PRIVACY NOTICE
Version: July 2025
GENERAL
This website is operated by NEXTID SOFTWARE SOLUTIONS – FZCO (“we” or “us”) that provides a cloud-based communications solution <(“Service”). We recognize the importance of your privacy and are committed to protecting your personal data.
This privacy notice (“Notice”) explains the principles on how we collect, use, store and disclose personal data when you visit or otherwise interact with the website otp.dev („Website“), contact us through the Website or other communication channels, you or the legal entity you work for or represent wants to conclude or has concluded a contract with us, including register an account, subscribe to our newsletter, or take any other actions on our Website, which entail us receiving and processing your personal data.
We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and the national data protection legislation, as applicable towards the controller stated in Section 2 of this Notice.
Please note that this Notice does not apply regarding the data which we process for to the provision of the Service to the client. As we act as a data processor, the processing of such data is governed by the data processing agreement concluded with our client, a data controller. The data controller is responsible for such data processing operations and is obliged to provide you information about such data processing.
In case you disclose any personal data regarding any third person(s) (e.g., your employee, management board member, co-worker, etc.) to us, you are obligated to refer them to this Notice.
CONTROLLER
For the personal data processing purposes brought out in Section 4 of this Notice, the controller of your personal data is:
NEXTID SOFTWARE SOLUTIONS – FZCO
Registry code: 12829749
Address: Pärnu mnt 139e/2, Tallinn 11317, Estonia
E-mail: help@otp.dev
In case of personal data protection related inquiries, please contact us by writing to: help@otp.dev.
CATEGORIES AND SOURCES OF PERSONAL DATA
- Main data: first name, last name, e-mail address, phone number, authentication and profile data received from third parties (e.g., Google LLC) according to your instructions and choices if you register or log in using such third parties (“Main Data”).
- Source: Personal Data you directly provide to us, is provided to us by the legal entity you work for or represent or is provided to us by third parties according to your instructions and choices.
- For concluding and managing contractual relationships with you or the legal entity you work for or represent, we may process the following Personal Data: Main Data, billing information, industry you work at, legal entity’s name you work for or represent, registry code and your job title (“Contract Data”).
- Source: Personal Data you directly provide to us, is provided to us by the legal entity you work for or represent or is provided by payment service provider.
- If you interact with us via the Website, live chat, social media platforms or e-mails, we may process the following Personal Data: Main Data, Contract Data, your username of the platform through which you interact with us, date and time of the message, contents of your message. („Communication Data“).
- Source: Personal Data you directly or a third party provides to us.
- Marketing data: Main Data, position. Additionally, we may supplement the Personal Data that you have provided to us directly with information that has been obtained from publicly available resources (i.e. LinkedIn, e-mail search, country specific commercial registrars) (“Marketing Data”).
- Source: Information you directly provide to us and the information we have obtained from publicly available resources.
- When you use the Service, we may process the following data, which may include your Personal Data: user ID, user role, action made in product, attributes to that action, error logs (“Usage Data”).
- Source: While you are using the Service, the product infrastructure itself generates or automatically collects the Usage Data.
- Upon visiting the Website, our server may process the following data: IP address, access-provider, general location, referring and exit URL, date, time, language settings used, access tokens, session key, browser type and version, operating system, your navigation on the Website, amount and state of transferred data (“Technical Data”).
- Source: While you are browsing through the Website, the Website itself generates or collects the Technical Data from your device automatically.
- Cookie data. We implement cookies on the Website, for optimising the Website and its functionalities. The cookies may collect your Personal Data. For further information on the purposes and functions of the cookies, please see our cookie notice.
If you do not provide the required information, we may not be able to contact you, provide our Services or fulfil any other purposes provided in Section 4 of this Notice.
