Privacy Policy

Effective: May 13, 2026

The short version

We collect what we need to make Otai work for you. We do not sell your data. We do not train AI models on your conversations. You can export or delete your data at any time.

Questions: privacy@getotai.com.

1. Who we are (controller)

Otai is operated by Lab256 LLC, a Delaware limited liability company. For purposes of GDPR and comparable laws, Lab256 LLC is the data controller for personal data we collect through getotai.com, the Otai app, and related services (the "Service").

Contact for privacy matters: privacy@getotai.com.

2. Age — 18 and older

Otai is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, email privacy@getotai.com and we will delete it promptly.

3. What we collect

Account data. Email address, and (optionally) a display name and avatar.

Conversations and reflections. The content of your chats with Otai, onboarding answers, daily check-ins, sparring sessions, and any documents you upload.

Generated artifacts. Snapshots, roasts, transcripts, and summaries Otai creates for you.

Memory embeddings. Vector representations of your messages used to retrieve relevant context for future conversations. Embeddings are stored alongside your account and used only for your retrieval.

Usage data. Sign-in events, feature usage, check-in cadence, and similar product-analytics signals.

Billing data. If you subscribe, payment is handled by Stripe. We store the Stripe customer and subscription identifiers and your current plan status; we do not see or store full card details.

Technical data. IP address (hashed for the public Roast Me tool), browser and device type, language, and timestamps. We use this for security, abuse prevention, and basic diagnostics.

Cookies and similar tech. We use only essential cookies — primarily authentication session cookies. We do not use third-party advertising or tracking cookies.

4. How we use it (and our legal bases)

To provide the Service — authenticate you, stream Otai's responses, retrieve memory, render check-ins, generate snapshots, deliver emails you've subscribed to, process subscriptions. Legal basis: performance of our contract with you.

To keep the Service safe — rate limiting, abuse detection, fraud prevention, debugging. Legal basis: our legitimate interest in operating a secure service, and compliance with law.

To improve the Service — aggregated, de-identified usage trends only. We never use the content of your conversations to improve the product without your specific consent. Legal basis: our legitimate interest in improving the Service.

To communicate with you — account messages, reminders you've enabled, and important legal/security updates. Legal basis: contract, legitimate interest, and (for optional marketing) consent.

5. What we do NOT do

We do not train AI models on your conversations. Your messages, onboarding answers, check-ins, and uploaded documents are not used to train any AI model — ours, our subprocessors', or any third party's. Where a subprocessor offers settings that disable training on prompts, we use those settings.

We do not sell your personal information. For purposes of the California Consumer Privacy Act (CCPA) and comparable laws: we do not sell, share for cross-context behavioral advertising, or rent your personal information.

We do not share your conversations with other users. Account data is isolated by user via database-level row security.

6. Who we share with (subprocessors)

We share the minimum necessary with the providers that power Otai. Each is bound by a written agreement that restricts their use of your data to providing services to us.

  • Anthropic, PBC — generates Otai's responses. We use Anthropic's API; under their API terms, prompts and outputs are not used to train Anthropic's models by default.
  • OpenAI, Inc. — computes memory embeddings. We use OpenAI's API; embeddings sent via API are not used to train OpenAI's models.
  • Supabase, Inc. — hosts the Postgres database, authentication, and file storage.
  • Vercel, Inc. — hosts the web application and delivers content via CDN.
  • Stripe, Inc. — processes subscription payments. Subject to Stripe's privacy policy.
  • Resend, Inc. — delivers transactional and reminder emails you've opted into.

We will update this list when we add or change material subprocessors. We may also disclose data when required by law (subpoena, court order) or to protect rights, safety, and property.

Business transfers. If we are involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction; we will notify you and any applicable changes will be reflected in this policy.

7. International transfers

Our systems are hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. For transfers from the EU, UK, and Switzerland, we rely on the European Commission's Standard Contractual Clauses (and UK International Data Transfer Addendum) with our subprocessors. A copy of the relevant clauses is available on request.

8. How long we keep data

Account data and conversations. Retained while your account is active. On deletion, hard-deleted within 30 days, except where law requires longer (e.g., financial records).

Backups. Encrypted backups are retained for up to 30 days and then overwritten. Deleted content may persist in backups during this window.

Public Roasts. Roasts created via the public Roast Me tool (without an account) are stored indefinitely to power shareable URLs. They contain only the text you pasted; we do not associate them with personal identifiers beyond a hashed IP used for rate-limit purposes.

Security logs. Kept up to 12 months for abuse prevention and incident response.

9. Your rights

Depending on your jurisdiction, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Delete your data ("right to erasure")
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Withdraw consent where processing is based on consent
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you — Otai is decision-support; you remain the decision-maker
  • Lodge a complaint with your local data protection authority (EU/UK) or, for California residents, the California Privacy Protection Agency

To exercise any of these, email privacy@getotai.com. We will respond within 30 days. We may need to verify your identity before fulfilling certain requests.

10. California residents (CCPA/CPRA)

We do not sell or share personal information as those terms are defined under California law. The rights in Section 9 apply to California residents, including the right to know, delete, correct, and limit use of sensitive personal information. You may designate an authorized agent to make requests on your behalf.

11. Security

We use industry-standard safeguards: TLS in transit, encryption at rest, least-privilege access, row-level security on user data, secret rotation, and audit logging for sensitive admin actions. We perform regular dependency updates and review high-risk changes.

No system is perfectly secure. If a breach affecting your data occurs, we will notify affected users without undue delay and as required by applicable law.

12. Enterprise customers and DPA

Enterprise customers may execute a Data Processing Addendum (DPA) under which Lab256 LLC acts as processor for the enterprise's instructed processing. Request a DPA at enterprise@getotai.com.

13. Changes to this policy

We will update this policy as the product, law, or business evolves. Material changes will be announced via email and in the app at least 14 days before they take effect.

14. Contact

Lab256 LLC
Email: privacy@getotai.com