Privacy Policy

Last updated: February 17, 2026

Summary: 2 Factor Services provides Email and WhatsApp OTP services. We collect minimal data necessary for authentication, encrypt all sensitive information, and never sell your data. You retain full ownership of your user data.

1. Introduction

2 Factor Services ("we," "our," or "us") provides one-time password (OTP) authentication services via Email and WhatsApp Business API. This Privacy Policy explains how we collect, use, store, and protect information when you use our services.

By using 2 Factor Services, you agree to the collection and use of information in accordance with this policy. We are committed to protecting your privacy and handling your data with transparency and security.

2. Information We Collect

2.1 Account Information

When you register for 2 Factor Services, we collect:

  • Business name and contact details
  • Email address and phone number
  • Billing information (processed securely via Stripe)
  • API keys and integration settings

2.2 End-User Data (Your Customers)

To deliver OTP services, we process the following data on your behalf:

  • Email addresses - For email OTP delivery
  • Phone numbers - For WhatsApp OTP delivery (international format)
  • IP addresses - For fraud detection and rate limiting
  • Device fingerprints - Browser type, OS, and timestamp
  • Authentication logs - Success/failure status (without OTP codes)

2.3 Technical Data

  • API request logs (timestamp, endpoint, response time)
  • Error logs for debugging purposes
  • Webhook delivery attempts and responses

3. How We Use Information

We use collected information solely for:

  • Service Delivery: Sending OTP codes via Email and WhatsApp channels
  • Security: Fraud detection, rate limiting, and abuse prevention
  • Service Improvement: Monitoring delivery rates and optimizing routes
  • Legal Compliance: Meeting regulatory requirements and responding to legal requests
  • Communication: Service updates, security alerts, and support responses

4. Data Storage & Security

4.1 Encryption

All data is protected using industry-standard encryption:

  • In Transit: TLS 1.3 for all API communications and webhooks
  • At Rest: AES-256 encryption for all stored data
  • OTP Codes: Hashed immediately after verification; plaintext never stored

4.2 Infrastructure

  • SOC 2 Type II certified data centers
  • GDPR-compliant servers located in EU, US, and APAC regions
  • Regular penetration testing and security audits
  • Role-based access control (RBAC) for all internal systems

4.3 Data Retention

We retain data only as long as necessary:

  • OTP Codes: Never stored in plaintext; verification hashes deleted after 24 hours
  • Delivery Logs: Retained for 90 days for debugging and compliance
  • Authentication Metadata: Retained for 1 year (success/failure status only)
  • Account Data: Retained until account deletion, then purged within 30 days

5. WhatsApp Business API Specifics

Our WhatsApp OTP service operates through the official WhatsApp Business API:

  • All messages are end-to-end encrypted by WhatsApp
  • We do not have access to message content after delivery
  • Phone numbers are shared with Meta/WhatsApp solely for message delivery
  • Users can opt out by blocking our business number or replying "STOP"
  • We comply with WhatsApp Business Policy and Commerce Policy

6. Email Delivery Specifics

Our Email OTP service uses enterprise email infrastructure:

  • DKIM, SPF, and DMARC authentication enabled
  • Dedicated IP addresses with warming and reputation monitoring
  • Spam score optimization to ensure inbox delivery
  • No third-party email content scanning or advertising

7. Data Sharing & Third Parties

We do not sell your data. We share data only with:

  • Meta Platforms, Inc. - For WhatsApp message delivery (phone numbers only)
  • Amazon Web Services - For cloud hosting and email delivery infrastructure
  • Stripe, Inc. - For payment processing (billing data only)
  • Legal Authorities - When required by valid court order or subpoena

All third parties are bound by data processing agreements (DPAs) and GDPR Standard Contractual Clauses (SCCs).

8. Your Rights (GDPR & CCPA)

Depending on your jurisdiction, you have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete data
  • Deletion: Request deletion of your data ("Right to be Forgotten")
  • Portability: Receive data in a machine-readable format
  • Objection: Opt out of certain data processing activities
  • Restriction: Limit how we use your data

To exercise these rights, contact our Data Protection Officer at privacy@2factorservices.com. We respond to all requests within 30 days.

9. Cookies & Tracking

Our website uses minimal cookies:

  • Essential Cookies: Required for site functionality and security (cannot be disabled)
  • Analytics Cookies: Anonymous usage statistics (optional, can be disabled)

We do not use tracking pixels, advertising cookies, or third-party analytics that share data.

10. Children's Privacy

2 Factor Services does not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, contact us immediately for deletion.

11. Data Breach Procedures

In the unlikely event of a data breach:

  • We will notify affected users within 72 hours of discovery
  • We will report to relevant supervisory authorities as required by GDPR
  • We will provide detailed remediation steps and security recommendations

12. International Data Transfers

Data may be processed in multiple jurisdictions. We ensure adequate protection through:

  • EU Standard Contractual Clauses (SCCs)
  • Data Processing Agreements (DPAs) with all subprocessors
  • Regional data residency options for enterprise customers

13. Changes to This Policy

We may update this Privacy Policy periodically. Significant changes will be:

  • Posted on this page with an updated "Last updated" date
  • Notified via email to account holders 30 days before implementation
  • Announced in our service status dashboard