OttoBiz

Legal

Privacy Policy

How OttoBiz collects, uses, stores, and shares the data we hold on behalf of vendors and the customers they serve.

Last updated

Who we are

OttoBiz ("we", "us") is an AI-powered business automation platform for small and medium-sized vendors selling on social channels such as WhatsApp Business and Instagram. This policy explains how we handle personal data collected when a vendor uses OttoBiz to run their storefront.

You can reach us about anything in this policy at privacy@ottobiz.net.

What we collect

  • Vendor account data: name, email, business name, logo, address, and authentication credentials managed by our identity provider.
  • Customer messages and identifiers from connected channels: WhatsApp / Instagram phone numbers and usernames, message content, and media that customers send to a vendor's connected inbox. This data is processed on the vendor's behalf so the AI agent can respond.
  • Order, inventory, and invoice data that the vendor creates or that the agent generates from a conversation.
  • Payment metadata (transaction reference, amount, payer name, status) returned to us by payment integrations such as Paystack and Flutterwave. We do not store full card numbers, CVCs, or bank login credentials — those live with the payment provider.
  • Operational logs (agent actions, tool calls, outbound tasks, error traces) used for diagnostics and auditing.

Why we collect it

We process this data to deliver the OttoBiz service: routing and replying to customer messages, verifying payments, generating invoices, dispatching orders through logistics partners or vendor riders, and producing financial reports. We also process limited operational data to keep the platform secure, debug issues, and improve the agent's performance.

Legal basis

  • For vendors: performance of our contract with you (the vendor's terms of service) and your consent when you connect each channel and integration.
  • For end customers messaging a vendor: the vendor is the controller of that conversation; OttoBiz acts as a processor on the vendor's instructions. Customers' implied consent comes from initiating a chat with the vendor's business account.

How long we keep it

  • Customer chat content and operational logs are retained for 90 days by default. Vendors on paid plans may extend this for analytics and dispute resolution.
  • Order, invoice, and accounting records are retained for as long as applicable tax and commercial laws require, even after an account is closed.
  • When a vendor deletes their OttoBiz account, all data outside those legal retention requirements is purged within 30 days. See the Data Deletion page for the exact mechanism.

Who we share it with

We share the minimum data needed with carefully selected third parties, all under written data-processing agreements:

  • Meta Platforms — for delivering and receiving messages on WhatsApp Business, Instagram, and Messenger.
  • Payment providers — Paystack, Flutterwave, and others a vendor connects, to verify and reconcile transactions.
  • Logistics providers — third-party dispatch platforms (e.g. Gokada) when a vendor connects them.
  • Hosting and infrastructure — our cloud hosting provider and managed PostgreSQL database, used to run OttoBiz.
  • The OttoBiz agent runtime — our internal service that orchestrates the main agent and its subagents.

We do not sell personal data and we do not share it for advertising targeting.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. You can exercise these rights at any time:

  • In-app: Settings → Account for vendors — including a one-click data export (delivered within 30 days) and account deletion.
  • By email: privacy@ottobiz.net — we will respond within 30 days.
  • Full instructions are on the Data Deletion page, including how end customers can have their data removed from a vendor's records.

Security

We use industry-standard transport encryption, encrypted backups, and least-privilege access controls. No system is perfectly secure; if we ever experience a breach affecting your data, we will notify affected users and the relevant regulator within the timelines required by law.

Children

OttoBiz is a B2B product and is not directed at children under 18. We do not knowingly collect data from children. If you believe a child has shared personal data with us, contact us and we will delete it.

Changes to this policy

We will update this page when our practices change. The "Last updated" date at the top reflects the most recent revision; for material changes we will also notify vendors by email.

Contact

Questions, requests, or complaints can go to privacy@ottobiz.net. You also have the right to lodge a complaint with your local data protection authority.