Legal

Privacy Policy

Last updated: May 2026 · Effective immediately

Short version: OTPLink reads your emails locally in your browser to find OTP codes and sign-in links. Your emails are never sent to our servers, never stored, and never shared with anyone.

1. Who we are

OTPLink ("we", "our", "us") is a browser extension that automatically detects and fills one-time passwords (OTPs) and magic sign-in links from your email inbox. We are not affiliated with Google, Microsoft, or any email provider.

2. What data we access

To function, OTPLink requests read-only access to your Gmail and/or Outlook inbox via OAuth. Specifically, we request the minimum scopes needed to search for recent OTP and sign-in emails:

Gmail: gmail.readonly (read-only access to search and read email content)
Outlook: Mail.Read (read-only access to search and read email content)

We only query your inbox when you are on a page with an active OTP input field or sign-in form. We do not continuously monitor your inbox.

3. How we use your data

Email content accessed by OTPLink is used exclusively to:

Detect OTP verification codes in recent emails
Detect magic sign-in links in recent emails
Autofill the detected code or present the sign-in link on the active page

Email content is processed entirely within your browser. It is never transmitted to any OTPLink server, never logged, and never retained after the autofill action is complete.

4. Data storage

OTPLink stores the following data locally on your device using chrome.storage:

Your connected email address (to identify your account for API calls)
OAuth access tokens (stored in local device storage, never synced to our servers)
Your extension settings (e.g., auto-submit preference, toast notifications)

No email content, OTP codes, or sign-in links are ever stored.

5. Third-party services

OTPLink uses the following third-party APIs to access your inbox:

Google Gmail API, governed by Google's Privacy Policy
Microsoft Graph API, governed by Microsoft's Privacy Statement

We do not use any analytics, advertising, or tracking services. We do not sell or share your data with any third parties.

6. Permissions

OTPLink requests the following browser permissions:

Identity: to authenticate with Gmail/Outlook via OAuth
Storage: to save your settings and tokens locally
Active tab / scripting: to detect input fields and fill OTP codes on the current page
Host permissions for Gmail & Outlook APIs: to make authenticated API requests to your inbox

7. Revoking access

You can revoke OTPLink's access to your email at any time:

Gmail: Visit myaccount.google.com/permissions and remove OTPLink
Outlook: Visit account.microsoft.com/privacy/app-access and remove OTPLink

You can also disconnect your account from within the OTPLink extension settings at any time, which removes locally stored tokens from your device.

8. Children's privacy

OTPLink is not directed at children under the age of 13. We do not knowingly collect any information from children.

9. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. Continued use of OTPLink after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions or concerns about this Privacy Policy, please contact us at hello@otp-link.com.