Privacy Policy

Last updated: 14 May 2026  ·  Effective immediately

Short version: OTPLink reads your emails locally in your browser to find OTP codes and sign-in links. Your emails are never sent to our servers, never stored, and never shared. We collect only what is strictly necessary to provide the service.

1. About this policy

This Privacy Policy explains how OTPLink collects, uses, and protects your personal data when you use the OTPLink browser extension ("the Extension"). It is written in compliance with:

Please read this policy carefully. If you have questions, contact us at hello@otp-link.com.

2. Who we are (data controller)

OTPLink is operated by [OPERATOR FULL LEGAL NAME] trading as OTPLink ("we", "us", "our"). We are the data controller for any personal data processed in connection with the Extension, as defined under Article 4(7) of the UK GDPR.

Service provider details (required by Regulation 6 of the Electronic Commerce (EC Directive) Regulations 2002, as retained under the European Union (Withdrawal) Act 2018):
Operator: [OPERATOR FULL LEGAL NAME]
Trading name: OTPLink
Email: hello@otp-link.com
Address: [ADDRESS — to be added before public launch]
ICO registration number: [TO BE ADDED — registration in progress]

As a data controller we are required to pay the data protection fee and register with the Information Commissioner's Office (ICO) under the Data Protection (Charges and Information) Regulations 2018, made under the Data Protection Act 2018, and we are in the process of doing so. Once registered, our ICO registration number will be displayed above. We will not go live publicly until registration is complete.

3. Google API Services User Data Policy

OTPLink's use of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. We limit our use of data received via the Gmail API strictly to providing and improving the user-facing features of the Extension.

Specifically, data accessed via the Gmail API is never used for:

No human at OTPLink — including any employees or contractors — reads, accesses, or views the content of your emails or any data accessed via the Gmail API. All email processing is performed automatically and entirely within your browser, with no human involvement.

4. What personal data we process

We process the minimum personal data necessary to provide the Extension's functionality. This is limited to:

We do not store, transmit, or retain the content of your emails. When the Extension queries your inbox for OTP codes or sign-in links, the message content is processed transiently within your browser and discarded immediately after the code or link has been extracted. No email content is ever transmitted to us, logged, or stored.

When you connect your inbox, the Extension also receives a Google or Microsoft ID token (a short-lived signed JWT proving your identity) which is sent once to our Supabase-hosted authentication service solely to create or retrieve your OTPLink account. The ID token identifies you by your email address and a stable account identifier (its "sub" claim), alongside the standard issuer, audience, and expiry claims needed to verify it. It is a separate credential from the OAuth access token: it does not grant any access to your inbox, and we do not store it after verification.

5. Legal basis for processing (UK GDPR Article 6)

We rely on the following lawful bases to process your personal data:

We do not process any special category data as defined under Article 9 of the UK GDPR (such as health data, biometric data, or data revealing racial or ethnic origin).

6. How we use your data

Your personal data is used exclusively for the following purposes:

We will not use your data for marketing, profiling, automated decision-making, or any purpose other than those listed above.

7. Data storage, retention, and security

Apart from the account record created through the Supabase-hosted authentication service described in section 4, all personal data associated with your use of the Extension is stored locally on your device using chrome.storage. No email content and no OAuth access or refresh tokens are transmitted to or stored on servers operated by OTPLink.

Retention periods are as follows:

You can delete all locally stored data at any time by disconnecting your account within the Extension settings, or by uninstalling the Extension from your browser. Because we hold no email content or OAuth tokens on our own servers, there is no server-side retention period for that data.

PECR (Regulation 6) — local storage: The storage of OAuth tokens and preferences on your device using chrome.storage falls within the scope of the Privacy and Electronic Communications Regulations 2003 (PECR), Regulation 6. We rely on strict necessity for this storage: OAuth tokens are strictly necessary to authenticate your inbox access (the service you have requested cannot function without them); Extension preferences are strictly necessary to maintain the settings you have chosen between sessions. We do not store any data on your device beyond what is strictly necessary for these purposes.

