
Privacy Policy

Last updated: February 3, 2026

This privacy notice for OTseek, Inc. (doing business as “OTseek,” “we,” “us,” or “our”) describes how we collect, use, disclose, retain, protect, and dispose of personal information related to our websites, applications, and services (collectively, the “Services”).

Enterprise scope: This notice does not apply to Enterprise Customer Data processed under a separate enterprise agreement and data processing addendum.

We maintain a security and privacy program aligned with industry standards, including SOC 2 controls. We completed a SOC 2 Type I report on December 12, 2025.

Contact: privacy@otseek.com

1. DEFINITIONS

  • Personal Information (PI): Information that identifies, relates to, describes, or can reasonably be linked to an individual or household.
  • Sensitive Personal Information (SPI): Categories defined by applicable law (e.g., account credentials).
  • De-Identified, Aggregated, or Derived Data: Data that cannot reasonably be used to identify a person, including statistics, usage metrics, embeddings/vectors, and content transformed to remove direct and reasonably linkable identifiers. We maintain de-identification and contractually prohibit re-identification.

2. INFORMATION WE COLLECT

You provide directly

Account/profile data (name, email, username, password, role/title, organization if provided); content you submit (e.g., text, files, prompts, feedback, support tickets); communication preferences; and marketing sign-ups where applicable.

SPI (limited): account login credentials (email/username + password).

Payments: handled by Mercury; we do not store full card numbers (we may store tokens/last-4/expiration for billing).

Automatically collected

Log/usage data (feature use, timestamps, IP, device identifiers, error logs); device/network data (OS, browser, app version, ISP/mobile carrier). We may infer approximate location from IP for security and localization. We do not collect precise geolocation.

From service providers/partners

Identity, hosting, analytics, security, customer support, compute/inference, and payments providers may supply limited information needed to operate, secure, and support the Services. We do not purchase personal information from data brokers.

Microsoft Graph APIs notice

Our use and transfer of information received from Microsoft Graph APIs complies with the Microsoft Graph API Services User Data Policy, including Limited Use; Microsoft Graph APIs are not used to develop, improve, or train generalized AI/ML models.

3. OUR USE OF SERVICE PROVIDERS AND TECHNOLOGY PARTNERS

We engage service providers and technology partners for infrastructure, compute/inference, analytics, security, support, and related operations.

Feature delivery

To provide requested functionality, certain inputs may be processed under written agreements that restrict use to providing services to us, require appropriate security, and prohibit unauthorized secondary use.

No sale / no cross-context behavioral ads

We do not sell personal information or share it for cross-context behavioral advertising.

Subprocessor list

Our subprocessor information is available upon request in our Data Processing Agreement (DPA).

4. HOW WE USE PERSONAL INFORMATION

We use PI to:

  • Provide and maintain the Services (authentication, account administration, feature functionality).
  • Secure the Services (fraud/abuse detection, integrity, incident response).
  • Support and communicate (troubleshooting, notices, product updates, and marketing where permitted). You may opt out of marketing communications at any time by using the unsubscribe links in our emails or by contacting privacy@otseek.com.
  • Evaluate and improve features, safety, performance, and user experience; conduct analytics, quality assurance, and research.
  • Comply with law and enforce terms; protect rights, safety, and property.

Where required (e.g., EEA/UK), legal bases include contract necessity, legitimate interests, consent (where applicable), and legal obligations.

5. SOURCES OF PERSONAL INFORMATION

  • Directly from you;
  • Automatically from your devices and use of the Services;
  • From service providers/partners supporting identity, hosting, analytics, security, payments, support, and compute/inference.

6. DISCLOSURE OF PERSONAL INFORMATION

We disclose PI to:

  • Service providers and subprocessors under written agreements that restrict use to providing services to us and require appropriate security;
  • Successors/assignees in connection with mergers, acquisitions, financings, or similar transactions;
  • Authorities or other parties where required to comply with law, enforce terms, or protect rights/safety; and
  • Others as directed or authorized by you.

De-identified/aggregated/derived data may be used and disclosed as described in Section 3. We maintain measures to prevent re-identification and prohibit it contractually.

We do not sell personal information or share it for cross-context behavioral advertising.

7. RETENTION & DISPOSITION

We retain PI only as long as necessary for the purposes described, to satisfy legal, accounting, or reporting requirements, and for security/fraud prevention. When PI is no longer needed, it is deleted or de-identified. If immediate deletion is not possible (e.g., backups), PI is segregated and access-restricted until deletion.

Retention criteria

We determine retention periods based on factors such as the amount, nature, and sensitivity of the data; potential risk from unauthorized use or disclosure; the purposes for which we process it and whether those purposes can be achieved through other means; applicable legal, regulatory, tax, accounting, or reporting requirements; and our security, fraud-prevention, resilience (RTO/RPO), and business continuity needs.

8. ANALYTICS & TELEMETRY

We do not rely on browser cookies to operate the Services and do not use third-party advertising cookies. We collect usage telemetry to improve the Services, including via Datadog (feature use, performance metrics, error events). We collect LinkedIn profile information and predict origin company on marketing pages to support customer acquisition via RB2B. Contact privacy@otseek.com with questions about analytics settings.

