API Reference

Complete REST API documentation for Q-OTP integration

Authentication

All API requests require authentication using an API key. Include your API key in the request header:

Authorization: Bearer YOUR_API_KEY

Base URL

https://api.q-otp.me/v1

{
  "phone_number": "+1234567890",
  "channel": "sms", // sms, whatsapp, telegram, rcs
  "code_length": 6,
  "expiry_seconds": 300,
  "template": "Your verification code is: {code}"
}

{
  "success": true,
  "request_id": "req_abc123xyz",
  "status": "sent",
  "channel_used": "sms",
  "expires_at": "2025-11-01T14:35:00Z"
}

curl -X POST https://api.q-otp.me/v1/otp/send \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "phone_number": "+1234567890",
    "channel": "sms",
    "code_length": 6,
    "expiry_seconds": 300
  }'

const response = await fetch('https://api.q-otp.me/v1/otp/send', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    phone_number: '+1234567890',
    channel: 'sms',
    code_length: 6,
    expiry_seconds: 300
  })
});

const data = await response.json();
console.log(data);

{
  "request_id": "req_abc123xyz",
  "code": "123456"
}

{
  "success": true,
  "valid": true,
  "request_id": "req_abc123xyz",
  "verified_at": "2025-11-01T14:32:15Z"
}

curl -X POST https://api.q-otp.me/v1/otp/verify \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "request_id": "req_abc123xyz",
    "code": "123456"
  }'

{
  "success": true,
  "request_id": "req_abc123xyz",
  "status": "delivered", // pending, sent, delivered, failed
  "channel": "sms",
  "attempts": 0,
  "max_attempts": 3,
  "expires_at": "2025-11-01T14:35:00Z"
}

curl -X GET https://api.q-otp.me/v1/otp/status/req_abc123xyz \
  -H "Authorization: Bearer YOUR_API_KEY"

Error Codes

Rate Limits

API requests are limited based on your plan:

• Starter: 100 requests/minute
• Business: 500 requests/minute
• Enterprise: Custom limits

Documentation

Complete guide to integrating Q-OTP

Getting Started

Welcome to Q-OTP! This guide will help you integrate secure OTP authentication into your application in just a few minutes.

1. Create Your Account

Sign up for a Q-OTP account and obtain your API credentials from the dashboard. You'll receive:

• API Key for authentication
• Account ID for tracking
• Webhook secret for event notifications

2. Choose Your Integration Method

REST API (Recommended)

Direct integration using our RESTful API. Works with any programming language that can make HTTP requests.

// Basic flow
1. Send OTP → POST /otp/send
2. User receives code via SMS/WhatsApp/etc
3. Verify code → POST /otp/verify

Official SDKs

We provide official SDKs for popular platforms:

• Node.js: npm install @q-otp/node-sdk
• Python: pip install q-otp
• PHP: composer require q-otp/php-sdk
• Ruby: gem install q_otp
• Go: go get github.com/q-otp/go-sdk

3. Send Your First OTP

Here's a complete example using Node.js:

const QOTP = require('@q-otp/node-sdk');

const client = new QOTP({
  apiKey: 'your_api_key_here'
});

// Send OTP
async function sendOTP(phoneNumber) {
  try {
    const result = await client.otp.send({
      phoneNumber: phoneNumber,
      channel: 'sms',
      codeLength: 6,
      expirySeconds: 300 // 5 minutes
    });
    
    console.log('OTP sent:', result.requestId);
    return result.requestId;
  } catch (error) {
    console.error('Error:', error.message);
  }
}

// Verify OTP
async function verifyOTP(requestId, code) {
  try {
    const result = await client.otp.verify({
      requestId: requestId,
      code: code
    });
    
    if (result.valid) {
      console.log('✓ Code verified!');
      return true;
    } else {
      console.log('✗ Invalid code');
      return false;
    }
  } catch (error) {
    console.error('Error:', error.message);
  }
}

4. Configure Webhooks

Set up webhooks to receive real-time notifications about delivery status, verification attempts, and more.

// Webhook endpoint example (Express.js)
app.post('/webhooks/qotp', (req, res) => {
  const event = req.body;
  
  switch (event.type) {
    case 'otp.delivered':
      console.log('OTP delivered successfully');
      break;
    case 'otp.failed':
      console.log('OTP delivery failed');
      break;
  }
  
  res.sendStatus(200);
});

Best Practices

• Security: Never expose your API key in client-side code
• Rate Limiting: Implement your own rate limiting to prevent abuse
• Expiry Time: Use 5-10 minutes for OTP expiry
• Code Length: 6 digits is the industry standard
• Channel Fallback: Enable automatic fallback to alternative channels
• Retry Logic: Implement exponential backoff for failed requests

Testing

Use our sandbox environment for testing without consuming real credits:

const client = new QOTP({
  apiKey: 'test_api_key',
  environment: 'sandbox'
});

// Test phone numbers that always succeed
const testNumbers = [
  '+15555550100', // Always delivers
  '+15555550101', // Always fails
  '+15555550102'  // Random behavior
];

Need Help?

Our support team is here to help:

• 📧 Email: support@q-otp.me
• 💬 Live Chat: Available 24/7 in the dashboard
• 📚 Knowledge Base: Comprehensive articles and guides
• 🐛 Report Issues: GitHub Issues

About Q-OTP

Building the future of secure authentication

Our Mission

At Q-OTP, we believe that secure authentication should be simple, reliable, and accessible to every business. Founded in 2022, we've grown to serve thousands of companies worldwide, delivering millions of OTP codes every day with industry-leading reliability.

Why We Built Q-OTP

Traditional OTP solutions are complex, expensive, and often unreliable. We experienced these challenges firsthand while building authentication systems for our previous ventures. That frustration led us to create Q-OTP—a service that just works, without the complexity.

Our Values

• Security First: We treat your users' data with the same care we'd want for our own
• Reliability: 99.99% uptime isn't just a promise—it's our commitment
• Transparency: Clear pricing, no hidden fees, and honest communication
• Developer Experience: Building great tools that developers love to use
• Global Reach: Making secure authentication accessible worldwide

The Team

We're a distributed team of engineers, designers, and security experts passionate about making the internet safer. Our founding team has decades of combined experience building authentication systems at companies like Google, Amazon, and Microsoft.

Our Technology

Q-OTP runs on a global infrastructure with:

• Direct connections to 200+ carriers worldwide
• Multi-region deployment across 5 continents
• SOC 2 Type II certified data centers
• End-to-end encryption for all OTP codes
• Real-time monitoring and automatic failover

Milestones

Investors & Partners

We're backed by leading venture capital firms and strategic partners who share our vision for a more secure internet. Our partners include major telecom carriers, cloud providers, and security organizations.

Join Us

We're always looking for talented people to join our mission. Check out our open positions or reach out at careers@q-otp.me.

