Privacy Policy

This Privacy Policy (hereinafter this "Privacy Policy" or this "Policy") is issued by Ottomato (hereinafter "Ottomato", "we", "us", or "our"). This Policy explains what information Ottomato collects when you interact with our website located at https://ottomato.ai (the "Site"), our artificial-intelligence voice agent named Otto (the "Voice Agent"), the private online learning community Ottomato operates on a Third-Party Service (hereinafter the "Academy" or the "PPA"), any application Ottomato builds, distributes, or otherwise operates through the Academy or through a custom engagement (each, an "Application"), our electronic-mail newsletter titled The Builder's Report (the "Newsletter"), and any other service Ottomato operates (collectively, the "Services"). This Policy also explains the lawful bases Ottomato invokes as a matter of European data-protection law, with whom we share data, how long we retain it, and how you can exercise your rights.

If any part of this Policy is unclear, contact us at [email protected].

A. Definitions

For purposes of this Policy, the following capitalized terms have the meanings given below. Additional terms may be defined parenthetically on first use in the body of this Policy and carry that defined meaning throughout.

• "Academy" or "PPA" means the private online learning community Ottomato operates on a Third-Party Service, available at https://skool.com/ppa.
• "Application" means any software application Ottomato builds, distributes, or otherwise operates through the Academy or through a custom engagement, including applications that run on the user's own device and applications that run on third-party infrastructure.
• "Application Programming Interface" or "API" means a defined set of protocols and tools for building software and for enabling communication between software components.
• "Artificial Intelligence" or "AI" means computational systems that perform tasks typically associated with human cognition, including language understanding, language generation, voice synthesis, and voice recognition.
• "California Consumer Privacy Act of 2018" or "CCPA" means the California Consumer Privacy Act of 2018, California Civil Code Section 1798.100 et seq.
• "California Privacy Rights Act of 2020" or "CPRA" means the California Privacy Rights Act of 2020, which amended the CCPA.
• "Children's Online Privacy Protection Rule" or "COPPA" means the rule at 16 Code of Federal Regulations Part 312, which governs the online collection of personal information from children under thirteen (13) years of age.
• "Client Content" means data, documents, media, code, or other material provided to Ottomato by a client in connection with a paid engagement.
• "Community Content" means posts, replies, reactions, direct messages, and other content shared by a member inside the Academy or any other community surface Ottomato operates.
• "Data Processing Agreement" or "DPA" means a written contract that governs the processing of personal data by a processor on behalf of a controller.
• "Data Subject Access Request" or "DSAR" means a request by an individual to exercise a right granted under the General Data Protection Regulation, the California Consumer Privacy Act of 2018, or an equivalent statute.
• "Domain Name System" or "DNS" means the hierarchical and decentralized naming system that translates human-readable domain names into machine-readable network addresses.
• "European Economic Area" or "EEA" means the twenty-seven (27) Member States of the European Union together with Iceland, Liechtenstein, and Norway.
• "General Data Protection Regulation" or "GDPR" means Regulation (European Union) 2016/679 of the European Parliament and of the Council of 27 April 2016.
• "Internet Protocol address" or "IP address" means the numerical label assigned to a device connected to a network that uses the Internet Protocol for communication.
• "Newsletter" has the meaning given in the introductory paragraph of this Policy.
• "Output" means content, data, or media generated by an Artificial-Intelligence model in the course of delivering a Service.
• "Personal Data Protection Act B.E. 2562 (2019)" or "PDPA" means the Personal Data Protection Act B.E. 2562 (2019) of the Kingdom of Thailand.
• "Personal Information Protection and Electronic Documents Act" or "PIPEDA" means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, of Canada.
• "Services" has the meaning given in the introductory paragraph of this Policy.
• "Site" has the meaning given in the introductory paragraph of this Policy.
• "Standard Contractual Clauses" or "SCCs" means the contractual clauses approved by the European Commission pursuant to Commission Implementing Decision (European Union) 2021/914 for the transfer of personal data to third countries.
• "Third-Party Service" has the meaning given in Section 5 of this Policy.
• "Transport Layer Security" or "TLS" means the cryptographic protocol that provides secure communication over a computer network.
• "United Kingdom General Data Protection Regulation" or "UK GDPR" means the United Kingdom General Data Protection Regulation as given effect in United Kingdom law by the European Union (Withdrawal) Act 2018.
• "United States", "United States of America", or "U.S." means the United States of America.
• "Voice Agent" has the meaning given in the introductory paragraph of this Policy.

