Privacy Policy




This Privacy Policy describes how Otonomii ("we," "us," or "our") collects, uses, discloses, and protects personal data when you use our products, services, websites, and applications (collectively, "Services"). It applies to all individuals who interact with our Services, including customers, end users, website visitors, job applicants, and business contacts.

We are committed to protecting your privacy and processing your personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and other applicable regional privacy legislation.


01

Collection of Personal Data



Data You Provide Directly



Identity and Contact Information

Name, email address, phone number, job title, company name, and mailing address provided during account registration, subscription purchase, or communication with us.


Payment Information

Credit card numbers, billing addresses, and payment method details processed through PCI DSS-compliant payment processors. We do not store full card numbers on our servers.


Inputs and Outputs

Prompts, queries, documents, data files, and other content you submit to our AI services (Inputs), and the responses, analyses, decisions, and generated content returned by our Services (Outputs).


Feedback

Ratings, reviews, bug reports, feature requests, survey responses, and other feedback you provide about our Services.


Communications

Content of emails, chat messages, support tickets, and other communications exchanged between you and Otonomii, including metadata such as timestamps and recipient information.


Data Collected Automatically



Device Information

IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.


Usage Data

Pages visited, features used, actions taken, timestamps, session duration, click patterns, and navigation paths within our Services.


Log Data

Server logs including request URLs, response codes, referrer URLs, and technical error information.


Cookies and Similar Technologies

First-party and third-party cookies, web beacons, pixel tags, and local storage used for authentication, preferences, analytics, and security. See our Cookie Policy for detailed information.


Model Training Data

Otonomii may use the following categories of data to train, improve, and evaluate our AI models:



Publicly Available Data

Data from public websites, open datasets, government records, and other publicly accessible sources, collected in compliance with applicable terms of service and robots.txt directives.


Commercial Datasets

Data licensed from third-party data providers under commercial agreements that authorize use for model training purposes.


User Inputs and Outputs

Inputs and Outputs from non-enterprise, non-API users may be used for model improvement unless the user opts out. Enterprise and API customers' data is never used for training. Opt-out is available in account settings and is effective within 24 hours.


Feedback Data

Thumbs up/down ratings, preference selections, and explicit feedback provided through in-product feedback mechanisms.


Safety-Flagged Materials

Content that triggers safety classifiers may be retained and reviewed to improve safety systems, regardless of opt-out status. Retention is limited to the minimum necessary for safety evaluation.


02

Uses of Personal Data



Service Provision

To provide, maintain, and operate the Services, including processing your requests, generating outputs, and delivering functionality you have subscribed to.


Features and Improvements

To develop new features, improve existing functionality, optimize performance, and enhance user experience based on usage patterns and feedback.


Communications

To send service-related communications including account notifications, security alerts, subscription renewals, and product updates. Marketing communications are sent only with your consent and include unsubscribe options.


Account Management

To create, maintain, and secure your account, including identity verification, access management, and account recovery.


Payment Processing

To process payments, manage billing, issue invoices, handle refunds, and comply with financial reporting requirements.


Fraud Prevention

To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our terms. This includes automated analysis of usage patterns and anomaly detection.


Dispute Resolution

To investigate and resolve disputes, complaints, and support requests related to your use of the Services.


Debugging and Error Resolution

To identify, diagnose, and fix technical issues, bugs, and service disruptions. This may involve analysis of log data and error reports.


Research

To conduct internal research on AI safety, model performance, fairness, and reliability. Research data is aggregated or de-identified where possible.


Legal Compliance

To comply with applicable laws, regulations, legal processes, and governmental requests. To enforce our terms of service and protect our legal rights.


03

Disclosure of Personal Data

We do not sell your personal data. We may share your personal data in the following limited circumstances:



Affiliates

We may share data with Otonomii subsidiaries and affiliated companies for purposes consistent with this Privacy Policy. Affiliates are bound by the same data protection obligations.


Service Providers

We share data with third-party service providers who process data on our behalf, including cloud infrastructure providers, payment processors, analytics services, customer support tools, and email delivery services. Service providers are contractually obligated to process data only as instructed and to maintain appropriate security measures. A list of sub-processors is available upon request.


Corporate Transactions

In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of any such transfer and any changes to the applicable privacy policy.


Government and Law Enforcement

We may disclose personal data when required by law, regulation, legal process, or governmental request. We may also disclose data when we believe in good faith that disclosure is necessary to protect the safety of any person, investigate fraud, or respond to a government request. We will attempt to notify affected users before disclosing data to law enforcement unless prohibited by law or court order.


With Your Consent

We may share your personal data with third parties when you have given explicit consent for such sharing. You may withdraw consent at any time, though withdrawal does not affect the lawfulness of processing based on consent before withdrawal.


04

Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, contact privacy@otonomii.com or use the self-service tools in your account settings.



Right to Know

You have the right to know what personal data we collect about you, the purposes for which it is used, and the categories of third parties with whom it is shared. We will respond to verified requests within 30 days.


Right to Access and Portability

You have the right to receive a copy of your personal data in a structured, commonly used, machine-readable format (JSON or CSV). This includes Inputs, Outputs, account information, and usage data. Data export is available through account settings or by request.


Right to Deletion

You have the right to request deletion of your personal data. Upon receipt of a verified deletion request, we will delete your data within 30 days from active systems and within 90 days from backup systems. Some data may be retained as required by law or for legitimate business purposes (fraud prevention, legal claims, regulatory compliance).


Right to Correction

You have the right to request correction of inaccurate personal data. You can update most account information directly through account settings. For data that cannot be self-corrected, submit a correction request to privacy@otonomii.com.