Careers at Q-OTP

Join us in building the future of authentication

Why Work With Us

At Q-OTP, you'll work on technology that protects millions of users every day. We're a fast-growing company with a mission to make the internet more secure, and we're looking for talented people to help us get there.

What We Offer

• Competitive Compensation: Market-leading salary plus equity in a growing company
• Remote First: Work from anywhere with flexible hours
• Health & Wellness: Comprehensive health insurance, mental health support, and fitness stipends
• Learning Budget: $2,000/year for courses, conferences, and professional development
• Equipment: Latest MacBook Pro or custom PC, plus $500 for home office setup
• Time Off: Unlimited PTO policy plus company-wide closure during holidays
• Team Retreats: Annual all-hands meetings in awesome locations

Open Positions

Engineering

Product & Design

Business

Our Hiring Process

1. Application: Submit your resume and tell us why you're interested
2. Initial Call (30 min): Get to know each other and discuss the role
3. Technical/Skills Assessment: Relevant to your role (take-home or live)
4. Team Interviews (2-3 calls): Meet potential teammates
5. Final Call: Meet a founder and discuss offer details

Total process time: 1-2 weeks. We move fast and provide feedback at every stage.

Don't See Your Role?

We're always looking for talented people. Send us a note at careers@q-otp.me and tell us how you'd like to contribute.

Security

Trust and security are at the core of everything we do

Security Certifications

• SOC 2 Type II: Independently audited for security, availability, and confidentiality
• ISO 27001: Certified information security management system
• GDPR Compliant: Full compliance with EU data protection regulations
• HIPAA Ready: Business Associate Agreements available for healthcare customers

Infrastructure Security

Data Encryption

• At Rest: AES-256 encryption for all stored data
• In Transit: TLS 1.3 for all API communications
• OTP Codes: Never stored in plain text, hashed with bcrypt

Network Security

• DDoS protection via Cloudflare
• Web Application Firewall (WAF) with custom rules
• Network segmentation and isolation
• Regular penetration testing

Access Controls

• Multi-factor authentication for all team members
• Role-based access control (RBAC)
• Audit logs for all administrative actions
• Zero-trust architecture

Application Security

API Security

• Rate limiting to prevent abuse
• API key rotation and expiry
• Webhook signature verification
• Input validation and sanitization

Secure Development

• Security code reviews for all changes
• Automated security scanning in CI/CD pipeline
• Dependency vulnerability monitoring
• Regular security training for engineers

Data Privacy

We take your data privacy seriously:

• We never sell or share customer data
• OTP codes are automatically deleted after expiry
• Phone numbers are hashed for anonymity
• Data retention policies configurable per account
• Right to deletion and data portability

Incident Response

In the unlikely event of a security incident:

1. Detection: 24/7 monitoring and alerting
2. Containment: Immediate action to prevent spread
3. Investigation: Root cause analysis
4. Communication: Transparent updates to affected customers
5. Remediation: Fix vulnerabilities and prevent recurrence

Bug Bounty Program

We welcome security researchers to help us keep Q-OTP secure. Report vulnerabilities to security@q-otp.me and receive recognition (and rewards) for valid findings.

Scope

• api.q-otp.me
• dashboard.q-otp.me
• q-otp.me

Out of Scope

• Social engineering attacks
• Denial of service attacks
• Physical attacks
• Reports from automated tools without validation

Security Contact

For security inquiries or to report a vulnerability:

• 📧 Email: security@q-otp.me
• 🔐 PGP Key: Download public key

We aim to respond to all security reports within 24 hours.

Compliance

Meeting global regulatory requirements

Certifications & Standards

SOC 2 Type II

Q-OTP has successfully completed SOC 2 Type II audit, demonstrating our commitment to security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 report is available to customers under NDA.

Last audit: September 2024 • Auditor: Deloitte & Touche LLP

ISO 27001:2013

Our information security management system (ISMS) is certified to ISO 27001, the international standard for information security.

Certificate number: ISO27001-2024-XXX • Valid until: September 2027

PCI DSS (Coming Soon)

We are currently undergoing PCI DSS Level 1 certification to support payment authentication use cases.

Expected completion: Q2 2025

Regional Compliance

Europe - GDPR

Q-OTP is fully compliant with the General Data Protection Regulation (GDPR):

• Data Processing Agreements (DPA) available for all customers
• EU data residency options
• Right to access, rectification, and deletion
• Data portability
• Breach notification within 72 hours
• Privacy by design and default

EU Representative: Q-OTP Ireland Ltd, Dublin, IE

United States

CCPA/CPRA: California Consumer Privacy Act compliant
HIPAA: Business Associate Agreements available for healthcare customers
TCPA: Telephone Consumer Protection Act compliant for SMS delivery

United Kingdom

UK GDPR: Fully compliant with UK data protection laws
UK Representative: Q-OTP UK Ltd, London, GB

Canada

PIPEDA: Personal Information Protection and Electronic Documents Act compliant

Asia-Pacific

Australia - Privacy Act 1988: Compliant
Singapore - PDPA: Personal Data Protection Act compliant
Japan - APPI: Act on Protection of Personal Information compliant

Industry Standards

Telecommunications

• CTIA: Cellular Telecommunications Industry Association guidelines
• A2P 10DLC: Registered for Application-to-Person messaging in the US
• SHAKEN/STIR: Caller ID authentication protocol support

Financial Services

• PSD2: Payment Services Directive 2 SCA requirements
• FINRA: Financial Industry Regulatory Authority guidelines
• SWIFT CSP: Customer Security Programme aligned

Data Processing

Data Residency

We offer data residency options in multiple regions:

Sub-Processors

We work with carefully vetted sub-processors:

• AWS: Infrastructure hosting (SOC 2, ISO 27001)
• Twilio: SMS fallback delivery (SOC 2, ISO 27001)
• Meta: WhatsApp Business API (ISO 27001)
• Datadog: Monitoring and logging (SOC 2, ISO 27001)

Full sub-processor list available at q-otp.me/subprocessors

Audit & Reporting

Available compliance documentation:

• SOC 2 Type II Report (under NDA)
• ISO 27001 Certificate
• Data Processing Agreement (DPA)
• Business Associate Agreement (BAA)
• Penetration Test Reports (under NDA)
• Security Questionnaires (custom)

Request compliance documentation at compliance@q-otp.me

Continuous Compliance

Our compliance program includes:

• Quarterly internal audits
• Annual third-party security assessments
• Continuous monitoring and logging
• Regular employee training
• Incident response procedures
• Vendor risk management

Help Center

Find answers to common questions

Getting Started

How do I get started with Q-OTP?

Getting started is easy:

1. Sign up for an account at q-otp.me/signup
2. Verify your email address
3. Get your API key from the dashboard
4. Make your first API call (see our API Reference)

Do I need a credit card to sign up?

No! You can start with our free tier which includes 100 OTP sends per month. Add a payment method when you're ready to scale.

Integration

Which programming languages do you support?

Q-OTP works with any language that can make HTTP requests. We provide official SDKs for:

• Node.js / JavaScript
• Python
• PHP
• Ruby
• Go
• Java
• C# / .NET

How long does integration take?

Most developers complete a basic integration in under 30 minutes. A production-ready implementation with error handling, webhooks, and fallbacks typically takes 2-4 hours.

Can I test without sending real SMS?

Yes! Use our sandbox environment with test phone numbers. See our Documentation for test numbers that simulate different scenarios.

Delivery Channels

Which channels are supported?

We support four delivery channels:

• SMS: Traditional text messages (universal support)
• RCS: Rich Communication Services (Android devices)
• WhatsApp: Via WhatsApp Business API
• Telegram: Via Telegram Bot API

How does automatic fallback work?

If your primary channel fails, we automatically retry with your configured fallback channel. For example: WhatsApp → RCS → SMS ensures maximum deliverability.

Can I customize OTP messages?

Yes! You can customize:

• Message template with {code} placeholder
• Sender ID (where supported)
• OTP code length (4-8 digits)
• Expiry time (30 seconds to 30 minutes)

Pricing & Billing

How does pricing work?

Pricing is simple and transparent:

• Starter: Pay-as-you-go, charged per OTP sent
• Business: Volume discounts with tiered pricing
• Enterprise: Custom pricing based on your needs

See our Pricing page for details.

Are there any hidden fees?

No hidden fees. You only pay for OTPs successfully delivered. Failed deliveries are not charged.

Can I get a refund?

We offer a 100% money-back guarantee within the first 30 days if you're not satisfied.

Technical Questions

What's your uptime guarantee?

We guarantee 99.99% uptime for all plans, backed by our SLA. That's less than 53 minutes of downtime per year.

How fast are OTPs delivered?

Median delivery time is under 1 second globally. 95th percentile is under 3 seconds.

What are the rate limits?

• Starter: 100 requests/minute
• Business: 500 requests/minute
• Enterprise: Custom limits

Do you support webhooks?

Yes! Set up webhooks to receive real-time notifications about OTP delivery status, verification attempts, and more.

Security

How are OTP codes secured?

OTP codes are:

• Generated using cryptographically secure random numbers
• Never stored in plain text (hashed with bcrypt)
• Transmitted over TLS 1.3
• Automatically deleted after expiry

Are you GDPR compliant?

Yes! We're fully GDPR compliant. See our Compliance page for details.

Support

How can I get help?

• Email: support@q-otp.me (24/7)
• Live Chat: Available in the dashboard
• Phone: Enterprise customers only
• Documentation: docs.q-otp.me

What's your response time?

• Starter: Within 24 hours
• Business: Within 4 hours
• Enterprise: Within 1 hour (24/7)

Still have questions?

Can't find what you're looking for? Contact our support team and we'll be happy to help!

System Status

Real-time operational status of Q-OTP services

Core Services

Regional Status

Performance Metrics

Recent Incidents

✓ No incidents in the last 90 days

Scheduled Maintenance

No scheduled maintenance at this time. We'll notify customers 72 hours in advance of any planned maintenance.

Historical Uptime

Subscribe to Updates

Get real-time notifications about service status:

• Email: Subscribe at status.q-otp.me/subscribe
• RSS Feed: status.q-otp.me/rss
• Status API: api.q-otp.me/v1/status
• Slack: Add our Slack integration

Note: This is a simulated status page. Real-time status available at status.q-otp.me

Cookie Policy

Last updated: November 1, 2025

What Are Cookies

Cookies are small text files that are stored on your device when you visit our website. They help us provide you with a better experience by remembering your preferences and understanding how you use our service.

How We Use Cookies

We use cookies for the following purposes:

Strictly Necessary Cookies

These cookies are essential for the website to function properly. They enable core functionality such as security, network management, and accessibility.

Analytics Cookies

These cookies help us understand how visitors interact with our website by collecting anonymous information. We use this data to improve our service.

Marketing Cookies

These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad.

Your Cookie Choices

You have several options for managing cookies:

Browser Settings

Most web browsers allow you to control cookies through their settings. You can typically:

• View cookies stored on your device
• Delete cookies
• Block all cookies
• Block third-party cookies
• Receive a warning before cookies are stored

Opt-Out Tools

• Google Analytics: Browser Add-on
• Facebook: Ad Preferences
• Network Advertising: NAI Opt-Out

Do Not Track

We respect Do Not Track (DNT) browser settings. When DNT is enabled, we do not track your browsing activity across third-party websites.

Impact of Blocking Cookies

If you choose to block cookies:

• Some features of our website may not work properly
• You may need to manually adjust preferences each visit
• You may see less relevant advertising
• We won't be able to remember your login status

Third-Party Cookies

We use the following third-party services that may set cookies:

• Google Analytics: Website analytics
• Cloudflare: Content delivery and security
• Intercom: Customer support chat
• Stripe: Payment processing

These third parties have their own privacy policies governing their use of information.

Updates to This Policy

We may update this Cookie Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "last updated" date.

Contact Us

If you have questions about our use of cookies, please contact us:

• Email: privacy@q-otp.me
• Address: Q-OTP Inc., 123 Security Street, San Francisco, CA 94105, USA

GDPR Compliance

How Q-OTP complies with the General Data Protection Regulation

Our Commitment to GDPR

Q-OTP is fully committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area (EEA). This page outlines how we meet GDPR requirements.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

1. Right to Access

You have the right to request access to your personal data. We will provide you with:

• A copy of your personal data
• Information about how we process it
• Details about data recipients
• Data retention periods

How to exercise: Email privacy@q-otp.me with subject "Data Access Request"

Response time: Within 30 days

2. Right to Rectification

You can request correction of inaccurate or incomplete personal data.

How to exercise: Update information in your dashboard or email privacy@q-otp.me

Response time: Within 30 days

3. Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

• It's no longer necessary for the purpose it was collected
• You withdraw consent
• You object to processing
• Data was unlawfully processed

How to exercise: Email privacy@q-otp.me with subject "Data Deletion Request"

Response time: Within 30 days

Note: We may retain some data if required by law or for legitimate business purposes.

4. Right to Restriction of Processing

You can request that we limit how we use your data when:

• You contest the accuracy of the data
• Processing is unlawful but you don't want erasure
• We no longer need the data but you need it for legal claims
• You've objected to processing pending verification

5. Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format and transmit it to another controller.

Supported formats: JSON, CSV, XML

How to exercise: Use the "Export Data" feature in your dashboard or email us

6. Right to Object

You can object to processing based on:

• Legitimate interests
• Direct marketing
• Scientific/historical research

7. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing, including profiling.

Our position: We do not make automated decisions that significantly affect you without human intervention.

