Effective Date: March 2, 2026

Welcome to Otto AI (“Otto,” “we,” “us,” or “our”). This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding that data. It applies to all Otto AI services, including the DApp at useotto.xyz, the Otto AI Agent Swarm accessible via ACP (Agent Commerce Protocol) and x402, and our public documentation at docs.useotto.xyz.

We believe crypto users deserve transparency. This policy is specific to our actual data practices — not generic legal boilerplate.

1. Information We Collect

1.1 Wallet Data (Required)

Your blockchain wallet address is the primary identifier for all interactions with Otto AI. We collect it when you connect your wallet to use the Service. Your wallet address is used to:
  • Authenticate your session
  • Execute DeFi transactions you request
  • Track your points and leaderboard standing
  • Link your chat history and transaction records
We never have access to your private keys, seed phrases, or the ability to move funds without your explicit approval.

1.2 Chat & Conversation Data

We store the full content of your conversations with Otto AI, including your messages and the AI’s responses. This data is linked to your wallet address and stored in our database. We also record metadata about each AI request, including the model used, token counts, cost estimates, and response times.

1.3 Transaction Data

When you execute DeFi transactions through Otto (swaps, bridges, lending, perpetual futures), we store a record including the transaction hash, tokens involved, amounts, chains, and order details (e.g., Hyperliquid order parameters). On-chain transaction data is publicly visible on the respective blockchain by nature.

1.4 Optional Personal Information

You may optionally provide:
  • Display name (max 30 characters) — shown on the leaderboard
  • Email, phone number, or Google account — only if you choose these sign-in methods via our authentication provider (Dynamic Labs)
  • Telegram username — only if you include it when submitting feedback
We do not require any of this information. You can use Otto AI with nothing more than a wallet connection.

1.5 Automatically Collected Data

  • IP address — used temporarily for rate limiting only. IP-based rate limit counters expire after 60–300 seconds. We do not store IP addresses in our database or use them for tracking.
  • Rate limit and session counters — stored temporarily in Redis with automatic expiration (60 seconds to 24 hours depending on the counter type).

1.6 What We Do NOT Collect

  • No Google Analytics, Mixpanel, PostHog, Segment, or any traditional web analytics
  • No marketing cookies or tracking pixels
  • No residential address or government-issued ID
  • No persistent cookies — we use only localStorage for theme preference
  • No behavioral tracking or fingerprinting

2. How We Use Your Information

We use the data we collect to:
  • Provide the Service — process your chat messages, execute requested DeFi transactions, display portfolio data, and maintain your session
  • Maintain the points program — track daily check-ins, streaks, and leaderboard rankings
  • Process airdrop claims — verify eligibility and record claim signatures
  • Improve service quality — analyze AI response times, token usage, and cost data to optimize performance (aggregate, not individual)
  • Prevent abuse — rate limiting and bot prevention via reCAPTCHA on feedback forms
  • Fulfill ACP jobs — when agents receive work via the Agent Commerce Protocol, we store job completion records including the client wallet, deliverable content, and price
We do not sell your data. We do not use your data for advertising. We do not share your data with data brokers.

3. Third-Party Services

Otto AI integrates with the following third-party services. Each receives only the data necessary to perform its function:
| Service | Data Shared | Purpose |
| --- | --- | --- |
| Dynamic Labs (dynamic.xyz) | Wallet address; email, phone, or Google ID only if you use those sign-in methods | Authentication and wallet connection |
| Google Gemini API | Chat message content (processed per Google’s data handling terms; not used to train Google’s models under our API agreement) | AI conversation processing |
| Google reCAPTCHA v3 | IP address, interaction signals, page URL | Bot prevention on feedback forms |
| Zerion API | Wallet address | Portfolio data retrieval |
| Li.Fi SDK | Wallet address, token and amount details | Swap and bridge route finding |
| Portals.fi | Wallet address, token and amount details, slippage settings | DeFi protocol interactions (Aave, Pendle) |
| Hyperliquid | Wallet address, order parameters | Perpetual futures trading |
| CoinGecko | Token symbols only (no wallet data) | Token price data |
| Telegram Bot API | Wallet address and feedback text (admin notification channel only) | Internal forwarding of user feedback to our team |
Each third-party service operates under its own privacy policy. We encourage you to review their policies if you have concerns about how they handle data.

4. Cookies & Local Storage

We use minimal client-side storage:
  • localStorage — stores your theme preference (light/dark mode). No user identifiers or tracking data.
  • No marketing cookies, no tracking pixels, no third-party cookie scripts.
Server-side temporary storage (Redis):
  • Rate limit counters keyed by wallet address or IP address, automatically expiring after 60–300 seconds
  • Check-in replay prevention keys, automatically expiring after 24 hours

5. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Chat messages and AI responses | 1 year |
| DeFi transaction records | 1 year |
| AI request analytics (model, tokens, cost) | 1 year |
| Points, streaks, and leaderboard data | 1 year |
| Feedback submissions | 1 year |
| Airdrop claim records | 1 year |
| ACP job records | 1 year |
| Rate limit counters (temporary cache) | 60–300 seconds |
| Check-in session keys (temporary cache) | 24 hours |
Data that has exceeded its retention period is periodically purged from our systems. We are also working on implementing self-service data management tools, including the ability for users to request early deletion of their data (see Section 7 below). On-chain transaction data (transaction hashes, token transfers) is permanently recorded on public blockchains and cannot be deleted by anyone, including us.

6. Data Security

We take reasonable measures to protect your data:
  • Database access is restricted to authorized services via environment-scoped credentials
  • All connections to our services use HTTPS/TLS encryption in transit
  • API endpoints are rate-limited to prevent abuse
  • Wallet authentication is handled by Dynamic Labs’ security infrastructure
  • We never store private keys, seed phrases, or wallet passwords
No system is perfectly secure. Given the beta nature of the Service, we encourage you to use Otto AI with amounts you can afford to lose, as stated in our Terms & Conditions.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:
  • Right to Access — You can request a copy of the data we hold about your wallet address. Contact us at support@useotto.xyz.
  • Right to Erasure — You can request deletion of your data. We will delete data stored in our database (chat messages, transaction records, analytics, points data). Please note:
    • On-chain transactions are immutable and cannot be deleted by any party.
    • Wallet addresses that appear in publicly recorded blockchain transactions will remain visible on-chain.
    • We are actively working on building self-service data deletion tools. Until those are available, deletion requests are handled manually via email.
  • Right to Portability — You can request an export of your data in a machine-readable format.
  • Right to Rectification — You can request correction of inaccurate data (e.g., display name).
  • Right to Object — You can object to specific uses of your data. Since we do not use data for marketing or profiling, this primarily applies to AI analytics processing.
GDPR Note: Wallet addresses may constitute personal data under GDPR when they can be linked to an identifiable individual. We treat wallet addresses with the same care as other personal identifiers. If you are located in the European Economic Area, you have the right to lodge a complaint with your local data protection authority. To exercise any of these rights, contact us at support@useotto.xyz.

8. Children’s Privacy

Otto AI is not directed at individuals under the age of 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us and we will take steps to delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will:
  • Update the “Effective Date” at the top of this page
  • Post a notice on the DApp interface
  • Announce changes via our official channels (Telegram, Twitter/X)
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or want to exercise your data rights: