Privacy policy
1. Who We Are
Open Transaction Layer, Inc. ("OTL," "we," "us," or "our") is a Delaware non-stock nonprofit corporation that develops and promotes open protocol standards for coordinating onchain transactions. This Privacy Policy explains how we collect, use, and protect information when you visit our website at https://otl.network (the "Site").
For privacy-related inquiries, you may contact us at:
Email: legal@otl.network
Entity: Open Transaction Layer, Inc.
For purposes of the EU General Data Protection Regulation ("GDPR"), Open Transaction Layer, Inc. is the data controller responsible for the processing of personal data described in this Privacy Policy.
2. What Information We Collect
Our Site is informational in nature. We do not operate user accounts, login functionality, contact forms, or user-generated content submissions. Given this limited scope, the information we collect is minimal.
When you consent to analytics cookies, we collect anonymous usage data through Google Analytics, including pages visited, time spent on the Site, referral sources, general geographic region (country or city level), browser type and version, device type, operating system, and screen resolution. Google Analytics 4 does not log or store full IP addresses. No personal information such as your name, email address, or account identifiers is stored through analytics.
If you consent, Google Analytics places the following first-party cookies on your device:
- _ga — used to distinguish unique visitors. Persists for up to 2 years.
- _ga_* (container-specific) — used to maintain session state. Persists for up to 2 years.
If you decline cookies through our cookie preferences banner, no cookies are set and no data is transmitted to Google.
The Site provides a "reach out" email link as a contact mechanism. If you choose to send us an email, we will receive your email address, the content of your message, and any metadata your email client transmits (such as your name, if configured, and your IP address). We collect this information only because you have voluntarily initiated contact with us.
Our hosting provider generates standard access logs when you request pages from the Site. These logs contain your IP address, the date and time of your request, the CloudFront edge location that served your request, the HTTP method and URI path requested, HTTP status code, bytes transferred, referrer URL, and user-agent string. These logs are retained for no more than 30 days, after which they are automatically deleted. We use these logs solely for security monitoring, troubleshooting, and detecting abuse. We do not correlate log data with analytics data or attempt to identify individual visitors from log entries.
3. How and Why We Use Your Information
We process information for the following purposes:
We use Google Analytics to understand how visitors interact with the Site so that we can improve its content, structure, and performance. This processing is based on your consent, which you provide through our cookie preferences banner. Under the GDPR, the legal basis for this processing is Article 6(1)(a) (consent).
We use server logs to detect and respond to security threats, diagnose technical issues, and maintain the availability of the Site. Under the GDPR, the legal basis for this processing is Article 6(1)(f) (legitimate interests), specifically our interest in maintaining a secure and functioning website.
If you contact us via email, we use the information you provide to respond to your inquiry. Under the GDPR, the legal basis is Article 6(1)(f) (legitimate interests), namely our interest in communicating with individuals who reach out to us, or Article 6(1)(b) (pre-contractual steps) if your inquiry relates to participation in the initiative.
4. Cookie Preferences
When you first visit the Site, a cookie preferences banner will appear, giving you the choice to accept or decline analytics cookies. Cookies are categorized as follows:
- Strictly Necessary. The Site does not currently use strictly necessary cookies. No cookies are set unless you affirmatively consent to analytics.
- Analytics / Performance. Google Analytics cookies (_ga, _ga_*) are placed only if you click "Accept" on the cookie preferences banner. These cookies help us understand aggregate visitor behavior. They do not identify you personally.
You may change your cookie preferences at any time by clicking the "Cookie Preferences" link in the Site footer. If you decline analytics cookies, or later withdraw your consent, no tracking data is sent to Google and no cookies are placed or retained on your device. You may also control cookies through your browser settings or by installing the Google Analytics Opt-Out Browser Add-on.
5. Third-Party Services
We use Google Analytics 4, a web analytics service provided by Google LLC ("Google"). Google processes analytics data on our behalf in accordance with its data processing terms. Google may transfer data to servers in the United States. Google participates in the EU-U.S. Data Privacy Framework. For more information about how Google handles data, please review Google's Privacy Policy and the Google Analytics safeguards page.
The Site is hosted on AWS infrastructure, specifically Amazon CloudFront and Amazon S3. AWS acts as an infrastructure provider and, where CloudFront access logging is enabled, as a data processor for limited technical data (IP addresses and request metadata contained in access logs). AWS processes this data in accordance with the AWS Data Processing Addendum, which is incorporated into the AWS Service Terms and includes Standard Contractual Clauses for international data transfers. AWS maintains ISO 27001, ISO 27017, ISO 27018, and SOC 1/2/3 certifications. For more information, see AWS's privacy practices and the list of AWS sub-processors.
The Site may contain links to websites operated by our partners, members, or other third parties. We are not responsible for the privacy practices or content of those external websites. We encourage you to review the privacy policies of any third-party site you visit. A link from the Site does not imply endorsement of, or responsibility for, the linked site's practices.
