Privacy Policy
Effective: the day you create an account.
⚖️ Notice: drafted by the operator as a plain-English statement of practice. Not legal advice. Sections marked (LR) require lawyer review before you operate in jurisdictions that explicitly require formal counsel-drafted notices (most notably the EU under GDPR Art. 13 and California under CCPA §1798.130).
1. What OTPBase actually is
OTPBase is a transient relay for one-time verification codes (OTPs). You connect your inboxes, your phone, or your TOTP apps. Codes from those sources arrive on a single page that you can view from any browser or via API. Codes are then deleted on a clock — see § 4.
OTPBase is not an email provider, an identity provider, an MFA service, an archival service, an analytics service, or a marketing platform. It does not create the codes. It briefly conveys them.
2. Who is the data controller
The operator is reachable at support@otpbase.com.
3. What data we collect
| Category | What | Why |
|---|---|---|
| Account | email, hashed password, locale, plan, trial expiry | so you can log in and we can bill you |
| Inbox credentials | (only if you connect an IMAP account) hostname, username, encrypted credential | to poll the inbox you asked us to poll |
| Mobile devices | a hashed bearer token + the device name you set | to authenticate the iOS Shortcut you create |
| Codes | the parsed code, the message it came from, the sender, timestamps | the entire reason the product exists |
| Audit log | login events, IP, user-agent — for at most 90 days | to spot account compromise |
| Operational logs | request paths, status codes, error stack traces — scrubbed of secrets — for at most 14 days | to diagnose outages |
We do not collect: tracking cookies (other than the strictly-necessary session cookie), advertising identifiers, fingerprints, behavioural analytics, contact lists, geolocation. We do not run third-party trackers or A/B testing services.
4. How long we keep it — the lifecycle that matters
| Data | Visible to you in the UI/API for | Physically deleted from disk after |
|---|---|---|
| A code | 15 minutes (your account can shorten this) | 1 hour (your account can shorten this) |
| Burn-after-reading codes | until the moment you copy them, then 30 seconds | 1 hour, same as above |
| Original message body | the same 15-minute window as the code | the same 1-hour window |
| IMAP fetch state (UID watermarks) | until you remove the inbox | when you remove the inbox |
| Audit log entries | n/a — admin only | 90 days |
| Operational error logs | n/a — admin only | 14 days |
| Account record | until you delete your account | 30 days after deletion (then hard-deleted) |
The 1-hour physical deletion is enforced by a scheduled task that runs every minute. There is no archive. No backup retains a code past its hard-delete time — backups are taken on a daily cadence and the day's snapshot is itself purged on a 30-day rotation; any single code is therefore in at most one nightly snapshot before disappearing entirely, and only if the snapshot ran while the code was still alive.
5. Where we store it
The OTPBase application + database run on a server we operate ourselves (not a managed cloud database). The server is in a single data centre and the database is not replicated to other regions. Daily encrypted backups are written to Cloudflare R2.
6. Who else sees your data
OTPBase processes your data through these third parties — and only these.
| Vendor | What we send | Why | Their notice |
|---|---|---|---|
| Resend (transactional email) | your email address + verification/password-reset tokens | so you can verify your email, recover your password, get billing receipts | https://resend.com/legal/privacy-policy |
| Cloudflare (CDN + DNS + R2) | request metadata (IP, path) + encrypted backup blobs | DDoS protection + offsite backups | https://www.cloudflare.com/privacypolicy/ |
| Google reCAPTCHA Enterprise (anti-bot at register/login only) | a token derived from your browser interaction + your IP | block bot signups | https://policies.google.com/privacy |
| PayPal / Stripe (your choice, billing only) | your name + email + the amount; we never see your card number | take payment | their respective notices |
| Sentry (error tracking) | sanitized stack traces; no codes, no tokens, no email bodies | so we get paged when production breaks | https://sentry.io/privacy/ |
We do not send your codes, your passwords, your inbox contents, your TOTP secrets, or your API tokens to any third party.
We do not sell, rent, license, or barter your data. We do not share data with advertisers. There is no advertising on OTPBase.
7. Encryption
- At rest — every credential, every parsed code, every original message body is wrapped in AES-256-GCM with a master key that lives only in our environment, never in the database. If our DB is dumped, the dump is a wall of ciphertext.
- In transit — TLS 1.2+ on every connection.
- Optional E2EE mode — you can set a personal view password that we store only as an Argon2id hash. With it on, your codes are re-encrypted in your browser with a key derived from that password, and the server side genuinely cannot read the plaintext.
8. Your rights (LR — wording for GDPR/CCPA jurisdictions needs counsel review)
Under GDPR (if you are in the EEA/UK), CCPA (California), PIPL (China) and most equivalent laws, you have the right to:
- Access — ask us what we have on you. Reply in 30 days.
- Correct — change wrong personal data. Most fields you can change yourself in /profile.
- Delete — ask us to delete your account. We will delete within 30 days; certain audit-log entries we retain for legal-compliance up to 90 days.
- Port — ask for a JSON export of your account.
- Object / restrict — tell us to stop processing for marketing (we don't do marketing) or for analytics (we don't do analytics).
- Lodge a complaint with your national data-protection authority.
Exercise any of these by emailing support@otpbase.com.
9. Children
OTPBase is not directed at people under 16 (EEA) or under 13 (US). We do not knowingly accept signups from minors.
10. Breach notification (LR)
If we discover that ciphertext + master key, or plaintext credentials, may have been accessed by a party not authorised, we will notify affected accounts by email within 72 hours of discovery and notify the relevant supervisory authority on the same timeline.
11. Changes to this policy
We will email you at least 14 days before any material change. The current version is always at https://otpbase.com/legal/privacy.
Operator contact: support@otpbase.com
Postal address: [fill in before launch] (LR)