Version 1.1 – Last Updated: July 15, 2025
1. Introduction
genOTC SAS is a French company headquartered at 80 impasse des Rippes, 73800 Chignin, France. We operate an advanced volatility calibration Software-as-a-Service (SaaS) platform with accompanying API integrations for financial markets. This Privacy Policy explains how genOTC collects, uses, stores, and discloses personal data when you interact with our website, request a demo, use our platform or APIs, or otherwise engage with our services. It also outlines your rights under applicable laws (including the EU General Data Protection Regulation, “GDPR”, and the California Consumer Privacy Act as amended by the CPRA, “CCPA”) and how we safeguard your information. By using genOTC’s website or services, you acknowledge that your personal data will be processed as described in this Policy.
Role of genOTC – Controller or Processor: genOTC acts as a data controller for the personal information described in this Privacy Policy – meaning we determine the purposes and means of processing your personal data in line with applicable laws. This covers data collected from our website visitors, demo requesters, and customers using our platform. However, when our customers upload or process personal data through our SaaS platform or API, genOTC acts as a data processor on behalf of the customer (who is the data controller). In such cases, we only process that data under the customer’s instructions and in accordance with our Data Processing Agreement (DPA) and GDPR requirements. This Privacy Policy does not cover personal data that our customers may input into our services; any such data is governed by the customer’s own privacy policies and our contractual agreements with them.
What is “Personal Data”? In this Policy, “personal data” (or “personal information”) means any information that relates to an identified or identifiable natural person. This includes information that alone, or combined with other data, can be used to identify you as a living individual (for example, your name or email address). Anonymous data that cannot be linked back to an individual (or is irreversibly anonymized) is not considered personal data. This Privacy Policy is designed to be comprehensive and transparent. If you have any questions about any part of it, please contact us (see Contact Details in Section 13).
2. Information We Collect
We collect personal data about you both directly (when you provide it to us) and indirectly (through automated technologies or from third parties). The categories of information we may collect include:
Information You Provide to Us: When you interact with genOTC, for example by filling out a demo request, contacting us via web forms, signing up for newsletters, creating an account on our platform, or communicating with us (by email, phone, or otherwise), you may give us personal data. This includes identifiers and contact details such as your name, business email address, phone number, job title, employer or organization name, and any other information you choose to share. If you are a customer or trial user of our platform, we will also collect any information needed to set up and maintain your account (such as username, password, and profile information). For example, if you request a demo or free trial, we will ask for your professional contact details and information about your organization’s needs to follow up on your request. If you communicate with us, we will collect the content of your messages or inquiries. We do not actively collect any special categories of sensitive personal data (such as data about health, race, religion, etc.), and we ask that you not provide such sensitive information to us.
Transactional and Service Data: If you become a paying customer, we will process information related to your subscription or purchases. This may include billing details, financial information (like payment card details or bank account information, though typically payments are handled via secure third-party processors), and records of invoices and payments. We also keep business records of our communications and agreements with you, such as contracts or orders.
Information Collected Automatically: When you visit our website or use our SaaS platform or APIs, we automatically collect certain technical information about your device and usage of our services. This includes your IP address, browser type and version, device identifiers, locale and language settings, and operating system. We also log information about your activity, such as the pages or screens you view, the features you use, the date and time of your visit, and how you interact with our site and platform. For example, our servers may record details about API calls or user actions on the platform for security, troubleshooting, and analytics purposes. We may use cookies and similar tracking technologies (discussed in Section 3 below) to collect some of this usage data. This information helps us understand how our services are used and to secure and optimize our platform.
Cookies and Analytics Data: Through cookies and third-party tools, we may collect additional data about your browsing behavior on our site or platform. For instance, we use analytics services (like Google Analytics 4) that gather data on site traffic and usage patterns (e.g., which pages you visit, how long you stay, how you reached our site). These tools may collect information such as your IP address, approximate location, device information, and onsite behavior, and they use cookies or similar identifiers to distinguish users. We configure such tools to respect applicable privacy regulations (for example, by anonymizing IP addresses where possible). We also utilize tools for customer relationship management systems (for managing contacts and tracking website forms or email engagement). These tools may set their own cookies to track user sessions and interactions after you consent to such tracking. Any analytics data collected is used in aggregate or pseudonymized form; we do not use this data to identify you directly without your knowledge.
Information from Third Parties: We may receive personal data about you from third-party sources in certain cases. For example, we might obtain business contact details from publicly available sources or data providers (such as professional social networks or lead enrichment services like Kaspr, Lusha, or Cognism) for sales and marketing purposes. This typically includes names, job titles, company info, and work email addresses of potential customers (prospects). We may also receive referrals or leads from our business partners or events (e.g., if you attend an event or webinar and consent to share your details with us). Additionally, if you interact with our social media pages or advertising, we may receive information from those platforms under their policies. If we receive your personal data from a third party, we will treat it in accordance with this Policy and applicable law. For California residents, please note this may be considered a “sale” of data under CCPA if the information was exchanged for valuable consideration; however, genOTC only collects such lead information for B2B marketing and does so in compliance with GDPR and CCPA (see Section 8 on your rights including opting-out of sale/sharing).
Job Applicants: If you apply for a job at genOTC (for example, by sending us your CV/résumé or via a careers page), we will collect the information you provide in your application (such as contact details, employment history, education, etc.) and any further information during the recruitment process. We will use this solely for managing our recruitment and hiring, under a separate applicant privacy notice if applicable.