6. Data Sharing
We do not currently sell, rent, or share personal data with partners, members, or other third parties for their own marketing or commercial purposes.
We may share limited data in the following circumstances:
- Service Providers. We may share data with third parties that perform functions on our behalf, such as service providers and vendors that host or operate our Site, analyze data, store data on our behalf, or for other data processing.
- Legal Obligations. We may disclose information if required to do so by law, regulation, legal process, or governmental request.
- Protection of Rights. We may disclose information where we believe it is necessary to protect the rights, property, or safety of OTL, our users, or the public.
We reserve the right to share data with partners or members in the future to the extent permitted by applicable law. If we materially expand our data-sharing practices, we will update this Privacy Policy and, where required by law, provide you with appropriate notice or obtain your consent before any such sharing takes effect.
7. Data Retention
- Analytics Data. Google Analytics data retention is configured at 14 months, after which event-level data associated with users is automatically deleted from Google's servers. Aggregated reporting data (which cannot identify individuals) may be retained indefinitely.
- Server Logs. Access logs are retained for a maximum of 30 days, after which they are automatically purged. Aggregated or anonymized data derived from logs (such as total request counts per page) may be retained indefinitely but cannot identify individual visitors.
- Email Correspondence. If you contact us by email, we retain your correspondence for as long as reasonably necessary to address your inquiry and for our legitimate record-keeping purposes, unless you request deletion.
8. International Data Transfers
Open Transaction Layer, Inc. is incorporated in the State of Delaware, United States. The Site is hosted using AWS infrastructure, specifically Amazon CloudFront (a content delivery network) serving content from an Amazon S3 storage origin located in the United States (us-east-1, N. Virginia).
Amazon CloudFront delivers Site content from a global network of over 750 edge locations across 50+ countries, including locations within the European Economic Area ("EEA"). When you visit the Site, static content is typically served from the edge location nearest to you. If the requested content is not cached at that edge location, CloudFront retrieves it from the S3 origin in the United States.
If enabled, CloudFront access logs containing your IP address, request timestamp, edge location identifier, and user-agent string are stored in an S3 bucket in the United States.
If you consent to analytics cookies, Google Analytics processes usage data on Google's infrastructure, which may include servers in the United States. Google participates in the EU-U.S. Data Privacy Framework and relies on Standard Contractual Clauses as an additional transfer mechanism. For more information, see https://policies.google.com/privacy/frameworks.
Where personal data is transferred outside the EEA, we rely on the following mechanisms to ensure adequate protection: (a) the EU-U.S. Data Privacy Framework, under which both Google LLC and Amazon.com, Inc. are certified; and (b) Standard Contractual Clauses incorporated into the AWS Data Processing Addendum and Google's data processing terms, both of which apply automatically under their respective service terms and include the European Commission's 2021 Standard Contractual Clauses.
If you decline analytics cookies, the only data that may be transferred to the United States is the technical routing of your HTTP request through CloudFront infrastructure (which typically occurs at the edge location nearest to you) and, if CloudFront logging is enabled, the resulting access log entry.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — You may request confirmation of whether we process your personal data and obtain a copy of that data.
- Rectification — You may request correction of inaccurate personal data.
- Erasure — You may request deletion of your personal data where there is no compelling reason for its continued processing.
- Restriction — You may request that we restrict processing of your personal data in certain circumstances.
- Data Portability — You may request a copy of your personal data in a structured, machine-readable format.
- Objection — You may object to processing based on legitimate interests.
- Withdraw Consent — Where processing is based on consent (e.g., analytics cookies), you may withdraw consent at any time by adjusting your cookie preferences. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Lodge a Complaint — You have the right to lodge a complaint with a supervisory authority in your member state of residence.
- Right to Know — You may request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete — You may request deletion of personal information we have collected from you.
- Right to Opt Out — You have the right to opt out of the "sale" or "sharing" of personal information. We do not sell personal information. You may opt out of analytics data collection by declining cookies.
- Non-Discrimination — We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, please contact us at legal@otl.network. We will respond to verifiable requests within the timeframes required by applicable law (generally 30 days under GDPR; 45 days under CCPA).
10. Children's Privacy
The Site is not directed at children under the age of 16, and we do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information promptly.
11. Do Not Track / Global Privacy Control
Some browsers transmit "Do Not Track" (DNT) or Global Privacy Control (GPC) signals. If you decline cookies through our cookie preferences banner, our Site does not set analytics cookies or transmit data to Google regardless of any DNT or GPC signal. We honor GPC signals as a valid opt-out request where required by applicable law (including under the CCPA).
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the functionality of the Site. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this Privacy Policy periodically. Your continued use of the Site after any update constitutes your acknowledgment of the revised policy, except where applicable law requires us to obtain your renewed consent, in which case we will do so before implementing the relevant changes.
13. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:
Open Transaction Layer, Inc.
Email: legal@otl.network
© 2026 Open Transaction Layer, Inc. All rights reserved.