Privacy Policy

1. Who we are

Otto (“Otto”, “we”, “us”) operates the Otto service at https://ottomail.app. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, we act as the data controller for the personal data described here. For privacy questions or to exercise any of your rights, contact us at privacy@ottomail.app.

2. Data we collect and store

We only collect what we need to run the service. The categories of data we store are:

Account & identity

Your Google account id, name, email address and avatar URL, obtained when you sign in with Google.

Google authorization tokens

The OAuth access and refresh tokens that let Otto act on your mailbox on your behalf. They are held server-side only (never sent to your browser), encrypted at rest by our database provider, and kept only until you disconnect Google or delete your account.

Assistant conversations

Your chats with the Otto assistant. When you ask the assistant about an email, excerpts of that email (sender, subject, body text) become part of the conversation and are saved with it. Kept until you delete the chat or your account.

Settings & prompt templates

Your preferences (model, persona, signature, appearance) and any saved prompt templates.

Mailbox change signals

To deliver real-time updates we store your Gmail push-subscription state (your email address and a mailbox history cursor) and, when new mail arrives, log the message id — never its content — to ping your browser.

What we deliberately do not store

• Your mailbox. Otto never copies or syncs your email into its database — messages are fetched live from Gmail each time you view them. The only email text we retain is what appears inside an assistant conversation you chose to have about a message (see “Assistant conversations” above), and it is erased when you delete that chat or your account.
• Your Google password (sign-in is handled entirely by Google via OAuth).
• Advertising, tracking, or behavioural-profiling data. Otto runs no ad networks or third-party analytics trackers.

3. The Google data we access, and why

When you sign in with Google you grant Otto the following access. You can review and revoke it at any time at myaccount.google.com/permissions, or by disconnecting from within the app.

gmail.readonly

Read and search your mail so the assistant can find, open and summarize it.

gmail.send

Send the emails and replies you ask Otto to send.

gmail.modify

Organize your mailbox on your instruction — mark read/unread, star, archive, label and trash.

openid, email, profile

Identify you and show your name and avatar in the app.

4. Google API Services — Limited Use

Otto’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically, data obtained from Gmail is used only to provide and improve Otto’s user-facing features, and we:

• do not sell or rent your Google data;
• do not use it for advertising, profiling, or any purpose unrelated to the features you are using;
• do not use it to train generalized or foundation AI/ML models;
• do not allow humans to read it, except where you explicitly ask us to, where required for security or to comply with the law, or on data that has been aggregated and anonymized.

5. AI processing

Otto’s assistant is powered by a third-party large language model (see Subprocessors below). When you use the assistant, the relevant content of your request — which may include text from emails you ask about — is sent to the model provider’s API to generate a response. The provider processes this only to return a result to you and, under its API terms, does not use it to train its models. We do not use your Gmail content to train any model ourselves.

6. How we use your data

• To authenticate you and keep you signed in.
• To read, search, compose, send and organize mail at your instruction.
• To power the AI assistant’s responses and actions.
• To deliver real-time “new mail” updates to your browser.
• To remember your settings and saved prompts.
• To keep the service secure and to comply with our legal duties.

7. Legal bases (GDPR)

Where the GDPR applies, we rely on:

• Consent — for connecting your Google account and accessing your mailbox. You may withdraw it at any time by disconnecting or deleting your account.
• Performance of a contract — to provide the features you request.
• Legitimate interests — to keep the service secure and working, balanced against your rights.

8. Subprocessors

We share data only with the service providers needed to run Otto. Each processes data on our behalf under its own terms:

Google (Gmail API & OAuth)

Sign-in and the mailbox itself. Otto reads, sends and modifies mail through the Gmail API using the access you grant. (Global)

OpenAI

Powers the assistant. When you use Otto's AI, the relevant message content (which can include email text you asked about) is sent to OpenAI's API to generate a response. OpenAI processes this as our data processor and, per its API terms, does not use API data to train its models. (United States)

Vercel

Application hosting and delivery. (Global)

Supabase

Managed PostgreSQL database (your account, settings and chats) and the real-time channel that signals new mail. (Configured per deployment)

Resend

Sends transactional email (e.g. an account-deletion confirmation) from our no-reply address to your registered email. It receives only the recipient address and message content needed to deliver the email. (United States)

We never sell your personal data, and we do not share it for cross-context behavioural advertising.

9. Data retention

• Authorization tokens are kept until you disconnect Google or delete your account.
• Chats, settings and templates are kept until you delete them or your account.
• When you delete your account it is first deactivated and then permanently erased after a 30-day grace period, during which you may restore it.
• Your mailbox itself is never retained — messages are fetched live from Gmail. Email excerpts inside a saved assistant conversation follow that conversation’s lifetime.

10. Cookies & local storage

Otto uses only strictly necessarycookies — the session cookie that keeps you signed in and the security cookies that protect the sign-in flow. We set no advertising or analytics cookies, which is why you don’t see a cookie banner. Your browser’s local storage is used for on-device preferences (such as your theme) and, in demo mode, for demo conversations that never leave your browser. You can clear these at any time through your browser settings; clearing the session cookie simply signs you out.

11. Your rights

Subject to applicable law — including the GDPR/UK GDPR, India’s Digital Personal Data Protection Act 2023, and, for California residents, the CCPA/CPRA — you have the right to access, correct, export (portability), restrict, object to, and delete your personal data, to withdraw consent, and to grievance redressal. We do not “sell” or “share” personal data as those terms are defined under California law, and we will not discriminate against you for exercising any right.

You can exercise these directly in the app:

• Access & portability — export all your stored data as a file from Settings → Privacy & data.
• Erasure — delete your account (and disconnect Google) from Settings → Privacy & data.
• Withdraw consent — disconnect Google at any time.

You can also email privacy@ottomail.app and we will respond within the timeframe the law requires. You may also lodge a complaint with your local data-protection authority.

12. Security

Data is transmitted over HTTPS and stored on managed infrastructure that encrypts data at rest, with access controls. OAuth tokens are held server-side only and are never exposed to the browser. No method of transmission or storage is perfectly secure, but we take reasonable measures to protect your data — and, above all, we limit what we hold in the first place.

13. International transfers

Our subprocessors may process data in countries other than yours, including the United States. Where required, such transfers rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

14. Children

Otto is not directed to children and is not intended for anyone under 18. We do not knowingly collect data from them.

15. Changes to this policy

We may update this policy from time to time. We will update the effective date above and, for material changes, take reasonable steps to notify you.

16. Contact

Questions or requests: privacy@ottomail.app.