How We Process Your Data

Legal Basis for Processing

Data Retention

We retain personal data only as long as necessary:

• OTP codes: Deleted immediately after expiry or verification
• Phone numbers: Hashed, retained for fraud prevention (90 days)
• Account data: Until account deletion + 30 days
• Billing data: 7 years (legal requirement)
• Logs: 30 days (90 days for Business/Enterprise)

International Transfers

We transfer data outside the EEA using approved mechanisms:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions for transfers to approved countries
• Data residency options to keep data within the EU

Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee GDPR compliance:

Contact: dpo@q-otp.me
Mail: DPO, Q-OTP Ireland Ltd, Dublin, IE

Data Processing Agreement (DPA)

If you're a business customer processing personal data through our service, we act as your data processor. We provide:

• Standard DPA incorporating SCCs
• Technical and organizational measures (TOMs)
• Sub-processor list and notification process
• Data breach notification procedures

Request DPA: legal@q-otp.me

Security Measures

We implement appropriate technical and organizational measures:

• Encryption at rest and in transit
• Access controls and authentication
• Regular security audits and penetration testing
• Staff training on data protection
• Incident response procedures
• Business continuity planning

Data Breach Notification

In case of a personal data breach, we will:

1. Notify supervisory authority: Within 72 hours of becoming aware
2. Notify affected individuals: Without undue delay if high risk
3. Document the breach: Facts, effects, and remedial action taken

Children's Privacy

Our service is not directed to children under 16. We do not knowingly collect data from children. If we become aware of such collection, we will delete it immediately.

Supervisory Authority

You have the right to lodge a complaint with your local supervisory authority:

Lead Authority (Ireland):
Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: dataprotection.ie

Updates to GDPR Compliance

We continuously monitor GDPR developments and update our practices accordingly. Check this page regularly for updates.

Contact Us

For any GDPR-related questions or to exercise your rights:

• Email: privacy@q-otp.me
• DPO: dpo@q-otp.me
• Mail: Q-OTP Ireland Ltd, GDPR Compliance, Dublin, IE

Terms & Conditions

Last updated: November 1, 2025

For questions regarding these terms, contact: giugli@q-otp.me

1. Acceptance of Terms

These Terms and Conditions ("Terms", "Agreement") constitute a legally binding agreement between you ("Customer", "Client", "you") and Q-OTP Limited, a company registered in the British Virgin Islands ("Q-OTP", "we", "us", "our"), governing your access to and use of the Q-OTP authentication services, website, and related services (collectively, the "Services").

By creating an account, accessing, or using any part of our Services, you acknowledge that you have read, understood, and agree to be bound by these Terms. If you do not agree to these Terms, you must not access or use our Services.

Business Entity Representation: If you are entering into this Agreement on behalf of a company, organization, or other legal entity, you represent and warrant that you have the authority to bind such entity to these Terms, and references to "you" shall refer to such entity.

2. Service Description

2.1 Core Services

Q-OTP provides cloud-based one-time password (OTP) authentication services, including but not limited to:

• Generation and delivery of one-time password codes via multiple channels (SMS, RCS, WhatsApp Business API, Telegram)
• OTP verification and validation services
• RESTful API access for service integration
• Web-based dashboard for account management and analytics
• Webhook notifications for delivery status and events
• Multi-factor authentication infrastructure

2.2 Service Availability

We strive to maintain 99.99% uptime as outlined in our Service Level Agreement (SLA), available to Business and Enterprise plan customers. We reserve the right to modify, suspend, or discontinue any aspect of the Services at any time, with reasonable notice for material changes.

2.3 Beta Features

We may offer certain features designated as beta, preview, or early access. These features are provided "as is" without warranty and may be discontinued at any time without notice.

3. Account Registration and Security

3.1 Account Creation

To use our Services, you must:

• Be at least 18 years of age or the age of majority in your jurisdiction
• Provide accurate, current, and complete information during registration
• Maintain and promptly update your account information
• Have the legal capacity to enter into binding contracts

3.2 Account Credentials

You are responsible for:

• Maintaining the confidentiality of your API keys, passwords, and other credentials
• All activities that occur under your account, whether authorized or unauthorized
• Immediately notifying us at giugli@q-otp.me of any unauthorized access or security breach
• Implementing appropriate security measures to protect your credentials

3.3 Account Termination

We reserve the right to suspend or terminate your account if:

• You violate these Terms or any applicable laws
• Your account is involved in fraudulent or abusive activity
• Payment obligations are not met within 30 days of the due date
• You provide false or misleading information
• Your use poses a security risk to our Services or other users

4. Acceptable Use Policy

4.1 Permitted Use

You may use our Services only for lawful purposes and in accordance with these Terms. Specifically, you agree to use our Services solely for:

• Legitimate business authentication and verification purposes
• Two-factor authentication (2FA) implementations
• User identity verification in compliance with applicable regulations
• Transaction authorization and confirmation

4.2 Prohibited Activities

You explicitly agree NOT to:

• Spam or Unsolicited Messages: Send unsolicited commercial messages, spam, or messages without proper recipient consent
• Illegal Content: Transmit any content that is illegal, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, or otherwise objectionable
• Fraud: Use our Services for any fraudulent, deceptive, or manipulative purposes
• Phishing: Impersonate any person or entity, or falsely state or misrepresent your affiliation with any entity
• Malicious Code: Introduce viruses, trojans, worms, or other malicious code
• System Interference: Interfere with, disrupt, or create an undue burden on our Services or networks
• Unauthorized Access: Attempt to gain unauthorized access to our systems, networks, or data
• Reverse Engineering: Reverse engineer, decompile, disassemble, or otherwise attempt to derive source code from our Services
• Rate Limit Evasion: Circumvent or attempt to circumvent any rate limits or access restrictions
• Reselling: Resell or redistribute our Services without explicit written authorization
• Competitive Intelligence: Use our Services to build competitive products or services
• TCPA Violations: Violate the Telephone Consumer Protection Act (TCPA) or equivalent telecommunications regulations

4.3 Compliance with Laws

You must comply with all applicable local, state, national, and international laws and regulations, including but not limited to:

• Data protection and privacy laws (GDPR, CCPA, etc.)
• Telecommunications regulations (TCPA, CTIA guidelines, etc.)
• Anti-spam legislation (CAN-SPAM, etc.)
• Export control laws
• Anti-money laundering (AML) and Know Your Customer (KYC) regulations

4.4 Consent Requirements

You represent and warrant that you have obtained all necessary consents, permissions, and authorizations from end users to send OTP messages to their phone numbers or messaging accounts. You are solely responsible for maintaining documentation of such consents.

5. Pricing and Payment Terms

5.1 Service Plans

We offer multiple service plans as described on our Pricing page. Plan features, limits, and pricing are subject to change with 30 days' notice for existing customers.