1. Scope

This Policy applies to:

• The Site at https://ottomato.ai and its staging mirrors.
• The Voice Agent, wherever it is embedded, including the inline embed on the contact page and the floating widget on other pages.
• Forms Ottomato hosts on the Site, including the contact form and any future inquiry or waitlist form.
• The Academy, to the extent Ottomato controls the information you share with Ottomato directly. The community-platform provider has its own privacy policy and acts as an independent controller for your community-platform account.
• The Newsletter.
• Anonymous, cookieless website analytics as described in Section 7.

Applications are governed by their own individual privacy policies as described in Section 11, not by this Policy.

This Policy does not cover third-party platforms Ottomato links to but does not operate, including X, formerly known as Twitter (X Corp., available at https://x.com), YouTube (YouTube LLC, available at https://youtube.com), LinkedIn (LinkedIn Corporation, available at https://linkedin.com), and community-platform surfaces outside the Academy.

2. Information We Collect

2.1 Information you provide to Ottomato directly

• Contact data: your name, electronic-mail address, company name, and the content of the message you submit through the contact form or by electronic mail.
• Voice and chat data: if you speak with or type to the Voice Agent, the audio, text, and transcript of your conversation are processed by a third-party conversational-AI provider identified in Section 5 and briefly retained to generate a response. Ottomato may receive the transcript to route your inquiry and improve the Voice Agent. See Section 5 and Section 12.
• Transcript-request data: if you ask Ottomato to send a Voice Agent transcript to you, Ottomato collects your electronic-mail address, the transcript, the page where the conversation happened, and the time of the request. The same request adds your address to the Newsletter list. You can unsubscribe from the Newsletter at any time.
• Community data: if you join the Academy, your profile, posts, reactions, and direct messages are stored on the third-party community platform identified in Section 5. Anything you share with Ottomato directly, such as a support ticket or a question sent to the founder, is handled under this Policy.
• Newsletter data: if you subscribe to the Newsletter directly or through a transcript request, Ottomato stores your electronic-mail address on Ottomato infrastructure until you unsubscribe. You may unsubscribe at any time using the link in any Newsletter message.

2.2 Information we collect automatically

• Analytics: Ottomato collects anonymous page views, referrers, browser and operating-system family, and country-level geolocation using a privacy-focused, cookieless analytics tool. This tool does not identify individual users. See Section 7.
• Server logs: the third-party hosting providers identified in Section 5 record standard request metadata on Ottomato's behalf: Internet Protocol address, user agent, timestamp, path, and response code. Logs are retained for up to thirty (30) days for security and performance reasons.
• Form metadata: when you submit the contact form, Ottomato records the originating Internet Protocol address and user agent alongside your message to deter spam.

3. How We Use Your Information and Our Lawful Bases

• To respond to your inquiry. Ottomato uses contact data to reply to messages, schedule discovery conversations, and determine whether Ottomato is the right fit for your project. Lawful basis: performance of a contract at your request, and Ottomato's legitimate interest in operating a business.
• To operate the Academy. Ottomato uses Community Content and Ottomato-side support data to moderate, answer questions, publish learning material, and improve member experience. Lawful basis: performance of a contract and Ottomato's legitimate interest in operating a healthy community.
• To operate the Voice Agent. Voice and chat data is processed to generate the Voice Agent's response in real time, qualify inquiries, send Ottomato a routing signal, and, when you request it, send a transcript to the electronic-mail address you provide. Lawful basis: consent (you chose to interact with the Voice Agent and requested the transcript) and Ottomato's legitimate interest in qualifying inquiries.
• To improve the Services. Anonymous analytics, aggregated form-intake patterns, and non-identifying feedback inform design and content decisions. Lawful basis: Ottomato's legitimate interest in improving a product it offers.
• To send the Newsletter. If you subscribed directly or requested a Voice Agent transcript, Ottomato sends occasional essays about building with Artificial Intelligence. You can unsubscribe from any electronic-mail message. Lawful basis: consent.
• To comply with legal obligations. Tax, accounting, anti-fraud, and law-enforcement requests where a valid order exists. Lawful basis: legal obligation.
• To protect the Services. Server logs, rate limits, honeypot fields, and abuse detection protect Ottomato and its users from spam, scraping, and attacks. Lawful basis: Ottomato's legitimate interest in platform integrity.

