Privacy Policy

Information We Collect

We collect information you provide directly to us, such as when you create an account, upload invoices, or contact us for support. This may include your name, email address, company information, and invoice data.

How We Use Your Information

We use the information we collect to provide, maintain, and improve our services, including analyzing pricing trends, providing cost management insights, and communicating with you about your account.

Information Sharing

We do not sell, trade, or otherwise transfer your personal information to third parties. We may share aggregated, non-personally identifiable information for analytical purposes.

Data Security

We implement appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

Google user data (Gmail API)

If you choose to connect a Gmail mailbox to Otis, we access and process Gmail data via the Gmail API. Otis requests the scope https://www.googleapis.com/auth/gmail.modify.

What we access

  • Message metadata (e.g., From/Reply-To, Subject, timestamps, message IDs), message snippets/body text as needed to detect invoice-related emails, and PDF attachments.

What we do with it

  • Identify invoice-related emails, download PDF attachments for invoice processing, and apply a label (e.g., OTIS_PROCESSED) to prevent reprocessing.
  • We do not send emails on your behalf.

What we store

  • OAuth tokens (refresh/access tokens) needed to keep the integration working (stored encrypted).
  • Minimal processing metadata (e.g., message IDs, history checkpoints, and label settings) to prevent duplicate processing.
  • Invoice documents you choose to process (PDF attachments) and the extracted invoice data created from them.

Retention

  • OAuth tokens and processing metadata: kept while your mailbox connection is enabled; if you disconnect, we stop accessing Gmail and retain the encrypted refresh token for up to 30 days to allow reconnection without re-authorization (or delete immediately if you choose), then delete.
  • Stored invoice documents and extracted invoice data: kept until you delete them or your account is closed; after account deletion we delete within 30 days.

Deletion / revoking access

  • You can disconnect the mailbox in Otis, which stops further access.
  • You can also revoke Otis's access at any time in your Google Account security settings.
  • You can request deletion of Gmail-derived data (including tokens and stored invoice documents) by contacting hello@getotis.ai; we will verify your request and delete within 30 days.

Google API limited use: Otis's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Vulnerability Disclosure Policy

1. Introduction

Otis is dedicated to preserving the security of our systems and protecting customer data from unauthorised access or disclosure. This policy provides guidance to security researchers on how to conduct vulnerability discovery activities responsibly and how to report security vulnerabilities discovered in Otis systems.

This policy explains which systems are in scope, which activities are permitted, how to report vulnerabilities, and the expectations around public disclosure.

2. Guidelines

We ask that you:

  • Notify us as soon as possible after discovering a real or potential security vulnerability.
  • Provide us with a reasonable amount of time to investigate and remediate the issue before publicly disclosing it.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, or destruction or manipulation of data.
  • Use exploits only to the extent necessary to confirm the presence of a vulnerability. Do not use exploits to access data, establish persistence, pivot to other systems, or escalate privileges beyond what is required to demonstrate the issue.
  • Immediately stop testing and notify us if you encounter any sensitive data (including personal data, financial information, or proprietary information), and keep such data strictly confidential.
  • Avoid submitting a high volume of low-quality or speculative reports.

3. Authorisation

Security research conducted in accordance with this policy is considered authorised. Otis will not initiate or pursue legal action against individuals who act in good faith and comply with this policy.

We commit to working collaboratively with researchers to understand, validate, and remediate reported vulnerabilities.

4. Scope

This policy applies to the following Otis-owned systems and services:

  • Otis web application hosted at https://getotis.ai
  • Otis application backend APIs and services
  • Otis Gmail integration components used for invoice processing
  • Otis web-based dashboards and user interfaces

Any systems or services not explicitly listed above are considered out of scope and must not be tested.

Vulnerabilities discovered in third-party services or platforms used by Otis (such as Google, AWS, or email providers) should be reported directly to the relevant vendor in accordance with their vulnerability disclosure policies.

If you are unsure whether a specific system or endpoint is in scope, please contact us before testing.

5. Types of Testing Not Authorised

The following activities are not permitted under this policy:

  • Denial of service (DoS or DDoS) testing
  • Physical security testing (e.g. office access, tailgating)
  • Social engineering (including phishing, vishing, or pretexting)
  • Automated scanning that significantly impacts system availability

6. Reporting a Vulnerability

To report a security vulnerability, please email hello@getotis.ai.

We will acknowledge receipt of your report within one business day where possible and will keep you informed of progress throughout the investigation. Reports may be submitted anonymously.

7. Desirable Information

To help us investigate and resolve reported vulnerabilities efficiently, please include as much of the following information as possible:

  • A clear description of the vulnerability
  • The affected system, endpoint, or component
  • The potential impact and severity
  • Steps required to reproduce the issue, including screenshots or scripts where appropriate

Reports should be submitted in English where possible.

8. Our Commitment

If you provide contact information, Otis commits to communicating in a transparent and timely manner. We will:

  • Acknowledge receipt of vulnerability reports promptly
  • Inform you whether the issue has been confirmed
  • Provide updates on remediation progress where appropriate

We appreciate responsible disclosures made in good faith and view security researchers as partners in keeping Otis and its users safe.

Contact: hello@getotis.ai
Last updated: December 2025

Contact Us

If you have any questions about this Privacy Policy, or would like to report a security vulnerability, please contact us at hello@getotis.ai.

Privacy Policy last updated: December 2025