LEGAL BASES AND PURPOSES OF PROCESSING PERSONAL DATA
Our legal basis to process your Personal Data depends on the objective and context in which we collect the Personal Data. The following depicts a descriptive list of processing purposes that are linked to the specific data categories and legal basis for processing:
| Processing purpose | Legal basis | Personal Data used for the processing purpose |
|---|---|---|
| Handling pre-contractual negotiations and communications and concluding the contract, including providing a free trial or a demo, conducting authentication | If you as a natural person wish to become our client: taking and implementing the pre-contractual measures of the potential contract to be concluded between you and us If the legal entity you work for or represent wishes to become our client: our legitimate interest in taking and implementing pre-contractual measures of the potential contract to be concluded between the legal entity and us |
Main Data, Contract Data, Communication Data |
| Performing the contract and managing contractual relationship, including receiving fees and payments, providing customer support | If you as a natural person are already our client: performing the contract concluded between us If the legal entity you work for or represent is already our client: our legitimate interest in performing the contract concluded between the legal entity and us |
Main Data, Contract Data, Communication Data |
| Sending you information about our Service’s updates via e-mail | Our legitimate interest in informing our clients about the Service’s updates | Main Data |
| Responding to your enquiries and requests submitted via the Website, live chat, social media platforms or e-mail, including submissions regarding receiving a demo | If you are interested in our Service: legitimate interest in ensuring effective relationship management with potential clients and other interested parties If you as a natural person wish to become or are already our client: taking and implementing the pre-contractual measures of the potential contract to be concluded between you and us or performing the contract concluded between us If the legal entity you work for or represent wishes to become or is already our client: our legitimate interest in taking and implementing pre-contractual measures of the potential contract to be concluded between the legal entity and us or performing the contract concluded between the legal entity and us |
Main Data, Contract Data, Communication Data |
| Analysing your use of our Service | Our legitimate interest in improving, upgrading, and enhancing our Service | Usage Data |
| Gathering information about you from publicly available resources and registrars for creating client segments and for the purposes of customising the information we provide to you about our business | Our legitimate interest in promoting our business activities and ensuring effective relations management with potential clients and other interested parties | Marketing Data |
| Sending newsletters and other marketing information regarding our services via email | Consent given upon subscribing to our newsletter | Marketing Data |
| Administering newsletter subscription list | Our legitimate interest in ensuring valid legal basis for sending newsletters and recording given and withdrawn consents (subscriptions) | Marketing Data |
| Making available the basic functions of the Website, including the Service and administering it, including gathering information about visitor’s navigation | Our legitimate interest in providing the Website and the Service and understanding use patterns to be able to improve the Website and enhance the user experience | Technical Data |
| Diagnosing and repairing problems with the Website and the Service | Our legitimate interest in providing data security and preventing fraudulent actions related to the Website and the Service; ensuring the functioning of the Website and the Service | |
| Storing information containing Personal Data in our backup systems | Our legitimate interest in ensuring the continuity and security of data processing operations | All data categories named in Section 3.1 |
| Complying with legal or regulatory obligations or requests | Performance of our legal obligations | |
| Disclosing data to public sector authorities, supervisory and law enforcement authorities | Performance of our legal obligations | |
| Disclosing data to our service providers, co-operation partners, professional advisors, group entities | Our legitimate interest in utilising the IT infrastructure and ensuring our proper economic activity | |
| Arranging the sale or merger of our company and providing information for conducting the legal or other audit and the data exchange thereof; disclosing data to legal successors and/or potential acquirers of the company | Our legitimate interest in facilitating proper due diligence process and business continuity by ensuring a successful merger, acquisition or restructuring of the company | |
| Disclosing data to our legal service providers and establishing, exercising, or defending legal claims, whether in court proceedings or in an administrative or out-of-court procedure in relation to our, our clients’ or employees’ rights | Our legitimate interest in facilitating effective establishment, exercise, or defence of legal claims |
We may process your Personal Data for other purposes, provided that we disclose the purposes and use to you at the relevant time, and that you either consent to the proposed use of the Personal Data, other legal grounds exist for the new processing purposes, or the new purpose is compatible with the original purpose brought out above.
No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
- a) Phone numbers: The primary mobile identifier used for communication.
- b) User location data: Information about where the user is located when using a mobile app or service.
- c) Device identifiers: Unique IDs associated with the user's device, which can help track usage and behavior.
- d) Usage data: Information on how users interact with an application, including app usage frequency and features accessed.
We will not share your opt-in to an SMS campaign with any third party for purposes unrelated to providing you with the services of that campaign. We may share your Personal Data, including your SMS opt-in or consent status, with third parties that help us provide our messaging services, including but not limited to platform providers, phone companies, and any other vendors who assist us in the delivery of text messages.
RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS
We disclose your Personal Data to third parties only in accordance with this Notice and to who have undertaken to observe confidentiality or are subject to statutory confidentiality. Your Personal Data will be disclosed to our employees who due to their tasks must process your Personal Data.
