> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-privacy-policy/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-privacy-policy/oten-identity-privacy-policy.md).

# Oten Identity - Privacy Policy

When you use our identity services, you trust us with your personal information. We recognize that this is a significant responsibility. Our priority is to protect your data with the highest standards of security and transparency, while giving you full control over your identity.

This Privacy Policy is designed to help you clearly understand:

* What information we collect;
* Why we collect it;
* How we use and protect it;
* How you can access, manage, export, or delete your information at any time.

Your trust matters to us. We are committed to building a secure, privacy-first identity platform that empowers individuals and organizations.

Effective May 28, 2026

### 1. Introduction

#### 1.1 Introduction

This Privacy Policy explains how Oten Switzerland GmbH ("Oten", "we", "our", or "us") collects, uses, stores, shares, and protects personal data when organizations and their authorized users access or interact with our cloud-based identity and access management platform ("Oten IDP"). By using our Services, you acknowledge that you have read, understood, and agreed to this Policy.

#### 1.2 Nature of the Service

Oten IDP operates as a cloud-based Identity-as-a-Service (IDaaS) platform serving enterprise organizations across Southeast Asia and the Middle East. All user accounts, provisioned by organizational administrators, are registered and managed directly on Oten IDP. When users authenticate to external applications using "Sign in with Oten," they are redirected to Oten IDP to sign in and their identity is confirmed under Oten's control.

Oten IDP enables secure authentication, single sign-on (SSO), identity verification, role-based access control, and multi-factor authentication (MFA) using methods such as Passkey (WebAuthn/FIDO2), OTP, or device-based authentication.

#### 1.3 Services Covered Under This Policy

This Privacy Policy applies to identity-related services provided by Oten IDP, including:

* Account registration and identity management;
* Authentication, Single Sign-On (SSO), and token issuance;
* Multi-Factor Authentication (MFA) via Passkey, WebAuthn, OTP;
* Role, authorization, and access policy management;
* Activity logs, session tracking, and security monitoring;
* API and SDK-based authentication services for integrated applications.

<table data-header-hidden><thead><tr><th valign="top"></th></tr></thead><tbody><tr><td valign="top"><em>Note: The Oten Developer Portal, which allows developers to register applications, declare permission scopes, and publish integrations, operates as a separate product with its own Terms of Service and Privacy Policy. This Privacy Policy applies only to Oten IDP.</em></td></tr></tbody></table>

#### 1.4 Categories of Users Covered

* Enterprise users, including Organization Administrators and Workspace Administrators, who manage access for business environments;
* End-users of third-party applications authenticated via Oten SSO, whose accounts are provisioned by their organization;
* Developers who integrate their applications with Oten IDP through OAuth, OIDC, or other supported protocols (authentication operations only; app registration is handled via the Oten Developer Portal).

#### 1.5 Identity Ownership and Consent Principle

Oten is the primary provider of identities within Oten IDP. All authentication flows begin with a user-initiated action. When users authenticate to external applications, Oten presents a Consent Screen clearly listing data to be shared. Data is shared only with the user's explicit permission.

Controller/Processor roles: Oten acts as the Data Controller for identities processed within Oten IDP on behalf of organizational tenants. Where an enterprise customer manages its own user directory and instructs Oten to process identity data, Oten acts as a Data Processor under the customer's instructions.

#### 1.6 Geographic Scope of Service

Oten IDP is currently available to organizations and their users across Southeast Asia and the Middle East. Future expansion to other jurisdictions may occur, at which time this Policy will be updated accordingly.

#### 1.7 Oten's Role in Data Protection

* Oten acts as a Data Controller for identity data processed within Oten IDP on behalf of organizational tenants;
* Oten acts as a Data Processor when issuing identity tokens or sharing user data with third-party applications upon user consent, or when processing under enterprise customer instructions.

