Privacy Policy

1. Who We Are

Otaru AI Pte. Ltd. ("Otaru", "we", "us", or "our") is a company incorporated in Singapore (UEN: 202518591N) with its registered office at #02-01, 68 Circular Road, Singapore 049422.

We operate an AI voice agent platform that handles business conversations on behalf of our customers — answering and making phone calls, talking to website and in-app visitors, and joining online meetings — to qualify leads, book appointments, resolve support requests, and capture each interaction in the customer's systems.

For the purposes of the Singapore Personal Data Protection Act 2012 ("PDPA"), Otaru AI acts as an Organisation in respect of personal data collected via our website and marketing activities, and as a data intermediary (Processor) in respect of personal data processed on behalf of our business customers through the platform. Where we serve customers in jurisdictions with additional data protection requirements (such as the EU GDPR or UK GDPR), we address those requirements through our customer-specific Data Processing Agreements.

2. Scope of This Policy

This Privacy Policy applies to:

• •Visitors to our website at otaruai.com and any associated subdomains
• •Prospective customers, leads, and contacts who interact with our marketing, demos, or sales outreach
• •Individuals who sign up for a free trial or paid account
• •End users of the Otaru AI platform acting under a contract between Otaru AI and a business customer
• •Individuals who interact with an Otaru AI voice agent deployed by a business customer — for example callers, website or in-app visitors, and online-meeting participants — whose personal data we process on that customer's behalf

For enterprise customers: If your organisation has signed a Subscription Agreement or order form with Otaru AI, the Data Processing Agreement (DPA) attached to that contract governs how we process personal data on your behalf, and takes precedence over this Policy where there is a conflict. Customers subject to GDPR or UK GDPR should refer to their DPA for the applicable cross-border transfer mechanisms and legal bases.

3. Data We Collect

3.1 Data You Provide Directly

3.2 Data Generated Through Platform Use

3.3 Data Collected Automatically

• •Device & technical data: IP address, browser type, operating system, device identifiers
• •Log data: Pages visited, timestamps, referral URLs, clickstream data
• •Website analytics data: Page views, click events, and session replay via PostHog – on our marketing website (otaruai.com) only; the Meridian application does not run third-party behavioural or product analytics. See Section 11 (Cookies & Analytics) below

3.4 Data We Do Not Collect

• •Call audio recordings, unless the customer enables recording (off by default), as noted above
• •Voice biometric identifiers or voiceprints — we do not create voiceprints or use voice for biometric identification
• •Sensitive special-category data (unless voluntarily disclosed by an individual during a conversation)
• •Data we know to be from individuals under the age of 18

3.5 Data From Services You Connect

Where a customer connects a third-party service to a voice agent, we access and process data from that service to provide the contracted functionality. This currently includes:

• •Google Calendar (via Google OAuth) – where the customer connects it, we access calendar availability, events, and attendee details to check availability and book appointments. Connection of Microsoft Outlook calendars is not currently available.
• •CRM, booking, and other tools the customer connects – to write conversation outcomes (such as leads and bookings) to those systems.

No model training on customer data. We do not use customer data – including call transcripts, recordings, knowledge-base content, or contact data – to train or fine-tune our global AI models. Customer data is used solely to deliver the contracted services.

4. How We Use Your Data

5. Legal Basis for Processing

Under the Singapore PDPA, we collect, use, and disclose personal data only with your deemed or express consent, or under an applicable exception, and for purposes that a reasonable person would consider appropriate in the circumstances. We rely on the following bases:

• Contractual necessity:Processing required to provide the services you or your organisation have contracted with us for – including operating your voice agents, handling conversations, and providing transcripts and analytics.
• Legitimate interests:Where we have a genuine business reason not overridden by your interests – for example, security monitoring, product analytics using anonymised data, and direct marketing communications to existing contacts (with opt-out available at any time).
• Legal obligation:Where we are required to process data to comply with Singapore law or a regulatory requirement.
• Consent:Where we rely on express or deemed consent under the PDPA (e.g. for certain cookies or marketing communications). You may withdraw consent at any time by contacting us at privacy@otaruai.com or using the unsubscribe link in our emails, without affecting the lawfulness of prior processing.

Note on Telemarketing: Where we conduct telephone or SMS marketing, we comply with Singapore's Do Not Call (DNC) Registry requirements.

6. Data Sharing & Subprocessors

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We share data only in the following circumstances:

6.1 Authorised Subprocessors

We engage the following third-party subprocessors to deliver the platform. All subprocessors are contractually bound to data protection obligations consistent with this Policy and applicable law:

Calls, recording, and consent. Where a customer deploys a voice agent — to handle calls, contact individuals via outbound campaigns, or join an online meeting — the customer is responsible for providing any required notices and obtaining any required consents from the individuals involved. This includes call-recording consent where recording is enabled, any disclosure that a person is speaking with an AI agent where law requires it, and a lawful basis for contacting individuals on an outbound list. Otaru AI processes this data on the customer's instructions and does not independently obtain consent from those individuals.

We will notify customers of any new subprocessor and allow 30 days for reasonable objection before that subprocessor begins processing. Furthermore, our contracts with AI subprocessors (such as Google Cloud Platform) strictly prohibit them from using Customer Data to train, fine-tune, or improve their own foundational AI models.

6.2 Business Customers (Controller-to-Processor)

When processing data on behalf of a business customer — including the personal data of the individuals its voice agents call, speak with, or otherwise interact with — we act as a Data Processor (data intermediary) and follow that customer's documented instructions. The customer remains the Data Controller and is responsible for the lawfulness of the conversations it initiates or enables and for providing any required notices and consents to those individuals.

6.3 Legal Requirements

We may disclose personal data to law enforcement, regulators, or courts where required by law, court order, or to protect the rights, property, or safety of Otaru AI, our customers, or others.

6.4 Business Transfers

In the event of a merger, acquisition, financing, or sale of assets, personal data may be transferred to the relevant third party as part of that transaction, subject to equivalent privacy protections.

7. International Transfers

Otaru AI operates on global cloud infrastructure, and providing the Services involves transferring personal data across borders. In particular:

• •Our primary application database (Supabase / PostgreSQL) is hosted on Amazon Web Services in the Asia Pacific (Seoul) region, South Korea. This is where structured data such as call logs, transcripts, lead and booking records, and contact lists is stored.
• •Real-time voice and language processing during a conversation is performed by Google Vertex AI (Gemini) in the United States (us-central1). This audio and text is processed in real time and is not persisted by the model.
• •Call recordings, where the customer enables recording, are stored in Google Cloud Storage. (Uploaded knowledge-base documents are extracted to text and stored in the primary database, not in Google Cloud Storage.)
• •Other subprocessors – including Twilio (telephony), Bright Data (web ingestion), Resend (email), Recall.ai (online meetings), and Stripe (payments) – may process data in the United States and other jurisdictions.

Under the Singapore PDPA, we ensure that any overseas transfer of personal data is made only to organisations that provide a comparable standard of protection, achieved through:

• •Contractual arrangements – binding our subprocessors to data protection obligations consistent with Singapore PDPA requirements
• •Reliance on subprocessors that maintain recognised security certifications (such as SOC 2 and ISO 27001) providing equivalent protection standards

For customers whose data is subject to GDPR or UK GDPR (e.g. EU or UK-based users), we address international transfer requirements – including Standard Contractual Clauses – through the applicable customer DPA.

8. Data Retention

Upon contract termination, Otaru AI will delete or anonymise all personal data as specified in the applicable DPA and confirm completion of deletion within the agreed timeframe.

9. Your Rights

Under the Singapore PDPA, you have the following rights in respect of your personal data:

• Right of access:Request confirmation of whether we hold personal data about you and, if so, access to that data.
• Right to correction:Request that we correct any personal data about you that is inaccurate, incomplete, or misleading.
• Right to withdraw consent:Withdraw consent to the collection, use, or disclosure of your personal data at any time, subject to legal or contractual restrictions. Withdrawal does not affect the lawfulness of prior processing.
• Right to data portability:Request that your personal data be transferred to another organisation in a commonly used machine-readable format, where technically feasible.

To exercise any of these rights, contact our Privacy Officer at privacy@otaruai.com. We will respond within 30 calendar days as required under the PDPA.

Enterprise customers: End users whose data is processed on behalf of a business customer should direct rights requests to the business customer (the Data Controller / Organisation). We will assist the customer in fulfilling such requests as required by our DPA.

If you believe we have not handled your personal data in accordance with the PDPA, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at pdpc.gov.sg.

10. Security

We implement industry-standard technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

• •Identity and access management with role-based controls
• •Data encryption in transit (TLS) and at rest
• •Regular vulnerability scanning and security assessments
• •Data segmentation and detailed access logging
• •Inherited compliance certifications through Google Cloud Platform, including SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, ISO 27701, PCI DSS, and FedRAMP Moderate

In the event of a personal data breach where we act as a Data Intermediary (Processor), we will notify affected business customers without undue delay and no later than 48 hours after confirming the breach. Where we act as a Data Controller and the breach is notifiable under the PDPA, we will notify the Personal Data Protection Commission (PDPC) of Singapore as soon as practicable and in any event within 72 hours, and we will cooperate fully in any required regulatory notifications.

11. Cookies & Analytics

Our website uses cookies and similar tracking technologies. When you first visit our site, a consent banner allows you to accept or decline non-essential cookies. Your choice is remembered for future visits. We use the following types:

How analytics works with your consent choice: We use PostHog for website analytics. If you decline cookies, analytics data is stored only in your browser's session storage and is cleared when you close the tab – we cannot identify you as a returning visitor. If you accept cookies, PostHog sets a persistent identifier that allows us to recognise you across visits and provide a better experience.

You can change your cookie preference at any time by clearing your browser's local storage for this site, which will cause the consent banner to reappear on your next visit. You can also manage cookies through your browser settings.

12. Children's Privacy

The Otaru AI platform is designed for use by business professionals and is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor's data has been submitted to us, please contact us immediately at privacy@otaruai.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• •Update the "Last Updated" date at the top of this page
• •Notify active customers and platform users by email or in-app notification
• •Where required by law, seek fresh consent

We encourage you to review this Policy periodically. Continued use of the platform or website after changes become effective constitutes acceptance of the updated Policy.

14. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to report a data protection concern, please contact us: