Privacy Policy

• No KYC. We don’t collect government IDs, addresses, or real names.
• We store only what’s needed to run your account: an authentication identifier, balance, rental history, and SMS messages received on numbers you rent.
• We don’t sell, rent, or trade your data.
• Payments are processed by our payment provider; we don’t see your card or wallet details beyond what they share with us.

We collect only the data needed to operate the Service:

• Account identifier. Either your Discord user ID (if you sign in with Discord OAuth) or your email address (if you use email one-time passwords). For email sign-in we also temporarily store OTP codes for verification.
• Balance and transactions. Your current balance and a record of top-ups and rental charges.
• Rental history.Numbers you’ve rented, the service they were rented for, timestamps, and status (waiting, received, expired, cancelled).
• Received SMS. The text of SMS messages delivered to numbers you rented, retained for a limited time so we can display them to you.
• API key metadata. A hashed reference to any API key you generate, plus usage timestamps. We do not store the plaintext key after creation.
• Technical logs. Server logs (IP, user agent, request path) used for security, debugging, and abuse prevention. Retained for a short period and not used for advertising or profiling.
• Support correspondence. Messages you send through tickets or other support channels.

• Government IDs, photos, or KYC documents — we don’t do KYC.
• Your real name or postal address.
• Card numbers, bank details, or crypto wallet seeds — payments are handled by our payment provider.
• Behavioural tracking across other websites.

We use the data above only to:

• Authenticate you and keep your session secure.
• Assign numbers, deliver SMS to your dashboard, and bill against your balance.
• Provide support and respond to your requests.
• Detect and prevent fraud, abuse, and violations of our Terms.
• Comply with legal obligations where applicable.

We do not use your data for advertising and we don’t build behavioural profiles.

We use only the cookies and local-storage entries required to keep you signed in and to remember UI preferences (e.g. theme). We don’t use third-party advertising or cross-site tracking cookies.

Crypto payments are processed by OxaPay. When you initiate a top-up, we share a payment reference and amount with OxaPay so they can return a confirmed deposit to your balance. We don’t see your wallet seeds or private keys. Refer to OxaPay’s own privacy policy for how they handle that data.

SMS messages sent to numbers you rent pass through our upstream SMS infrastructure providers and are stored long enough for you to retrieve and copy the code. We treat this content as sensitive: it’s accessible to you via your account, and to authorized operators only when strictly necessary for support, fraud investigation, or legal compliance.

Do not use OhMyOTP numbers for messages you would consider private — these are temporary, shared-pool numbers and are not suitable for confidential communication.

We rely on a small set of providers to operate the Service:

• SMS / number providers (carrier-grade upstream suppliers).
• Payment processor (OxaPay).
• Email delivery (Resend, for sign-in OTPs and transactional email).
• Hosting and infrastructure providers.

These providers receive only the data they need to perform their role. We do not sell, rent, or trade your personal information.

Account-level data (identifier, balance, transactions) is retained while your account exists. Received SMS messages are retained for a limited window — long enough to be useful, short enough to minimize exposure. Server logs are retained for a short period for security and debugging. Backups may persist for additional time before they roll off.

When you delete your account, we delete or anonymize personal data we’re not required to retain (for example, certain transaction records may be kept to satisfy accounting or anti-fraud requirements).

We use industry-standard practices to protect data in transit (TLS) and at rest. Authentication uses signed tokens with short lifetimes. Despite our efforts, no system is perfectly secure — please use a strong, unique password for the email associated with your account and rotate API keys if you suspect compromise.

• Access & export. You can see your balance, transactions, and rental history from your dashboard at any time.
• Delete API keys. Rotate or revoke API keys from Settings.
• Account deletion.Contact support to request deletion. We’ll remove personal data except where retention is legally required.

The Service may be operated and hosted in jurisdictions different from where you reside. By using the Service you consent to your data being transferred to and processed in those jurisdictions, subject to this Policy.

The Service is not intended for users under 18 (or the age of majority in your jurisdiction). We do not knowingly collect data from anyone under that age. If you believe a child has provided us data, contact us and we’ll remove it.

We may update this Policy from time to time. Material changes will be reflected in the effective date above and, where appropriate, communicated on the website. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

Privacy questions? Reach us through support tickets once signed in, or via the contact channels published on ohmyotp.com.