Privacy Policy

Last updated: December 28, 2025

Overview

Ottr ("we", "us", or "our") operates ottr.run. This policy explains how we collect, use, and protect your information when you use our service.

We believe in minimal data collection. We only collect what's necessary to provide the service.

Information We Collect

Account Information

When you sign in with GitHub, we receive and store:

  • Your GitHub user ID
  • Your GitHub username
  • Your primary verified email address from GitHub

Usage Data

When you use our API, we store:

  • Project names and identifiers you create
  • Key-value pairs you store (encrypted at rest)
  • Approval token metadata (expiration times, action details)
  • API request timestamps for rate limiting

Approval Page Data

When privacy attribute collection is enabled for a project (opt-in), we collect the following when someone uses an approval link:

  • IP address of the person approving
  • Browser user agent string

This data is only collected when explicitly enabled by the project owner. Users are notified on the approval page when this collection is active.

Technical Data

We may collect standard server logs including IP addresses, browser type, and request timestamps for security and debugging purposes.

How We Use Your Information

We use collected information to:

  • Provide and maintain the service
  • Authenticate your identity
  • Process your API requests
  • Detect and prevent abuse or security issues

Email Communications

We collect your email address from GitHub to enable essential account communications. We respect your inbox:

  • We will use your email for: Critical security alerts, service disruption notices, and important account notifications
  • We may occasionally send: Product updates and new feature announcements (infrequent, relevant to your usage)
  • We will never: Sell your email to third parties, send marketing spam, or share your email with advertisers

You can opt out of non-essential emails at any time by contacting us. Security-critical notifications cannot be disabled while your account is active.

Data Security

We take security seriously:

  • All values stored via the API are encrypted at rest using ChaCha20-Poly1305
  • API keys are hashed before storage — we cannot retrieve your original keys
  • All connections use HTTPS/TLS encryption
  • Session cookies are signed and use Secure and SameSite flags
  • Approval tokens are single-use and expire automatically

Data Retention

We retain your data as follows:

  • Account data: Until you delete your account
  • Project data: Until you delete the project or account
  • Approval tokens: Automatically deleted after expiration
  • Server logs: Retained for up to 90 days

Third-Party Services

We use the following third-party services:

  • GitHub OAuth — For authentication
  • Umami Analytics — For privacy-focused website analytics (see Analytics section below)
  • Infrastructure providers — For hosting and database services

We do not sell your data to third parties. We do not use your data for advertising.

Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format

To exercise these rights, contact us at the email below.

Analytics

We use Umami, a privacy-focused analytics service, to understand how our website is used. Umami collects:

  • Page views and referrer information
  • Browser type and operating system
  • Device type (desktop, mobile, tablet)
  • Approximate geographic location derived from your IP address

Your IP address is forwarded to Umami for geographic aggregation and is not stored or used to identify you personally. Umami does not use cookies, does not track you across websites, and does not collect personally identifiable information.

We also use your IP address for rate limiting to prevent abuse of our service. Rate limit data is stored temporarily in memory and automatically purged.

For more information, see Umami's privacy policy.

Cookies

We use essential cookies only — specifically a session cookie for authentication. We do not use tracking cookies. Our analytics provider (Umami) is cookie-free.

Changes to This Policy

We may update this policy from time to time. We will notify users of significant changes by posting the new policy on this page and updating the "Last updated" date.

Contact

For privacy-related questions or requests, contact us at: support@ottr.run