Ottu Privacy Policy
Last Updated: 11 Jan 2026
1. Introduction
This Privacy Policy explains how Ottu ("we," "our," or "us") collects, uses, protects, and shares information when you interact with our services.
Ottu provides a merchant payment enablement and payment orchestration platform that allows merchants to connect their own merchant IDs (MIDs) with multiple payment gateways and manage payment flows. Ottu does not act as a merchant of record and does not receive, hold, or transfer funds on behalf of merchants or their customers.
In addition, Ottu offers a dedicated PCI DSS Level 1 certified payment gateway component ("OttuPG"), which merchants may use to securely process cardholder data (CHD) and benefit from payment industry security standards.
We are committed to maintaining the highest levels of transparency, privacy, and data security across all our services.
2. Scope of This Policy
This Privacy Policy applies to:
● The Ottu merchant payment enablement and orchestration platform (including dashboards and APIs)
● The OttuPG PCI DSS Level 1 payment gateway component
● Any related applications, SDKs, iframes, APIs, dashboards, websites, documentation, or integrations provided by Ottu
This policy does not apply to third-party payment gateways, acquiring banks, or external services integrated through Ottu. Those entities operate under their own privacy and security policies.
3. Our Role in the Payment Flow
To clarify Ottu's role in the payment ecosystem:
● Direct merchant–acquirer relationship. Merchants contract directly with their acquiring bank(s) or payment service providers and obtain their own Merchant IDs (MIDs). Ottu provides the technology to connect these MIDs to the merchant's online channels.
● No funds held by Ottu. Ottu does not receive, hold, or transfer funds on behalf of merchants or cardholders. Funds flow directly between the merchant and their acquiring bank or payment service provider.
● Technology and compliance enablement. For payment transactions, Ottu acts as a technical service provider and, where applicable, as a data processor on behalf of the merchant, who remains responsible as the data controller for the transaction.
4. Information We Collect
Ottu is designed with strong security and data-protection practices. We collect only the information necessary for the reliable operation, support, and improvement of our services, and to meet our legal and regulatory obligations.
4.1. Merchant and Business Information
We may collect information about merchants and their business contacts, including:
● Business name, contact person's name, and professional contact details (email, phone number)
● Billing, invoicing, and contractual information
● Technical configuration details required for integration with payment gateways and other services
4.2. Platform Users (Merchant Staff)
When individuals use our dashboards, portals, or admin interfaces on behalf of a merchant, we may process:
● Name, business email address, and role or permissions within the merchant account
● Account credentials and authentication data (such as password hashes, 2FA configuration, and access logs)
● Actions taken within the platform (e.g., configuration changes, payout settings, user management) for security and audit purposes
4.3. Cardholders and End Customers
When a merchant uses Ottu to process payments, we may process, on the merchant's behalf, information about their customers (cardholders), such as:
● Name, email address, and phone number (if provided by the merchant)
● Billing and shipping address details (if applicable)
● Order identifiers, transaction amounts, currency, and related order or cart metadata
● Payment status and gateway responses
For cardholder data (CHD) such as card numbers and security codes, see "Payment Information (OttuPG Only)" below.
4.4. Technical and Operational Data
We may collect technical and operational data generated when you use our services, including:
● IP addresses, device information, and browser metadata
● System logs, performance diagnostics, and error reports
● Integration events and service usage analytics
● Security-related
4.5. Payment Information (OttuPG Only)
For merchants using the orchestration platform without OttuPG, Ottu processes only the data required by the selected payment gateways.
For merchants using OttuPG, the following may be processed within our PCI DSS Level 1 certified environment:
● Cardholder data (CHD) required to execute payment transactions, such as card number, expiry date, and security code (CVV/CVC)
● Transaction metadata and identifiers
● Payment status, gateway responses, and risk or fraud-related signals (where applicable)
All CHD is handled exclusively within the PCI DSS Level 1 certified infrastructure of OttuPG and is never stored or accessible outside the PCI DSS-controlled zone.
4.6. Data Subject Rights
Individuals whose personal data we process have certain rights in relation to their personal data, subject to applicable data protection laws. These rights may include:
● Right to Rectification: The right to request correction of inaccurate or incomplete personal data.