We do not knowingly collect personal information from children. Our services are intended for business professionals in the financial sector and are not directed to minors. If you are under the age of 16 (or the age of majority in your jurisdiction), please do not use our site or services or provide any personal data. If we discover that we have inadvertently collected personal data from a child without appropriate consent, we will delete it. (See Children’s Privacy in Section 11 below for more.)
3. Cookies and Tracking Technologies
Cookies are small data files placed on your device (computer or mobile) when you visit websites. genOTC uses cookies and similar technologies (like web beacons, pixels, and local storage) to ensure our website and platform function properly, to remember your preferences, and to analyze how users interact with us. Cookies help us provide you with a tailored experience and facilitate certain features. For example, some cookies keep you logged in to your account or remember your language preferences, while others allow us to understand which parts of our site are most popular. We categorize our cookies and tracking technologies as follows:
- Strictly Necessary Cookies: These cookies are essential for the website or service to operate and cannot be disabled in our systems. They are usually only set in response to actions you take, such as logging in or filling out forms. Without these cookies, certain functions (like account login or security features) would not work. Because they are necessary for delivering our service, they do not require your consent.
- Analytics and Performance Cookies: These cookies collect information about how visitors use our site and platform, such as which pages are visited most often and if any error messages are encountered. We use this data to improve the performance and design of our services. For example, we use Google Analytics to help analyze site traffic and usage patterns. Any analytics cookies will only be set on your device with your consent, in compliance with applicable law. The information collected (e.g., page views, visitor IP address (which may be masked), device identifiers) is aggregated and not intended to personally identify you. We configure our analytics tools to respect privacy; for instance, Google Analytics may be set to retain data for a limited period and not to share it.
- Functionality Cookies: These enable enhanced functionality and personalization, such as remembering your preferences or pre-filling information. They may be set by us or by third-party providers whose services we have added to our pages (for example, if we embed a video player or chat widget, it might set cookies to remember your interactions). If you disable these cookies, some or all of these services may not function properly. These cookies typically require consent unless strictly necessary for a requested feature.
- Advertising and Marketing Cookies: genOTC currently does not host third-party ads on our site, but we may use marketing cookies or pixels to track the effectiveness of our own marketing campaigns. For example, we might use a LinkedIn Insight Tag or similar to understand how an ad we ran on LinkedIn performed, or to allow retargeting of our site visitors on that platform. These technologies may collect data about your visit (such as which page you visited and when) and can help us reach people who have shown interest in genOTC. Any such cookies/pixels are only deployed with your consent. We do not sell your personal data to third-party advertisers, and any marketing or advertising cookies are used solely to inform and improve our own marketing strategies.
When you first visit our website, you will see a cookie consent banner or pop-up that allows you to accept or reject non-essential cookies. You have the choice to accept all cookies, reject all non-essential cookies, or customize your preferences (e.g., only enable certain categories like analytics). Your consent choices will be remembered for future visits (though by law, we may refresh consent or ask you again after a set time period). In line with regulatory guidance, analytics and marketing cookies have a limited lifespan – we do not retain identifying cookie data longer than 13 months. After that, any persistent cookies expire unless you consent again. You can withdraw or modify your cookie consent at any time by using our cookie management tool (if available) or by clearing cookies in your browser settings. Most web browsers also allow you to block or delete cookies; please note that if you disable certain cookies, some features of our site or service might not function optimally.
In addition to cookies, we may use other tracking technologies in our email communications. For example, emails we send may contain a tiny image file or tracking link that allows us to detect when you have opened the email or clicked a link. We use this to gauge the effectiveness of our communications and to tailor follow-ups. You can disable image loading in your email client if you do not wish to be tracked in this way, or simply unsubscribe from our marketing emails if you prefer not to receive them.
For more detailed information about our use of cookies and tracking technologies, or to change your preferences, you can refer to our Cookie Policy or contact us with any questions. By choosing to use our site and consenting to non-essential cookies, you are agreeing to the use of cookies as described in this Policy.
4. How We Use Your Information (Purposes of Processing)
We use the personal data we collect for the following business purposes (in accordance with applicable data protection laws):
- Providing and Improving the Service: To deliver our SaaS platform and API services to you, maintain and support them, and to process transactions. For example, we use your information to create and manage user accounts, authenticate you when you log in, provide the functionality of our volatility calibration tools, and respond to your service requests. We also use data (especially usage and analytics data) to understand how our services are performing and to make improvements or develop new features. This includes debugging, troubleshooting, and securing the platform.
- Communicating with You: To respond to your inquiries, demo requests, and support tickets. If you ask us a question or request a demo of our platform, we will use your contact details to communicate with you and provide the requested information or assistance. We may also send administrative or transactional communications, such as confirmations, technical notices, updates, security alerts, and customer support messages. These communications are necessary for us to effectively serve you and are not promotional in nature.
- Marketing and Business Development: To inform you about new developments at genOTC, such as new products, services, events, or special offers that may be of interest (especially if you have requested a demo or are an existing customer). For instance, if you subscribe to our newsletter or if you are a prospect who we believe could benefit from genOTC’s solutions, we may send you marketing communications by email or phone. We will ensure any such outreach is done in compliance with applicable spam and privacy laws – for example, we will obtain your opt-in consent where required (such as for individuals in the EU for email marketing). You can always opt out of marketing communications (see Section 8 on Your Rights). We also use data to personalize or tailor our marketing – e.g., to send more relevant content based on your industry or indicate in marketing emails if you have shown interest in certain features. Important: genOTC does not sell your personal information to third parties for their own marketing. We may use third-party tools to assist in our marketing (for example, Active Campaign or Bigin by Zoho to send personalized outreach emails, or a CRM to track leads), but such processing is done under our instructions and on our behalf.