#### 1.8 Legal Compliance

We are committed to complying with applicable data protection laws in all jurisdictions where we operate, including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, Singapore Personal Data Protection Act (PDPA) 2012, Thailand Personal Data Protection Act B.E. 2562 (2019), Indonesia Personal Data Protection Law (UU PDP 2022), Malaysia Personal Data Protection Act (PDPA 2010), Philippines Data Privacy Act of 2012 (Republic Act 10173), and other applicable regional data protection regulations.

#### 1.9 Acceptance of Policy

By accessing or using Oten IDP, you agree that your personal data will be collected and processed in accordance with this Policy.

### 2. Information We Collect

#### 2.1 Overview

We collect only the information necessary to create and maintain a secure digital identity, perform authentication, protect our services, and enable access management for organizations. We apply principles of data minimization, purpose limitation, and transparency to all data collection.

#### 2.2 Categories of Personal Data We Collect

**2.2.1 Account Registration Information**

When your organization provisions an Oten account for you, we collect:

* Full name;
* Email address and/or mobile phone number;
* Username or display name;
* Password (stored as a salted, hashed value; never in plain text);
* Optional profile information (e.g., avatar, preferred language, time zone, gender — all voluntary and not required for authentication).

For enterprise workspaces, we may also collect organization name, business contact details, and information necessary to configure a workspace and designate administrators.

**2.2.2 Authentication and Security Data**

* Public keys and cryptographic material produced during Passkey/WebAuthn registration and use;
* Multi-factor authentication artifacts (e.g., OTP codes, authenticator app secrets, device trust status);
* OAuth 2.0 / OpenID Connect artifacts, including authorization codes, access tokens, ID tokens (JWT), and refresh tokens;
* Session identifiers, authorization scopes, nonce and state values, and anti-abuse signals.

<table data-header-hidden><thead><tr><th valign="top"></th></tr></thead><tbody><tr><td valign="top"><em>Biometric handling: We do not collect raw, unwatermarked biometric templates. For the Biometric Verification and Liveness feature via Oten Pass, Oten IDP securely receives and stores the watermarked liveness video for administrative review, and processes derived, non-reversible Biometric Templates (Biometric Vectors) for future verification. See Section 2.13 for the full biometric data flow.</em></td></tr></tbody></table>

**2.2.3 Device and Technical Data**

* Device type, operating system, and browser version;
* IP address and approximate geolocation derived from IP (no GPS-level location);
* Timestamps, session duration, error codes, and login indicators;
* Limited identifiers used for threat detection and rate limiting.

**2.2.4 Log and Activity Data**

* Authentication attempts and outcomes;
* Session creation and termination;
* Token issuance, revocation, and API calls;
* Administrator actions (e.g., role assignments, policy changes);
* Alerts related to anomalies or suspected abuse.

**2.2.5 Consent and Authorization Data**

* The application authorized and scopes requested;
* Attributes agreed to share;
* Timestamp of consent and whether consent was remembered;
* Subsequent revocation events.

#### 2.3 Data Flows for Third-Party Application Sign-In

When you use "Sign in with Oten," you are redirected to Oten to authenticate. Your account may be provisioned via Just-in-Time (JIT) provisioning under your organization's configuration. After sign-in and consent, Oten issues tokens containing only the attributes you have approved.

#### 2.4 Enterprise and Administrator Data

* Organization and workspace configuration (tenant name, domains, SSO settings);
* Administrator identities, roles, and actions taken in the admin console;
* Membership lists and role assignments;
* Billing contact details and subscription tier (for paid plans).

#### 2.5 Developers and Application Metadata

Developers register applications and declare permission scopes on the Oten Developer Portal, a separate product with its own Terms and Privacy Policy. Oten IDP consumes application metadata to execute authentication and authorization flows.