In some cases, to fulfil our statutory or contractual obligations, or to safeguard our legitimate interests we may disclose your Personal Data to the recipients in the following categories, who process your Personal Data as separate controllers:
| Category | Purpose of disclosure |
|---|---|
| Public sector authorities, supervisory and law enforcement authorities | To fulfil our statutory obligation, a court order or in other cases where this is necessary to prevent and deter unlawful acts. For example: Estonian Tax and Customs Board, Estonian Data Protection Inspectorate. |
| Professional advisors (bound to confidentiality; to the extent that they do not act as processors) | To ensure our proper economic activity. For example: auditors, legal advisors, accounting service providers. |
| Service providers and co-operation partners (to the extent that they do not act as processors) | To ensure the fulfilment of contractual obligations and communication with service providers and co-operation partners and provide you with our services through our co-operation partners. For example: IT service providers. |
| Group entities (to the extent that they do not act as processors) | Group entities (to the extent that they do not act as processors)To utilize common technical infrastructure and perform internal administrative tasks. |
| Our legal successors and/or potential acquirers of the company | To successfully transfer our business or for the purposes of merger and/or acquisition. |
We may disclose Personal Data to third parties who act as data processors only for the performance of a contract entered into with us and who apply the required level of safeguarding measures while processing the Personal Data. These processors belong to the following categories:
| Category | Purpose of disclosure |
|---|---|
| IT-service providers | They operate the technical infrastructure which we need to host, store, manage and maintain the daily business functions. For example: Amazon Web Services. The respective services are provided within the European Union and the USA. |
| Analytics and marketing software services providers | They provide analytical insight and marketing tools for improving daily business functions. For example: Google Analytics, Hotjar. The respective services are provided within the European Union and the USA. |
| Customer relationship management and sales software services providers | They facilitate sales and administer our interactions with clients. For example: Pipedrive, HubSpot. The respective services are provided within the European Union. |
| Group entities (to the extent that they do not act as controllers) | To utilize common technical infrastructure and perform internal administrative tasks. |
To ensure that our service providers adhere to adequate data protection standards, we have concluded with all service providers, engaged in the processing of Personal Data on our behalf as processors, written data processing agreements. For service providers located outside the European Union or the European Economic Area (“EU/EEA”), we use safeguards (e.g., standard contractual clauses approved by the European Commission) to ensure that a level of protection of Personal Data comparable to that applicable in the EU/EEA is applied to your Personal Data. We monitor the compliance of our service providers with the above requirements. Upon your request we will make available further information on the safeguards applied.
PERSONAL DATA RETENTION PERIOD
- Main Data and Contract Data relating to transactions will be stored for seven years from the end of the financial year they relate to. Other Main Data and Contract Data will be stored up to 3,5 years after the deletion of the client’s account.
- In case the legal basis for processing your Personal Data is consent and you decide to withdraw the consent, we will stop processing Personal Data for the previously communicated purpose, however, we will retain a note regarding your withdrawal for the purposes of administering your decision and our data processing activities at least for a period of 3,5 years.
Following the retention period or if we no longer need the respective Personal Data for the purposes specified in Section 4 of the Notice, we shall destroy the respective Personal Data within a reasonable time, unless the retention of Personal Data is required to perform duties or requirements arising from the legislation or to protect against ongoing or threatened disputes.
After the expiry of the retention period determined in accordance with Section 6 of this Notice or the termination of the legal basis for processing purpose, we may retain the materials containing the Personal Data in the backup systems, from which the corresponding materials will be deleted after the end of the backup cycle. We ensure that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond the use.
YOUR RIGHTS AS A DATA SUBJECT
We have a legal obligation to ensure that your Personal Data is kept accurate and up to date. We kindly ask you to assist us to comply with this obligation by ensuring that you inform us of any changes that have to be made to any of your Personal Data that we are processing.
