Octuo Privacy Policy
Tutuo, Inc. ("Tutuo", "we", "us") operates the Octuo service ("Octuo", the "Service") at https://octuo.tutuo.ai. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how long we keep it, and what rights you have. We use plain language because we want this readable, not just compliant.
If you have any question or want to exercise a right, email privacy@tutuo.ai.
This Policy is supplemented by the Beta Notice during the Octuo Public Beta and by the AI Disclosure for any AI-related processing.
1. Who we are (controller identity, GDPR Art 13(1)(a))
| Field | Value |
|---|---|
| Legal entity | Tutuo, Inc. |
| Service operated | Octuo |
| Service jurisdiction | United States |
| Privacy contact | privacy@tutuo.ai |
| General contact | support@tutuo.ai |
| Postal address | Available on request to privacy@tutuo.ai |
We do not currently have a dedicated EU representative under GDPR Art 27. EU users may contact our privacy address directly; we will respond within statutory time limits.
2. What data we collect
We collect only what we need to operate the Service.
2.1 You provide
- Account data: email address, password (hashed), display name, preferences (language, theme, model defaults).
- Payment data: handled by Stripe; we receive a customer ID and subscription / charge events but never see your card number.
- Vault contents: credentials you choose to store. We hold these encrypted with a per-user data encryption key; the key is wrapped by an AWS KMS customer master key. We cannot read your plaintext vault contents.
- Chat / agent input: messages you send to Octuo, files you upload, devices you register.
2.2 We capture automatically
- Service telemetry: HTTP request paths and response codes, feature use, error stack traces, performance metrics.
- Device events: heartbeats, capability registrations, dispatch attempts (when you connect a Mac or iOS client).
- Authentication events: login success/failure, password reset initiation, suspicious activity flags.
- Audit log: append-only record of security-relevant operations on your account (logins, vault dispenses, account-setting changes).
2.3 We do NOT collect
- Your card number (handled exclusively by Stripe).
- Vault plaintext (we only see ciphertext + envelope metadata).
- Cross-site tracking pixels (no Facebook Pixel, Google Analytics, etc.).
- Marketing-purpose location data.
3. Why we process your data (purposes + lawful basis, GDPR Art 13(1)(c))
| Purpose | Lawful basis | Examples |
|---|---|---|
| Provide Octuo to you | Contract performance (GDPR Art 6(1)(b)) | Storing your account, running chats, dispatching agent actions |
| Bill you | Contract performance | Stripe charges, invoices, refunds |
| Keep Octuo secure | Legitimate interest (Art 6(1)(f)); legal obligation (Art 6(1)(c)) | Audit log, abuse detection, account-takeover defense |
| Improve Octuo | Legitimate interest | Aggregate usage analytics during beta (telemetry §2.2 above) |
| Email you about Octuo | Consent (Art 6(1)(a)); legitimate interest for service emails | Service announcements, beta updates, password resets |
| Comply with the law | Legal obligation | Subpoenas, valid law-enforcement requests |
We do not rely on consent for processing necessary to perform the contract (you cannot withdraw consent for chat history while keeping an active account); we do rely on consent for marketing emails and you can opt out anytime in Account Settings.
4. Who we share data with (recipients, GDPR Art 13(1)(e))
We share only what each recipient needs to perform its function.
| Recipient | What | Purpose | Location |
|---|---|---|---|
| Stripe, Inc. | Email, customer ID, subscription / charge events | Process payments | United States |
| OpenAI, L.L.C. | Your prompt, system context | Generate AI responses | United States |
| Anthropic, PBC | Your prompt, system context | Generate AI responses | United States |
| Google LLC | Your prompt, system context | Generate AI responses | United States |
| Amazon Web Services, Inc. | All Service data (encrypted at rest) | Hosting, KMS, S3, RDS | United States (us-west-1) |
| Sentry / error tracking | Stack traces, user-id-only | Debug crashes | United States |
| Law enforcement / regulators | What is legally required | Compliance with valid orders | Varies |
We do not sell your data, exchange it for advertising audience matching, or share it with data brokers.
For the full list of LLM providers and what data flows to each, see the AI Disclosure.
5. International data transfers (Art 13(1)(f))
Octuo runs on AWS in the United States. If you are in the European Union, the United Kingdom, or another jurisdiction with data protection laws restricting transfers to the US, your data is transferred to and processed in the United States.
We rely on the following transfer mechanisms:
- EU users: Standard Contractual Clauses (the European Commission's 2021 Module 1 SCCs) with each US sub-processor (Stripe, OpenAI, Anthropic, Google, AWS).
- UK users: the UK International Data Transfer Addendum to the EU SCCs.
- California users (CCPA): see §11 below.
- China users (PIPL): see §10 below.
You can request a copy of the SCCs by emailing privacy@tutuo.ai.
6. How long we keep your data (retention, Art 13(2)(a))
| Data | Retention | Reason |
|---|---|---|
| Account record (active) | While your account is active | Required to provide the Service |
| Chat history | While your account is active OR until you delete a conversation | You control retention via deletion |
| Vault ciphertext | While your account is active | You control retention via deletion |
| Audit log | 7 years | Security forensics + compliance |
| Telemetry (non-personal aggregate) | 13 months | Trend analysis |
| Telemetry (personal-identifying) | 90 days | Debug recent issues |
| Stripe billing records | 7 years | Financial records + tax |
| Backups | 7 days rolling | Disaster recovery |
| Account record (deleted) | 30-day grace period, then hard delete | Allows account recovery; balanced against right-to-be-forgotten |
You can export your data anytime from Account Settings (§9 below).