- Analytics and Product Research: To analyze trends, track the effectiveness of our marketing campaigns and advertising, and improve our website and services. We use analytics data (which is typically aggregated or pseudonymized) to understand user behavior and preferences. For example, we may analyze how users navigate our UI or where they encounter errors, in order to enhance user experience. We may also derive insights from feedback or usage patterns to guide our product development (for example, identifying which features are most used). These analyses help us make informed business decisions and improve our offerings for the benefit of our customers.
- Security and Fraud Prevention: To ensure the security of our website and platform, protect against unauthorized access, and reduce the risk of fraud. We may process data (like IP addresses, log-in attempts, and user activity logs) to monitor for suspicious or malicious activity and to detect, prevent, and investigate fraud, abuse, or security incidents on our platform. If we detect an issue, we might use personal data to mitigate it (e.g., blocking an IP address that appears to be attacking our servers) and to notify affected users or authorities as appropriate.
- Compliance with Legal Obligations: To comply with applicable laws, regulations, and lawful requests from authorities. This includes processing personal data where needed to fulfill tax and accounting obligations (e.g., keeping invoice records), to satisfy Know-Your-Customer (KYC) or other regulatory requirements if they apply in the context of our financial services offering, or to respond to court orders, law enforcement requests, or legal processes. For example, as a French company we must retain certain financial records for specific periods, and we may need to provide information to regulators or authorities upon proper request. We will only disclose what is necessary and as required by law (see Section 6 on Disclosures).
- Enforcing Our Rights and Agreements: To enforce our terms of service, contracts, and to protect our business operations. We may process and retain data as needed to handle any disputes or to investigate potential violations of our terms or this Policy. This can include using data to assert legal claims or defend against them.
- Other Purposes (with Notice to You): If we intend to use your personal data for any purpose materially different from the above, we will provide specific notice at the time of collection or before the new processing, and if required, obtain your consent. For example, if we ever wanted to process your data for a new analytics project or share it in a way not covered in this Policy, we would let you know and request permission as necessary.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals without human involvement. Any profiling we do (for instance, scoring leads in our CRM or segmenting customers by usage) is for internal analysis and does not result in automated decisions that affect your rights or status. If this changes in the future, we will update this Policy and inform you as required.
Legal Bases for Processing (GDPR): When we process personal data of individuals in the European Economic Area (EEA), United Kingdom, or other regions with similar laws, we do so under one of several legal justifications, as established by GDPR:
Contractual Necessity: Many processing activities are necessary to perform a contract or to take steps at your request prior to entering into a contract. For example, when you sign up for our platform, we must process your account data to provide the service; if you request a demo or quote, we process your info to arrange that. Without this data, we cannot fulfill our contractual obligations to you.
Legitimate Interests: We process certain data as needed for purposes of our legitimate interests (or those of third parties), provided such processing is not outweighed by your data protection rights. Our legitimate interests include delivering and improving our services, securing our platform, running our business efficiently, and communicating with our customers. For instance, using analytics to improve user experience, or using business contact information for B2B marketing to corporate clients may be based on legitimate interest. When we rely on this basis, we ensure we consider and respect your rights – you have the right to object to processing based on legitimate interests in certain cases (see Section 8).
Consent: In some cases, we rely on your consent to process personal data. This is particularly the case for optional activities such as sending you promotional emails (when required by law), or placing non-essential cookies on your device. Where we rely on consent, you have the right to withdraw it at any time (with effect going forward). For example, if you consent to receive our newsletter, you can unsubscribe later; if you consent to analytics cookies, you can change your mind via our cookie settings or browser controls. Withdrawing consent will not affect the lawfulness of processing done before the withdrawal.
Legal Obligation: Sometimes we must process data to comply with a legal obligation. For example, we may retain transaction records to meet financial reporting laws, or disclose information if required by a regulatory authority. In such cases, the law is the basis for processing, and we only process what is necessary for compliance.
Public Interest or Vital Interests: These bases are less likely to apply to our standard operations. We do not generally process data for official public interest tasks, and it’s unlikely we will need to process your data to protect someone’s “vital interests” (life or safety) except in extreme situations (e.g., an emergency involving a data subject).
We will normally identify the applicable legal basis for each processing activity at the time of collection or upon request. If you have questions about the specific basis for a particular use of your data, feel free to contact our Data Protection Officer (see Section 13).
CCPA Notice: For purposes of California law, the ways we use personal information as described above are business purposes under the CCPA (e.g., maintaining accounts, providing services, marketing our services, detecting security incidents, etc.). We do not use or disclose sensitive personal information (as defined in CPRA) for purposes that California law deems unrelated or incompatible with the provision of our services; any sensitive data we collect (if at all) is used only for necessary business services (for instance, login credentials are used for authentication). We do not use personal data for profiling or automated decision-making in a way that produces legal or similarly significant effects. Please also refer to Section 8 for the rights of California residents.