We implement appropriate technical and organisational security measures to protect personal data as required by Article 32 of the UK GDPR. Since all personal data is stored locally on your device, the primary security boundary is your browser and operating system. OAuth tokens are held in chrome.storage, which the browser isolates to the Extension: ordinary web pages and third-party scripts running in them cannot read it. Note that chrome.storage is not encrypted at rest by the browser, so the confidentiality of stored tokens ultimately depends on the security of your device and user account. We minimise the data we process and do not hold copies of tokens on any external infrastructure.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34. Given that all data is stored locally on your device, the most likely scenario for a breach involving your data would be a security compromise of your own device, which would be outside our control.

8. Browser permissions

OTPLink requests the following browser permissions, each for a specific and necessary purpose:

9. Third-party services

The Extension integrates with the following third-party services to provide its core functionality:

We are not responsible for the privacy practices of Google or Microsoft. We recommend reviewing their policies independently. We do not use any analytics, advertising, or tracking services, and we do not sell or share your data with any third parties.

10. International transfers

When the Extension makes API calls to Google or Microsoft, your OAuth token is transmitted to servers operated by those companies, which may be located outside the United Kingdom. We have no control over where those servers are located. Both Google and Microsoft maintain appropriate safeguards for international data transfers under the UK GDPR, including:

Please refer to Google's and Microsoft's respective privacy policies for further detail on their transfer mechanisms. We recommend reviewing these independently.

11. Revoking access

You can revoke OTPLink's access to your inbox at any time, independently of us, through your Google or Microsoft account settings:

You can also disconnect your account from within the Extension at any time, which immediately removes all locally stored tokens from your device.

12. Your rights under UK GDPR and DPA 2018

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

Because we do not store personal data on our own servers, many of these rights can be exercised directly by disconnecting your account or uninstalling the Extension. For data held by Google or Microsoft, you should exercise your rights directly with those organisations.

To exercise any of these rights, contact us at hello@otp-link.com. We will respond within one calendar month as required by Article 12(3) of the UK GDPR. In complex cases, we may extend this period by a further two months; we will inform you of any such extension and the reason for it within the first month. If we are unable to comply with your request, we will explain our reasons in writing and inform you of your right to complain to the ICO or seek a judicial remedy (Article 12(4)).

13. Children and young people

OTPLink is not directed at children or young people. You must be at least 16 years old to use the Extension.

Under Article 8 of the UK GDPR, as implemented by Section 9 of the Data Protection Act 2018, the minimum age at which a child can consent to processing in the context of information society services is 13 in the United Kingdom. We have set our minimum age to 16 to align with the default position under the EU GDPR and to provide a higher standard of protection across all jurisdictions.

We do not knowingly process personal data relating to individuals under 16. If you are the parent or guardian of a child who has used the Extension without consent, please contact us at hello@otp-link.com and we will take appropriate action, including deletion of any associated data.

We do not currently operate a technical age-verification mechanism. Responsibility for monitoring the software installed on shared or family devices rests with parents and guardians.

14. Your right to complain to the ICO

If you have concerns about how we handle your personal data that we are unable to resolve to your satisfaction, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the supervisory authority for data protection in the United Kingdom:

Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

If you are located in the European Union, you also have the right to lodge a complaint with your local data protection supervisory authority.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our practices. We will update the "Last updated" date at the top of this page when we do. Where changes are material (for example, changes to the data we collect or to our lawful basis for processing), we will take reasonable steps to bring them to your attention. If you do not accept the updated policy, you should stop using the Extension and uninstall it. Non-material clarifications and corrections will be made without separate notification.

16. Contact

If you have questions or concerns about this Privacy Policy or the way we handle your personal data, please contact us:

OTPLink
Email: hello@otp-link.com
Address: [ADDRESS — to be added before public launch]