7. Your rights (GDPR Art 15-22; CCPA equivalents)
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data ("right to be forgotten") — Account → Delete.
- Portability — download a machine-readable export.
- Restrict processing — pause processing while we resolve a complaint.
- Object to processing based on our legitimate interests.
- Withdraw consent for marketing emails anytime, with no impact on Service access.
- Not be subject to solely automated decisions that produce legal or significant effects on you. (Octuo does not currently make any such decisions; AI suggestions are not automated decisions in this sense.)
- Lodge a complaint with your supervisory authority. EU users may complain to the Data Protection Authority of their member state; UK users to the ICO; California residents to the CA Attorney General.
To exercise any right, email privacy@tutuo.ai. We respond within 30 days (we may extend by an additional 60 days for complex requests, with notice).
8. Security
- Encryption in transit: TLS 1.2+ everywhere; HSTS preload.
- Encryption at rest: AWS RDS storage encrypted; vault items envelope-encrypted with a per-user DEK wrapped by an AWS KMS CMK.
- Authentication: bcrypt password hashing; JWT with rotating signing key; HttpOnly secure cookies; rate-limiting on authentication endpoints.
- Audit log: append-only, tamper-evident hash chain on security-relevant events.
- Segregation: production environment isolated from development; octuo_admin database role separated from octuo_app_writer; KMS key access restricted to Pod IRSA roles.
We follow the principle of least privilege internally and review access quarterly.
9. Self-serve data export and deletion
In Account Settings:
- Download my data: produces a JSON + Markdown package of your chat history, memory items, knowledge entries, vault metadata (NOT plaintext credentials), device list, and billing history. We email you a download link; the link expires in 7 days.
- Delete my account: schedules deletion with a 30-day grace period (for cancellation). Vault keys are shredded immediately on schedule (vault contents become unreadable even to us). After the grace period, all account data is hard-deleted from primary storage; backups age out of the 7-day rolling window.
10. China-specific notice
If you are in mainland China:
- Octuo is a US-based service. We do not have a China legal entity, ICP filing, or local data center. Your data is stored in and processed from the United States.
- We rely on the lawful-basis framework of US law and the GDPR-style protections above; we have not registered a separate Standard Contract with the Cyberspace Administration of China.
- LLM providers (OpenAI, Anthropic, Google) likewise operate from the United States; their content moderation is governed by US law and their respective acceptable-use policies, not Chinese regulation.
- You are responsible for compliance with Chinese law in your use of Octuo; we make no representation that the Service is lawful for your purpose in China.
- If GFW filtering blocks access, Octuo is not designed to bypass it.
If you do not accept these conditions, do not use Octuo.
11. California residents (CCPA)
You have the same access / deletion / portability rights described in §7 above. Additionally:
- Categories of personal information collected: identifiers (email, customer ID), commercial information (subscription, purchases), internet activity (Service telemetry), inferences (preferences derived from use).
- Categories sold or shared for cross-context behavioral advertising: NONE. We do not sell your information.
- Right to know: email privacy@tutuo.ai; no charge for the first request per 12 months.
- Right to opt out of sale: not applicable (we do not sell).
- Non-discrimination: we will not deny Service or charge a different price for exercising your rights.
- Authorized agent: you may use an authorized agent; we will verify with you directly.
California Attorney General complaints: oag.ca.gov/contact/consumer-complaint.
12. Children
Octuo is not intended for children under 13 (or the equivalent minimum age in your jurisdiction; 16 in some EU member states under GDPR). We do not knowingly collect data from children. If you believe a child has used Octuo, email privacy@tutuo.ai and we will remove their account.
13. Cookies and similar technologies
See the Cookie Policy for the small set of cookies we use. We do not use third-party tracking cookies.
14. Changes to this Policy
We may update this Privacy Policy. If a change is substantive (we expand a processing purpose, add a new sub-processor category, weaken a user right, or change retention periods upward), we will:
- Bump the version major and the effective_date in the frontmatter.
- Notify you by email at least 30 days before the new version takes effect.
- Show an in-app banner on next sign-in.
If you continue to use Octuo after the new version takes effect, you accept the changes. If you do not accept, you may delete your account during the notice period; we will refund unused subscription days pro-rata if you cancel solely because of the change.
Non-substantive clarifications (typo fixes, formatting, restating existing protections more clearly) bump the version minor and update the last_updated date but do not require notice or consent.
15. Contact
| Topic | Email |
|---|---|
| Privacy questions, exercising rights, lodging concerns | privacy@tutuo.ai |
| General Service questions | support@tutuo.ai |
| Security disclosures | security@tutuo.ai |
| Press / legal | legal@tutuo.ai |
This Privacy Policy is part of the Octuo legal documents set. See also: Terms of Service, Beta Notice, Acceptable Use Policy, AI Disclosure, Refund Policy, Cookie Policy.