← back to otto

privacy
policy.

Effective · April 2026Ref · POL-P-001otto-hq.com
i read your calendar and email to figure out what matters. i forget most of it within 24 hours — i only keep the important bits, like your preferences and what project is what. you can delete everything any time by texting "delete my data" or visiting otto-hq.com/settings.

who we are

Otto is operated by Otto HQ ("Otto", "we", "us"). We provide an AI chief of staff that communicates with you via SMS, reading your calendar and email signals to send proactive, contextual messages. This policy explains what data we collect, why, how long we keep it, and how you control it.

what we collect

To do our job, we access:

  • Phone number and email. For signup, verification, and SMS delivery.
  • Calendar metadata. Events, times, attendees, titles. Via Google, Microsoft, or Apple (CalDAV) with your explicit OAuth consent.
  • Email signals. Once Gmail is enabled (Phase 2), Otto reads thread subjects, senders, and signals — never storing message bodies verbatim.
  • Drive file activity. Filenames and timestamps only. Never contents.
  • Slack messages. Channels, mentions, thread activity — with your OAuth consent.
  • Your SMS replies to Otto. Used to calibrate timing, tone, and priorities.

ephemeral by default

Otto reads fresh data every analysis cycle and forgets most of it shortly after. Gmail, Google Calendar, and Slack remain the source of truth — Otto doesn't maintain his own historical archive.

  • Email signals (structured metadata) — 24 hours rolling
  • Calendar metadata (forward window) — 7 days
  • Calendar metadata (historical) — 24 hours
  • Conversation history (SMS logs) — 7 days rolling
  • Drive file metadata — 7 days
  • Misfire logs (anonymised) — 30 days
  • Persistent memory (your preferences, project context) — indefinite while subscribed, user-wipeable at any time

sensitivity filter

Before any of your data reaches Otto's language model, we strip content relating to HR, salary, health, or legal matters. If we can't confidently determine the topic of a message, we err on the side of silence.

how we use your data

Your data is used solely to:

  • Generate the morning brief, priority responses, and meeting prep texts that are the product itself.
  • Improve Otto's tone, timing, and accuracy based on your corrections.
  • Deliver SMS via Linq and handle payments via Stripe.

We do not sell your data. We do not use your data to train third-party models. We do not share your calendar, email, or Slack contents with anyone outside the processors listed in section 7.

your rights

  • Access — request a copy of everything Otto holds about you.
  • Erasure — text delete my data or visit otto-hq.com/settings. Full purge within 24 hours.
  • Pause — text PAUSE at any time. Otto goes silent.
  • Opt out — text STOP. Otto never messages you again.
  • Correction — tell Otto he's wrong about something; he updates and acknowledges.

sub-processors

  • Supabase — encrypted database, row-level security per user.
  • Linq — SMS delivery and phone verification.
  • Anthropic (Claude) — language model that writes Otto's messages. Filtered inputs only.
  • Stripe — payment processing.
  • Vercel — hosting.
  • Trigger.dev — scheduled background jobs.

international users

Otto operates globally. If you are in the EU/UK, we respect data subject rights — you can request access, correction, erasure, and data portability at any time via hello@otto-hq.com and we'll respond promptly.

children

Otto is not directed at anyone under 16. We do not knowingly collect data from minors. If you believe a child has signed up, email hello@otto-hq.comand we'll delete their account immediately.

changes

If we materially change this policy, you'll get an SMS from Otto. No fine print, no email footer updates.

contact

hello@otto-hq.com
Otto HQ · postal address listed on request during an active data-subject request.