Privacy Policy

Last updated: April 20, 2026

This Privacy Policy explains how LightOTP, a service operated by Amal Group, collects, uses, and protects personal data when you use our website, dashboard, and API. It applies to our business customers (account holders) and to visitors of lightotp.com.

We are committed to complying with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the relevant German data-protection laws. If you have any questions about this policy, contact us at [email protected].


Who we are

LightOTP is a WhatsApp OTP delivery service operated by Amal Group, with its registered office at Suedstrasse 49f, 03253 Doberlug-Kirchhain, Germany. For the purposes of this Privacy Policy, Amal Group is the "controller" of your personal data. You can reach us at [email protected] or +49 176 3662 3030.


Data we collect

Depending on how you use the service, we collect the following categories of data:

  • Account data: your name, email address, phone number, address, company name, and a salted hash of your password.
  • Demo data: the phone number you enter in the "Try OTP" form, used only to deliver the test code and not stored long-term for marketing.
  • Technical data: IP address, user-agent, request headers (including Accept-Language), and the challenge telemetry generated by Cloudflare Turnstile when you submit a form.
  • Usage data: API request metadata (timestamp, endpoint, response status, volume) that we need to operate and meter the service.


How we use your data

We use personal data to:

  • Create and maintain your account and API keys.
  • Deliver the OTP service.
  • Respond to inbound support requests.
  • Detect abuse, debug failures, and protect the service.
  • Improve reliability and documentation based on aggregated usage.

Sharing and subprocessors

We do not sell your personal data. We share it only with processors that help us run the service:

  • Meta Platforms — we deliver WhatsApp OTP messages through the WhatsApp Business API.
  • Cloudflare — bot protection (Turnstile) and, where used, content delivery and DNS.
  • Hosting and infrastructure providers acting under a written data-processing agreement.

International transfers

Some of our processors (notably Meta) are located outside the European Economic Area. Where that happens, we rely on transfer mechanisms approved under the GDPR — such as the European Commission's Standard Contractual Clauses or an adequacy decision — to make sure your data stays protected.


How long we keep data

We keep personal data for as long as it is necessary to operate the service and support your account. We do not apply a fixed retention limit. You can ask us to delete your data at any time — see "Your rights under the GDPR" below for details.


Your rights under the GDPR

As a data subject in the EU or EEA, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Ask us to correct inaccurate or incomplete data (Art. 16).
  • Ask us to delete your data (Art. 17), within the limits of our legal retention obligations.
  • Restrict or object to certain processing (Arts. 18 and 21).
  • Receive your data in a portable format (Art. 20).
  • Withdraw consent at any time where processing is based on consent (Art. 7(3)).
  • Lodge a complaint with a supervisory authority — for us, the competent authority is the Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg.

To exercise any of these rights, email [email protected]. We will respond within one month.


Cookies

We use only essential cookies:

  • A locale-preference cookie so the site remembers your language.
  • A short-lived challenge cookie set by Cloudflare Turnstile to verify that form submissions come from a human.

We do not use advertising or cross-site tracking cookies. If we add analytics in the future, we will update this policy and, where required, ask for your consent.


Phone numbers submitted for OTP delivery

When our customers send OTP messages through our API, they supply us with recipient phone numbers. For that data, our customer is the data controller and LightOTP acts as a data processor on their behalf. This processing is governed by a separate Data Processing Agreement (DPA), which we make available on request.


Children

LightOTP is a business service and is not directed at children under the age of 16. We do not knowingly collect personal data from children.


Changes to this policy

We may update this Privacy Policy as our service evolves. When we make material changes, we will update the "Last updated" date at the top of this page and notify account holders by email.


Contact us

If you have any questions or want to exercise your data-protection rights, reach out to:

Amal Group

Suedstrasse 49f, 03253 Doberlug-Kirchhain, Germany

Email: [email protected]

Phone: +49 176 3662 3030