5. How We Share or Disclose Information
We understand the importance of keeping your personal data confidential. We do not sell your personal information to third parties for their own commercial use. However, in the normal course of operating our business and providing our services, we may disclose personal data to certain categories of recipients, as detailed below, only for the purposes described in this Privacy Policy or as permitted by law:
Service Providers and Partners: We share data with trusted third parties who perform services on our behalf, also known as processors or service providers. These include: cloud hosting providers (for example, the servers and data centers that host our platform and website), email delivery services, customer relationship management (CRM) software providers, analytics providers, customer support tools, and marketing platforms (such as email automation or sales outreach tools like Bigin by Zoho or Active Campaign). We only provide these partners the information that is necessary for them to carry out their tasks, and we contractually bind them to protect the data and use it solely for the agreed purpose. For instance, if we use a CRM like Bigin by Zoho to manage contacts, the personal data you provided (e.g., name, email, company) will be stored with that cloud service; if we use an email campaign tool to send newsletters, your email address and name will be processed by that tool to send the mail. These third parties are not allowed to use your data for their own purposes. genOTC conducts due diligence and enters into Data Processing Agreements (including Standard Contractual Clauses when applicable for cross-border transfers – see Section 7) with all such service providers to ensure they uphold privacy and security standards. (A list of our key sub-processors can be provided on request.)
Within Our Corporate Group: If genOTC is part of a group of related companies or has affiliates (e.g., subsidiaries, parent, or sister companies), we may share personal data within that corporate family as needed to operate our services and business. For example, if genOTC SAS has U.S.-based or other regional affiliates involved in service provision or support, your data might be accessible to them. Any internal transfers will follow an internal data protection policy and, if transferring outside of Europe, will be covered by appropriate safeguards (such as intercompany standard contractual clauses).
Business Transfers: In the event of a potential or actual corporate transaction such as a merger, acquisition, investment, reorganization, financing, bankruptcy, or sale of some or all of our business or assets, personal data may be disclosed or transferred to third parties (such as an acquiring entity and its advisors) as part of that transaction. We would seek to ensure that any such third party honors the privacy commitments we have made in this Policy. If a change in ownership or control of your personal data occurs, we will notify you where required (for example, if your personal data will be used in materially new ways, you will be given an opportunity to consent or opt out).
Legal Requirements and Safety: We may disclose personal information to courts, law enforcement, government authorities, or other third parties when we believe in good faith that such disclosure is necessary to comply with a legal obligation or request (such as a subpoena, court order, or government demand), or to meet national security or law enforcement requirements. We may also disclose data if we believe it is necessary to protect our rights, property, or safety, or that of our customers, users, or the public. This could include disclosing information to investigate or prevent fraud, security issues, or other harmful or illegal activities. We will carefully review any request to ensure it has a proper legal basis and only provide the minimum data required. Where permitted, we may inform affected users of such requests.
With Your Consent or at Your Direction: In certain situations, we might share information with third parties if you have expressly consented to or requested such sharing. For example, if you ask us to introduce you to one of our partners or you intentionally interact with third-party integrations in our platform, we will share data as needed to fulfill your request. Similarly, if we ever want to share your testimonial or success story on our website or marketing materials, we would obtain your consent before associating your name or feedback with it.
Aggregated or Anonymized Data: We may share data that has been aggregated and/or anonymized in such a way that it no longer identifies you personally. For instance, we might publish trends or statistics about how our platform is used, or share aggregated analytics insights with a partner. Such information does not constitute personal data and may be disclosed without restriction.
Third-Party Links: Our website or platform may contain links to third-party websites, services, or content that are not operated by genOTC. For example, our site may link to our social media pages, documentation resources, or partner websites. If you click on a third-party link, you will be directed to that third party’s site, which is outside of our control. This Privacy Policy does not apply to those external sites or services. We are not responsible for the privacy practices of any site we do not operate. We encourage you to review the privacy policies of any third-party sites or services before providing any personal information to them.
6. Data Retention
We will not retain your personal data for longer than is necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. genOTC has defined specific retention periods for different categories of data, based on legal obligations and business needs. After the applicable retention period expires, we will either delete or anonymize the data. Below is an overview of our retention practices:
Prospective Customer Data (Leads & Demo Requests): If you provide your information to inquire about our services (for example, requesting a demo or downloading content), but you do not become a customer, we generally retain your personal data for up to 3 years from the date of collection or the last interaction from you, whichever is later. We retain it for this period to follow up on your request and potentially send occasional updates about genOTC that may interest you. This 3-year period aligns with French CNIL guidance for B2B prospect data. After 3 years of no interaction, we will either delete your contact information or securely archive it in an anonymized form. (If you ask us to stop sending you marketing communications, we will move your data to a suppression list to ensure we honor that request going forward, and only retain minimal information necessary to maintain the suppression, typically for at least 3 years.)
Customer Account Data: If you are or become a genOTC customer (e.g., by signing a SaaS subscription or using our platform in production), we will retain your personal data for the duration of the active customer relationship and thereafter as long as necessary for post-termination obligations. Basic account information (like your name, contact details, account credentials, and usage history) will be kept while your account is active. Upon termination or expiration of our contract with you, we will typically retain relevant data for up to 3 years after the end of the contract for potential re-engagement and support purposes, unless you request deletion sooner (where applicable). Certain data may be kept longer if required for legal compliance – for instance, contractual records and invoicing information will be retained for at least the minimum period required by French law (which can be up to 10 years for financial and accounting records). We may also retain correspondence or support records for a few years to have a history of dealings in case of later questions or disputes.
Platform Usage Data and Logs: We retain technical logs and usage data collected from our platform and API for a limited period necessary for security, troubleshooting, and analysis. Generally, raw logs containing IP addresses and user activity are kept for 12 to 18 months. For example, system logs and API call logs may be stored for one year to detect patterns of abuse or investigate incidents. In some cases, we may keep security-related logs for a longer duration if relevant to an ongoing investigation or legal obligation. After the retention period, such data is either deleted or aggregated. We aim to either remove or anonymize usage data that is older than roughly 12-18 months, except where we have a specific reason to retain it longer (such as to comply with a legal requirement or if the data has been aggregated in analytics that do not identify individuals).