5.2 Fees and Charges

• Subscription Fees: Monthly or annual subscription fees based on your selected plan
• Usage-Based Fees: Charges based on the number of OTP messages successfully delivered
• Overage Fees: Additional charges if you exceed plan limits
• Channel-Specific Pricing: Different rates may apply for SMS, WhatsApp, RCS, and Telegram delivery

5.3 Payment Terms

Payment is due according to the billing cycle selected during account setup:

• Prepaid Plans: Payment due before service activation
• Postpaid Plans: Payment due within 15 days of invoice date
• Payment Methods: We accept major credit cards, wire transfers, and ACH (for US customers)
• Currency: All fees are quoted and payable in United States Dollars (USD) unless otherwise agreed in writing

5.4 Late Payments

Late payments are subject to:

• Service suspension after 15 days past due
• Interest charges of 1.5% per month (18% per annum) or the maximum rate permitted by law, whichever is less
• Account termination after 30 days past due
• Recovery of collection costs and legal fees

5.5 Refund Policy

Refunds are provided under the following conditions:

• New Customers: 30-day money-back guarantee from initial signup
• Service Outages: Pro-rated credits for verified service outages exceeding SLA commitments
• Billing Errors: Corrections within 60 days of incorrect charge
• No Refunds: Usage-based fees for successfully delivered messages are non-refundable

5.6 Taxes

Fees are exclusive of all applicable taxes, duties, and similar assessments. You are responsible for all taxes except those based on our net income. If we are required to collect or pay taxes, such amounts will be invoiced to and paid by you.

6. Intellectual Property Rights

6.1 Our Intellectual Property

The Services, including all software, technology, content, trademarks, service marks, trade names, logos, and other proprietary designations ("Q-OTP IP"), are owned by or licensed to Q-OTP and are protected by copyright, trademark, patent, trade secret, and other intellectual property laws.

6.2 Limited License

Subject to these Terms, we grant you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to:

• Access and use the Services for your internal business purposes
• Use our API and SDKs solely in connection with the Services
• Use our documentation for integration purposes

6.3 Restrictions

You may not:

• Copy, modify, or create derivative works of our Services or Q-OTP IP
• Rent, lease, lend, sell, sublicense, assign, distribute, publish, or transfer the Services
• Remove, alter, or obscure any proprietary notices on the Services
• Use our trademarks without prior written permission

6.4 Your Content

You retain all rights to content you submit through our Services ("Customer Content"). You grant us a worldwide, non-exclusive, royalty-free license to use, process, and transmit Customer Content solely to provide the Services to you.

6.5 Feedback

Any feedback, suggestions, or ideas you provide regarding our Services ("Feedback") will be owned by Q-OTP. You hereby assign all rights, title, and interest in such Feedback to us.

7. Data Protection and Privacy

7.1 Data Processing

We process personal data in accordance with our Privacy Policy and applicable data protection laws. For customers processing personal data of EU/EEA residents, we act as a data processor and provide Data Processing Agreements (DPA) upon request.

7.2 Data Security

We implement industry-standard security measures including:

• Encryption of data at rest (AES-256) and in transit (TLS 1.3+)
• Regular security audits and penetration testing
• Access controls and authentication mechanisms
• SOC 2 Type II and ISO 27001 certified infrastructure

7.3 Data Retention

We retain data according to the following schedule:

• OTP Codes: Immediately deleted upon expiry or verification
• Phone Numbers: Hashed and retained for 90 days for fraud prevention
• Logs: 30-90 days depending on subscription plan
• Account Data: Duration of account plus 30 days
• Billing Records: 7 years for tax and accounting purposes

7.4 Data Breach Notification

In the event of a data breach affecting personal data, we will notify affected customers at giugli@q-otp.me within 72 hours of discovery, in accordance with applicable laws.

8. Service Level Agreement (SLA)

8.1 Uptime Commitment

For Business and Enterprise customers, we commit to:

• 99.99% Uptime: Measured monthly, excluding scheduled maintenance
• Scheduled Maintenance: Maximum 4 hours per month with 72-hour notice
• Emergency Maintenance: As needed with immediate notification

8.2 SLA Credits

If we fail to meet the uptime commitment:

8.3 SLA Exclusions

The SLA does not apply to outages caused by:

• Your applications, equipment, or network connectivity
• Third-party carrier issues beyond our control
• Force majeure events (see Section 14)
• Your violation of these Terms
• Beta or preview features

8.4 Claiming SLA Credits

To claim SLA credits, you must submit a request to giugli@q-otp.me within 30 days of the incident, including evidence of the outage. Credits will be applied to future invoices and cannot be redeemed for cash.

9. Warranties and Disclaimers

9.1 Limited Warranty

We warrant that the Services will perform substantially in accordance with our documentation under normal use. Our sole obligation under this warranty is to use commercially reasonable efforts to correct reported non-conformities or provide a workaround.

9.2 Disclaimer of Warranties

EXCEPT AS EXPRESSLY PROVIDED IN SECTION 9.1, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO:

• IMPLIED WARRANTIES OF MERCHANTABILITY
• FITNESS FOR A PARTICULAR PURPOSE
• NON-INFRINGEMENT
• TITLE
• ACCURACY OR COMPLETENESS OF DATA
• UNINTERRUPTED OR ERROR-FREE OPERATION

9.3 Third-Party Services

We rely on third-party telecommunications carriers and messaging platforms (SMS, WhatsApp, RCS, Telegram). We do not warrant the availability, reliability, or performance of these third-party services and disclaim all liability for their failures or limitations.

9.4 No Guarantee of Delivery

While we strive for high delivery rates, we do not guarantee that all OTP messages will be delivered due to factors beyond our control, including but not limited to: carrier restrictions, device availability, network congestion, spam filtering, and regulatory compliance requirements.

10. Limitation of Liability

10.1 Cap on Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, OUR TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICES SHALL NOT EXCEED THE GREATER OF:

• THE AMOUNTS PAID BY YOU TO Q-OTP IN THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY, OR
• FIVE HUNDRED UNITED STATES DOLLARS (USD $500)

10.2 Exclusion of Damages

IN NO EVENT SHALL Q-OTP BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO:

• Loss of profits, revenue, or business opportunities
• Loss of data or information
• Cost of substitute goods or services
• Business interruption
• Loss of goodwill or reputation
• Personal injury or property damage

EVEN IF Q-OTP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

10.3 Exceptions

The limitations in this Section 10 do not apply to:

• Your breach of Section 4 (Acceptable Use Policy)
• Your breach of Section 6 (Intellectual Property Rights)
• Your indemnification obligations under Section 11
• Gross negligence or willful misconduct by Q-OTP
• Death or personal injury caused by our negligence
• Any liability that cannot be excluded or limited under applicable law

10.4 Basis of the Bargain

You acknowledge and agree that the limitations and exclusions of liability set forth in this Section 10 reflect a reasonable allocation of risk between the parties and form an essential basis of the bargain between us. The Services would not be provided without these limitations.

