Privacy Policy

Otto ("we", "us", or "our") operates the otto-mode.ai website and the Otto VS Code extension (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

1. Information We Collect

Account Information. When you create an account, we collect your name, email address, and authentication credentials. If you sign in with GitHub or Google, we receive your name, email, and profile identifier from those providers.

Payment Information. When you subscribe to a paid plan, Stripe collects and processes your payment details (card number, billing address). We receive only a token, last four digits, and billing status — we never store full card numbers.

Usage Metadata. We collect aggregated usage data such as which Otto products and features you use, assessment scores, and team configuration. This data is used to calculate impact metrics, improve our products, and provide the Service.

Device and Log Data. We automatically collect IP addresses, browser type, operating system, and timestamps when you access the Service. This data is used for security monitoring, rate limiting, and debugging.

2. Information We Do NOT Collect

Your Source Code. Otto never stores, transmits, or accesses your source code. All assessment logic runs using metadata only (file names, dependency manifests, configuration presence). Your code stays on your machine — it is never sent to Otto servers.

Repository Contents. We do not clone, read, or cache the contents of your repositories. The VS Code extension and MCP server operate locally and communicate only metadata to the Otto API.

Advertising Data. We do not collect data for advertising purposes. We do not serve ads and do not sell, rent, or share your data with advertisers.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Process payments and manage subscriptions
• Send transactional emails (account verification, password resets, billing notifications)
• Calculate and display impact metrics and assessment scores
• Enforce rate limits and prevent abuse
• Respond to support requests
• Improve our products based on aggregated usage patterns

We do not sell your personal information. We do not use your information for automated decision-making or profiling.

4. Third-Party Services

We share information with the following third-party service providers, solely for the purposes described:

• Stripe — Payment processing. Stripe receives your billing information directly. Stripe Privacy Policy
• Resend — Transactional email delivery. Resend receives your email address. Resend Privacy Policy
• GitHub — OAuth authentication (when you sign in with GitHub). GitHub Privacy Statement
• Google — OAuth authentication (when you sign in with Google) and reCAPTCHA for bot prevention. Google Privacy Policy
• DigitalOcean — Infrastructure hosting. Your data is stored on DigitalOcean servers. DigitalOcean Privacy Policy

We do not share your personal information with any other third parties except as required by law.

5. Data Retention

Active Accounts. We retain your account data for as long as your account is active and your subscription is in good standing.

After Deletion. When you delete your account, we remove your personal data within 30 days. Some data may be retained longer where required by law (e.g., billing records for tax compliance — up to 7 years).

Inactive Accounts. Accounts with no login activity for 24 months may be flagged for deletion. We will notify you by email before deleting an inactive account.

6. Data Security

We implement industry-standard security measures to protect your data:

• All data in transit is encrypted with TLS 1.2+
• Database connections are encrypted and access-restricted
• Passwords are hashed with bcrypt (never stored in plaintext)
• API keys are hashed with SHA-256 after initial display
• Authentication tokens use RS256 JWT with key rotation
• Rate limiting is enforced on all authentication endpoints
• We conduct regular security reviews of our infrastructure and code

No method of transmission over the Internet is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

GDPR (European Economic Area). Under Articles 15-22 of the General Data Protection Regulation, you have the right to:

• Access your personal data (Article 15)
• Rectify inaccurate data (Article 16)
• Request erasure ("right to be forgotten") (Article 17)
• Restrict processing (Article 18)
• Data portability (Article 20)
• Object to processing (Article 21)

CCPA (California). Under the California Consumer Privacy Act, you have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale of personal information (we do not sell your data)
• Non-discrimination for exercising your privacy rights

To exercise any of these rights, contact us at privacy@otto-mode.ai. We will respond within 30 days (GDPR) or 45 days (CCPA).

8. Cookies

Otto uses only cookies that are strictly necessary for security and authentication. We do not use analytics, advertising, or marketing cookies. Specifically:

• NextAuth.js session cookies — Required for user authentication and CSRF protection
• Google reCAPTCHA cookies — Required for bot and fraud prevention (classified as security-essential under GDPR Recital 49)
• Cookie consent preference — Remembers your cookie banner acknowledgment

For a full list of cookies and their purposes, see our Cookie Policy.

9. Children's Privacy

Otto is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 13, please contact us at privacy@otto-mode.ai.

10. International Data Transfers

Otto's servers are located in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on Standard Contractual Clauses (SCCs) where required for transfers of personal data from the EEA to the US.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify registered users by email. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

• Email: privacy@otto-mode.ai
• Website: otto-mode.ai