Privacy and Security
This policy describes the types of information Otto (“Company” or “We”) may collect from you or that you may provide when you visit and utilize our app and the website ottosave.com (collectively, “Otto”). This includes our practices for collecting, using, maintaining, protecting, and disclosing that information and the basis for doing so.
This policy applies to information we collect in email, text and other electronic messages between you and Otto and through mobile and desktop applications you download from this Website.
Collection and use of Personal Data
We process data:
in order to provide the services and fulfill our obligations pursuant to our Terms of Service. For example, we cannot provide our services without an email address to sign into your account, conduct customer support, or send educational materials; we cannot provide the service without users providing financial information on which the Otto system is based;
where necessary to comply with a legal obligation, a court order, or to exercise and defend legal claims;
to protect your vital interests, or those of others, such as in the case of emergencies;
where you have made the information public;
where necessary in the public interest;
where necessary for the purposes of Otto’s or a third party’s legitimate interests, such as those of visitors, members or partners;
where you provide consent (for example, to join email mailing lists).
We also process your data based on our legitimate interest in:
providing quality service and in improving that service;
ensuring the services are secure;
protection against fraud, spam, and abuse, etc.;
understanding how clients and visitors interact with our websites and services so that we can continuously improve the experience and effectiveness of doing so.
Categories of the data we collect
We collect information about you, including information that directly or indirectly identifies you, through your use of Otto. We do so:
when you provide the information, through filling out forms or otherwise providing information on our websites and apps;
when we connect to your financial institutions in order to retrieve transaction data on your behalf through Finicity, our API service ("Finicity");
when you correspond with us to receive customer support via email or chat.
The email address that you provide to us as a username.
Your IP address when you interact with our website and apps.
When you choose to directly link financial accounts to Otto, Finicity stores your login credentials (including usernames and passwords) for the accounts you link to our services, account security and/or challenge questions for those accounts, and other information from the financial accounts that you link to our service (including account balances, transactions, and holdings). See Finicity's security policy at finicity.com/security.
Records and copies of your correspondence (including e-mail addresses different than that used to establish your account), if you contact us.
Your responses to surveys that we might ask you to complete for research purposes.
Details of transactions you carry out with Otto and of the fulfillment of your orders.
Information that you provide by filling in forms on our website or app. This includes information provided at the time of registering to use our app, subscribing to our app, or requesting further services. We may also ask you for information when you report a problem with our Website or app.
To provide you with customer support or service offerings, including responding to and resolving your inquiries and requests via email or text-based chat. When you request assistance from our customer support team with respect to importing third-party financial account data, to allow a customer support representative to review a limited amount of data from recent transactions for the sole purpose of facilitating technical implementation of the account aggregation services. When asked to do so by you, our customer support representative may utilize that transaction data on your behalf in interactions with third-party financial account providers intended to facilitate implementation of requested account aggregation within our services.
Finicity (our API service)
Cookies and technical data
Otto may collect information as visitors and clients browse and interact with the website and/or apps.
When you visit our website, we may place a cookie on your browser so that our system can recognize you when you make a return visit. Third parties may also place cookies on your browser for targeted advertising purposes. That cookie allows us to recognize your browser on a return visit. We do not otherwise collect or process data when you are a visitor.
Recipients of personal data
To contractors, service providers, and other third parties we use to support our business, in particular providing infrastructure and analytics services, and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
With respect to aggregating your banking and other financial accounts, we will transmit your account credentials to third-party aggregation partners, who will use them to gather and maintain your account balances, transactions, and holdings used to provide our services.
To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by us about our Website users is among the assets transferred.
To fulfill the purpose for which you provide it.
In aggregated form, and/or information that does not identify any individual.
For any other purpose disclosed by us when you provide the information.
With your consent.
We may also disclose your personal information:
To comply with any court order, law or legal process, including to respond to any government or regulatory request.
To enforce or apply our Terms of Service or terms of sale and other agreements, including for billing and collection purposes.