4. Where Your Data Is Stored

The Site is hosted on third-party shared infrastructure in the United States. Domain-Name-System records and Transport-Layer-Security certificates are administered through third-party providers identified in Section 5.

If you are located in the European Economic Area, the United Kingdom, or any other jurisdiction outside the United States, your personal information will be transferred to the United States. For transfers from the European Economic Area and the United Kingdom, Ottomato uses the European Commission's Standard Contractual Clauses and, where the applicable third-party provider supports them, complementary safeguards. You can request a copy of the Standard Contractual Clauses by electronic mail at [email protected].

5. Third-Party Services and Subprocessors

Certain Services interoperate with third-party services, platforms, or infrastructure providers (each a "Third-Party Service"). Your use of any Third-Party Service may be subject to the terms, conditions, and privacy practices of that Third-Party Service. Ottomato does not control and is not responsible for the policies, practices, availability, performance, security, or pricing of any Third-Party Service. You are encouraged to review the terms and privacy notices of each Third-Party Service before engaging with it.

The following Third-Party Services receive personal data from the Site, the Voice Agent, the Newsletter, or the Academy on their own infrastructure in order to deliver a specific function of the Services. Each is bound by a Data Processing Agreement or equivalent contractual commitment. Ottomato does not sell your personal data to any of them. The list is current as of the date above; Ottomato may add or remove providers as the Services evolve and will keep this list accurate.

Ottomato also uses a self-hosted electronic-mail management system to maintain the Newsletter list and send requested transcript messages. This system stores electronic-mail addresses, subscription status, unsubscribe records, and transcript-message delivery data for Ottomato's internal use. Ottomato does not sell this information. If you ask Ottomato to delete it, Ottomato will delete it subject to legal retention limits and unsubscribe-suppression records needed to honor your opt-out.

• Hostinger International Ltd. (hereinafter "Hostinger"), available at https://hostinger.com — static website hosting for the Site. Receives standard request metadata (Internet Protocol address, user agent, path, timestamp) for any request served.
• Cloudflare, Inc. (hereinafter "Cloudflare"), available at https://cloudflare.com — Domain-Name-System resolution, Transport-Layer-Security termination, and edge caching for ottomato.ai subdomains. Cloudflare acts as a processor for any request it proxies on Ottomato's behalf.
• Porkbun LLC (hereinafter "Porkbun"), available at https://porkbun.com — domain registrar and secondary Domain-Name-System provider. Receives minimal registration and WHOIS metadata necessary to maintain the ottomato.ai domain.
• xAI Corp. (hereinafter "xAI"), available at https://x.ai — conversational Artificial-Intelligence provider that powers the current Voice Agent. Receives your voice audio, text chat, and conversation transcripts when you interact with the Voice Agent.
• Google LLC (hereinafter "Google"), available at https://google.com — operator of Google Workspace, which Ottomato uses for electronic-mail delivery to and from [email protected]. Receives the content of electronic-mail messages exchanged with Ottomato.

6. How Long We Keep Data

• Contact-form submissions: up to twenty-four (24) months from receipt, then deleted unless they have matured into an active engagement.
• Voice Agent transcripts: up to ninety (90) days unless they are tied to an active engagement, in which case they are retained for the duration of that engagement. Transcript messages you request by electronic mail may also remain in Ottomato's electronic-mail management system until you ask for deletion, subject to legal retention limits and unsubscribe-suppression records.
• Newsletter subscribers: until you unsubscribe. Bounced electronic-mail addresses are removed automatically.
• Server logs: up to thirty (30) days.
• Analytics: aggregated only. No per-visitor retention.
• Electronic-mail correspondence: for the duration of the business relationship plus a reasonable archival period for reference and legal compliance, generally not exceeding seven (7) years.

7. Cookies and Tracking

The Site does not set tracking cookies. The privacy-focused analytics tool Ottomato uses is intentionally cookieless and collects anonymous page-level data. Ottomato does not integrate Google Analytics, Facebook Pixel, or any advertising network on the Site.