11. Indemnification

11.1 Your Indemnification Obligations

You agree to indemnify, defend (at our option), and hold harmless Q-OTP, its affiliates, and their respective officers, directors, employees, agents, and representatives from and against any and all claims, damages, obligations, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to:

• Your use or misuse of the Services
• Your violation of these Terms
• Your violation of any applicable laws or regulations
• Your violation of any third-party rights, including intellectual property rights or privacy rights
• Customer Content submitted through the Services
• Claims that your use of the Services infringes third-party rights
• Your failure to obtain required consents from end users

11.2 Indemnification Process

We will:

• Promptly notify you in writing of any claim subject to indemnification
• Cooperate with you in the defense of such claim
• Allow you to control the defense and settlement, provided that you may not settle any claim without our prior written consent if such settlement imposes obligations on us or admits liability on our behalf

11.3 Our Indemnification Obligations

We will indemnify and hold you harmless against any third-party claim that the Services, when used in accordance with these Terms, infringe any copyright, trademark, or patent registered in the United States, European Union, or United Kingdom, provided that:

• You promptly notify us in writing of such claim
• We have sole control of the defense and settlement
• You provide reasonable cooperation in the defense

This indemnification does not apply if the claim arises from:

• Your modification of the Services
• Your combination of the Services with third-party products or services
• Your use of the Services after we notify you to discontinue use due to infringement
• Your use of a non-current version of the Services

12. Confidentiality

12.1 Definition

"Confidential Information" means all non-public information disclosed by one party ("Disclosing Party") to the other party ("Receiving Party"), whether orally or in writing, that is designated as confidential or that reasonably should be considered confidential given the nature of the information and circumstances of disclosure.

12.2 Obligations

The Receiving Party agrees to:

• Maintain the confidentiality of Confidential Information using at least the same degree of care it uses for its own confidential information, but no less than reasonable care
• Not disclose Confidential Information to third parties except to employees, contractors, and advisors who need to know and who are bound by confidentiality obligations
• Use Confidential Information solely to exercise rights or perform obligations under these Terms

12.3 Exceptions

Confidential Information does not include information that:

• Is or becomes publicly available through no breach of these Terms
• Was rightfully known to the Receiving Party before disclosure
• Is rightfully received from a third party without breach of confidentiality obligations
• Is independently developed without reference to Confidential Information

12.4 Compelled Disclosure

If the Receiving Party is compelled by law to disclose Confidential Information, it shall provide prompt notice to the Disclosing Party (unless prohibited by law) and reasonable assistance in obtaining protective orders or limiting disclosure.

13. Term and Termination

13.1 Term

These Terms commence when you create an account and continue until terminated by either party in accordance with this Section 13.

13.2 Termination for Convenience

• By You: You may terminate these Terms at any time by canceling your account through the dashboard or by providing written notice to giugli@q-otp.me
• By Us: We may terminate these Terms with 30 days' written notice to your registered email address

13.3 Termination for Cause

Either party may terminate these Terms immediately upon written notice if:

• The other party materially breaches these Terms and fails to cure within 15 days of written notice
• The other party becomes insolvent, files for bankruptcy, or makes an assignment for the benefit of creditors

13.4 Suspension

We may immediately suspend your access to the Services without notice if:

• We believe your account poses a security risk
• You are in breach of Section 4 (Acceptable Use Policy)
• Your payment is more than 15 days overdue
• We are required to do so by law or court order

13.5 Effects of Termination

Upon termination:

• All rights and licenses granted to you will immediately cease
• You must immediately cease all use of the Services
• You remain obligated to pay all outstanding fees
• No refunds will be provided for prepaid fees, except as required by law
• We will delete your account data within 30 days, except data we are required to retain by law

13.6 Survival

The following sections will survive termination: 5 (Pricing and Payment), 6 (Intellectual Property), 7.3 (Data Retention), 9.2 (Disclaimers), 10 (Limitation of Liability), 11 (Indemnification), 12 (Confidentiality), 15 (Dispute Resolution), and 16 (General Provisions).

14. Force Majeure

Neither party shall be liable for any failure or delay in performance under these Terms (except for payment obligations) to the extent such failure or delay is caused by circumstances beyond its reasonable control, including but not limited to:

• Acts of God, natural disasters, epidemics, pandemics
• War, terrorism, riots, civil unrest
• Government actions, embargoes, sanctions
• Strikes, labor disputes
• Internet or telecommunications infrastructure failures
• Third-party carrier or platform outages
• Cyberattacks beyond our security measures

The affected party shall promptly notify the other party and use commercially reasonable efforts to resume performance. If the force majeure event continues for more than 30 days, either party may terminate these Terms upon written notice.

15. Dispute Resolution and Governing Law

15.1 Governing Law

These Terms shall be governed by and construed in accordance with the laws of the British Virgin Islands, without regard to its conflict of law provisions.

15.2 Jurisdiction and Venue

Any dispute, controversy, or claim arising out of or relating to these Terms, or the breach, termination, or invalidity thereof, shall be exclusively subject to the jurisdiction of the courts of the British Virgin Islands.

You hereby irrevocably consent to the personal jurisdiction and venue of such courts and waive any objection to such jurisdiction or venue on the grounds of inconvenient forum or otherwise.

15.3 Informal Dispute Resolution

Before initiating any formal legal proceedings, the parties agree to first attempt to resolve any dispute informally by contacting giugli@q-otp.me and providing a detailed description of the dispute and the desired resolution. We will attempt to resolve the dispute informally within 60 days.

15.4 Arbitration (Optional)

If informal resolution fails, the parties may mutually agree to submit the dispute to binding arbitration in accordance with the BVI IAC Arbitration Rules. The arbitration shall be conducted in English, with one arbitrator mutually agreed upon by the parties. The arbitrator's decision shall be final and binding.

15.5 Exceptions

Either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of intellectual property rights or confidentiality obligations.

15.6 Class Action Waiver

YOU AND Q-OTP AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING.

16. General Provisions

16.1 Entire Agreement

These Terms, together with our Privacy Policy, DPA (if applicable), and any Order Forms or SOWs executed by the parties, constitute the entire agreement between you and Q-OTP regarding the Services and supersede all prior or contemporaneous understandings and agreements, whether written or oral.

16.2 Amendments

We may modify these Terms at any time by posting the revised Terms on our website and sending notice to your registered email address. Material changes will be effective 30 days after posting, except for changes required by law which may be effective immediately. Your continued use of the Services after the effective date constitutes acceptance of the modified Terms.

16.3 Waiver

No waiver of any provision of these Terms shall be deemed or constitute a waiver of any other provision, nor shall any waiver constitute a continuing waiver unless otherwise expressly provided in writing.

16.4 Severability

If any provision of these Terms is held to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if that is not possible, severed from these Terms. The remaining provisions shall continue in full force and effect.

16.5 Assignment

You may not assign or transfer these Terms or any rights or obligations hereunder without our prior written consent. We may assign these Terms in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets, upon notice to you. Any attempted assignment in violation of this section is void.

16.6 No Third-Party Beneficiaries

These Terms do not and are not intended to confer any rights or remedies upon any person or entity other than the parties hereto and their permitted successors and assigns.

16.7 Independent Contractors

The parties are independent contractors. These Terms do not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties.

16.8 Notices

All notices under these Terms shall be in writing and shall be deemed given when:

• Delivered personally
• Sent by confirmed email to giugli@q-otp.me (for notices to Q-OTP) or to your registered email address (for notices to you)
• Received by registered or certified mail, return receipt requested
• Delivered by a recognized international courier service

Our Notice Address:
Q-OTP Limited
Attn: Legal Department
Email: giugli@q-otp.me
British Virgin Islands

16.9 Export Compliance

The Services and related technology may be subject to export laws and regulations of the United States, European Union, and other jurisdictions. You represent that you are not located in, under the control of, or a national or resident of any country to which such exports are prohibited. You agree to comply with all applicable export control laws.

16.10 Government End Users

If you are a U.S. government entity or using the Services on behalf of a U.S. government entity, the Services are "Commercial Items" as defined at 48 C.F.R. §2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation."

16.11 Interpretation

The headings and captions used in these Terms are for convenience only and shall not affect the interpretation of these Terms. The words "include" and "including" shall be deemed to be followed by "without limitation." The word "or" is not exclusive.

16.12 Language

These Terms are drafted in English. Any translation is provided for convenience only. In the event of any conflict between the English version and any translation, the English version shall prevail.

16.13 Counterparts

These Terms may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall have the same force and effect as original signatures.

17. Contact Information

For questions, concerns, or notices regarding these Terms or the Services, please contact us:

Q-OTP Limited
Email: giugli@q-otp.me
Legal Department
British Virgin Islands

Specific Inquiries:

• General Terms Questions: giugli@q-otp.me
• Technical Support: giugli@q-otp.me
• Billing Issues: giugli@q-otp.me
• Data Protection/Privacy: giugli@q-otp.me
• Security Concerns: giugli@q-otp.me
• Legal/Compliance: giugli@q-otp.me

By using Q-OTP services, you acknowledge that you have read, understood, and agree to be bound by these Terms and Conditions.
Last Updated: November 1, 2025

Privacy Policy

Last updated: November 1, 2025

For privacy inquiries, contact: giugli@q-otp.me

1. Introduction

Q-OTP Limited, a company registered in the British Virgin Islands ("Q-OTP", "we", "us", "our"), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, process, disclose, and safeguard information when you use our OTP authentication services, website, and related services (collectively, the "Services").

This Privacy Policy applies to all users of our Services, including website visitors, account holders, and end users who receive OTP codes. By using our Services, you consent to the data practices described in this policy.

Data Controller: Q-OTP Limited acts as the data controller for personal data collected through our Services, except where we process data on behalf of our customers as a data processor (see Section 11).

2. Information We Collect

2.1 Information You Provide Directly

Account Information

When you create an account, we collect:

• Contact Details: Full name, email address, phone number
• Company Information: Company name, business address, tax identification number (if applicable)
• Account Credentials: Username, password (encrypted), security questions
• Profile Information: Job title, department, preferences

Authentication Data

In the course of providing our Services, we process:

• End User Phone Numbers: Phone numbers to which OTP codes are delivered
• OTP Codes: One-time passwords generated and transmitted (immediately deleted after use or expiry)
• Verification Events: Timestamps, success/failure status, attempt counts
• Channel Preferences: Selected delivery channels (SMS, WhatsApp, RCS, Telegram)

Billing Information

For paid services, we collect:

• Payment Details: Credit card information (processed and stored by our PCI-compliant payment processor Stripe; we store only tokenized references)
• Billing Address: Name, company, address, country, VAT/tax ID
• Transaction History: Invoice records, payment confirmations

Communications

When you contact us, we collect:

• Support Requests: Questions, feedback, complaints, attachments
• Communication Metadata: Date, time, subject, communication channel
• Survey Responses: Feedback on service quality and features

2.2 Information Collected Automatically

Usage Data

We automatically collect information about your use of our Services:

• API Usage: Endpoints accessed, request/response data, frequency, volume
• Dashboard Activity: Features used, pages visited, actions performed
• Performance Metrics: Delivery rates, latency, error rates
• Session Information: Login times, duration, logout events

Technical Data

We collect technical information from devices accessing our Services:

• Device Information: Device type, operating system, browser type and version
• Network Information: IP address, ISP, connection type
• Location Data: Approximate geographic location based on IP address
• Identifiers: User agent strings, device IDs, cookie identifiers

Cookies and Similar Technologies

We use cookies and similar tracking technologies to collect information about your browsing behavior. For detailed information, see our Cookie Policy.

2.3 Information from Third Parties

We may receive information from third parties:

• Authentication Providers: If you use OAuth or SSO to sign in
• Payment Processors: Payment confirmation and fraud detection data
• Carrier Partners: Delivery status reports, spam complaints
• Analytics Services: Aggregated usage statistics
• Public Sources: Publicly available business information

3. How We Use Your Information

3.1 Service Delivery

• Authenticate users and maintain account access
• Generate, deliver, and verify OTP codes
• Process API requests and webhook notifications
• Provide customer dashboard and analytics
• Ensure service availability and reliability

3.2 Service Improvement

• Monitor and analyze usage patterns and trends
• Optimize delivery routes and carrier selection
• Develop new features and capabilities
• Conduct research and development
• Test and troubleshoot new products

3.3 Communication

• Send service-related notifications (outages, maintenance, security alerts)
• Provide customer support and respond to inquiries
• Send account and billing information
• Deliver product updates and feature announcements (with consent)
• Send marketing communications (with opt-in consent)

3.4 Security and Fraud Prevention

• Detect and prevent fraud, abuse, and security threats
• Monitor for unusual activity or policy violations
• Verify user identity and authenticate access
• Investigate security incidents
• Comply with legal obligations and enforce our terms

3.5 Legal Compliance

• Comply with applicable laws and regulations
• Respond to legal requests and prevent illegal activity
• Enforce our Terms and Conditions
• Protect our rights, property, and safety
• Maintain records for tax and accounting purposes

3.6 Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

4. How We Share Your Information

4.1 We Do Not Sell Your Data

Q-OTP does not sell, rent, or trade personal information to third parties for their marketing purposes.

4.2 Service Providers and Partners

We share information with trusted third-party service providers who assist in delivering our Services:

All service providers are bound by confidentiality agreements and required to comply with applicable data protection laws.

4.3 Business Transfers

If Q-OTP is involved in a merger, acquisition, asset sale, bankruptcy, or reorganization, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website before your information becomes subject to a different privacy policy.

4.4 Legal Requirements

We may disclose information if required to do so by law or in response to:

• Valid legal process (subpoena, court order, search warrant)
• Government or regulatory requests
• Law enforcement investigations
• Protection of our rights, property, or safety
• Emergencies involving danger of death or serious physical injury

4.5 With Your Consent

We may share information with third parties when you explicitly consent to such sharing, such as when integrating with third-party applications or services.

