Privacy Policy

Last updated: February 15, 2026

1. Introduction

Otoq ("we", "our", or "us") operates the Otoq platform at getotoq.com. Otoq is operated from Manila, Philippines. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

This policy is designed to comply with applicable data protection laws worldwide, including:

  • Philippine Data Privacy Act of 2012 (Republic Act No. 10173)
  • EU/EEA General Data Protection Regulation (GDPR)
  • UK General Data Protection Regulation (UK GDPR)
  • California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
  • Brazil Lei Geral de Proteção de Dados (LGPD)
  • Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
  • South Africa Protection of Personal Information Act (POPIA)
  • Singapore Personal Data Protection Act (PDPA)

Region-specific addendums are in Section 13. By using Otoq, you consent to the data practices described in this policy.

2. Data Controller

Otoq acts as the data controller (under GDPR) and personal information controller (under RA 10173) for all personal data collected through the platform. For data processing inquiries:

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the Otoq service you signed up for (account management, AI agent functionality, billing).
  • Consent: Where you explicitly consent to processing, such as when visitors voluntarily provide contact information in chat conversations. You may withdraw consent at any time.
  • Legitimate interest: For service improvement, fraud prevention, and security — balanced against your fundamental rights and freedoms.
  • Legal obligation: Where processing is required by applicable law (e.g., tax and billing records).

4. Information We Collect

Account Information

When you create an account, we collect your email address, name, and company name. If you subscribe to a paid plan, payment information is processed securely by Lemon Squeezy (our merchant of record) — we do not store your credit card details.

Knowledge Base Data

You may upload documents, provide URLs, or enter text to train your AI agent. This data is stored in our database and used exclusively to power your agent's responses. We do not use your business data to train any third-party models.

Conversation Data

We store conversations between your website visitors and your AI agent. This includes visitor messages, agent responses, and any contact information visitors voluntarily provide (name, email, phone). Visitors are identified by anonymous browser-generated IDs, not personal identifiers.

Usage Data

We automatically collect information about how you use the platform, including pages visited, features used, and conversation metrics. This helps us improve the service. We use PostHog for product analytics, which is configured to respect your privacy preferences.

Error and Performance Data

We use Sentry for error tracking to ensure platform reliability. Error reports may include technical metadata (browser type, URL, error stack traces) but do not intentionally collect personal data.

5. How We Use Your Information

  • To provide, operate, and maintain the Otoq platform
  • To process your transactions and manage your subscription
  • To power your AI agent with your knowledge base data
  • To send you service-related communications (account verification, billing, support)
  • To improve and develop new features
  • To detect and prevent fraud or abuse
  • To comply with legal obligations

6. Third-Party Services & International Transfers

We use the following third-party services, some of which process data outside the Philippines and/or the EU. We ensure adequate safeguards (such as Standard Contractual Clauses where applicable) are in place:

  • Anthropic (Claude) — AI language model for generating agent responses. Conversation messages are sent to Anthropic's API for processing. Anthropic does not use this data for training. (US-based, SOC 2 Type II)
  • OpenAI — Text embedding generation for knowledge base search. Document content is sent to OpenAI's API for embedding. OpenAI does not use API data for training. (US-based, SOC 2 Type II)
  • Supabase — Database hosting, authentication, and file storage. (SOC 2 Type II, HIPAA, GDPR compliant)
  • Lemon Squeezy — Payment processing and merchant of record. PCI DSS compliant. See Lemon Squeezy's Privacy Policy.
  • Resend — Transactional email delivery. (GDPR compliant)
  • Vercel — Application hosting and deployment. (SOC 2 Type II, GDPR compliant)
  • Upstash — Rate limiting via Redis. (SOC 2 Type II, GDPR compliant)
  • Shopify — E-commerce integration for product catalog sync (optional, user-initiated). See Shopify's Privacy Policy.
  • Sentry — Error tracking and performance monitoring. (SOC 2 Type II, GDPR compliant)
  • PostHog — Product analytics. (SOC 2 Type II, GDPR, HIPAA compliant)

7. Data Retention

We retain your data for as long as your account is active or as needed to provide you with the service. Specifically:

  • Account data: Retained while your account is active.
  • Conversation data: Retained while your account is active. Idle conversations are automatically closed after 24 hours.
  • Billing records: Retained for up to 7 years as required by Philippine tax law.
  • Error logs: Retained for 90 days.

When you delete your account, all associated data — including agents, knowledge bases, conversations, and leads — is permanently deleted from our systems. Backups may retain data for up to 30 additional days before full deletion.

8. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS 1.2+/HTTPS) with HSTS preloading
  • Encryption at rest (AES-256 via infrastructure provider)
  • Row-level security (RLS) policies on all database tables
  • Content Security Policy (CSP) and security headers
  • Rate limiting on API and authentication endpoints
  • Input validation and sanitization on all user inputs
  • SSRF protection on URL crawler functionality
  • Prompt injection detection on chat inputs

For more details, see our Security page.

