Privacy Policy

Effective date: 25 May 2026
Operator: Kopec InnoTech s.r.o.
Registered address: Grafická 3365/1, Smíchov, 150 00 Praha 5, Czech Republic
Company ID (IČ): 21847126
Tax ID (DIČ): Not VAT registered
Registered at: Městský soud v Praze, oddíl C, vložka 407382
Contact email: contact@kopecinnotech.com
Website: www.kopecinnotech.com

1. Who We Are

OtterSay is a voice-first productivity service operated by Kopec InnoTech s.r.o., a limited liability company incorporated in the Czech Republic. We process personal data as a data controller under Regulation (EU) 2016/679 (GDPR) and applicable Czech law.

We offer two email-based services:

  • TLDR – send any text to tldr@ottersay.com and receive a concise AI-generated summary by return email.
  • TTS (Text-to-Speech) – send text to tts@ottersay.com and receive an email with an audio recording you can listen to on the go.

No app download, no dashboard login, and no copy-paste are required. You interact entirely through email.

2. Data We Collect and Why

2.1 Account and registration data

OtterSay accounts are created in one of two ways:

  • (a) Paid subscription activation: when you purchase a subscription through our website, the payment is processed by Paddle (see Section 2.4). We receive your email address from Paddle and use it to activate your paid account in our service database. No passwords are stored by OtterSay – subscription management is handled through the Paddle customer portal.
  • (b) Automatic activation: if you email tldr@ottersay.com or tts@ottersay.com without a prior account, we automatically create a free-tier account using your email address only. No name or password is collected or stored by OtterSay.

Purpose: to create and manage your account, identify you when you send emails to the service, and communicate with you about your account and service use.

Legal basis: Contract (Art. 6(1)(b) GDPR) – account creation is necessary to deliver the service you requested.

2.2 Email content you submit

When you email tldr@ottersay.com or tts@ottersay.com, we receive:

  • The email body (plain text or HTML)
  • Any .txt, .html, or .pdf attachments you include
  • Standard email headers (sender address, subject line, timestamp)

Purpose: to process your request – summarise the text or convert it to speech – and deliver the result back to you by email.

Retention: Email content is processed transiently and is not stored permanently on our systems after your request has been fulfilled.

Legal basis: Contract (Art. 6(1)(b) GDPR).

2.3 Credit and usage data

We record the number of credits allocated and consumed per billing period, keyed to your email address, in a PostgreSQL database. Your current credit usage for the active billing period is also included in each service reply email. For analytics and operational reporting, anonymised snapshots of this data are periodically exported to Google Sheets.

Purpose: to enforce fair-use limits, calculate billing, and allow you to track your usage.

Legal basis: Contract (Art. 6(1)(b) GDPR) and Legitimate Interest (Art. 6(1)(f) GDPR) in preventing abuse of the service.

2.4 Payment data

Payments are processed and managed by Paddle.com Market Limited (‘Paddle’), which acts as the Merchant of Record for all OtterSay purchases. Paddle acts as an independent data controller for payment and billing data under its own privacy notice. Kopec InnoTech s.r.o. does not receive or store card numbers, bank account details, or any other payment instrument data.

We receive non-sensitive billing confirmation data from Paddle (e.g. payment success/failure, subscription status, subscription ID).

Legal basis: Contract (Art. 6(1)(b) GDPR) and Legal Obligation (Art. 6(1)(c) GDPR) for accounting records.

2.5 Website and server data

Our website (hosted on WordPress) and web server collect:

  • IP addresses and user-agent strings – retained in standard server logs.
  • Session and authentication cookies set by WordPress and any active plugins.

Purpose: security, fraud prevention, debugging, and legal compliance.

Legal basis: Legitimate Interest (Art. 6(1)(f) GDPR).

Note: our email-processing backend does not perform IP logging.

2.6 Marketing communications

We may send you occasional emails about new features, service updates, or relevant offers. We only do this if you have explicitly opted in by clicking the opt-in link included in your first service reply email.

Purpose: to keep you informed about OtterSay features and offers that may be of interest to you.

Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time by clicking the unsubscribe link in any marketing email, or by emailing support@ottersay.com. Withdrawal does not affect the lawfulness of any communications sent before withdrawal.

We do not send marketing emails to users who have not explicitly opted in.

2.7 Cookies

Our website uses cookies for session management, authentication, and – depending on installed plugins – analytics or consent management. A full cookie list is maintained in our Cookie Notice, which is presented to you when you first visit the website and is updated whenever plugins change. You can manage cookie preferences at any time via the cookie preference centre on the website.

