How Otaru AI collects, uses, and protects your personal data
Effective Date: 01 January 2026 | Last Updated: 04 March 2026 | Entity: Otaru AI Pte. Ltd. | Jurisdiction: Singapore (PDPA)
Otaru AI Pte. Ltd. ("Otaru", "we", "us", or "our") is a company incorporated in Singapore (UEN: 202518591N) with its registered office at #02-01, 68 Circular Road, Singapore 049422.
We operate an AI-native revenue enablement platform that helps organisations ramp sales teams faster, replicate top-performer behaviours, and improve deal readiness through AI-driven simulations, roleplay, coaching, and analytics.
For the purposes of the Singapore Personal Data Protection Act 2012 ("PDPA"), Otaru AI acts as an Organisation in respect of personal data collected via our website and marketing activities, and as a data intermediary (Processor) in respect of personal data processed on behalf of our business customers through the platform. Where we serve customers in jurisdictions with additional data protection requirements (such as the EU GDPR or UK GDPR), we address those requirements through our customer-specific Data Processing Agreements.
This Privacy Policy applies to:
For enterprise customers: If your organisation has signed a Pilot Services Agreement or Subscription Agreement with Otaru AI, the Data Processing Agreement (DPA) attached to that contract governs how we process personal data on your behalf, and takes precedence over this Policy where there is a conflict. Customers subject to GDPR or UK GDPR should refer to their DPA for the applicable cross-border transfer mechanisms and legal bases.
| Category | Examples | Context |
|---|---|---|
| Identity data | Name, company name | Sign-up, demo booking, contact forms |
| Contact data | Email address, phone number | Sign-up, outreach, support |
| Account data | Team membership, role | Platform account creation |
| Sales content | Sales scripts, call transcripts, persona files, playbooks | Uploaded by customer users to configure the platform |
| Communications | Email correspondence, support tickets, demo call notes | Ongoing relationship |
| Category | Examples | Notes |
|---|---|---|
| Session transcripts | Text transcripts of AI roleplay sessions | No audio recordings are stored by default |
| Coaching outputs | AI-generated feedback, scores, coaching rubric assessments | Generated per session |
| Usage metrics | Session timestamps, frequency, duration, feature interactions | Used for analytics and performance reporting |
| Audio & Video recordings | End-of-period audio & video roleplay recordings | Only where explicitly requested by the customer; retained for 30 days post-pilot then deleted |
| Derived analytics | Trend data, team-level scoring insights, longitudinal coaching data | Anonymised or aggregated where possible |
Important:
We do not use customer data — including transcripts, persona content, or sales scripts — to train or fine-tune our global AI models. Customer data is used solely to deliver the contracted services.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Delivering the Otaru AI platform and its features | Account data, session data, uploaded content | Contract performance |
| Running AI roleplay simulations and generating coaching feedback | Session transcripts, persona files, rubrics | Contract performance |
| Providing analytics, dashboards, and readiness reporting | Usage metrics, scoring data | Contract performance / Legitimate interests |
| Responding to support requests and inquiries | Identity, contact, communications data | Contract performance / Legitimate interests |
| Sending product updates, feature announcements, and relevant insights | Name, email, role | Legitimate interests (opt-out available) |
| Managing demo requests and sales pipeline | Identity, contact, company data | Legitimate interests |
| Security monitoring, fraud prevention, and abuse detection | Technical data, logs | Legitimate interests / Legal obligation |
| Complying with legal obligations (e.g. tax, regulatory requests) | Relevant personal data | Legal obligation |
| Improving platform reliability and performance | Aggregated, anonymised usage data | Legitimate interests |
Under the Singapore PDPA, we collect, use, and disclose personal data only with your deemed or express consent, or under an applicable exception, and for purposes that a reasonable person would consider appropriate in the circumstances. We rely on the following bases:
Note on Telemarketing: Where we conduct telephone or SMS marketing, we comply with Singapore's Do Not Call (DNC) Registry requirements.
We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We share data only in the following circumstances:
We engage the following third-party subprocessors to deliver the platform. All subprocessors are contractually bound to data protection obligations consistent with this Policy and applicable law:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud hosting, storage, security infrastructure, Gemini AI models | Singapore (Southeast Asia 1) and/or EU |
| Firebase | Database, user authentication, in-app analytics | Singapore / US |
| Stripe | Payment processing (where payment functionality is enabled) | US / EU |
| Langfuse | Monitoring of AI tokens across LLM services in the app | US / EU |
| PostHog | Website analytics, session replay, product analytics | US / EU |
| Recall.ai | Live call bot and desktop SDK solutions for joining online calls in platforms like MS Teams, Google Meet, Zoom, Webex and Slack Hudle | US |
Important Notice regarding Recall.ai:
Customers are responsible for obtaining appropriate consent from all call participants before enabling the Live Call Coach feature to join and process real-time communications.
We will notify customers of any new subprocessor and allow 30 days for reasonable objection before that subprocessor begins processing. Furthermore, our contracts with AI subprocessors (such as Google Cloud Platform) strictly prohibit them from using Customer Data to train, fine-tune, or improve their own foundational AI models.
When processing data on behalf of a business customer, we act as a Data Processor and follow that customer's documented instructions. The customer remains the Data Controller.
We may disclose personal data to law enforcement, regulators, or courts where required by law, court order, or to protect the rights, property, or safety of Otaru AI, our customers, or others.
In the event of a merger, acquisition, financing, or sale of assets, personal data may be transferred to the relevant third party as part of that transaction, subject to equivalent privacy protections.
Customer data is primarily stored in Singapore using Google Cloud's Southeast Asia 1 region. Some subprocessor infrastructure (e.g. Stripe for payment processing) may involve data transfers to other jurisdictions, including the United States.
Under the Singapore PDPA, we ensure that any overseas transfer of personal data is made only to organisations that provide a comparable standard of protection, achieved through:
For customers whose data is subject to GDPR or UK GDPR (e.g. EU or UK-based users), we address international transfer requirements — including Standard Contractual Clauses — through the applicable customer DPA.
| Data Type | Retention Period | Notes |
|---|---|---|
| Session transcripts & feedback reports (Raw Data) | Duration of contract + deletion on request or termination | Deleted within agreed SLA upon request or contract end |
| Audio and Video recordings | 30 days after pilot/contract end | Only where specifically contracted; then permanently deleted |
| Derived analytics & trend data | Duration of active user account | Deleted or anonymised upon request or contract termination |
| Account & identity data | Duration of account + [12 months] post-termination | Retained for legal and audit purposes |
| Marketing & lead data | Until opt-out or [3 years] of inactivity | Subject to PDPA consent requirements and applicable anti-spam laws |
| Financial & invoice records | 7 years | Required under Singapore Companies Act and tax law |
Upon contract termination, Otaru AI will delete or anonymise all personal data as specified in the applicable DPA and confirm completion of deletion within the agreed timeframe.
Under the Singapore PDPA, you have the following rights in respect of your personal data:
To exercise any of these rights, contact our Privacy Officer at privacy@otaruai.com. We will respond within 30 calendar days as required under the PDPA.
Enterprise customers: End users whose data is processed on behalf of a business customer should direct rights requests to the business customer (the Data Controller / Organisation). We will assist the customer in fulfilling such requests as required by our DPA.
If you believe we have not handled your personal data in accordance with the PDPA, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at pdpc.gov.sg.
We implement industry-standard technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:
In the event of a personal data breach where we act as a Data Intermediary (Processor), we will notify affected business customers without undue delay and no later than 48 hours after confirming the breach. Where we act as a Data Controller, we will notify the Personal Data Protection Commission (PDPC) of Singapore within 72 hours of the breach is notifiable under the PDPA, and we will cooperate fully in any required regulatory notifications.
Our website uses cookies and similar tracking technologies. When you first visit our site, a consent banner allows you to accept or decline non-essential cookies. Your choice is remembered for future visits. We use the following types:
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Authentication, session management, security, cookie consent preference | No |
| Functional | Remembering preferences, language settings | No (or implicit) |
| Analytics | Understanding how visitors use the site, page views, click tracking, session replay (PostHog) | Yes (for persistent cross-session tracking) |
How analytics works with your consent choice: We use PostHog for website analytics. If you decline cookies, analytics data is stored only in your browser's session storage and is cleared when you close the tab — we cannot identify you as a returning visitor. If you accept cookies, PostHog sets a persistent identifier that allows us to recognise you across visits and provide a better experience.
You can change your cookie preference at any time by clearing your browser's local storage for this site, which will cause the consent banner to reappear on your next visit. You can also manage cookies through your browser settings.
The Otaru AI platform is designed for use by business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor's data has been submitted to us, please contact us immediately at privacy@otaruai.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
We encourage you to review this Policy periodically. Continued use of the platform or website after changes become effective constitutes acceptance of the updated Policy.
If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to report a data protection concern, please contact us:
Otaru AI Pte. Ltd.
#02-01, 68 Circular Road, Singapore 049422
Privacy Officer: privacy@otaruai.com
Website: otaruai.com
UEN: 202518591N
We aim to respond to all privacy-related enquiries within 30 calendar days. For complex requests, we may extend this by a further 30 days and will inform you accordingly.
© 2026 Otaru AI Pte. Ltd. All rights reserved. | Privacy Policy | Terms of Service