9. SECURITY MEASURES (TECHNICAL, ORGANIZATIONAL & PHYSICAL)

We employ layered safeguards, including:

  • Encryption in transit and at rest (e.g., TLS 1.3+, AES-256);
  • Access controls (least privilege, role-based access, SSO/MFA, privileged access management, secrets management);
  • Secure development (code review, CI/CD gates, dependency scanning);
  • Monitoring (centralized logging/SIEM, anomaly detection, vulnerability scanning);
  • Annual penetration tests by qualified professionals;
  • Personnel security (confidentiality agreements, background checks, and annual security & privacy training for employees and contractors);
  • Event logs retained for three months;
  • Quarterly access recertification across systems holding confidential or personal information.

No method is 100% secure. See Section 10 for incident response.

Resilience targets: RTO 1 hour for critical services (AI systems included). Targets are non-contractual; any binding service levels are set out in applicable customer agreements.

10. SECURITY INCIDENTS & BREACH NOTIFICATIONS

We maintain an Incident Response Plan (detection, containment, eradication, recovery, post-incident review, and notifications). If a breach results in unauthorized access to PI, we will investigate, mitigate, and notify affected parties without undue delay and within applicable legal timelines.

Recipients may include affected individuals, regulators/authorities, and law enforcement where appropriate. We may defer notice at the request of law enforcement if disclosure would impede an investigation. See Annex B.

11. YOUR PRIVACY RIGHTS, EU/UK REPRESENTATIVE & HOW TO EXERCISE RIGHTS

Depending on your location, you may have rights to access, correct, delete, port, restrict, or object to certain processing, and to withdraw consent where consent applies.

Submit requests or questions to privacy@otseek.com.

We will verify your identity and respond within required timeframes (for example, generally within 45 days for certain U.S. state laws).

Authorized agent requests are honored as permitted by law.

Appeals

If we decline a request, you may appeal via privacy@otseek.com. If your appeal is denied, you may contact your applicable regulator.

EEA/UK users

You also have the right to lodge a complaint with your local supervisory authority. Where required, our EU/UK representative is:

12. US STATE-SPECIFIC DISCLOSURES

We do not sell personal information or share it for cross-context behavioral advertising.

Categories collected in the last 12 months (California definitions):

| Category | Examples | Collected |
|---|---|---|
| Identifiers | name, email, IP, account ID | YES |
| Customer Records | contact info; billing tokens/last-4 if applicable | YES (limited) |
| Protected Classes | gender, etc. | NO (unless voluntarily provided in recruiting/research) |
| Commercial Info | purchases, transaction history | YES (if paid plans) |
| Biometrics | fingerprints, voiceprints | NO |
| Internet/Network | usage metrics, interactions with our site/app | YES |
| Geolocation | approximate location from IP | YES (approximate only) |
| Audio/Visual | support call recordings; uploaded files | YES (situational) |
| Professional/Employment | business contact details for provisioning | YES (B2B) |
| Education | student records | NO |
| Inferences | feature usage patterns, preferences | YES |
| Sensitive PI | account login + password | YES (restricted use) |

California “Shine the Light.” We do not disclose personal information for third-party direct marketing.

13. GOVERNANCE & ACCOUNTABILITY

Authority

The Chief Technology Officer (CTO) and Chief Artificial Intelligence Officer (CAIO) are authorized by the Board to implement and enforce privacy and security programs.

Management reporting

The team issues quarterly reports to executive leadership covering audit results, incidents, risk assessments, and remediation status.

Monitoring & audits

We conduct annual penetration tests and routine vulnerability scanning, maintain centralized logging/SIEM, and track findings to closure.

Requests & referrals

All requests for personal information (from individuals, law enforcement, media, or others) are referred to trained personnel via privacy@otseek.com; employees and contractors complete annual security & privacy training.

Suspicious attempts

Employees must report attempted social engineering or unauthorized PI requests to privacy@otseek.com immediately; events are logged for three months.

Identity & access governance

Role-based access, MFA, least privilege, quarterly access reviews, segregation of duties, and centralized logging.

14. CONTACT US

OTseek, Inc.

269 Orange St Apt 417, New Haven, CT 06510, United States

Email: privacy@otseek.com

15. CHANGES TO THIS NOTICE

We may update this notice periodically. We will post the updated version with a new “Last updated” date and, where appropriate, provide prominent notice or direct communication for material changes.

ANNEX A — SECURITY CONTROLS OVERVIEW

Physical security (hosting providers)

Facilities employ 24×7 professional security, CCTV, badge access, and visitor logging.

Asset & media controls

Devices are inventoried and encrypted; media is sanitized consistent with NIST 800-88 upon decommissioning.

Identity & access

SSO + MFA, least privilege, quarterly access reviews, privileged session logging, and emergency break-glass procedures with approval and post-use review. Identity and access practices align to NIST 800-53 control families.

Network & application security

Segmentation, WAF, rate limiting, secure configuration baselines, dependency monitoring, and security headers.

Monitoring & response targets (non-contractual)

Centralized logging/SIEM, alerting, and vulnerability management with target response objectives:

  • P0 (major outage) initial response ≤ 5 minutes; containment ≤ 1 hour during trading hours for asset class.
  • P1 (minor outage) initial response ≤ 1 hour during trading hours for asset class.
  • P2 (bug or feature request) initial response ≤ 1 day during trading hours for asset class.

Resilience

RTO 30 minutes for critical services (AI systems included).

ANNEX B — BREACH NOTIFICATION: RECIPIENTS & TIMELINES

Recipients (as applicable): affected individuals; regulators/authorities; law enforcement where appropriate; and internal leadership per escalation procedures.

Notice content typically includes: nature of incident, categories of PI affected, approximate number of individuals, likely consequences, measures taken/proposed, and contact points. We may reasonably delay notification when requested by law enforcement if notice would impede an investigation.