Privacy Policy

Information We Collect

When you create an account, we collect your email address and a username you choose. If you sign up through Google, we receive your Google account email and display name. We do not collect your date of birth or birth year.

When you use Otto we collect the content you create (posts, comments, votes, messages), information about the communities you create or moderate, and reports you submit.

We collect your IP address when you interact with the platform. However, we do not store raw IP addresses. IP addresses are immediately hashed with a server-side salt before storage, meaning we cannot recover the original address. These hashed values are used solely for rate limiting and abuse prevention.

How We Use Your Information

  • To provide and operate the platform
  • To send verification emails and password reset links
  • To enforce our rules and prevent abuse through rate limiting
  • To support the moderation system (reports and enforcement actions)
  • To generate link thumbnails for posts

Information Sharing

We do not sell your personal information. We do not share your data with third parties for advertising purposes. Information may be disclosed if required by law or to protect the safety of our users.

If you sign in with Google, Google may receive information about your authentication session in accordance with their own privacy policy. We use the Resend email service to deliver verification and notification emails.

Data Security

Passwords are hashed using bcrypt before storage. Authentication tokens are signed with ES512 (ECDSA) cryptography. All user-generated HTML content is sanitised to prevent cross-site scripting. Uploaded images are validated at the byte level to block malicious file types. Security headers are applied to all responses.

Cookies & Authentication

Otto uses HTTPOnly cookies to store your authentication token (JWT). These cookies are essential for keeping you logged in and cannot be accessed by JavaScript running on the page. We do not use cookies for tracking or advertising.

Children’s Privacy

Otto is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without the consent of the child’s parent or guardian as required by law, we will delete it.

Your Rights

You can update your profile information, change your email address, or change your password from the settings page at any time. You may request deletion of your account by contacting us via our contact form.

Data Retention

Your account data is retained for as long as your account is active. If your account is deleted, we will remove your personal information (username, email, password). Posts and comments you created will remain visible to preserve community discussions, but your username will be replaced with “[deleted]” so they are no longer linked to your identity. You can delete individual comments before deleting your account if you wish to remove specific content. After account deletion, you may still request removal of specific comments by contacting us via our contact form.

Hashed IP addresses used for rate limiting are retained temporarily and cannot be linked back to you.

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through a notice on the platform. Continued use of Otto after changes take effect constitutes acceptance of the revised policy.

Contact

If you have questions about this Privacy Policy, please contact us via our contact form.

Last updated: February 2026. See also our Terms of Service and Rules.