Analytics Data: Data collected via Google Analytics, Active Campaign, Bigin by Zoho, and similar analytics cookies is retained in accordance with the settings we have configured with those providers. We generally configure Google Analytics 4 to retain user-level and event data for around 14 months (a common default for analytics retention) unless a shorter period is required by local law. Any analytics cookies placed on your browser have a lifespan capped as described in Section 3 (e.g., not more than 13 months for audience measurement cookies). After these periods, the data either expires or is purged from our analytics accounts.
Marketing Communications Data: If you have opted in to receive marketing emails (such as a newsletter), we will retain your contact information until you unsubscribe or until we determine that our emails are no longer effective (for instance, if you do not open emails over an extended period). If you unsubscribe or opt out, we will stop sending you emails and will place your email on a do-not-contact list indefinitely to ensure we respect your choice. We may keep records of the consent you gave for as long as we send you communications and for a suitable time thereafter (to demonstrate compliance with anti-spam laws). If you are a California resident who has opted out of “sale” or “sharing” of data, we will similarly note that and refrain from those activities indefinitely (we do not sell data, but we will honor any opt-out as required).
Job Applicant Data: For candidates who apply to work with us and are not hired, we typically retain application data for up to 2 years after the position is filled or the application is received. This is to consider you for future opportunities and to comply with any record-keeping obligations. You may ask us to delete your applicant data sooner, and we will do so unless legal requirements prevent it. For hired candidates, personal data becomes part of their employee record and is retained per employment law requirements (beyond the scope of this Policy).
Legal and Compliance Records: Notwithstanding the stated retention periods above, we may retain information for a longer period if required by law or if necessary to establish, exercise, or defend our legal rights. For example, if we are involved in litigation or receive a legal hold notice, we will preserve relevant data until it is safe to delete. Similarly, if a law enforcement authority has legitimately requested we retain certain data, we will do so. In all cases, data that is kept longer will still be subject to appropriate safeguards and only used for the purposes justified.
Once the retention period expires or the data is no longer needed, we ensure that the data is either securely deleted or anonymized (so that it can no longer be linked to an identifiable individual). Anonymized data may be retained indefinitely as it no longer constitutes personal data. We have implemented automatic deletion routines where feasible to manage retention. For example, prospect data is periodically reviewed and purged if outdated; old log files are regularly rotated and deleted. If you have any questions about our specific data retention policies for a certain type of information, you can contact us (see Contact Us in Section 13), and we will provide additional details.
7. International Data Transfers
genOTC is based in France and, as a result, your personal data will be primarily processed and stored in France or other countries within the European Economic Area (EEA). However, in order to operate our business and provide our services, we may need to transfer or allow access to your personal data outside of your home country, including to countries outside the EEA. For example:
- Many of our service providers are global companies. Some of our processors (such as cloud infrastructure providers, CRM or email services, etc.) might process data in the United States or other jurisdictions outside Europe.
- If you are located outside of France (e.g., in the United States or Asia), using our services will necessarily involve transferring your personal data to our servers or offices in the EEA. Likewise, data may flow between our European operations and any support teams or affiliates we have in other regions.
Whenever we transfer personal data across national borders, we take steps to ensure such transfers comply with applicable data protection laws. In particular, transfers from the EEA (or United Kingdom or Switzerland) to countries not deemed “adequate” by the European Commission are safeguarded by appropriate legal mechanisms:
- Standard Contractual Clauses (SCCs): We rely on the European Commission’s approved Standard Contractual Clauses as a primary safeguard for international data transfers. These are contractual commitments between the transferring and receiving parties that obligate the recipient to protect personal data to EU privacy standards. For example, if we use a U.S.-based service provider to store or process EEA personal data, we will sign SCCs with them (unless they have an alternative approved mechanism in place).
- EU–US Data Privacy Framework: Where applicable, we may also rely on certifications under the new EU–US Data Privacy Framework (DPF) or equivalent UK/Swiss frameworks, for transfers to certified organizations in the United States. If one of our U.S. partners is DPF-certified, we consider that an acceptable safeguard as well. (genOTC itself may consider self-certifying to the DPF for transfers of HR or customer data to any U.S. affiliate, if relevant. Any updates will be reflected here.)
- Adequacy Decisions: When transferring data to a country that has been officially recognized by the EU as providing an adequate level of data protection, we rely on that adequacy decision. For example, personal data could be transferred to countries like Canada or Japan under their adequacy status without additional safeguards.
- Binding Corporate Rules and Other Mechanisms: Although genOTC does not currently use Binding Corporate Rules, some of our processors or partners might (e.g., an intra-company BCR for a global cloud provider). We will consider any valid transfer mechanism that may apply to specific situations, such as codes of conduct or certification schemes if they become available and approved.
In addition, we implement supplementary measures where needed to ensure that your data receives an essentially equivalent level of protection to that in the EU. These measures may include technical protections (like strong encryption of data in transit and at rest, so that even if data is accessed abroad it remains unreadable to unauthorized parties) and organizational policies (such as limiting access to data to only those who need it, and vetting our vendors’ security practices). We also carefully review government access laws in destination countries and assess risks as recommended by European regulators. If we determine that a particular transfer cannot be legally made or adequately protected, we will suspend the transfer and work to resolve the issue.