#### 2.6 Data We Do Not Collect

To be transparent about the boundaries of our data processing, we explicitly do not collect:

* Unwatermarked raw biometric templates;
* National ID numbers or passport scans;
* Personal communications unrelated to identity operations;
* Financial transaction histories unrelated to billing;
* Behavioral tracking data for advertising or profiling;
* Sensitive categories of personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, or sexual orientation. Note: gender may be collected as an optional profile field where provided voluntarily by the user (see Section 2.2.1).

#### 2.7 Legal Bases for Processing

* Consent – for sharing identity attributes with third-party applications and for processing special categories of data where applicable;
* Performance of Contract – to provide authentication, SSO, and account management;
* Legitimate Interests – to secure our platform, prevent fraud, and improve service reliability, where such interests are not overridden by data subject rights;
* Legal Obligation – to comply with applicable laws in jurisdictions where we operate.

#### 2.8 Retention and Deletion

See Section 6 for full retention schedules by data category.

#### 2.9 Data Minimization and Optional Information

Optional profile fields are voluntary and not required for core authentication features. You may update or remove optional data at any time through your account settings.

#### 2.10 Geographic Scope and Data Residency

Personal data may be stored or processed in cloud data centers in various regions. We do not currently offer customer-selectable data residency. Transfers across borders are conducted in compliance with applicable data protection regulations and subject to appropriate safeguards as described in Section 4.5.

#### 2.11 Children's Data

Our services are not intended for individuals under the age of 13 (or a higher minimum age where required by applicable local law). We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us immediately at <dpo@oten.com> and we will take immediate steps to delete such data. Organizations using Oten IDP are responsible for ensuring compliance with child data protection regulations applicable in their jurisdiction and for ensuring only eligible users are enrolled.

#### 2.12 Changes to This Chapter

We may update this Chapter to reflect service changes or regulatory guidance. We will indicate the effective date and provide a more prominent notice for material changes.

#### 2.13 Biometric Data Flow (Cross-Product: Oten Pass ↔ Oten IDP)

When an organization enables the Biometric Verification and Liveness feature, the following data flow occurs between Oten Pass and Oten IDP:

* Step 1 — Capture and On-Device Processing (Oten Pass): The user explicitly initiates a liveness verification flow. Oten Pass records a short video using the device camera and applies a secure, permanent digital watermark at the point of capture before any transmission. A non-reversible Biometric Template (a mathematical biometric vector) is computed on the device. This Biometric Template cannot be used to reconstruct the user's original facial image, the original video, or any raw biometric data.
* Step 2 — Transmission: The watermarked video and the on-device Biometric Template are transmitted securely via SSL/TLS from Oten Pass to Oten IDP. Raw, unwatermarked video is never transmitted or stored.
* Step 3 — Storage and Admin Review (Oten IDP): Oten IDP stores the watermarked video and the Biometric Template. Authorized administrators of the organization may review submitted videos via the Oten Identity Admin Application.
* Step 4 — Matching (Oten IDP): During subsequent verification, Oten IDP performs identity matching by comparing Biometric Templates on the server.
* Step 5 — Deletion: The watermarked video is permanently and irreversibly deleted on the 91st day from its creation date. The Biometric Template is permanently deleted 90 days from its creation date, regardless of account status.

Cross-reference: For the Oten Pass client-side handling of biometric data (device permissions, local authentication, and watermarking), see the [Oten Pass Privacy Policy, Section 5.](https://docs.oten.com/pass-privacy-policy#id-5.-biometric-data-processing)

### 3. How We Use Personal Data

#### 3.1 Purpose of Data Processing

We process personal data solely to provide, secure, and improve Oten IDP, following principles of transparency, purpose limitation, and data minimization. We will not use your data for purposes incompatible with those stated in this Policy without your prior consent.

#### 3.2 Identity Verification and Account Management

* Create and maintain Oten IDP accounts provisioned by organizations;
* Authenticate users to Oten and to third-party applications;
* Manage profile settings, preferences, and remembered consents;
* Provide customer support and communicate about service changes.

#### 3.3 Authentication, MFA, and Single Sign-On

* Verify credentials and cryptographic assertions (e.g., Passkey/WebAuthn);
* Issue and validate OAuth/OIDC tokens;
* Enforce SSO, session continuity, and logout;
* Support multi-factor authentication.

#### 3.4 Security, Fraud Prevention, and Threat Detection

* Detecting suspicious or anomalous sign-in patterns;
* Preventing credential stuffing, brute force attempts, and token abuse;
* Monitoring service health and error conditions;
* Investigating and remedying security incidents.

#### 3.5 Enterprise Administration Features

* Operate admin consoles and apply role-based access controls;
* Record administrative actions for accountability and audit;
* Support billing and subscription management;
* Provide usage summaries to authorized administrators.

#### 3.6 Aggregated, De-Identified Service Improvement

We analyze aggregated and/or de-identified metrics to improve reliability, performance, and security of Oten IDP. These analyses do not identify individuals and are not used for advertising.

#### 3.7 Compliance with Legal Requirements

We may process and preserve data to comply with applicable laws, enforce our Terms of Service, and protect rights, safety, and property of Oten, our users, and third parties.

#### 3.8 No Use for Advertising or Behavioral Profiling

We do not use personal data for targeted advertising, behavioral profiling, or the creation of marketing profiles. We do not sell, rent, or trade personal data to any third party for their marketing purposes. This applies across all Oten IDP services and all user categories.

#### 3.9 Automated Processes and User Control

We employ automated systems for authentication, token validation, and abuse prevention. These systems may prompt for additional verification steps but do not make automated decisions with significant legal or similarly significant effects on users without providing an opportunity for human review or user action. Users may contact their organization administrator or Oten support to request human review of any automated action.

### 4. Data Sharing and Disclosure

#### 4.1 General Principle

We only share personal data where necessary to provide our services, comply with legal obligations, or where the user has explicitly consented. We do not sell, rent, or share personal data for advertising purposes.

#### 4.2 Sharing Based on User Consent

* Users are presented with a Consent Screen clearly identifying the application requesting access and the specific information fields requested;
* We only share the data fields the user has explicitly approved on the Consent Screen;
* Users may revoke previously granted consents at any time through their account settings;
* We will seek separate, explicit consent before sharing any sensitive categories of personal data.

#### 4.3 Sharing with Service Providers (Sub-Processors)

We may engage third-party sub-processors to host, store, process, or secure data on our behalf. All sub-processors are bound by written Data Processing Agreements (DPAs) that:

* Prohibit use of personal data beyond the defined service scope;
* Require implementation of appropriate technical and organizational security measures;
* Impose confidentiality obligations on their personnel;
* Require notification to Oten in the event of a security incident involving Oten data.

A current list of our sub-processors is available upon written request submitted to <dpo@oten.com>.

#### 4.4 Sharing with Third-Party Applications via SSO

When you use "Sign in with Oten," we share only the authentication assertions and profile attributes you have approved on the Consent Screen. Third-party applications do not receive backend access to your Oten IDP account, credentials, or any data not explicitly authorized.

#### 4.5 Cross-Border Data Transfers

Personal data may be processed or stored in data centers in different regions to support our operations across Southeast Asia and the Middle East. Where personal data is transferred across international borders, we apply the following safeguards:

* Standard Contractual Clauses (SCCs) issued or recognized by the relevant supervisory authority, where applicable;
* Contractual and technical safeguards requiring the receiving party to maintain equivalent data protection standards;
* Compliance with the requirements of the UAE Federal Decree-Law No. 45 of 2021 for transfers involving UAE personal data;
* Compliance with applicable transfer requirements under Singapore PDPA, Thailand PDPA, Indonesia UU PDP, Malaysia PDPA, and Philippines Data Privacy Act, as applicable to the specific data transfer.

We do not currently offer customer-selectable data residency. Organizations with specific residency requirements should contact us at <dpo@oten.com> to discuss available options.

#### 4.6 Legal Compliance and Protection of Rights

We may disclose personal data to comply with valid legal obligations, court orders, or lawful governmental requests. We will:

* Review each request to verify its legal validity and scope;
* Limit disclosure to the minimum data legally required;
* Notify the affected organization unless prohibited by law or court order.

#### 4.7 Business Transactions

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of Oten's assets, personal data may be transferred to the successor entity. We will provide affected organizations and users with reasonable advance notice before personal data becomes subject to a materially different privacy policy, and will ensure the successor entity provides equivalent data protection.

#### 4.8 No Sharing for Advertising or Profiling

We do not sell or rent personal data to third parties. We do not share data with data brokers or advertising networks. We do not create marketing or behavioral profiles from Oten IDP user data. This applies without exception to all user categories including end-users, enterprise administrators, and developers.

#### 4.9 Scope Limitation

Certain commercial, billing, or application publishing functions are provided through the Oten Developer Portal, a separate product with its own Terms and Privacy Policy. This Policy applies exclusively to Oten IDP.

### 5. How We Store and Secure Information

#### 5.1 Storage

We store personal data on reputable cloud infrastructure across various regions, applying consistent privacy and security controls regardless of storage location. All storage infrastructure is subject to the sub-processor requirements described in Section 4.3.

#### 5.2 Technical and Organizational Safeguards

* Encryption of data in transit (TLS 1.2 or higher) and at rest using industry-standard algorithms;
* Access controls based on least-privilege principles and role-based permissions, with regular access reviews;
* Network and application safeguards including environment segregation, web application firewalls, and protective monitoring;
* Logging and monitoring to detect and alert on suspicious or anomalous activity;
* Vulnerability management program including regular security testing and penetration testing;
* Secure development lifecycle practices including change management, code review, and peer review;
* Employee and contractor safeguards including written confidentiality obligations, role-appropriate access provisioning, and mandatory security awareness training.

#### 5.3 Protection of Credentials and Tokens

We do not store passwords in plain text. All passwords are stored using strong, salted hashing algorithms. Where Passkeys/WebAuthn are used, we rely on public-key cryptographic proofs and do not receive or store raw biometric data from the device.

#### 5.4 Third-Party Service Providers

Service providers acting as sub-processors operate under written DPAs that prohibit use of personal data for their own purposes, require appropriate technical security measures, and impose confidentiality obligations consistent with this Policy.

#### 5.5 Security Incident Notification

We maintain documented processes to identify, assess, contain, and respond to security incidents. In the event of a personal data breach:

* We will notify the relevant supervisory authority within 72 hours of becoming aware, where required by applicable law;
* We will notify affected organizations without undue delay so they can fulfill their obligations to affected individuals;
* We will provide organizations with the information necessary to assess the impact and take appropriate protective action;
* We will cooperate fully with any investigation by competent supervisory authorities.

#### 5.6 Data Retention and Secure Deletion

When data reaches the end of its retention period or is subject to a deletion request, we follow a secure deletion process to ensure data is removed from active systems. Residual copies may persist in encrypted backups for a limited time before being overwritten in accordance with our backup rotation schedule. See Section 6 for full retention schedules.

#### 5.7 Your Role in Protecting Your Account

You should use strong, unique credentials; enable multi-factor authentication; keep devices and applications up to date; regularly review connected applications and consents; and notify us immediately at <contact@oten.com> if you suspect unauthorized access to your account.

### 6. Data Retention

#### 6.1 General Retention Principles

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, to provide our services, and to comply with applicable legal obligations. Because Oten IDP serves enterprise organizations in a B2B context, Your Organization (as Data Controller) has authority over retention configurations for member data within the scope permitted by applicable law. Oten retains data according to Your Organization's instructions, subject to the minimum and maximum periods described in this Section.