The Voice Agent does not use an embedded third-party widget. Browser requests are made to Ottomato's voice runtime and xAI's realtime endpoint to provide the conversation.

8. Your Rights

Depending on where you live, you may have the following rights:

• Access — you may request a copy of the personal information Ottomato holds about you.
• Rectification — you may ask Ottomato to correct inaccurate or incomplete data.
• Erasure — you may ask Ottomato to delete your personal data, subject to legal retention limits.
• Portability — you may receive your data in a structured, machine-readable format.
• Restriction — you may ask Ottomato to limit how it uses your data.
• Objection — you may object to processing based on legitimate interest, including direct marketing.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time. Past processing remains lawful.

For residents of the European Economic Area or the United Kingdom: you have the above rights under the General Data Protection Regulation and the United Kingdom General Data Protection Regulation.

For California residents: you have the right to know what personal information Ottomato collects, the right to delete it, the right to correct it, and the right to non-discrimination for exercising these rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020. Ottomato does not sell or share personal information for cross-context behavioral advertising.

For residents of Canada, Thailand, and the wider European Economic Area: equivalent rights apply under the Personal Information Protection and Electronic Documents Act, the Personal Data Protection Act B.E. 2562 (2019), and local implementations of the General Data Protection Regulation.

To exercise any right, send a Data Subject Access Request by electronic mail to [email protected] from the address associated with your data. Ottomato responds within thirty (30) days or sooner where required.

9. Age and Children

The Services have the following minimum-age requirements:

• Free surfaces (Site, contact form, Newsletter, free Academy preview content): users must be at least thirteen (13) years of age, consistent with the Children's Online Privacy Protection Rule.
• Residents of the European Economic Area and the United Kingdom: users must be at least sixteen (16) years of age, consistent with Article 8 of the General Data Protection Regulation.
• Paid Academy tiers and custom engagements: users must be at least eighteen (18) years of age and have legal contractual capacity in their jurisdiction.

Ottomato does not knowingly collect personal data from children below the applicable minimum age. If you believe Ottomato has collected data from a child below the applicable minimum age, contact [email protected] and Ottomato will delete it.

10. Security

Ottomato applies reasonable technical and organizational safeguards to protect your data. These include Transport Layer Security for data in transit, encrypted storage where supported, least-privilege access controls, content-security-policy headers and HTTP Strict Transport Security on the Site, subresource integrity on pinned third-party scripts, and audit logging of administrative actions. No system is perfectly secure, and Ottomato cannot guarantee absolute security.

To report a suspected vulnerability, send an electronic-mail message to [email protected]. Refer also to the security-contact file at /.well-known/security.txt.

11. Applications

Ottomato develops and distributes Applications through the Academy and through custom engagements. Each Application is governed by its own privacy policy and terms of use, which are provided with or within the Application. Some Applications are designed to run entirely on the user's own device and do not transmit data to Ottomato or to any third party. Other Applications may collect, process, or transmit data as described in their specific policies. Users are responsible for reviewing the privacy policy and terms of use of each Application before use.

This Privacy Policy governs the ottomato.ai website, the Voice Agent, the Newsletter, the Academy, and general interactions with Ottomato. It does not govern individual Applications, which have their own policies.

12. Artificial-Intelligence Disclosure

The Voice Agent is an Artificial-Intelligence software agent. When you speak with the Voice Agent, you are speaking with software, not a human being. Conversations with the Voice Agent are processed in real time by the conversational-AI provider identified in Section 5 and may be reviewed by Ottomato to route your inquiry and improve responses. Any Output the Voice Agent produces, including suggested next steps or summaries of your request, is not professional advice and should not be treated as such. Where appropriate, Ottomato will follow up in writing from [email protected].

13. Complaints

If you believe Ottomato has mishandled your data, send an electronic-mail message to [email protected]. If you are not satisfied with Ottomato's response, you may lodge a complaint with your local supervisory authority: in the European Economic Area, your national data-protection authority; in the United Kingdom, the Information Commissioner's Office; in California, the California Privacy Protection Agency.

14. Changes

Ottomato will update this Policy when the Services or applicable law changes. The "Last Updated" date at the top of this Policy reflects the most recent version. For material changes, Ottomato will notify Newsletter subscribers by electronic mail and post a notice at the top of the Site for at least fourteen (14) days.

15. Contact

Ottomato. All inquiries: [email protected].