You have the right to request more information about our cross-border data transfers and the safeguards in place. If you would like to obtain a copy of the SCCs we use or information on specific transfer mechanisms, you may contact us (see Section 13), and we will be happy to provide relevant information (some information may be redacted for confidentiality). Please note that by using our services or submitting your information to us, you acknowledge that your personal data may be transferred to and processed in countries other than your own. These countries may have different (and possibly less protective) privacy laws than your jurisdiction. In all cases, we will protect your personal data as described in this Policy.
8. Your Rights and Choices
Your Data Protection Rights: Depending on your jurisdiction, you have certain rights regarding your personal data. genOTC is committed to upholding these rights and has processes to enable you to exercise them. The following is a summary of key rights under the GDPR and CCPA (California law), which may apply to you. If you are located in other regions (such as the UK, Canada, etc.), similar rights may apply – we will honor any applicable rights under those regimes as well.
If you are an individual in the European Union/EEA (GDPR): You have the following rights with respect to your personal data, in accordance with Articles 15-21 of the GDPR:
- Right of Access: You have the right to request confirmation of whether we are processing personal data about you, and if so, to request a copy of the data and information about how it is processed. This allows you to understand and verify the lawfulness of our processing.
- Right to Rectification: If any of your personal data that we hold is inaccurate or incomplete, you have the right to have it corrected or updated. We encourage you to keep your information up-to-date and will make corrections promptly.
- Right to Erasure: You have the right to request deletion of your personal data (“right to be forgotten”) in certain circumstances. This is not an absolute right; it applies, for example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis, or if you object to processing and we have no overriding interest, or if the data was processed unlawfully. Please note we may need to retain certain information if required by law or for legitimate business purposes (we will inform you if so).
- Right to Restrict Processing: You can ask us to restrict (i.e., pause) the processing of your personal data in specific situations – for instance, while we verify your data correction request, or if you object to our processing and we are considering that objection. When processing is restricted, we will still store your data, but not use it until the restriction is lifted (except in limited circumstances such as legal claims).
- Right to Data Portability: You have the right to receive personal data that you provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. This right applies when processing is based on your consent or a contract and carried out by automated means. We can also send the data directly to another entity at your request, if technically possible.
- Right to Object: You have the right to object to our processing of your personal data at any time if the processing is based on our legitimate interests (or those of a third party) and you feel it impacts your fundamental rights and freedoms. You also have the absolute right to object if your data is processed for direct marketing purposes – if you object, we will stop processing your data for marketing immediately. If you object to processing based on legitimate interest, we will stop unless we have compelling legitimate grounds that override your rights (or the processing is needed for legal claims).
- Right to Withdraw Consent: If we rely on your consent for any processing, you have the right to withdraw that consent at any time. You can do so by contacting us or, for things like marketing emails or cookies, by using the provided opt-out mechanisms (unsubscribe link, cookie settings, etc.). Withdrawal of consent will not affect processing already carried out, but we will cease the processing going forward.
- Right not to be subject to Automated Decisions: You have the right not to be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on you. As noted, genOTC does not engage in such processing without human involvement. If that changes, you will be informed and given appropriate options.
We may ask you to verify your identity (and authority, if you are making a request on behalf of someone else) before responding to a GDPR rights request. This is to ensure that we do not disclose data to an unauthorized person. Verification may include checking that the request comes from a known email address or asking for additional information to confirm your identity. We will respond to requests within one month, or inform you of an extension if needed. There is generally no fee for exercising these rights, but repetitive or excessive requests may incur a reasonable fee as permitted by law.
If you are a California resident (CCPA/CPRA): You have the following rights regarding your personal information under California law:
- Right to Know: You can request that we disclose the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources of that information, the business purpose for collecting it, and the categories of third parties with whom we shared it. You also have the right to know if we “sold” or “shared” any personal information (as those terms are defined under CCPA) and the details of such activity. (However, note that genOTC does not sell personal information to third parties, and we do not share personal information for cross-context behavioral advertising, so in general there should be nothing to disclose in that regard aside from service provider disclosures.) This Privacy Policy is intended to provide much of that information.
- Right to Delete: You have the right to request that we delete the personal information we have collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. For example, we may retain information needed to complete the transaction for which it was collected or to comply with legal obligations. We will inform you of any such exceptions that apply.
- Right to Correct: You have the right to request that we correct inaccuracies in your personal information, taking into account the nature of the information and the purposes of processing. Upon verifying your request, we will correct any inaccurate personal information we hold about you.
- Right to Data Portability: You have the right to request a copy of the specific pieces of personal information we collected about you, in a portable and, to the extent technically feasible, readily usable format. We will provide this information in a format (like a PDF or CSV file) that you can use and, if feasible, transmit to another entity.
- Right to Opt-Out of Sale/Sharing: California law gives you the right to opt out of the “sale” of personal information or the “sharing” of personal information for targeted advertising. As noted, genOTC does not sell personal data to third parties. We also do not share personal data for cross-context behavioral advertising (targeted ads) except possibly through the use of analytics/marketing cookies which are entirely under your control (since we only use them with consent). Nonetheless, if you send us a request to opt out of sales/sharing, we will record it and ensure that your data is not sold or shared in a manner covered by CCPA. Our cookie management tool or “Do Not Sell or Share My Personal Information” link (if provided on our website) can also be used to register such preferences for online data.
