GDPR Compliance

How OTTO Automation protects your data rights under the General Data Protection Regulation.

Last Updated: December 2024

Our Commitment to GDPR

OTTO Automation is committed to protecting the privacy and rights of individuals in the European Union (EU) and European Economic Area (EEA). We comply with the General Data Protection Regulation (GDPR) and have implemented measures to ensure your data is handled responsibly.

Quick Summary

Under GDPR, you have the right to access, correct, delete, and port your personal data. You can exercise these rights at any time by contacting us at ottoai.official@gmail.com.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It gives individuals in the EU/EEA greater control over their personal data and places obligations on organizations that collect, process, or store personal data.

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

1. Right to Access (Article 15)

You have the right to request a copy of the personal data we hold about you. We will provide this information within 30 days of your request, free of charge.

2. Right to Rectification (Article 16)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

3. Right to Erasure / Right to be Forgotten (Article 17)

You have the right to request that we delete your personal data when:

  • The data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the basis for processing)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

4. Right to Restriction of Processing (Article 18)

You have the right to request that we limit how we use your personal data while we address a complaint or verify the accuracy of your data.

5. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit that data to another controller.

6. Right to Object (Article 21)

You have the right to object to processing of your personal data for direct marketing purposes or when processing is based on legitimate interests.

7. Rights Related to Automated Decision Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our AI chatbots do not make such decisions.

Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Contract: Processing necessary to perform our contract with you (providing our Services)
  • Consent: Processing based on your explicit consent (e.g., marketing communications)
  • Legitimate Interests: Processing necessary for our legitimate business interests, balanced against your rights
  • Legal Obligation: Processing necessary to comply with legal requirements

Data We Collect

For detailed information about what data we collect and how we use it, please see our Privacy Policy.

In summary, we collect:

  • Account information (name, email, business details)
  • Business content you provide for your chatbot
  • Chatbot conversation data (for analytics and service improvement)
  • Technical data (IP address, browser type, usage patterns)

Data Processing and Storage

Data Location: Your data may be processed and stored on servers located in the United States. We ensure appropriate safeguards are in place for international data transfers.

Data Retention: We retain personal data only as long as necessary to provide our Services or as required by law. Account data is deleted within 30 days of account termination.

Sub-processors: We use trusted third-party services to help deliver our Services. All sub-processors are contractually bound to comply with GDPR requirements.

Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • SSL/TLS encryption for all data in transit
  • Encryption of sensitive data at rest
  • Regular security assessments and updates
  • Access controls and authentication measures
  • Employee training on data protection
  • Incident response procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay if the breach is likely to result in high risk
  • Document the breach and our response

For Our Business Customers

If you use OTTO Automation to interact with your customers in the EU/EEA:

  • Data Controller: You are the data controller for your customers' personal data
  • Data Processor: OTTO Automation acts as a data processor on your behalf
  • DPA: We can provide a Data Processing Agreement (DPA) upon request
  • Your Obligations: You are responsible for ensuring your use of our Services complies with GDPR, including obtaining appropriate consents from your customers

Exercising Your Rights

To exercise any of your GDPR rights, please contact us:

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

Complaints

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with a supervisory authority. If you are an EU resident, you can find your local authority at edpb.europa.eu.

However, we encourage you to contact us first so we can address your concerns directly.

Contact Our Data Protection Team

For any questions about GDPR or data protection: