Privacy
Otto privacy policy.
How we treat your data, what we collect, what we don't, and your rights. Short version: as little as possible, never sold.
Last updated: 6 May 2026
1. Who we are
"Otto" is operated by Otto Health SRL (working name pending registration), based in Romania. For any data-related question, write to [email protected].
Under Regulation (EU) 2016/679 (GDPR), we are the data controller for everything described below.
2. What we collect
On this site (otto-health.com):
- Email address, if you sign up for early access. Optional: language code and the page you signed up from (source).
- We use Google Analytics 4 with anonymised IP, only if you accept via the cookie banner (Consent Mode v2, default deny). No Google Ads, no Meta Pixel, no Hotjar. Details and control: otto-health.com/en/cookies.
- Server logs (IP, user-agent, timestamp) are retained for at most 14 days, strictly for operational security.
Inside the Otto app (after 1 June 2026):
- Email + password (or social sign-in) — for your account.
- Optional profile data: age, sex, height, weight, goal (lose / maintain / gain). Used locally for calculations.
- Health data read from Health Connect (Android) or Apple Health (iOS): sleep, steps, activity, heart rate, weight, blood pressure. Only the metrics for which you give explicit consent.
- Food entries you log (food journal, OCR of nutrition labels, barcode scans).
3. Special category data (health)
Your health data is a special category under Art. 9 GDPR. We process it strictly on the basis of your explicit consent (Art. 9(2)(a)) to deliver the Otto service. It is not used for automated profiling with legal effect, not sold, not used to train public AI models, not shared with third parties for marketing.
4. What we use it for
- Early-access email: exclusively to let you know when we launch and to send 1–2 update emails before then. Nothing else. One-click unsubscribe at any time.
- App data: generating insights and weekly reports, computing TDEE/BMR, food journal.
5. Who we share with
A minimal number of processors, each under a signed DPA:
- Railway (hosting + database) — EU.
- Cloudflare (CDN, DNS) — aggregated traffic data.
- RevenueCat (subscription processing, post-launch) — receives only your email + internal user ID.
- OpenRouter (AI model for nutrition-label OCR) — receives only the label image you scan, not your data.
We do not make transfers to the US that raise Schrems II concerns unless controls are in place. We use only providers with Standard Contractual Clauses or EU hosting.
6. Retention
- Early-access email: until launch + 90 days, or until you unsubscribe.
- Otto account: as long as your account is active. Account deletion triggers real deletion within 30 days.
- Server logs: 14 days.
7. Your rights
Under GDPR you have the right to:
- access the data we hold about you (Art. 15);
- request rectification (Art. 16);
- request erasure ("right to be forgotten", Art. 17);
- request restriction of processing (Art. 18);
- receive your data in a portable format (Art. 20);
- object to processing (Art. 21);
- withdraw consent at any time, without affecting the legality of prior processing.
To exercise any right, email [email protected]. We respond within 30 days.
You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), www.dataprotection.ro, or with your local supervisory authority.
8. Security
HTTPS-only traffic. Passwords are hashed with Argon2/bcrypt — we never see them. Data is encrypted at rest in the Railway database. Auth tokens are time-limited and can be revoked from your account at any time.
9. Cookies
On the marketing site (otto-health.com) we use a single analytics cookie set — Google Analytics 4 — and only if you explicitly accept it via the banner. By default analytics is off (Consent Mode v2, default deny). IP is anonymised. We do not run Google Ads, Meta Pixel, or other marketing trackers.
Details and direct control (accept / refuse / withdraw consent): otto-health.com/en/cookies.
The mobile app uses local storage for the session token, but that is not a cookie under the ePrivacy Directive.
10. Changes
If we change anything material in this policy, we'll tell you by email at least 30 days in advance. Previous versions remain available on request.