If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Otto, LLC, our customers or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
Categories of third-party providers
Categories of services used to process data include:
Infrastructure & Fulfillment
Otto partners with third parties to provide storage and server access that acts as infrastructure for our website and apps. In addition, we partner with third parties to fulfill payments and transactions in fulfillment of our terms.
Otto partners with third parties to aggregate financial information from your financial institutions when you request it.
Otto partners with third parties to help us monitor and analyze website traffic and keep track of user behavior, helping us to improve the services and the experience of using them.
Otto partners with third parties to help us receive, process, and respond to customer support requests, as customer support and education are a core part of the services offered.
Performance and Logging
Otto partners with third parties that assist us in monitoring the stability of the website and applications and resolving issues or errors with the service.
Otto partners with third parties to manage receipt of consent to send marketing emails and to send those same emails.
We retain account data for a period of time after an account expires, whether through trial expiration or subscription expiration.
Automated data processing
In conjunction with a third-party payment processor, we use automated analysis to screen for suspicious or fraudulent transactions.
When we make solely automated decisions that affect you in a legal or a significant way, you have the right to provide your point of view and have those decisions reviewed by a member of our staff.
Children under the age of 13
Otto is not intended for children under 13 years of age. No one under this age may provide any personal information to the Website. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on Otto or on or through any of its features, register on Otto, make any purchases through Otto, use any of the interactive or public comment features of Otto or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us.
We have established a number of procedures to help you manage your personal data.
Requests to delete personal data will be subject to any applicable legal and ethical reporting or document filing or retention obligations with which Otto must comply. In all other cases, Otto will keep personal data only as long as is reasonably required for the processing of the purpose for which the personal data were collected and in accordance with any applicable legal or ethical reporting or documentation retention requirements.
Adjust notification and email preferences
Updating account information
You may correct, amend, or update your email and/or password at any time by adjusting that information in your account setting. You may cease aggregation of transactions from your financial institutions at any time through the individual account settings in the Otto app.
California Privacy Rights
California Civil Code Section 1798.83 permits users of Otto that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.
Otto has not and does not transfer information to third parties for direct marketing purposes.
Otto is operated from the United States. If you are located outside of the United States and choose to use Otto or provide information to us, you acknowledge and understand that your information will be transferred, processed, and stored in the United States, as necessary.
Otto LLC, Security Policy (last modified 1/13/2022)
Security and protection of your data are a top priority for us. We use the highest industry standards and spare no expense in ensuring your data is safe.
Our development team and API service are all based right here in the USA.
All information transferred over the web can be read like a children's book unless we scramble it using encryption. We enforce a strict level of encryption, similar to banks (SSL/TLS 1.2), on all requests to our apps as well as all data requested or sent by the apps.
All data stored with us is encrypted using an advanced standard (AES-256) or better. The encryption is done with symmetric keys and we also encrypt the keys and change them regularly.
In addition, we double encrypt extra sensitive data like names and passwords.
Server and Database Access
We limit the number of people who have access to production data and we protect that access using two-factor authentication.
Any server on the web can try to connect to any other server on the web. A firewall allows us to prevent connections from all servers except our own. All Otto servers are protected by separate firewall layers.
The internet and all software on it are undergoing a constant stream of updates. These updates often include bug fixes and security fixes. Keeping up with these changes is something that is built into our process. In fact, every time we deploy code changes, our servers are re-built from scratch to include many of these fixes automatically.
As we add new features or edit existing ones, we're constantly making changes to the code. After these changes are tested, they are also reviewed by senior-level developers. Once approved, these changes are never directly transferred from a developer's computer to a live server, but they're submitted to a code repository where they're reviewed again and built from scratch before they're pulled from there to a production environment.
Finicity (a division of Mastercard)
We use Finicity, a leading API service in the United States, as the bridge between our app and our clients' financial institutions. For information on the security practices of Finicity, please visit finicity.com/security.