- Right to Limit Use of Sensitive Personal Information: The CPRA provides that you can direct businesses to limit the use of “sensitive personal information” to certain purposes. genOTC does not collect or use sensitive personal information for any purpose beyond what is necessary to provide our services (e.g., login credentials, which could be considered sensitive, are only used for authentication). We do not use sensitive data to infer characteristics about you or for any secondary purposes. As such, this right is not specifically applicable to our processing – there is no unrelated use of sensitive data that we need to limit.
- Right of Non-Discrimination: You have the right not to receive discriminatory treatment for exercising any of your CCPA rights. This means we will not deny you services, charge you a different price, or provide a lesser quality of service just because you exercised your privacy rights. We do not offer financial incentives that would be considered discriminatory under CCPA for the provision of data.
California residents may designate an authorized agent to make a request under CCPA on their behalf. If you use an authorized agent, we will take steps to verify both your identity and the agent’s authorization (for example, we may require a signed permission from you or proof of the agent’s power of attorney, and we may still verify your identity directly).
How to Exercise Your Rights: To exercise any of your applicable privacy rights or to make an inquiry about your personal data, please contact us using the details in the Contact Us section (Section 13). You can send us an email at dpo@genotc.com or mail your request to our company address (Attention: Data Protection Officer). Please clearly state your request, including which right you wish to exercise and the context (e.g., “I’d like a copy of my data collected when I signed up for a demo”). Be as specific as possible so we can respond accurately. For certain requests (access, deletion, etc.), we may need to request additional information from you to verify your identity, as noted above. We will respond within the timeframe required by law (for example, within one month for GDPR requests, and within 45 days for CCPA requests, with the possibility of a 45-day extension). If you have an account with us, some of your information can be accessed and updated directly by logging in. For example, you can usually edit your profile information, change your notification preferences, or download certain data through your account settings. We encourage you to use such self-service tools where available. For anything you cannot self-service, our team is ready to assist upon request.
Your Choices (Opt-Outs): In addition to formal rights requests, you have several straightforward ways to control your information:
- Marketing Emails: If you no longer wish to receive marketing or promotional emails from us, you can opt out at any time by clicking the “unsubscribe” link at the bottom of any marketing email, or by contacting us and requesting to be removed. Once you opt out, we will honor that choice for future campaigns (though we may still send you essential transactional emails if you are a customer).
- Cookies: As described in Section 3, you can manage your cookie preferences via our cookie banner or your browser settings. This allows you to refuse analytics/marketing cookies if you choose. If you want to revoke consent for analytics cookies after initially accepting, you can clear your cookies or use the cookie management tool to change your setting.
- Do Not Track: Our website does not currently respond to “Do Not Track” signals in a standardized way (as there is no consensus on how to interpret them), but we treat Global Privacy Control signals as CCPA opt-out requests where applicable. Regardless, you can control tracking through the cookie methods above.
- Third-Party Advertising Opt-Outs: While genOTC does not serve third-party ads, if you want to opt out of targeted advertising by third parties on other sites, you can use industry tools like the Network Advertising Initiative (NAI) opt-out page or the Digital Advertising Alliance (DAA) opt-out page. These can help manage preferences for many advertising networks at once.
We commit to respecting your rights and will not retaliate or deny service if you exercise them. Our goal is to be transparent and give you control over your personal data. If you have any questions or concerns about your rights or how to exercise them, please contact our DPO (dpo@genotc.com).
9. Data Security
genOTC takes the security of your personal data very seriously. We implement appropriate technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, and destruction. While no system can guarantee absolute security, we follow industry best practices and continually improve our safeguards to reduce risks. Our security measures include, but are not limited to:
- Encryption: We use encryption to protect data in transit and at rest. For example, our websites and APIs enforce HTTPS/TLS encryption for all data exchanges to prevent eavesdropping. Sensitive data and personal information stored in our databases are encrypted or pseudonymized where feasible.
- Access Controls: We limit access to personal data strictly to personnel and service providers who need it to perform their duties. genOTC staff access to customer personal data is controlled by role-based access and is reviewed regularly. Administrative access to systems containing personal data is protected with strong authentication (such as multi-factor authentication) and logging of access. Our employees and contractors are bound by confidentiality obligations.
- Network & Application Security: We maintain firewalls and monitoring systems to protect our infrastructure. Regular vulnerability assessments and security testing (including penetration testing) are conducted on our platform and websites to identify and address potential weaknesses. Our development practices incorporate security reviews and adherence to secure coding standards.
- Data Backups and Resilience: We perform regular backups of critical data to ensure it can be restored in case of accidental deletion or system failure. Our hosting providers offer high-availability infrastructure across multiple data centers, reducing the risk of data loss or downtime.
- Organizational Policies: We have internal policies and training in place to ensure our team handles personal data safely and in compliance with privacy laws. Our Data Protection Officer oversees these efforts and monitors compliance. We also vet our third-party service providers for robust security (requiring them to meet standards and certifications where appropriate).
In addition to preventive measures, we also have an incident response plan. In the event of a data breach (a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data), we will act promptly to mitigate the impact and notify affected parties in accordance with applicable laws. This means:
- We will investigate the incident immediately and take steps to control and contain it (such as isolating affected systems, changing credentials, restoring backups, etc.).
- We will assess the risk to individuals’ rights and freedoms resulting from the breach. If we determine the breach is likely to result in a significant risk to affected individuals (e.g., potential for financial harm, identity theft, confidentiality breach), we will prepare to notify those individuals.