- Right to access: you have the right to request access to any data that can be considered your Personal Data. This includes the right to be informed on whether we process your Personal Data, what Personal Data categories are being processed by us, and the purpose of our data processing;
- Right to rectification: you have the right to request that we correct any of your Personal Data if you believe that we are processing inaccurate or incomplete Personal Data;
- Right to object: you are entitled to object to certain processing of Personal Data, including for example, the processing of your Personal Data for marketing purposes or when we otherwise base our processing of your Personal Data on our legitimate interest;
- Right to restrict Personal Data processing: you have the right to request that we restrict the processing of your Personal Data if: (i) you wish to dispute the accuracy of certain Personal Data we are processing, such right applies until we have had the opportunity to satisfy ourselves of the accuracy of the Personal Data; (ii) we have been processing your Personal Data unlawfully, but you only request the restriction of the use of the Personal Data in question instead of its deletion; (iii) we no longer need the Personal Data for the original purposes of processing, but you still need such Personal Data to assert, exercise or defend against legal claims; (iv) you have objected to our processing of certain of items of your Personal Data until a determination is made whether or not your concerns are outweighed by our legitimate interests in processing your Personal Data;
- Right to erasure: you may request your Personal Data to be erased if the Personal Data is no longer necessary for the purposes for which it was collected, or if you consider that the processing is unlawful, or if you consider that the Personal Data has to be erased to enable us to comply with a legal requirement;
- Right to data portability: if your Personal Data is being automatically processed with your consent or on the basis of a mutual contractual relationship, you may request that we provide you that Personal Data in a structured, commonly used and machine-readable format. Moreover, you may request that the Personal Data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible;
- Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time;
- Right to contact the supervisory authority: if you are not satisfied with our response to your request in relation to Personal Data processing or you believe we are processing your Personal Data not in accordance with the law, you can submit your claim to the data protection authority, in Estonia to a Estonian Data Protection Inspectorate (in Estonian Andmekaitse Inspektsioon) at info@aki.ee (https://www.aki.ee/).
To exercise the above rights, please contact us as specified in Section 2 of this Notice. Please note that you should supply us with adequate information for us to respond to your requests concerning the rights listed in Section 7.2. Prior answering your request, we may ask you to provide additional information for the purposes of authenticating you and evaluating your request.
SECURITY OF PERSONAL DATA
Data Protection Policy
Data Access
- Access Control: Only authorized personnel have access to personal data based on their job responsibilities. Access is granted using role-based access controls (RBAC) and is reviewed regularly.
- Authentication: Strong authentication mechanisms, including multi-factor authentication (MFA), are implemented to verify user identities before granting access to personal data.
Data Protection
- Data Minimization: We collect and process only the data necessary for specific purposes.
- Anonymization and Pseudonymization: We use techniques to anonymize or pseudonymize data where appropriate to enhance privacy and security.
Data Encryption
- Encryption in Transit: Personal data is encrypted during transmission using secure protocols such as TLS.
- Encryption at Rest: Personal data is encrypted when stored on our servers using industry-standard encryption algorithms.
Data Backup
- Regular Backups: We perform regular backups of all critical data, including personal data, to secure and geographically distributed locations.
- Backup Testing: We regularly test backup procedures to ensure data can be restored promptly in case of data loss.
Data Storage
- Secure Storage: Personal data is stored in secure environments with robust physical and logical security measures.
- Data Retention: Personal data is retained only as long as necessary for the purposes for which it was collected, in accordance with our data retention policy.
External Access to Data
- Third-Party Processors: We ensure third-party processors comply with GDPR and other relevant data protection regulations through comprehensive due diligence and data processing agreements.
- Data Transfers: We implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), for transferring personal data outside the EU.
GDPR Compliance
- Data Protection Impact Assessments (DPIAs): We conduct DPIAs for processing activities that pose high risks to data subjects' rights and freedoms.
- Data Protection by Design and by Default: We incorporate data protection principles into the design of new systems and processes.
Incidents Management Process
- Data Breach Response: We have an incident response plan to address data breaches promptly, including containment, eradication, and recovery.
- Vulnerability Management: We regularly scan for and address security vulnerabilities in our systems and applications.
- Threat Monitoring: We continuously monitor for external threats using advanced security tools and threat intelligence services.
- Unauthorized Access Prevention: We use intrusion detection and prevention systems (IDPS) to detect and prevent unauthorized access to our systems and data.
- Data Theft Prevention: We implement robust security controls, such as encryption, access controls, and monitoring, to prevent data theft.
- Network Security: We implement firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to protect our network from intrusions.
- Physical Security: We implement physical security measures, such as access controls, surveillance, and security personnel, to protect our facilities.
Physical Security
- Access Control: We use access control systems to restrict entry to our facilities to authorized personnel only.
- Surveillance: We have installed surveillance cameras in key areas to monitor and record activities.
- Security Personnel: We employ security personnel to oversee physical security measures.
Network Security
- Firewalls: We deploy firewalls to protect our network from unauthorized access and external threats.
- IDS/IPS: We implement intrusion detection and prevention systems to monitor and respond to potential security incidents.
- Secure Configurations: We ensure all network devices are securely configured and regularly updated to protect against vulnerabilities.
- VPNs: We use Virtual Private Networks (VPNs) to secure remote access to our network.