<table data-header-hidden><thead><tr><th valign="top"></th></tr></thead><tbody><tr><td valign="top"><em>Planned feature: Oten IDP will introduce Organization-level Data &#x26; Privacy controls, allowing Org Admins to configure retention periods for activity logs, determine what data is shared with integrated applications, and manage deletion schedules for member data. This section will be updated when those controls become available.</em></td></tr></tbody></table>

#### 6.2 Account Archival and the Grace Period

When an Organization Administrator archives a member account (available today via the Oten IDP Admin Console), the following sequence applies:

* Immediate effect: The account is archived instantly. The member can no longer sign in or use Oten-connected services. The account is hidden from active directory views but is not yet permanently deleted.
* Grace period — 30 days: For 30 days following archival, the account remains recoverable. The Organization Administrator or the affected member may initiate account restoration through the Recover Account flow within this window. All personal data and activity history are preserved during this period.
* Purge on day 31: If no restoration is initiated, Oten automatically purges all Personally Identifiable Information (PII) associated with the account on the 31st day. Active sessions, tokens, passkeys, Biometric Templates, and profile data are permanently and irreversibly deleted.
* Post-purge: After purge, Oten retains only pseudonymized audit data (e.g., anonymized event records with no linkable identity) for security, compliance, and accountability purposes. This data cannot be used to identify the former member.

<table data-header-hidden><thead><tr><th valign="top"></th></tr></thead><tbody><tr><td valign="top"><em>Important distinction: 'Archival' means access is suspended and data is preserved for potential recovery. 'Purge' means PII is permanently deleted and cannot be recovered. Organizations should communicate this distinction to members before initiating archival.</em></td></tr></tbody></table>

#### 6.3 Retention Periods by Data Category

* User Account and Profile Information: Retained while the account is active. Purged on day 31 following account archival as described in Section 6.2.
* Authentication and Security Credentials (session tokens, passkey public keys, OTP secrets): Active credentials are retained only for the duration required for session and authentication integrity. Expired tokens are automatically invalidated. Credentials are purged as part of the account purge cycle (Section 6.2).
* Activity Logs and Security Event Records: Retained for the period configured by Your Organization. Where Your Organization has not configured a specific retention period, Oten retains activity logs for the period required under applicable compliance obligations of the relevant jurisdiction. Pseudonymized audit records are retained beyond the account purge for security and compliance purposes as described in Section 6.2.
* Facial Video Recordings (received from Oten Pass): Stored for a maximum of 90 days from their creation date. Permanently and irreversibly deleted on the 91st day, with no possibility of recovery. This applies regardless of account status.
* Biometric Templates (Biometric Vectors): Permanently deleted 90 days from their creation date, regardless of account status or organizational configuration.
* Consent Records: Retained while the consent is active. Upon revocation, the revocation event is recorded and retained for the applicable legal limitation period for accountability purposes.
* Billing and Transactional Records: Retained in accordance with applicable financial, tax, and accounting regulations of the relevant jurisdiction.

#### 6.4 Legal and Regulatory Retention Obligations

We may retain certain data beyond the standard periods above where required by applicable law, court order, or regulatory requirement. In such cases, retained data is segregated from active systems and access is restricted to personnel with a documented legitimate need.

#### 6.5 Backup Copies

Residual copies of deleted data may temporarily remain in encrypted backup archives maintained for business continuity purposes. These backups are subject to the same access controls as live data. Backup archives are overwritten on a regular rotation cycle. During this period, the data within backups is not accessible for operational use and is not restored except in a declared business continuity event.

#### 6.6 Post-Purge Confirmation

Upon request, Oten will provide Your Organization with written confirmation that account data purge has been completed in accordance with Section 6.2, subject to the backup timeline described in Section 6.5.

