privacy
policy.

Effective · May 2026Ref · POL-P-001otto-hq.com

i read your calendar to figure out what matters. i forget most of it within a week. you can delete everything by texting DELETE. i never sell your data or use it to train models.

who we are

Otto is operated by Rhys James Trevethan trading as Otto (ABN: 37 750 733 139) ("we", "us", "our"). We provide an AI chief of staff that communicates with you via SMS, reading your calendar signals to send proactive, contextual messages. This policy explains what data we collect, why, how long we keep it, and how you control it.

what we collect

Phone number and calendar access are required to operate the service. Name is optional. If you do not provide required information, we cannot deliver the service.

Phone number — your identity in Otto. Used to send and receive SMS via Twilio. Never sold or shared for marketing purposes.
Name — optionally provided during onboarding so Otto can address you personally.
Calendar data (Google or Microsoft OAuth) — Otto requests: calendar.readonly (read events for briefings and meeting prep), calendar.events (create, update, or delete events you ask Otto to manage), drive.metadata.readonly (file names and links attached to calendar events only — never file contents).
Gmail data (Google OAuth) — Otto requests gmail.readonly to surface signal-worthy emails (sender, subject, key context) in your daily brief. The full message body is processed only in memory at the moment of brief generation to extract the relevant signal — it is never written to Otto's database, never logged, and never used to train any AI model. Only the derived signal (sender, subject, short snippet, labels, received time) is stored. Attachments are ignored entirely. Quoted thread history, signatures, and credential-shaped strings (one-time codes, reset links, API-key-shaped tokens) are stripped before any text reaches the language model.
SMS message history — messages between you and Otto are retained for a rolling 7-day window, then automatically deleted.
Preferences and memory — preferences you express over SMS are stored as key-value pairs tied to your account, retained while your subscription is active. You can delete these at any time.
Payment information — we store only your Stripe customer ID and subscription ID. Card details remain solely with Stripe.

how we use your data

Your data is used solely to:

Deliver the Otto service — daily briefings, meeting prep, nudges via SMS.
Process your calendar and messages through the Anthropic Claude API to generate AI responses.
Manage your subscription and process payments via Stripe.
Monitor service health and fix errors (via Sentry, with PII scrubbed before transmission).
Understand aggregate product usage to improve Otto (via PostHog, with phone numbers hashed).
Comply with legal obligations.

We do not sell your data. We do not use your data to train third-party AI models. Otto uses AI to generate briefings and suggestions but does not make automated decisions that produce legal or similarly significant effects on you (GDPR Art. 22). All AI output is informational — you retain full control over any actions taken.

Legal basis for processing (EU/UK users — GDPR Art. 6):

Delivering the service (SMS, briefings, calendar processing, AI) — Contract performance (Art. 6(1)(b))
Payment processing — Contract performance (Art. 6(1)(b))
Error monitoring via Sentry — Legitimate interests (Art. 6(1)(f)) — service reliability
Analytics via PostHog — Legitimate interests (Art. 6(1)(f)) — service improvement
Legal compliance — Legal obligation (Art. 6(1)(c))

sub-processors

Twilio — SMS delivery. Retains message metadata (timestamps, phone numbers) per its own retention policy. Privacy policy.
Anthropic — AI processing. Calendar and message data sent to Claude API. Privacy policy.
Google — Calendar OAuth. Privacy policy.
Microsoft — Calendar OAuth. Privacy policy.
Stripe — Payments. Privacy policy.
Supabase — Database hosting. Privacy policy.
Vercel — Application hosting. Privacy policy.
Trigger.dev — Background job execution. Privacy policy.
Sentry — Error monitoring (PII scrubbed). Privacy policy.
PostHog — Analytics (phone hashed). Privacy policy.

Google API Limited Use: Otto's use of Google Calendar and Gmail data is limited to providing the Otto service (daily brief and SMS chief-of-staff features). Gmail message bodies are processed transiently in memory and immediately discarded after signal extraction; no raw email content is persisted, transferred, or used to develop, improve, or train any generalised or personalised AI/ML model. We do not use Google user data for serving advertisements, and do not allow humans to read Google user data except with your explicit consent or as required by law. Otto complies with the Google API Services User Data Policy, including the Limited Use requirements.

Analytics: Otto uses PostHog for product analytics. PostHog is configured in cookieless, memory-only mode — no cookies or persistent identifiers are set in your browser. Session data is not retained between visits. Your phone number is hashed before transmission; raw phone numbers are never sent to PostHog.

cross-border transfers

Your data is processed by service providers located in the United States and other countries outside Australia. These providers are listed in §4.

For EU/EEA and UK users:Transfers to the United States are made under Standard Contractual Clauses (SCCs) approved by the European Commission, or where the recipient participates in the EU–US Data Privacy Framework. You may request details of the specific transfer mechanism for any provider by contacting us.

For Australian users: We take reasonable steps to ensure that overseas recipients handle your personal information consistently with the Australian Privacy Principles, as required by APP 8 of the Privacy Act 1988 (Cth). By using Otto, you consent to the disclosure of your personal information to these overseas recipients.

data retention

SMS messages — 7-day rolling window in Otto's database, then auto-deleted. Twilio retains message metadata (timestamps, phone numbers) per its own retention policy.
Calendar data — processed in real time; not stored beyond OAuth tokens.
OAuth tokens — retained while integration is connected; deleted on revocation or account closure.
Preferences & memory — retained while subscription is active.
Account data — retained for 30 days after account closure or STOP, then permanently deleted.

your rights

Access — request a copy of everything Otto holds about you.
Erasure — text DELETE (then CONFIRM DELETE) to permanently delete your account and all data. Or email us.
Pause — text PAUSE at any time. Otto goes silent. Text RESUME to restart.
Opt out of SMS — text STOP. No further messages sent. Your account and data are retained for 30 days, then permanently deleted. Reply RESUME within that window to reactivate.
Correction — tell Otto he's wrong about something; he updates and acknowledges.
Portability — request your data in a structured, machine-readable format.

Australian users have rights under the Privacy Act 1988 (Cth), including the Australian Privacy Principles. You may request access to or correction of your personal information, and lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

If you are in the European Economic Area or UK, you have additional rights under GDPR/UK GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), portability (Art. 20), objection to legitimate-interests processing (Art. 21), and withdrawal of consent. To exercise any of these rights, email hello@otto-hq.com. We will respond within 30 days. You may also lodge a complaint with your local supervisory authority (e.g. the ICO in the UK).

security

Before any of your data reaches Otto's language model, we strip content relating to HR, salary, health, or legal matters. If we can't confidently determine the topic of a message, we err on the side of silence.

Data breach notification: In the event of an eligible data breach likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable, in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988(Cth). For users in the EU or UK, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 33–34).

children

Otto is not directed at children or minors. You must be 18 years of age or older (or the age of majority in your jurisdiction) to subscribe. We do not knowingly collect personal information from anyone under 18. If you believe we have collected data from someone under 18, email hello@otto-hq.com and we will delete it promptly.

changes

If we materially change this policy, you'll get an SMS from Otto at least 14 days before changes take effect. Continued use after that constitutes acceptance.

contact

hello@otto-hq.com
Otto HQ · postal address available on request.