Ottly ("we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use Ottly ("Service"). By using the Service, you consent to the practices described in this policy.
1. Information We Collect
1.1 Information You Provide
- Account information: Name, email address, and authentication credentials (including via Google OAuth).
- Profile information: Display name, avatar, and preferences you set in your account.
- Content: Research queries, articles, workflows, generated content, and other data you create using the Service.
- Communications: Messages you send to our support team.
- Payment information: Billing details are collected and processed by our third-party payment processor (see Section 7).
1.2 Information Collected Automatically
- Usage data: Features used, actions taken, timestamps, and session duration.
- Device information: Browser type, operating system, screen resolution, and device identifiers.
- Network information: IP address and approximate geographic location derived from it.
- Cookies and similar technologies: See Section 8 for details.
1.3 Information from Third Parties
- OAuth providers: When you sign in with Google, we receive your name, email, and profile picture as authorized by you.
- Payment processor: Our payment processor may share transaction confirmations and subscription status with us.
2. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis | |---------|-------------| | Providing the Service and managing your account | Performance of our contract with you (Art. 6(1)(b) GDPR) | | Processing payments and preventing fraud | Performance of contract and legitimate interest (Art. 6(1)(b), (f)) | | Sending important service notifications | Performance of contract (Art. 6(1)(b)) | | Improving the Service and analytics | Legitimate interest (Art. 6(1)(f)) | | Marketing communications | Your consent (Art. 6(1)(a)) — you may withdraw consent at any time | | Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
3. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service.
- Process transactions and send related information (confirmations, invoices).
- Personalize your experience and deliver relevant content.
- Send administrative notifications (security alerts, policy changes, support messages).
- Analyze usage patterns to improve the Service.
- Detect, prevent, and address fraud, abuse, and technical issues.
- Comply with applicable legal obligations.
4. Information Sharing
We do not sell your personal information. We may share your information only in the following circumstances:
- Payment processor: Our third-party payment processor, acting as our Merchant of Record, processes your payment information, handles tax compliance, and issues invoices. Your payment data is subject to their privacy policy and PCI-DSS compliant security standards.
- AI model providers: When you use AI features, your prompts and inputs are sent to third-party AI providers (such as OpenAI, Google, and Anthropic) to generate responses. These providers process data under their respective API terms, which prohibit using API inputs for model training.
- Infrastructure providers: We use cloud hosting and database services from reputable providers. These providers act as data processors under appropriate data processing agreements.
- Legal compliance: We may disclose information if required by law, regulation, legal process, or governmental request.
- Protection of rights: We may share information to protect the rights, property, or safety of Ottly, our users, or the public.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
5. Data Security
We implement industry-standard technical and organizational measures to protect your information, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Application-level encryption of sensitive credentials (OAuth tokens).
- Isolated container environments with no direct public internet access to backend systems.
- Regular security reviews and dependency updates.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee its absolute security.
6. Your Rights
6.1 All Users
All users have the right to:
- Access your personal information held by us.
- Correct inaccurate or incomplete information.
- Delete your account and associated data.
- Export your data in a portable format.
- Opt out of marketing communications at any time.
6.2 EEA, UK, and Swiss Residents (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):
- Right to restriction of processing: You may request that we restrict the processing of your data in certain circumstances.
- Right to object: You may object to processing based on our legitimate interests.
- Right to data portability: You may request your data in a structured, commonly used, machine-readable format.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, CNIL in France, or the relevant supervisory authority in your country).
To exercise any of these rights, contact us at privacy@ottly.com.
6.3 California Residents (CCPA)
California residents have additional rights under the California Consumer Privacy Act:
- Right to know what personal information is collected, used, and shared.
- Right to delete personal information.
- Right to opt-out of the sale of personal information — we do not sell your data.
- Right to non-discrimination for exercising your privacy rights.
To exercise these rights, contact us at privacy@ottly.com.
7. Payment Processing
All payments for the Service are processed by a third-party payment provider acting as our Merchant of Record. This means:
- The payment provider collects and processes your payment information (credit card, PayPal, etc.) directly. We do not store your full payment details.
- The provider handles sales tax, VAT, and other applicable tax obligations.
- Invoices and receipts for your purchases are issued by the payment provider.
- Your payment data is subject to the payment provider's privacy policy and their PCI-DSS compliant security standards.
8. Cookies
We use cookies and similar technologies to:
- Maintain your authenticated session.
- Remember your preferences and settings.
- Analyze Service usage and performance.
- Improve the Service.
Types of cookies we use:
- Essential cookies: Required for the Service to function (authentication, security). Cannot be disabled.
- Analytics cookies: Help us understand how users interact with the Service. You can opt out through your browser settings.
We do not use cookies for third-party advertising. You can control cookies through your browser settings, but disabling essential cookies may prevent the Service from functioning properly.
9. International Data Transfers
Your information may be transferred to and processed in the United States, where our servers are located. If you are located in the EEA, UK, or Switzerland, we ensure that such transfers are protected by appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data processing agreements with our service providers that include appropriate data protection commitments.
10. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: Retained until you delete your account.
- Usage logs: Retained for up to 12 months for analytics and security purposes.
- Payment records: Retained as required by applicable tax and accounting laws (typically 7 years), managed by the payment provider.
After account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.
11. Children's Privacy
The Service is not intended for children under 16 (or under 13 in jurisdictions where 13 is the applicable age of consent). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or through the Service. The "Effective Date" at the top of this policy indicates when it was last revised.
13. Contact Us
For questions about this Privacy Policy or to exercise your privacy rights, contact us at:
- Privacy inquiries: privacy@ottly.com
- General support: support@ottly.com
If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.