### 7. How You Can Access and Control Your Information

#### 7.1 User Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

* Right of access – to obtain confirmation of whether we process your data and to receive a copy;
* Right to rectification – to correct inaccurate or incomplete personal data;
* Right to erasure – to request deletion of your data where it is no longer necessary or where consent has been withdrawn;
* Right to restriction – to restrict processing in certain circumstances;
* Right to data portability – to receive your data in a structured, commonly used, machine-readable format;
* Right to withdraw consent – at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
* Right to manage consents – to review and revoke authorizations granted to third-party applications;
* Right to object – to processing based on legitimate interests.

#### 7.2 Accessing and Updating Your Information

You may review and update your profile information at any time via your Oten account dashboard. Certain changes to account configuration, role assignments, or organizational settings must be requested through your organization's administrator.

#### 7.3 Managing Authentication and Consent

You may review and revoke previously granted permissions to third-party applications at any time via the Connected Applications section of your account settings. Revocation takes effect immediately and prevents further token issuance to the revoked application.

#### 7.4 Account Archival and Deletion

Because accounts within Oten IDP belong to Your Organization, account archival and deletion must be initiated by Your Organization's Administrator. Members may not unilaterally delete their own Oten IDP account.

When an account is archived by an Org Admin:

* The account is suspended immediately — the member cannot sign in or access connected services;
* A 30-day grace period begins during which the account can be fully restored via the Recover Account flow;
* On day 31, if not restored, Oten automatically purges all PII associated with the account. This is permanent and irreversible;
* Pseudonymized audit records are retained after purge for compliance purposes and cannot be linked back to the former member.

See Section 6.2 for the full archival and purge sequence. Members who believe their account has been archived in error should contact their Organization Administrator.

#### 7.5 Administrator and Enterprise Controls

Identity and access configurations, including user provisioning, de-provisioning, and role assignments, are managed by organization administrators. Requests related to these configurations should be directed to your organization's administrator.

#### 7.6 Exercising Your Rights

To exercise any of the rights listed in Section 7.1, you may:

* Use the self-service tools available in your Oten account settings where applicable;
* Submit a request to your organization's administrator for matters under organizational control;
* Submit a request directly to Oten at <dpo@oten.com> for matters under Oten's control as Data Controller.
* Note: Biometric verification records (liveness videos and Biometric Templates) are governed by Your Organization and cannot be independently deleted by individual members. Deletion is automatic after 90 days. Requests for early deletion must be submitted through Your Organization's IT administrator.

We may request reasonable verification of your identity before processing a request. We will respond within the timeframe required by applicable law (e.g., 30 days under UAE PDPL, 30 days under Singapore PDPA, 30 days under Thailand PDPA).

#### 7.7 Support and Escalation

All users — including members — may contact Oten for general support inquiries, technical issues, or questions about how data is processed, at <contact@oten.com>.

For data rights requests specifically: because member accounts are owned and controlled by Your Organization, requests relating to account data, activity logs, account archival, or account restoration must be directed to Your Organization's administrator. Oten does not override organizational decisions on member accounts.

If you have submitted a data rights request to Your Organization's administrator and have not received a response within 30 days, you may notify Oten at <dpo@oten.com>. Oten will follow up with Your Organization on your behalf. Oten cannot override Your Organization's authority as Data Controller, but will work to ensure your request is addressed appropriately.

#### 7.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the competent data protection supervisory authority in your jurisdiction. See Section 10 for jurisdiction-specific authority contact information. We encourage you to contact us first at <dpo@oten.com> to attempt to resolve any concerns directly.

#### 7.9 Limitations

Requests may be limited where: fulfilling the request would violate the rights of a third party; we are required by law to retain the data; the request would interfere with security measures or an ongoing security investigation; or the request is manifestly unfounded or excessive.

### 8. Cookies and Tracking Technologies

#### 8.1 Use of Cookies

Oten IDP uses cookies and similar tracking technologies on its web interface to support operation, security, and functionality. We do not use cookies for advertising or behavioral profiling.