3. How We Share Your Data

We do not sell your data. We share data only with the processors listed below, each engaged under a Data Processing Agreement (DPA) or equivalent contractual safeguard as required by Art. 28 GDPR.

Processor

Paddle.com Market Limited (UK/Ireland)

Merchant of Record: handles all payment processing, tax collection, and billing. Receives and controls billing data necessary to process your subscription. Acts as an independent data controller for payment data under its own privacy notice. Safeguard: UK Adequacy Decision covers UK-based processing; SCCs (Commission Decision 2021/914) apply to any onward transfers to third countries.

Anthropic, PBC (USA)

AI summarisation (TLDR service) and optional email-body cleaning. Receives email text content you submit. Safeguard: SCCs under Anthropic’s DPA.

ElevenLabs / OpenAI / Google (various)

Audio synthesis (TTS service). Receives email text content you submit. The specific provider used depends on your plan and voice selection. Safeguard: SCCs or equivalent under each provider’s DPA.

Google LLC (USA)

Google Sheets API – receives periodic analytics snapshots (email address, credit usage summary) for operational reporting. Primary credit data is stored in a PostgreSQL database on our own infrastructure. Safeguard: SCCs under Google Workspace DPA.

WordPress hosting provider

Hosts the public-facing OtterSay website only. No user account or service data is stored in WordPress. Safeguard: DPA with provider; provider selection disclosed on our website.

Cookie plugin vendor

Manages cookie consent records. Safeguard: DPA with vendor; vendor disclosed in Cookie Notice.

Transfers outside the EEA (to USA-based processors) are covered by SCCs issued under Commission Decision 2021/914 or an equivalent transfer mechanism recognised by Czech/EU supervisory authorities.

4. How Long We Keep Your Data

  • Account data (name, email, hashed password): retained for the duration of your account plus 3 years after closure, for legal and accounting purposes.
  • Free-tier accounts with no service activity (no requests processed) for 12 consecutive months may be deleted along with all associated personal data. We will notify the account email address at least 30 days before deletion so you have the opportunity to use the service and retain your account.
  • Email content submitted for processing: deleted after your request is fulfilled.
  • Credit and usage records: retained for the duration of your account. Analytics snapshots in Google Sheets are anonymised or removed when your account is deleted.
  • Marketing consent records: retained until consent is withdrawn, then deleted within 30 days.
  • Payment records: retained for 10 years as required by Czech accounting law (Act No. 563/1991 Coll.).
  • Server logs (IP, user agent): retained for up to 12 months.

5. Your Rights Under GDPR

As a data subject you have the following rights. To exercise any of them, email support@ottersay.com with the subject line ‘Data Rights Request’.

  • Right of access (Art. 15): obtain a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data where there is no overriding legal ground for retention.
  • Right to restriction of processing (Art. 18): ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: you may complain to the Czech supervisory authority, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, www.uoou.cz), or the supervisory authority of your EU country of residence.

We will respond to all requests within 30 days. Complex requests may take up to 3 months; we will notify you of any extension.

6. Account Deletion and Data Erasure

To delete your OtterSay account and associated personal data, email support@ottersay.com with the subject line ‘Delete My Account’. Upon receipt we will:

  • Delete your account record and credit ledger from our PostgreSQL service database.
  • Remove any analytics snapshot rows associated with your email address from our Google Sheets reporting.
  • Delete or anonymise any remaining server logs associated with your account within the applicable retention period.

We will confirm deletion within 30 days. Certain data may be retained longer where required by law (e.g. accounting records, see Section 4).

7. Security

We implement technical and organisational measures appropriate to the risk, including:

  • Encrypted transmission (TLS/STARTTLS) for all email and API communications.
  • Hashed password storage – we never store or transmit plaintext passwords.
  • Access controls limiting who can access user data and the Google Sheets ledger.
  • No storage of payment card data — fully delegated to Paddle’s infrastructure as Merchant of Record.

No method of transmission or storage is 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and affected individuals without undue delay, as required by Art. 33–34 GDPR.

8. Minimum Age

OtterSay is not directed at children. In accordance with Art. 8 GDPR and Czech law implementing Directive 2002/58/EC, you must be at least 16 years old to create an account and use the service. By registering, you confirm that you meet this requirement. If we become aware that a user is under 16, we will delete the account and associated data.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before any material change takes effect. The ‘Last updated’ date at the top of this document reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance of the updated policy.

10. Contact Us

For privacy-related questions, data rights requests, or to report a concern:

Email: support@ottersay.com

Post: Kopec InnoTech s.r.o., Grafická 3365/1, Smíchov, 150 00 Praha 5, Czech Republic