Privacy Policy

1. Introduction

Welcome to Otis ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website ossus.artoo.love (the "Site") and use our AI personal assistant service accessible via text message (the "Service").

Otis is an AI-powered personal assistant that helps you manage your daily tasks by accessing your Gmail emails, Google Calendar events, contacts, and other connected services through text message commands. We take your privacy seriously and are transparent about how we handle your data.

By accessing or using our Site or Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Site or use the Service.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide to us when you:

• Register for beta access or sign up for our Service
• Fill out forms on our Site
• Contact us via email or other communication channels
• Use our text message AI assistant service
• Connect your Google account or other third-party services

This information may include:

• First and last name
• Email address
• Phone number
• Text message content and conversation history
• Google account information (email address, profile picture)

2.2 Information from Connected Services

When you connect third-party services to Otis, we may access and process the following information on your behalf:

Gmail Access

• Email content, subject lines, and metadata (sender, recipient, date, time)
• Email labels and categories
• Attachments and file information
• Read/unread status

Scope: We only access emails when you explicitly request information through text commands. We do not continuously monitor or store your emails.

Google Calendar Access

• Calendar events (title, description, location, attendees)
• Event dates, times, and time zones
• Recurring event patterns
• Event reminders and notifications
• Calendar names and settings

Scope: We access calendar information only when you request scheduling assistance or event information. We can create, modify, and delete events only with your explicit permission.

Google Contacts Access

• Contact names, phone numbers, and email addresses
• Contact photos and profile information
• Contact groups and labels
• Notes and custom fields

Scope: We access contacts only when you request to find contact information or send messages to specific people.

2.3 Automatically Collected Information

When you visit our Site, we may automatically collect certain information about your device, including:

• IP address
• Browser type and version
• Operating system
• Referring website
• Pages visited and time spent on pages
• Date and time of visits

2.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Site and store certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site.

3. How We Use Your Information

We use the information we collect for various purposes, including to:

• Provide, operate, and maintain our AI personal assistant Service
• Process your text messages and provide AI-generated responses
• Access your Gmail, Google Calendar, and Contacts on your behalf to fulfill your requests
• Read and summarize emails when you ask about your inbox
• Create, modify, or delete calendar events when you request scheduling assistance
• Look up contact information when you need to reach someone
• Learn your preferences and communication patterns to provide better assistance
• Send you updates, newsletters, and marketing communications (with your consent)
• Respond to your inquiries and provide customer support
• Improve and personalize your experience with our Service
• Monitor and analyze usage patterns and trends
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations and enforce our terms of service

3.1 AI Processing

We use artificial intelligence and machine learning to process your requests and provide intelligent responses. This includes:

• Natural language processing to understand your text commands
• Context analysis to provide relevant responses based on your conversation history
• Pattern recognition to learn your preferences and improve service quality
• Automated decision-making for routine tasks (with your consent)

4. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

4.1 Service Providers

We may share your information with third-party service providers who perform services on our behalf, such as:

• Cloud hosting providers (e.g., Vercel, Supabase)
• Analytics services (e.g., Vercel Analytics)
• AI service providers (e.g., Novita AI, OpenAI) for processing your requests
• Messaging service providers (e.g., LoopMessage) for text message delivery
• Google APIs for accessing Gmail, Calendar, and Contacts

These service providers have access to your personal information only to perform specific tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Important Note on Google Data: Your Gmail, Calendar, and Contacts data is accessed through Google's secure OAuth 2.0 authentication. We only request the minimum permissions necessary to provide our Service. Google data is processed in real-time to fulfill your requests and is not permanently stored on our servers unless explicitly required for functionality (e.g., conversation context).

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

4.3 Business Transfers

If we are involved in a merger, acquisition, or asset sale, your personal information may be transferred. We will provide notice before your personal information is transferred and becomes subject to a different Privacy Policy.

5. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

5.1 Retention Periods

• Conversation History: Stored for up to 30 days to maintain context and improve service quality. You can request deletion at any time.
• Gmail Data: Not permanently stored. Accessed in real-time only when you make a request.
• Calendar Data: Not permanently stored. Accessed in real-time only when you make a request.
• Contacts Data: Not permanently stored. Accessed in real-time only when you make a request.
• Account Information: Retained for as long as your account is active, plus 90 days after account deletion.
• Authentication Tokens: Stored securely and encrypted. Revoked immediately upon account deletion or service disconnection.

When we no longer need your information, we will securely delete or anonymize it. You can request immediate deletion of your data at any time by contacting us.

6. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

6.1 Security Measures

• Encryption: All data transmitted between you and our Service is encrypted using TLS 1.2 or higher
• OAuth 2.0: We use Google's secure OAuth 2.0 protocol for authentication - we never store your Google password
• Token Encryption: All authentication tokens are encrypted at rest using industry-standard encryption (AES-256)
• Access Controls: Strict access controls limit who can access your data within our organization
• Regular Audits: We conduct regular security audits and vulnerability assessments
• Secure Infrastructure: Our infrastructure is hosted on secure, SOC 2 compliant platforms
• Minimal Data Storage: We minimize data storage by processing most requests in real-time without permanent storage

However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us.

7. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information, including:

• Access: Request access to the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information and conversation history
• Objection: Object to the processing of your personal information
• Portability: Request transfer of your information to another service
• Withdraw Consent: Withdraw your consent at any time (where processing is based on consent)
• Revoke Access: Disconnect Google services and revoke our access to Gmail, Calendar, and Contacts at any time

7.1 Managing Connected Services

You can manage your connected services and permissions at any time:

• Revoke Google Access: Visit Google Account Permissions to revoke Otis's access to your Gmail, Calendar, or Contacts
• Delete Conversation History: Text "delete my data" to immediately remove all stored conversation history
• Disconnect Service: Text "disconnect" to stop the service and delete your account

To exercise these rights, please contact us at daniel@artoo.love. We will respond to your request within 30 days.

8. Children's Privacy

Our Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us, and we will take steps to delete such information.

9. Google API Services User Data Policy

Otis's use and transfer of information received from Google APIs adheres to Google API Services User Data Policy, including the Limited Use requirements.

9.1 Limited Use Disclosure

Otis's use of information received from Google APIs will adhere to the following requirements:

• We only request access to the data necessary to provide and improve our AI assistant features
• We do not use Google user data for serving advertisements
• We do not allow humans to read your Gmail, Calendar, or Contacts data unless:
  • We have your explicit consent
  • It is necessary for security purposes (e.g., investigating abuse)
  • It is required to comply with applicable law
  • The data has been aggregated and anonymized
• We do not transfer your Google user data to third parties except as necessary to:
  • Provide or improve our Service (e.g., AI processing)
  • Comply with applicable law
  • Protect against security threats

10. Third-Party Links

Our Site may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policy of every site you visit.

11. International Data Transfers

Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. By using our Service, you consent to the transfer of your information to the United States and other countries.

12. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), including:

• The right to know what personal information we collect, use, and disclose
• The right to request deletion of your personal information
• The right to opt-out of the sale of your personal information (we do not sell personal information)
• The right to non-discrimination for exercising your CCPA rights

13. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR), including the rights listed in Section 7 above. Our legal basis for processing your information includes:

• Consent: You have given clear consent for us to process your personal information
• Contract: Processing is necessary for a contract we have with you
• Legal obligation: Processing is necessary to comply with the law
• Legitimate interests: Processing is in our legitimate interests and does not override your rights

14. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

15. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

• Email: daniel@artoo.love
• Website: ossus.artoo.love
• Schedule a Call: Calendly