Privacy Policy Summary for Otter.ai

This summary explains Otter.ai’s privacy policy in simple terms. Please refer to the full policy for complete details.

Data Collection

Automatically Collected:
IP address (used for advertising).
Device information.
Browsing activity (through cookies).
Voluntarily Provided:
Name.
Email address.
Password.
Calendar information (if integrated with calendar apps).
Payment details (if applicable).

Sensitive Data: The policy doesn’t explicitly state the collection of sensitive data like biometrics, health information, or racial data. However, meeting conversations could contain such information if discussed by users.

Data Usage

Primary Purposes: Service delivery, account creation, and providing transcription and recording services.
Secondary Purposes: The policy mentions using data for improving AI models. This involves de-identified data, meaning individual users cannot be identified.

AI Training and Profiling: Otter uses de-identified data to train its AI models. No direct user profiling is mentioned.

Third-Party Sharing

Third Parties: Otter uses subprocessors (listed in the full policy) to provide services. These may include cloud providers (like AWS).
Data Sales/Sharing: Otter states it does not sell personal information to third parties for advertising.
International Data Transfers: The policy doesn’t explicitly detail international data transfers, but the use of global cloud providers implies this possibility. Compliance with GDPR and CCPA is mentioned.

User Rights

Access: You can likely access your data (the policy implies this).
Correction: The policy doesn’t explicitly mention data correction.
Deletion: You can delete conversations, which are moved to the trash and automatically deleted after 30 days. You can manually clear them sooner.
Opting Out of Sales: Not applicable, as Otter doesn’t sell data.

How to Exercise Rights: The policy refers to instructions on how to manage permissions and delete conversations, but doesn’t specify a direct method for accessing or correcting data.

Data Retention

Conversations are kept in the trash for 30 days before automatic deletion. Manual deletion is also possible.
Exceptions may exist for legal reasons or fraud prevention.

Security Measures

Otter uses AWS S3 storage with server-side encryption (AES-256).
Two-factor authentication is available.
Employee background checks and confidentiality agreements are in place.
Employee computers have security measures like hard drive encryption and anti-malware software.

Concerning Clauses

The policy mentions compliance with the Stored Communications Act, which provides some legal protection for user data from government requests. However, it doesn’t fully clarify the process or limitations.

Summary Cards:

1. Which Data Is Collected (Email, IP – for Ads)

Rating: 3/5 (IP address collection for ads is a concern)

2. Your Privacy Rights (Access: Yes, Delete: Yes)

Rating: 3/5 (Correction and other rights are unclear)

3. How Long Data Is Kept (30 days, GDPR Compliant)

Rating: 4/5 (Clear retention policy, GDPR compliance mentioned)

4. Security of Your Data (Encryption: Yes, Shares: AWS)

Rating: 4/5 (Strong encryption, reputable cloud provider)

5. Hits & Misses (✅ Clear Purpose, ❌ Unclear Data Access)

Rating: 3/5 (Clear purpose but lacks clarity on user rights)

Key Takeaways:

Otter collects some data automatically (like IP address) and some voluntarily (like email).
Otter doesn’t sell your data, but it uses de-identified data for AI training.
You can delete your conversations, but accessing or correcting your data is not explicitly detailed.
Otter employs various security measures, including encryption and two-factor authentication.
Some aspects of data access and government requests remain unclear.

Overall Rating: 3.4/5 The policy shows a commitment to security and transparency but lacks clarity on certain user rights and data handling practices. Further clarification is needed.