Privacy Policy

Last updated: 15 February 2026

OTWarden ("we", "us", "our") is operated as a sole trader business based in the United Kingdom. We are committed to protecting your privacy and handling your data responsibly.

1. What Data We Collect

When you use OTWarden, we collect:

• Account information: Email address, name, and password (stored as a secure hash — we never see your actual password)
• Watchlist data: The vendors, products, and sectors you choose to monitor
• Payment information: Processed entirely by Stripe. We never see or store your card details. We store only your Stripe customer ID to manage your subscription.
• Usage data: Alert history (which advisories were sent to you and when)
• Technical data: IP address (for rate limiting and security only — not tracked or profiled)

2. How We Use Your Data

We use your data solely to:

• Send you ICS vulnerability alerts matching your watchlist
• Send weekly digest emails (Professional and Team plans)
• Manage your account and subscription
• Protect against abuse (rate limiting, fraud prevention)

We do not sell, rent, or share your personal data with third parties for marketing purposes. Ever.

3. Third-Party Services

We use the following third-party services:

• Stripe — Payment processing. Stripe's privacy policy: stripe.com/privacy
• Brevo (formerly Sendinblue) — Email delivery. Brevo's privacy policy: brevo.com/legal/privacypolicy
• Cloudflare — DNS and security. Cloudflare's privacy policy: cloudflare.com/privacypolicy

4. Data Storage and Security

Your data is stored in an encrypted database on servers located in the United Kingdom. We use industry-standard security measures including:

• Password hashing (bcrypt)
• HTTPS encryption for all connections
• CSRF protection on all forms
• Rate limiting on authentication endpoints

5. Data Retention

We retain your data for as long as your account is active. If you cancel your subscription or request account deletion:

• Your account will be deactivated
• You can request full deletion of your data by emailing [email protected]
• We will delete your data within 30 days of a deletion request

6. Your Rights

Under UK data protection law (UK GDPR), you have the right to:

• Access — Request a copy of the data we hold about you
• Rectification — Correct any inaccurate data
• Erasure — Request deletion of your data
• Portability — Request your data in a machine-readable format
• Object — Object to processing of your data

To exercise any of these rights, email [email protected].

7. Cookies

We use only essential session cookies required for the website to function (login sessions). We do not use tracking cookies, analytics cookies, or advertising cookies.

8. Changes to This Policy

We may update this policy from time to time. We will notify active subscribers by email of any material changes.

9. Contact

For any privacy-related questions or requests, contact us at [email protected].