private Limited
Effective Date: August 2025
1. Introduction
EasyOTP, operated by Braintech Corporation Private Limited ('Braintech', 'we', 'our', 'us'), respects your privacy and is committed to protecting personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our products and services, including EasyOTP authentication (OTP, Magic Link, QR), A2P messaging, and Scan validation flows (collectively, 'Services').
2. Data We Collect
We collect the following categories of information:
• Personal Information: Phone number (required), email (optional), name (optional).
• Device Information: Device ID, OS version, IP address, time zone, country.
• Authentication Data: OTPs, magic links, QR login events, consent logs.
• Usage Information: App interactions, session data, approvals, login timestamps.
• Vendor Information: Details of vendors you authenticate with via EasyOTP.
• A2P Messaging Data: Message sender, recipient, delivery logs, metadata (not message body).
• Cookies & Tracking: Cookies, SDK telemetry, crash analytics, and website interaction logs.
3. Purpose of Processing
We process personal data for the following purposes:
• To provide secure authentication (OTP, Magic Link, QR login).
• To deliver authorized A2P (application-to-person) notifications.
• To verify user consent before sharing phone numbers with vendors.
• To maintain account security, fraud prevention, and abuse detection.
• To comply with legal, regulatory, and contractual obligations.
• To improve EasyOTP services, analytics, and user experience.
• To provide customer support and troubleshooting.
• To enforce our Terms & Conditions and Data Processing Agreements.
4. Legal Basis for Processing
Our processing bases include:
• GDPR (EU/EEA): Consent, contract necessity, legal obligation, legitimate interest.
• DPDP (India): Explicit consent, lawful processing of personal data.
• CCPA/CPRA (California): Notice, right to opt-out of 'sale' or 'sharing'.
• HIPAA (where applicable): Business Associate Agreement (BAA).
• Other regions: Compliance with applicable privacy and telecom laws.
5. Consent Management
• Consent is collected digitally in-app at the time of QR scan or other methods of authentication.
• Users may withdraw consent at any time in-app.
• Withdrawals are logged, and affected vendors are notified via webhook and/or email.
• Vendors must terminate sessions and stop processing upon consent withdrawal.
6. Data Sharing & Disclosure
We share personal data only under controlled conditions:
• With Vendors you authenticate with, after obtaining consent.
• With subprocessors (cloud hosting, analytics, communication platforms).
• With regulators, courts, or law enforcement when legally required.
• During mergers, acquisitions, or corporate restructuring (with notice).
7. Data Residency & Transfers
• Data is stored regionally: US (US users), EU (EU/EEA users), India (Indian users), Singapore (rest of world).
• Cross-border transfers are protected by Standard Contractual Clauses (SCCs) and equivalent safeguards.
• Vendors may receive user phone numbers cross-region with user consent.
• Regional data residency and compliance are detailed in our Data Residency & Security Statement.
8. Security Measures
We implement:
• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• SOC2/ISO27001-aligned controls and audits.
• Access control, monitoring, and role-based security.
• Incident response procedures and breach notification commitments.
9. User Rights
Depending on applicable laws, users have rights to:
• Access personal data we hold.
• Correct inaccurate or incomplete data.
• Request deletion of data ('right to be forgotten').
• Portability of their phone number and consent records.
• Withdraw consent for data sharing.
• Opt out of sale or sharing (under CCPA).
• File complaints with supervisory authorities.
10. Data Retention
• Authentication and consent logs are retained for as long as the account is active.
• OTPs and magic links are ephemeral and deleted after expiry.
• QR scans are logged only for the duration of the session.
• Vendor access logs are retained for compliance (up to 7 years if legally required).
• A2P delivery metadata is retained for 12 months unless longer retention is required.
11. Children's Data
• EasyOTP is not directed at children under 16 (EU/EEA) or 13 (US/India).
• We do not knowingly collect data from minors.
• Parents/guardians may contact us to delete minor accounts.
12. Cookies & Tracking
• We use cookies and SDKs to support app functionality, authentication, analytics, and fraud prevention.
• Details are provided in our Cookie & Tracking Notice.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material updates will be notified via app updates, email, or vendor dashboard notifications.
14. Contact Us
If you have questions or requests, please contact:
Braintech Corporation Private Limited
Email: contact@easyotp.com
Website: https://easyotp.com
15. Version Control
Version | Date | Description of Changes | Approved By
1.0 | Aug 2025 | Initial comprehensive Privacy Policy covering all products (Auth, A2P, Scan). | Legal/Compliance