Privacy Policy
1. Information We Collect
OwlGrid ("OwlGrid", "we", "us", or "our") collects information necessary to provide and secure our verification infrastructure services. When you use our API, we collect:
- Verification Metadata: the recipient's phone number (encrypted at rest — see Section 3), the delivery channel used (WhatsApp, SMS, or Telegram), delivery status, and timestamps.
- Account Information: your business name, contact email, and organization details for service management.
- Technical Logs: API request headers, IP addresses, and user-agent strings, used to monitor performance and prevent fraudulent activity.
We do not collect or store the content of the applications using our API — only the metadata required to route and verify one-time-passcode requests.
2. How We Use Your Information
We process personal data to provide, secure, and improve the OwlGrid verification service, in line with Egypt's Personal Data Protection Law No. 151 of 2020 ("Law 151/2020"), which is the primary law governing our processing of personal data for this Egypt-only service. Specific uses include:
- Routing and delivering one-time-passcodes on your behalf.
- Detecting and preventing fraud, abuse, and unauthorized access.
- Maintaining the security, availability, and integrity of our infrastructure.
- Complying with applicable legal and regulatory obligations.
3. Data Security and Encryption
We ground this section in how our systems are actually built:
- Phone numbers and provider secrets are encrypted at rest using AES-256-GCM. We never store a phone number in plain text.
- Phone number lookups (for deduplication and rate limiting) use a separate HMAC-SHA256 index key, so a phone number can never be recovered from the index alone.
- Verification codes (OTPs) are never stored in plain text. We hash each code with HMAC-SHA256 keyed by a server-side pepper, separate from both the phone number and account keys above.
- API keys are one-way hashed with SHA-256 and shown to you in full only once, at creation.
- Account passwords are hashed with Argon2id, an industry-standard password hashing algorithm.
WhatsApp channel disclosure: when a verification code is delivered over WhatsApp, it is sent through Meta's WhatsApp Cloud API. Meta decrypts messages on receipt in order to deliver them — the WhatsApp channel leg of delivery is therefore not end-to-end encrypted in the way personal WhatsApp messages between individuals are. See Section 7 for more on Meta's role as a sub-processor.
4. Data Retention
Verification codes have a short, project-configurable expiry window — 5 minutes by default, adjustable per project between 1 minute and 1 hour. Once a code expires or is successfully verified, it is no longer usable, regardless of how long the underlying record is retained for logging and fraud-prevention purposes.
This is independent of Meta's own retention. For messages delivered via the WhatsApp channel, Meta may retain message content on its own systems for up to 30 days, under Meta's own Cloud API data policies. That 30-day window is separate from, and not shortened or extended by, OwlGrid's own verification-code expiry above.
5. Your Rights
Under Egypt's Personal Data Protection Law No. 151 of 2020, you have the right to access, rectify, and request erasure of your personal data, and to object to certain processing. To exercise these rights, use our Data Deletion Instructions or contact us directly (Section 9).
6. Data Deletion
We provide a dedicated mechanism for requesting the erasure of your data from our systems. For step-by-step guidance, see our Data Deletion Instructions page.
7. Third-Party Providers
We work with the following delivery partners to route verification codes on your behalf:
- Meta (WhatsApp Cloud API): acts as a data processor / sub-processor for verification codes delivered over the WhatsApp channel. See Sections 3 and 4 for Meta's specific encryption and retention disclosures.
- Telegram Gateway: used for the Telegram channel. This integration is fully OwlGrid-managed — no customer credentials are shared with Telegram.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised policy on this page and updating the "Last updated" date above.
9. Contact Us
OwlGrid
Banafseg 4, Villa 161, New Cairo, Cairo Governorate, Egypt
For questions regarding this policy or our data practices, please contact our compliance team:
support@owlgrid.dev