Last updated: May 2026 · Version 1.0
OTensity (Pty Ltd, ABN: [TO BE INSERTED]) operates the OTensity NIS2 OT compliance platform at otensity.com. We are the data controller for personal data collected through our marketing website and the data processor for personal data entered by customers into the platform.
Contact: hello@otensity.com
EU Representative: To be appointed under GDPR Article 27.
Account and profile data: full name, work email address, job title, organisation name, sector, EU jurisdictions, role, and whether you are a management body member under NIS2 Article 20.
Compliance assessment data: NIS2 assessment answers and scores, compensating control justification documents, incident reports, audit evidence, remediation tasks, supplier information, training records, and management approval records.
Usage data: login timestamps, session duration, pages accessed, AI assistant queries (not stored beyond the session), and API usage.
Technical data: IP address (security and fraud prevention only), browser type, device type.
Payment data: processed by Stripe. We receive only a payment reference and subscription status.
Providing the platform: Contract (Article 6(1)(b))
GDPR compliance obligations: Legal obligation (Article 6(1)(c))
Security and fraud prevention: Legitimate interests (Article 6(1)(f))
Platform improvement and benchmark data: Legitimate interests (Article 6(1)(f))
Marketing communications: Consent (Article 6(1)(a))
We use your data to provide, operate, and improve the platform; generate NIS2 compliance assessments and documents; provide AI-powered compliance guidance; send service notifications and regulatory updates; process subscription payments; fulfil GDPR data subject requests; compile anonymised sector benchmark statistics; prevent fraud and unauthorised access; and respond to support requests.
All customer data is stored exclusively in the European Union — Frankfurt, Germany, using Supabase (AWS eu-central-1 region).
Security measures consistent with NIS2 Article 21 and GDPR Article 32 include: encryption at rest and in transit (TLS 1.3), row-level security enforcing strict data isolation between organisations, multi-factor authentication (TOTP), access logging and audit trails, and regular security assessments.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
Service providers: Supabase (database, EU Frankfurt), Vercel (application hosting, EU Frankfurt), Anthropic (AI processing, queries not stored), Stripe (payment processing, payment data only), Resend (email delivery, email address and content only).
Legal requirements: We may disclose data if required by law or court order and will notify you where legally permitted.
Business transfers: In the event of a merger or acquisition, data may be transferred under equivalent privacy protections.
OTensity is operated from Australia, which does not have an EU adequacy decision under GDPR Article 45. Personal data transfers from the EU to Australia are conducted under Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission under Decision 2021/914, and under legitimate interests for operational access by OTensity personnel for platform support and maintenance.
AI queries are processed by Anthropic (United States) under Standard Contractual Clauses.
Copies of our Standard Contractual Clauses are available on request at hello@otensity.com.
Account data: duration of subscription + 30 days
Compliance assessment data: duration of subscription + 30 days
Incident reports: duration of subscription + 30 days
Anonymised benchmark data: indefinitely (no personal data)
Payment records: 7 years (legal obligation)
Security logs: 12 months
Email communications: 2 years
After the retention period, data is permanently and irreversibly deleted from all systems.
Right of access (Article 15): Request a copy of all personal data we hold about you.
Right to rectification (Article 16): Request correction of inaccurate data.
Right to erasure (Article 17): Request deletion of your personal data. We will delete within 30 days.
Right to restriction (Article 18): Request restriction of processing in certain circumstances.
Right to data portability (Article 20): Receive your data in machine-readable JSON format.
Right to object (Article 21): Object to processing based on legitimate interests.
Right to withdraw consent: Where processing is based on consent, you may withdraw at any time.
Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory authority.
To exercise any of these rights, contact hello@otensity.com. We will respond within 30 days.
The OTensity platform uses only essential cookies required for authentication and session management. We do not use tracking, analytics, or advertising cookies. No consent banner is required.
We may update this Privacy Policy with at least 14 days' notice before significant changes take effect. Continued use constitutes acceptance.
For privacy enquiries, data subject requests, or concerns:
Email: hello@otensity.com
Subject line: Privacy / GDPR Request
We aim to respond within 5 business days and fulfil requests within 30 days as required by GDPR.