- We will notify authorities and individuals as required. Under GDPR, for example, we will notify the CNIL (the French data protection authority) within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals, and we will inform affected individuals without undue delay when the breach is likely to result in a high risk. Under U.S. state laws or other jurisdictions, we will similarly notify affected consumers and regulators as mandated. Our notifications will describe the nature of the breach, likely consequences, measures taken, and any steps individuals should take to protect themselves.
- We will document the incident and our response, and take steps to prevent future incidents (such as fixing vulnerabilities and improving processes).
While we strive to protect your data, it is also important for you to play a part in keeping your information secure. We encourage you to use strong, unique passwords for your genOTC account and to keep your login credentials confidential. Please notify us immediately if you suspect any unauthorized access to your account or any security vulnerabilities in our services. If you have questions about the security of our services or wish to report a particular concern, you can reach out to us at support@genotc.com or through our contact channels.
10. Third-Party Services and Integrations
As part of providing our platform and website, genOTC may integrate with or provide links to third-party services (as noted earlier in the sections on how we share data and on cookies). Please be aware of the following:
- If you choose to use an integration or third-party plugin in conjunction with our platform (for example, if our SaaS allows connecting to a cloud storage service, or using an analytics plugin), any data that third-party service collects or processes is subject to that third party’s terms and privacy policy. We are not responsible for how third-party tools handle your data, although we try to only enable reputable integrations. We recommend reviewing the privacy policies of any third-party services you use with genOTC.
- Our website might contain social media features (like a “Share” or “Follow” button for LinkedIn, Twitter, etc.). If you interact with these, those platforms may collect your IP address or set a cookie. Those interactions are governed by the privacy policy of the respective social media companies.
- Occasionally, we might include links to external content (for example, a link to a partner’s whitepaper or an article about volatility calibration). Clicking those links will take you to a site outside our control. We do not endorse or assume liability for external sites’ content or privacy practices.
We advise you to use caution and familiarize yourself with the privacy practices of any external sites or services. If you find any third-party integration or link on our site that you believe is problematic or not working as intended, please let us know.
11. Children’s Privacy
genOTC’s services are not intended for children under the age of 16 (and in many cases, our services are only relevant to adult professionals in finance). We do not knowingly collect personal data from children. If you are under 16 (or the applicable minimum age in your jurisdiction), please do not use our website or platform or provide any personal information to us. We do not sell products or services to minors, and our site is not designed to attract them. In the unlikely event that we discover we have collected personal information from a child without proper consent, we will take immediate steps to delete that information from our servers. If you believe that we might have any information from or about a minor, please contact us so that we can investigate and promptly address it. Parents or guardians: if you become aware that a child under your care has provided personal data to genOTC, please contact us at dpo@genotc.com, and we will work with you to remove any such data and terminate the child’s account if applicable. We appreciate your cooperation in keeping personal data of minors off our platform.
12. Updates to this Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated Policy on our website and change the “Last Updated” date at the top. If the changes are significant, we will provide a prominent notice on our website or through other communication channels before the change takes effect, and where required by law we will seek your consent for material changes (for example, if we plan to use your data for new purposes that require consent). genOTC encourages you to review this Policy periodically to stay informed about how we are protecting your information. If you continue to use our website or services after an update takes effect, you will be considered to have accepted the revised Policy to the extent permitted by applicable law. However, if any changes materially affect how your personal data is handled, we will provide you an opportunity to consent or opt out, as required. For example, if we ever expand our data collection or sharing in a way that affects you, we may announce the changes via email or a notification in the platform, in addition to updating this document. We maintain a change log or version history of our privacy policies and can provide prior versions upon request.
13. Contact Us (Including Data Protection Officer)
genOTC has appointed a Data Protection Officer (DPO) responsible for overseeing our privacy strategy and compliance. If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, you can reach out to us as follows:
- By Email: You can contact our DPO at dpo@genotc.com. This is the dedicated email address for privacy inquiries, data subject requests, and any issues related to personal data. We strive to respond promptly to all legitimate requests.
- By Mail: You may also write to us at: Attention – Data Protection Officer, genOTC SAS, 80 impasse des Rippes, 73800 CHIGNIN, France
Please include your name and contact information and clearly state the nature of your request or question. If you are making a data rights request, please specify which right you wish to exercise (as detailed in Section 8) and provide any relevant context so we can assist you efficiently. We may need to verify your identity for certain requests – if so, we will let you know what verification is required.
We are committed to working with you to address any concerns about your privacy. If you contact us with a complaint or question, our DPO and/or privacy team will investigate and respond. In most cases, we aim to resolve any issues directly with you. However, if you feel that we have not adequately addressed your privacy concerns, you have the right to escalate the matter to a data protection authority. As genOTC is based in France, our lead supervisory authority for GDPR matters is the French CNIL (Commission Nationale de l’Informatique et des Libertés). You have the right to lodge a complaint with the CNIL or with the supervisory authority in your EU member state of residence or workplace. For example, if you reside in the EU, you can contact your local Data Protection Authority. Their contact details can usually be found on the EU Commission’s website or by searching for “[Your Country] Data Protection Authority.” In France, CNIL can be reached via https://www.cnil.fr or at 3 Place de Fontenoy, 75007 Paris. If you are in the UK, you can contact the ICO (Information Commissioner’s Office). If you are in California and have concerns about how we handled your request, you may contact the California Attorney General’s office. We would appreciate the chance to address your concerns before you approach a regulator, so please consider reaching out to us first.
Your trust is extremely important to genOTC, and we will do our best to resolve any issues to your satisfaction. Thank you for reading our Privacy Policy. We value your privacy and are dedicated to protecting your personal data while providing you with a high-quality, secure service.