Right to Object

You have the right to object to processing of your personal data based on legitimate interests. Upon receipt of an objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.


Right to Restriction

You have the right to request restriction of processing while we verify the accuracy of your data, evaluate an objection, or when processing is unlawful but you oppose deletion.


Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal is effective prospectively and does not affect the lawfulness of processing prior to withdrawal.


No Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where automated decisions are made, you have the right to obtain human intervention, express your point of view, and contest the decision.


No Data Sales

Otonomii does not sell personal data as defined under CCPA/CPRA. We do not share personal data for cross-context behavioral advertising. There is no need to opt out of sales because we do not engage in them.


05

International Data Transfers

Otonomii's primary servers are located in the United States. If you access our Services from outside the United States, your personal data may be transferred to, stored in, and processed in the United States or other countries where we or our service providers operate.



Adequacy Decisions

For transfers to countries with an adequacy decision from the European Commission or equivalent authority, no additional safeguards are required. We monitor adequacy decisions and adjust transfer mechanisms if decisions are invalidated.


Standard Contractual Clauses

For transfers to countries without an adequacy decision, we rely on European Commission-approved Standard Contractual Clauses (SCCs). SCCs are supplemented by Transfer Impact Assessments that evaluate the legal framework of the destination country and any supplementary measures needed.


Derogations

In limited circumstances, transfers may be based on explicit consent, contract necessity, or important reasons of public interest. These derogations are used only when other transfer mechanisms are not available.


06

Data Retention and Security



Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Account data is retained for the duration of the account relationship plus 30 days. Inputs and Outputs are retained for 30 days by default (configurable by enterprise customers). Payment records are retained for 7 years to comply with tax and financial regulations. Log data is retained for 12 months. Safety-flagged content is retained for 24 months for ongoing safety system evaluation.


Aggregation and De-identification

Where possible, we aggregate or de-identify data for analytical and research purposes. De-identified data is not subject to this Privacy Policy as it cannot be used to identify an individual. We apply technical measures to prevent re-identification and contractually prohibit any attempt to re-identify de-identified data.


Security Measures

We implement technical and organizational security measures appropriate to the sensitivity of the data processed. Technical measures include AES-256 encryption at rest, TLS 1.3 encryption in transit, hardware security module (HSM) key management, multi-factor authentication, network segmentation, and intrusion detection systems. Organizational measures include security awareness training, background checks for personnel with data access, incident response procedures, business continuity planning, and regular security assessments by independent third parties.


07

Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to delete that information within 30 days. If you believe we have inadvertently collected data from a minor, please contact us at privacy@otonomii.com immediately. Enterprise customers who deploy Otonomii in environments where minors may be present (educational institutions, family-oriented services) are responsible for implementing age verification, parental consent mechanisms, and age-appropriate content filtering as required by applicable law.


08

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes — those that affect the scope of data collected, the purposes of processing, or your rights — we will provide at least 30 days advance notice via email to the address associated with your account and a prominent notice on our website. Non-material changes (clarifications, formatting, typographical corrections) may be made without advance notice. The "Last Updated" date at the top of the policy indicates when the most recent revision was published. Your continued use of the Services after the effective date of a revised policy constitutes acceptance of the changes.


09

Contact Information



Privacy Inquiries

privacy@otonomii.com

For general privacy questions, data subject rights requests, and privacy complaints.


Data Protection Officer

dpo@otonomii.com

For matters requiring DPO attention, GDPR-specific inquiries, and regulatory correspondence.



Otonomii, Inc.

548 Market Street, Suite 46382

San Francisco, CA 94104

United States


Otonomii Europe Ltd.

70 Sir John Rogerson's Quay

Dublin 2, D02 R296

Ireland


10

Legal Bases for Processing (EEA/UK)

For individuals in the European Economic Area and United Kingdom, we process personal data on the following legal bases:

Legal Basis: Processing Activities

Contract Performance: Account creation, service provision, payment processing, subscription management, customer support

Consent: Marketing communications, optional analytics, model training with user I/O (opt-out available), cookie preferences

Legitimate Interests: Service improvement, fraud prevention, security monitoring, debugging, internal research, product analytics

Legal Obligation: Tax reporting, regulatory compliance, law enforcement requests, records retention, anti-money laundering


11

Regional Supplements



Canada (PIPEDA)

For individuals in Canada, we process personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation. We obtain express consent for the collection of sensitive personal information and implied consent for non-sensitive information where the purpose would be obvious to a reasonable person. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting privacy@otonomii.com. Cross-border transfers are made in accordance with PIPEDA requirements, and we ensure that personal information transferred outside Canada receives a comparable level of protection through contractual or other means.


Brazil (LGPD)

For individuals in Brazil, we process personal data in accordance with the Lei Geral de Proteção de Dados (LGPD). You have the rights to: confirmation of processing, access to data, correction of incomplete or inaccurate data, anonymization or blocking of unnecessary data, data portability, deletion of data processed with consent, information about shared data, information about the possibility of denying consent and the consequences, and revocation of consent. International data transfers are protected by Standard Contractual Clauses and certification of adequate protection levels. To exercise your LGPD rights, contact privacy@otonomii.com.


Republic of Korea (PIPA)

For individuals in the Republic of Korea, we process personal information in accordance with the Personal Information Protection Act (PIPA). Our domestic representative for Korean data protection matters can be contacted at privacy@otonomii.com with "Korea PIPA" in the subject line. We provide all rights required under PIPA, including the right to access, correct, delete, and suspend processing of personal information. We obtain separate consent for processing sensitive information and for transferring personal information to third parties or overseas. We publish and maintain a privacy policy that meets PIPA requirements, including the designation of a personal information protection officer.