5. Data Security

5.1 Security Measures

We implement comprehensive security measures to protect your information:

Encryption

• At Rest: AES-256 encryption for all stored data
• In Transit: TLS 1.3 encryption for all network communications
• Database Encryption: Encrypted databases with key rotation
• Backup Encryption: All backups are encrypted

Access Controls

• Authentication: Multi-factor authentication for all staff
• Authorization: Role-based access control (RBAC)
• Principle of Least Privilege: Minimal access rights
• Regular Reviews: Quarterly access audits

Network Security

• Firewalls: Network segmentation and firewalls
• DDoS Protection: Enterprise-grade DDoS mitigation
• Intrusion Detection: Real-time monitoring and alerting
• Vulnerability Scanning: Automated security scans

Operational Security

• Background Checks: All employees undergo security screening
• Security Training: Annual security awareness training
• Incident Response: 24/7 security operations center
• Penetration Testing: Annual third-party security audits

5.2 Certifications and Compliance

• SOC 2 Type II: Independently audited for security controls
• ISO 27001: Information security management certification
• GDPR Compliant: EU data protection compliance
• PCI DSS: Payment card industry standards (in progress)

5.3 OTP-Specific Security

• OTP codes are generated using cryptographically secure random number generators
• Codes are hashed using bcrypt before storage
• Codes are automatically deleted immediately after verification or expiry
• Rate limiting prevents brute-force attacks
• Maximum attempt limits prevent code guessing

6. Data Retention

6.1 Retention Periods

6.2 Retention Criteria

We determine retention periods based on:

• The nature and sensitivity of the information
• Legal and regulatory requirements
• Potential security and fraud risks
• Business and operational needs
• Your preferences and requests

6.3 Deletion Process

Upon expiry of retention periods, data is:

• Securely deleted using industry-standard methods
• Overwritten to prevent recovery
• Removed from all backup systems within 90 days
• Certified deleted upon customer request

7. International Data Transfers

7.1 Global Operations

Q-OTP operates globally and may transfer personal data across borders to:

• British Virgin Islands (company headquarters)
• United States (infrastructure and service providers)
• European Union (EU data residency option)
• Asia-Pacific (regional infrastructure)

7.2 Transfer Mechanisms

For transfers from the EU/EEA to countries without adequacy decisions, we use:

• Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements
• Binding Corporate Rules: Internal data protection policies (in development)
• Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission

7.3 Data Residency Options

Enterprise customers can choose data residency in:

• EU: Data stored exclusively in EU data centers (Ireland, Germany)
• US: Data stored exclusively in US data centers
• APAC: Data stored exclusively in Asia-Pacific data centers

8. Your Privacy Rights

8.1 General Rights

You have the following rights regarding your personal data:

Right to Access

Request a copy of your personal data and information about how it's processed.

How to exercise: Email giugli@q-otp.me with subject "Data Access Request"

Right to Rectification

Correct inaccurate or incomplete personal data.

How to exercise: Update via dashboard or email giugli@q-otp.me

Right to Erasure

Request deletion of your personal data (subject to legal retention requirements).

How to exercise: Email giugli@q-otp.me with subject "Data Deletion Request"

Right to Restriction

Limit how we use your data under certain circumstances.

How to exercise: Email giugli@q-otp.me

Right to Data Portability

Receive your data in a machine-readable format.

How to exercise: Use dashboard "Export Data" feature or email us

Right to Object

Object to processing based on legitimate interests or for direct marketing.

How to exercise: Email giugli@q-otp.me or click "Unsubscribe" in emails

8.2 Region-Specific Rights

EU/EEA Residents (GDPR)

• Right not to be subject to automated decision-making
• Right to withdraw consent
• Right to lodge a complaint with supervisory authority

Supervisory Authority: Data Protection Commission (Ireland)
Website: dataprotection.ie

California Residents (CCPA/CPRA)

• Right to know what personal information is collected
• Right to know if personal information is sold or shared
• Right to opt-out of sale/sharing of personal information
• Right to limit use of sensitive personal information
• Right to non-discrimination for exercising rights

Do Not Sell My Personal Information: We do not sell personal information. To exercise your rights, email giugli@q-otp.me

UK Residents (UK GDPR)

Same rights as EU/EEA residents under UK GDPR.

Supervisory Authority: Information Commissioner's Office (ICO)
Website: ico.org.uk

8.3 Verification and Response

To protect your privacy:

• We may request additional information to verify your identity
• We will respond to verified requests within 30 days (GDPR/UK GDPR) or 45 days (CCPA)
• Extensions may be necessary for complex requests (we will notify you)
• There is no fee for exercising your rights (unless requests are excessive)

9. Marketing and Communications

9.1 Marketing Preferences

We send marketing communications only with your consent:

• Opt-In: Explicit consent required before sending marketing emails
• Opt-Out: Unsubscribe link in every marketing email
• Preferences: Manage communication preferences in dashboard
• Respecting Choices: We honor opt-out requests within 48 hours

9.2 Transactional Communications

We may send service-related communications without opt-in:

• Account notifications (password resets, security alerts)
• Billing and payment confirmations
• Service outages and maintenance notices
• Terms and policy updates

10. Children's Privacy

Our Services are not directed to children under 16 (or applicable age of majority). We do not knowingly collect personal information from children. If we become aware of such collection, we will delete it immediately. If you believe we have collected information from a child, contact giugli@q-otp.me.

11. Data Processing for Customers

11.1 Customer as Controller

When you use our Services to send OTP codes to your end users, you are the data controller and we act as your data processor. You are responsible for:

• Obtaining necessary consents from end users
• Providing privacy notices to end users
• Complying with applicable data protection laws
• Responding to end user data subject requests

11.2 Data Processing Agreement (DPA)

For customers processing personal data under GDPR, we provide a Data Processing Agreement including:

• Standard Contractual Clauses (SCCs)
• Technical and organizational measures (TOMs)
• Sub-processor list and notification process
• Data breach notification procedures
• Assistance with data subject requests

Request DPA: Email giugli@q-otp.me

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

• Changes to our Services or business practices
• Legal or regulatory requirements
• Improvements to our privacy practices

When we make material changes:

• We will update the "Last Updated" date
• We will notify you via email (registered address)
• We will post a notice on our website
• Changes will be effective 30 days after notification (unless sooner required by law)

Your continued use of our Services after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Q-OTP Limited
Privacy Team
Email: giugli@q-otp.me
British Virgin Islands

Data Protection Officer (DPO):
Email: giugli@q-otp.me (Subject: "Attn: DPO")

EU Representative:
Q-OTP Ireland Ltd
Dublin, Ireland
Email: giugli@q-otp.me

Specific Inquiries:

• Data Subject Requests: giugli@q-otp.me (Subject: "Privacy Rights Request")
• Data Breaches: giugli@q-otp.me (Subject: "Security Incident")
• DPA Requests: giugli@q-otp.me (Subject: "DPA Request")
• Marketing Opt-Out: giugli@q-otp.me (Subject: "Unsubscribe")

We are committed to protecting your privacy and handling your data responsibly.
Last Updated: November 1, 2025