#### 8.2 Types of Cookies

* Strictly Necessary Cookies: Required for the Services to function, including session cookies, CSRF protection tokens, and security identifiers. These cannot be disabled without impairing core functionality.
* Functional Cookies: Used to remember user preferences such as language settings and display options. Not essential to core authentication but improve the user experience.
* Analytics Cookies: Collect aggregated, anonymized data about Service usage to improve reliability and performance. No third-party advertising analytics are used.

#### 8.3 Cookie Retention

Session cookies expire when you close your browser. Persistent cookies remain for the period specified at the time of setting or until deleted by the user. You can manage cookie preferences through your browser settings.

#### 8.4 Third-Party Cookies

We do not permit third-party advertising networks to place cookies through our Services. Infrastructure provider cookies, where used, are strictly necessary and governed by sub-processor agreements described in Section 4.3.

#### 8.5 Your Choices

Disabling strictly necessary cookies will impair your ability to use Oten IDP Services. Non-essential functional and analytics cookies may be managed or opted out of through your browser settings without affecting core authentication functionality.

### 9. Our Policy Towards Children

#### 9.1 Eligibility

Our Services are not intended for individuals under the age of 13 (or a higher minimum age where required by applicable local law, such as 16 in certain jurisdictions). We do not knowingly collect personal data from children below the applicable minimum age.

#### 9.2 Unintentional Collection

If we discover or are notified that we have unintentionally collected personal data from a child below the applicable minimum age, we will: immediately suspend access to the relevant account; take prompt steps to securely delete all associated personal data; notify the relevant organization administrator; and, where required by law, notify the relevant supervisory authority.

#### 9.3 Organizational Responsibility

Organizations using Oten IDP are responsible for: ensuring compliance with child data protection regulations applicable in their jurisdiction; ensuring that only users meeting the minimum age requirement are provisioned accounts on Oten IDP; and obtaining any parental or guardian consent required under applicable law before provisioning accounts for minors above the minimum age threshold.

#### 9.4 Biometric Data and Age

Organizations are responsible for ensuring compliance with applicable laws regarding biometric data collection for users of any age in their jurisdiction. This includes obtaining any additional consent or parental authorization required under local law for users who may be considered minors. Oten does not independently verify the age of individual users provisioned by Organizations — this responsibility rests with the Organization as Data Controller.

### 10. Regional Disclosures

This Chapter provides additional privacy information and rights specific to users in regions with applicable data protection legislation. In the event of any conflict between a regional disclosure in this Chapter and the general provisions of this Policy, the regional disclosure shall prevail to the extent required by applicable law.

### 11. Changes to This Policy and Contact Information

#### 11.1 Policy Changes

We may update this Privacy Policy to reflect changes in our services, business practices, or applicable legal requirements. We are committed to the following principles when making changes:

* We will not reduce your rights under this Policy without your prior explicit consent;
* We will always indicate the effective date of the current version at the top of this Policy;
* We maintain an archive of previous versions available upon request at <dpo@oten.com>.

#### 11.2 Notification of Material Changes

For material changes — meaning changes that significantly affect your rights or the way we process your data — we will provide advance notice by at least one of the following methods:

* Email notification to registered organization administrators at least 30 days before the change takes effect;
* Prominent notice displayed on the Oten IDP dashboard prior to the change taking effect;
* In-product alert upon login during the notice period.

For non-material changes (e.g., clarifications, corrections, or administrative updates), we will update the effective date and publish the revised Policy without individual notice.

#### 11.3 Contact Information

Oten Switzerland GmbH

Blegistrasse 15, 6340 Baar, Zug, Switzerland

General enquiries: <contact@oten.com>

Phone: +41 77 291 61 22

For account-related issues or data rights requests under organizational control, please also contact your Organization's IT administrator.

You also have the right to lodge a complaint with the competent data protection supervisory authority in your jurisdiction. See Section 10 for jurisdiction-specific authority information.