9. Your Rights

Under both the GDPR and the Philippine Data Privacy Act (RA 10173), you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure (right to be forgotten): Request deletion of your data via account settings or by contacting us.
  • Right to data portability: Export your data (leads, conversations) in machine-readable formats (CSV).
  • Right to restrict processing: Request that we limit how we process your data.
  • Right to object: Object to processing based on legitimate interest.
  • Right to withdraw consent: Withdraw consent at any time by deleting your account or contacting us.
  • Right to lodge a complaint: File a complaint with the National Privacy Commission (NPC) of the Philippines, or with your local EU/EEA supervisory authority if applicable.
  • Right to damages: Under RA 10173, you may claim compensation for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data.

To exercise any of these rights, contact us at privacy@getotoq.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

10. Cookies & Local Storage

We use the following types of cookies and storage:

  • Essential cookies: Required for authentication and session management. These cannot be disabled as they are necessary for the service to function.
  • Analytics cookies (PostHog): Used to understand how users interact with the platform and improve the service. You can opt out of analytics at any time via the cookie consent banner.
  • Widget localStorage: The chat widget uses localStorage to maintain visitor identity across sessions. No personal data is stored — only an anonymous browser-generated ID.

We do not use tracking cookies or third-party advertising cookies.

11. Children's Privacy

Otoq is not intended for use by anyone under the age of 18 (or 16 in the EU). We do not knowingly collect personal information from children. If we discover that we have collected personal data from a child, we will delete it promptly.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the National Privacy Commission (NPC) within 72 hours of becoming aware of the breach, as required by RA 10173 and the GDPR.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Document the breach, its effects, and the remedial actions taken.

13. Region-Specific Addendums

The following sections provide additional information required by specific jurisdictions. These supplement (and do not replace) the main privacy policy above.

🇺🇸 California (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to delete: You may request deletion of your personal information (subject to legal exceptions).
  • Right to opt-out of sale/sharing: We do not sell your personal information, nor do we share it for cross-context behavioral advertising.
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to limit use of sensitive personal information: We do not collect sensitive personal information as defined by the CPRA.

Categories of personal information collected: Identifiers (email, name), commercial information (subscription data), internet activity (usage data), professional information (company name). We collect this information for the business purposes described in Section 5.

To exercise your rights, email privacy@getotoq.com or use the "Do Not Sell or Share My Personal Information" request — though note we do not sell data. We will verify your identity and respond within 45 days.

🇬🇧 United Kingdom (UK GDPR)

If you are a UK resident, you have the same rights as described in Section 9 under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our legal bases for processing are the same as stated in Section 3.

  • Supervisory authority: You may lodge a complaint with the Information Commissioner's Office (ICO).
  • International transfers: Data transferred outside the UK uses appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

🇧🇷 Brazil (LGPD)

If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados (LGPD), including:

  • Confirmation of whether processing is carried out
  • Access to your data
  • Correction of incomplete, inaccurate, or outdated data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Portability of data to another service provider
  • Deletion of data processed with consent
  • Information about public and private entities with which we share data
  • Information about the possibility of not providing consent and the consequences
  • Revocation of consent

Supervisory authority: You may lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

🇨🇦 Canada (PIPEDA)

If you are a Canadian resident, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). You have the right to:

  • Access your personal information held by us
  • Challenge the accuracy and completeness of your data and request amendments
  • Withdraw consent (subject to legal or contractual restrictions)
  • File a complaint with the Office of the Privacy Commissioner of Canada

We collect, use, and disclose your personal information only for purposes that a reasonable person would consider appropriate under the circumstances, and we obtain meaningful consent for such activities.

🇿🇦 South Africa (POPIA)

If you are a South African resident, you have rights under the Protection of Personal Information Act (POPIA), including:

  • The right to be notified that your personal information is being collected
  • The right to access your personal information
  • The right to request correction or deletion of your personal information
  • The right to object to the processing of your personal information
  • The right not to have your personal information processed for direct marketing via unsolicited communications
  • The right to lodge a complaint with the Information Regulator

🇸🇬 Singapore & 🇹🇭 Thailand (PDPA)

If you are in Singapore or Thailand, you have rights under the respective Personal Data Protection Acts, including:

  • The right to access your personal data
  • The right to correct your personal data
  • The right to withdraw consent for the collection, use, or disclosure of your data
  • The right to request erasure or anonymization of data (Thailand)
  • The right to data portability

Singapore: Complaints may be filed with the Personal Data Protection Commission (PDPC).
Thailand: Complaints may be filed with the Office of the Personal Data Protection Committee.

🇦🇺 Australia (Privacy Act 1988)

If you are an Australian resident, your personal information is protected under the Privacy Act 1988 and the Australian Privacy Principles (APPs). You have the right to:

🇯🇵 Japan (APPI)

If you are a Japanese resident, your personal information is protected under the Act on the Protection of Personal Information (APPI). You have the right to:

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the "Last updated" date, and (for material changes) sending an email notification. Your continued use of the service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights:

Otoq is operated from Manila, Philippines.

You may also lodge a complaint with the National Privacy Commission at privacy.gov.ph/complaints-assisted.