Privacy Policy

Last Updated: May 31st, 2025

At Ottaga ("we," "us," or "our"), we are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered emotional support service ("Service").

Important: While our Service provides emotional support, we are not a healthcare provider and this Privacy Policy does not constitute a HIPAA-covered relationship.

1. Information We Collect

1.1 Information You Provide Directly

  • Account Information: Name, email address, age verification, user preferences, and profile settings
  • Conversation Data: All messages, interactions, and communications with our AI system
  • Support Communications: Messages sent to our support team
  • Feedback and Surveys: Responses to voluntary surveys or feedback requests

1.2 Information Collected Automatically

  • Usage Data: How you interact with our platform, features used, session duration, and navigation patterns
  • Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution
  • Technical Data: Log files, error reports, performance metrics, and system diagnostics
  • Location Data: General geographic location based on IP address (not precise geolocation)

1.3 Third-Party Analytics

We use PostHog, a third-party analytics service, to track page events and analyze how users interact with our Service. PostHog collects:

  • Page views and navigation patterns
  • Feature usage and interaction events
  • Technical information about your device and browser
  • Performance metrics and error data
  • Anonymized behavioral analytics

PostHog helps us understand which features are most useful and where we can improve the user experience. For more information about PostHog's data practices, visit: PostHog Privacy Policy

2. How We Use Your Information

2.1 Primary Purposes

  • Service Provision: Operate and maintain the Service, including AI response generation
  • Personalization: Customize your experience and improve conversation continuity
  • Service Improvement: Enhance AI capabilities, develop new features, and optimize performance
  • Communication: Send service updates, security alerts, and support responses
  • Safety and Security: Detect fraud, prevent abuse, and protect against security threats

2.2 Legal Basis for Processing

We process your information based on:

  • Consent: When you explicitly agree to processing (such as signing up for our Service)
  • Contractual Necessity: To provide the Service as outlined in our Terms of Service
  • Legitimate Interests: Service improvement, security, and business operations
  • Legal Compliance: When required by applicable United States law

2.3 Automated Decision Making

Our AI system processes your conversations to generate responses. While this involves automated processing, you can always:

  • Request human review of AI responses through our support team
  • Modify or delete your conversation data
  • Discontinue use of the Service at any time

3. Data Retention

3.1 Retention Periods

  • Conversation Data: Stored for up to 24 months from your last interaction
  • Account Information: Retained while your account is active, plus 30 days after deletion
  • Usage Analytics: Anonymized data may be retained indefinitely for service improvement
  • Support Communications: Retained for 3 years for quality assurance purposes

3.2 Deletion Timeline

  • Account deletion requests are processed within 30 days
  • Conversation data deletion requests are processed within 7 days
  • Some data may be retained longer if required by law or for legitimate business purposes

4. Data Storage and Security

4.1 Security Measures

We implement industry-standard security measures including:

  • Encryption in Transit: All data transmitted to and from our Service is encrypted using TLS 1.3
  • Infrastructure Security: Our data is stored with SOC 2 Type II certified service providers (including PostHog for analytics data) that implement encryption at rest and other enterprise security controls
  • Access Controls: Role-based access with multi-factor authentication for staff
  • Regular Audits: Security assessments and vulnerability testing
  • Data Minimization: We collect only necessary data and limit access on a need-to-know basis
  • Incident Response: Procedures for detecting, responding to, and reporting security incidents

4.2 Data Storage Location

Your data is primarily stored on secure servers in the United States. We may use cloud service providers with data centers in other countries, but we ensure appropriate safeguards are in place.

4.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Notify affected users within 72 hours when feasible
  • Report to relevant authorities as required by law
  • Provide clear information about the breach and steps being taken

5. Data Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for commercial purposes.

5.2 Limited Sharing

We may share your information only in these circumstances:

Service Providers: Trusted third parties who assist in operating our platform, including:

  • Cloud hosting providers (with data processing agreements)
  • Analytics services (PostHog, as described above)
  • Customer support tools
  • Security and fraud prevention services

Legal Requirements: When required by law, court order, or government request, or to:

  • Comply with legal obligations
  • Protect our rights and property
  • Investigate potential violations of our Terms
  • Protect the safety of our users or the public

Business Transactions: In connection with a merger, acquisition, or sale of assets, with appropriate privacy protections

Emergency Situations: If we believe disclosure is necessary to prevent serious harm to an individual or the public

6. Your Privacy Rights

6.1 General Rights

You have the right to:

  • Access: Request a copy of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your personal data ("right to be forgotten")
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request limitation of processing in certain circumstances

6.2 Conversation-Specific Rights

  • Download Conversations: Export your conversation history
  • Delete Individual Messages: Remove specific conversations or messages
  • Opt-out of Analysis: Prevent use of your conversations for service improvement

6.3 Marketing and Communications

  • Opt-out: Unsubscribe from marketing emails (service-related emails may continue)
  • Preference Management: Control types of communications you receive

6.4 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days for most requests.

7. State-Specific Privacy Rights

7.1 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to Know: Detailed information about data collection and use
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt-out of sale of personal information (we don't sell data)
  • Right to Non-Discrimination: We won't discriminate for exercising your rights
  • Right to Correct: Request correction of inaccurate personal information

To exercise these rights, contact us at [email protected] with "California Privacy Request" in the subject line.

7.2 Other State Laws

We comply with applicable state privacy laws where required. If you have questions about your privacy rights under your state's laws, please contact us.

8. Service Availability and Jurisdiction

8.1 United States Only

Our Service is currently available only to users located in the United States. By using our Service, you represent that you are located in the United States. We may use technical measures to restrict access from outside the United States.

8.2 Data Storage

Your data is stored on secure servers located in the United States and is subject to United States privacy laws and regulations.

9. Children's Privacy

Our Service is intended for users 16 years of age and older. We do not knowingly collect personal information from children under 16. If you are under 18, you must have parental consent to use our Service.

If we discover we have collected information from a child under 16 without proper consent, we will delete such information immediately.

10. Third-Party Services

10.1 Third-Party Integrations

Our Service uses PostHog for analytics as described above. This Privacy Policy does not cover PostHog's data practices - please review their privacy policy for more information.

10.2 External Links

Our Service may contain links to external websites. We are not responsible for the privacy practices of these external sites.

11. Tracking Technologies

11.1 Analytics Tracking

We use PostHog to track page events and user interactions for analytics purposes. This may involve:

  • Session Tracking: Temporary identifiers to track your session
  • Event Tracking: Recording of page visits and feature usage
  • Performance Monitoring: Technical data about Service performance

11.2 Browser Storage

Our Service may use browser storage technologies (such as local storage or session storage) to:

  • Remember your preferences and settings
  • Maintain your session while using the Service
  • Store temporary data for Service functionality

11.3 Managing Tracking

You can manage tracking through your browser settings. Note that disabling certain tracking may affect Service functionality. PostHog tracking can be disabled through your browser's privacy settings or by contacting us to opt out.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will:

  • Post the updated policy on this page with a new "Last Updated" date
  • Notify users of material changes via email when possible
  • For significant changes, we may require renewed consent

Your continued use of the Service after changes indicates acceptance of the updated policy.

13. Data Controller and Contact Information

Data Controller: Ottaga

Contact: [email protected]

For privacy-related inquiries, please include "Privacy Request" in your email subject line.

Response Times:

  • General inquiries: Within 5 business days
  • Data access/deletion requests: Within 30 days
  • Data breach notifications: Within 72 hours when applicable

14. Effective Date and Jurisdiction

This Privacy Policy is effective as of the "Last Updated" date above and is governed by the laws of Minnesota, United States.

By using our Service, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.