● Right to Erasure: The right to request deletion of your personal data where there is no lawful basis for continued processing.
● Right to Restrict Processing: The right to request restriction of processing under certain circumstances.
● Right to Object: The right to object to processing of your personal data where such processing is based on legitimate interests or for direct marketing purposes.
● Right to Withdraw Consent: Where processing is based on consent, the right to withdraw such consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
● Right to Lodge a Complaint: The right to lodge a complaint with the relevant data protection authority if you believe your data protection rights have been infringed.
To exercise any of the above rights, individuals may contact us using the details provided in the Contact Us section of this Privacy Policy. We may require verification of identity before processing such requests, in accordance with applicable laws.
5. Legal Basis for Processing
Where data protection laws such as the GDPR apply, we process personal data based on the following legal grounds:
● Performance of a contract: to provide the services that merchants subscribe to, including operation of our platform and OttuPG.
Regarding roles:
● For most payment transactions and cardholder data, the merchant is the data controller, and Ottu acts as a data processor, processing personal data on the merchant's instructions.
6. How We Use Information
We use collected information to:
● Operate and maintain the Ottu platform and related services
● Provide secure and compliant payment services through OttuPG
● Configure, monitor, and optimize payment routing and integrations
● Improve system performance, reliability, and user experience
● Detect, prevent, and respond to security threats, abuse, or fraudulent activity
● Support merchants in troubleshooting integrations and technical issues
● Comply with applicable financial, regulatory, and data-protection requirements
We do not sell, rent, or trade your personal data with third parties.
7. Data Security
We implement industry-leading technical and organizational measures to safeguard all data entrusted to us, including:
● Encrypted communication channels (TLS/HTTPS)
● Network segmentation and hardened infrastructure
● Access controls based on least privilege and role-based access
● Continuous monitoring, logging, and threat detection
● Regular internal and external security audits and assessments
OttuPG Compliance
OttuPG is PCI DSS Level 1 certified, the highest standard for payment security globally. All cardholder data is processed strictly within this certified environment, following rigorous controls defined by international card scheme and PCI DSS requirements.
8. Data Retention
We retain information only for as long as needed to meet operational, legal, and regulatory obligations.
● Technical logs and diagnostic data may be retained for security, audit, and compliance purposes.
● Cardholder data processed through OttuPG is retained only for the period set by the PCI DSS process and required to complete the transaction, support chargebacks or disputes, and meet PCI DSS and scheme-related reporting obligations.
Once applicable retention periods expire, data is securely deleted in accordance with our data retention and destruction policies.
9. Sharing of Information
We may share personal data with:
● Payment gateways, acquiring banks, and payment processors selected by the merchant, for the purpose of executing payment transactions.
● Infrastructure and service providers who host our platforms, store data, provide logging, monitoring, email delivery, and security services.
We do not share cardholder data with third parties except as necessary to process transactions via PCI DSS certified and scheme-approved channels.
10. Use of Cookies and Tracking Technologies
Our services may use cookies, web beacons, and similar tracking technologies.
● On our public websites and documentation pages, we may use cookies and analytics tools to understand usage, improve content, and support marketing efforts (where permitted).
● On our merchant dashboards and payment pages, we use cookies primarily for session management and security, and do not use them to build marketing profiles of cardholders.
No tracking technologies collect cardholder data, full payment card numbers, or security codes.
11. Third-Party Services
Merchants may integrate external services or payment gateways through the Ottu platform. These third parties operate independently and are responsible for their own data-handling practices.
We encourage merchants to review the privacy and security policies of any third-party services they use.
Ottu is not responsible for the privacy practices, security measures, or content of third-party services.
12. Updates to This Policy
We may update this Privacy Policy as our services evolve or as legal requirements change. The "Last Updated" date at the top of this document will indicate the latest revision.
Your continued use of our services after any update constitutes acceptance of the revised Privacy Policy, to the extent permitted by applicable law.
13. Contact Us
If you have any questions or require further information regarding this Privacy Policy, please contact us at:
🌐 https://www.ottu.com