Privacy & Policy

Privacy & Policy

Effective Date: 07 July 2025

Last Reviewed:  01 September 2025

1. PURPOSE

This Privacy Policy (the “Policy”) sets out the principles and procedures adopted by OTC & Partners (“OTC & Partners”, “we”, “us”, or “our”) to ensure the proper handling of personal data (“Personal Data”). The Policy applies to Personal Data that we collect, use, store, disclose, and protect when you:

  • visit our website,
  • interact with our team,
  • communicate with us through any channel, 
  • engage with our legal services, or
  • use our onboarding application. 

2. SCOPE

This Policy applies to all data referring to an identified or Identifiable Natural Person that is collected, received, stored, processed, or transmitted by OTC & Partners in the course of its business operations and forms an integral part of our commitment to complying with the applicable data protection laws. 

3. DEFINITIONS

    • Data Subject – The identified or Identifiable Natural Person to whom Personal Data relates. This includes, but is not limited to; visitors, clients, potential  or partners. 
    • Identifiable Natural Person – A natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity.
    • Personal Data – Any information referring to an identified or Identifiable Natural Person, this includes, but is not limited to; Identification documents (e.g., passports, national IDs); contact details (e.g., emails, phone numbers, addresses); and onboarding documents.  
    • Personal Data Breach – A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data collected, received, transmitted, stored or otherwise processed. This includes, but is not limited to; unauthorized access by third parties or internal staff, accidental sending of data to the wrong recipient, loss or theft of devices or physical files containing Personal Data, or malware attacks, ransomware, or system intrusions affecting data integrity or availability. 
  • Processing – Any operation performed on personal data which may include but is not limited to its collection, storage, use, transfer or deletion.

4. DATA COLLECTION AND USE

4.1 We collect and process Personal Data only where the processing is lawful, fair, and necessary for one or more specific, explicit, and legitimate purposes; including, but not limited to:

  • Client Onboarding and Compliance;
  • Platform Access and Communication; or
  • Identity verification (e.g., via tools like Sumsub)

4.2 We do not sell Personal Data under any circumstances. Data is not shared with third parties or used for any purpose outside the original scope, unless:

  • The Data Subject has provided freely given, specific, informed, and unambiguous consent; or
  • The disclosure is otherwise permitted or required by applicable law, including for regulatory compliance, legitimate interests, or legal claims.

5. DATA STORAGE AND SECURITY

We implement appropriate technical and organizational measures in order to safeguard personal data against any form of unauthorized access, alterations, loss or destruction which include, but are not limited to:

  • Encryption of Personal Data at rest and in transit;
  • Use of technical safeguards such as multi-factor authentication (MFA), secure access logs and intrusion detection systems;
  • Access control mechanisms based on roles, responsibilities and legitimate business needs;
  • Regular audits and reviews of data security practices; and
  • Vetting and use of third-party service providers (such as Sumsub and Google Workspace) which implement security measures consistent with the applicable law and international standards.

6. RETENTION PERIODS

6.1 We retain personal data only for as long as necessary for the purposes it was collected. Standard retention periods include:

DATA TYPE RETENTION PERIOD
Onboarding contracts 2 years after termination
Identification Documents (e.g., KYC) 2 years after contract ends
Job Applications 1 year from date of last contact
Financial/Tax Records 6 – 8 years (as per legal requirements)
Communication Records 2 years (unless required longer by context)

 

6.2 After the applicable retention period has expired, all Personal Data is either securely deleted, destroyed, or anonymized, ensuring that the data can no longer be accessed, reconstructed, or used to identify any individual.

7. DATA ACCESS AND RIGHTS

7.1 We uphold the rights of Data Subjects and shall respond to all reasonable and lawful requests without undue delay and within one (1) month of receipt.

a. Right of Access to Personal Data:

Upon written request, a Data Subject has the right to obtain from OTC & Partners, free of charge, a copy of the Personal Data undergoing processing in electronic form and any available information as to its source.

b. Right to Rectification of Personal Data:

A Data Subject has the right to request the correction of inaccurate or otherwise outdated Personal Data in order to keep information truthful and current. We will ensure that the said data is rectified promptly upon receiving the valid request and any associated supporting documents as and when required.

c. Right to Erasure of Personal Data: 

Upon request, a Data Subject has the right to require the firm to erase their Personal Data wherein:

  • The Personal Data is no longer necessary for the purposes it was collected and/or processed;
  • A Data Subject has withdrawn consent to the processing where said consent was the legal basis for processing;
  • The processing is unlawful or the erasure of Personal Data is required in order to comply with applicable laws and regulations; or
  • A Data Subject objects to the processing and there are no overriding legitimate grounds for us to continue processing.

d. Right to Transparency and Awareness of Data Use:

Upon request, a Data Subject has the right to obtain written confirmation regarding: 

  • Whether or not their Personal Data is being processed;
  • Purposes of such processing;
  • Categories of Personal Data involved; or
  • Receiving party or category of the receiving party (including third parties or international organizations where applicable).

7.2 Such Requests by the Data Subject can be sent to: [info@otcandpartners.com]

8. PERSONAL DATA BREACHES

In the event of a Personal Data Breach, we will take immediate and appropriate steps to:

  • Assess and contain the breach through identifying its nature, cause, scope and impact on Personal Data;
  • Mitigate any risks arising from the breach, including steps to protect and secure affected systems or data in order to prevent further unauthorized access;
  • Maintain a register of breaches which documents relevant details regarding the breach and any remedial actions taken; and
  • Notify affected Data Subjects, where applicable and without undue delay.

9. POLICY REVIEWS

This policy is reviewed annually and updated as needed to reflect changes in regulations or operational practices. Details of which are highlighted at the top of this document.

Contact:

For questions or requests, please contact [info@otcandpartners.com].

Subscribe Your Email for Newsletter & Promotion

Press ESC key to close search