Back to main page
1. General Provisions
The OOTO AI Service (“OOTO AI”) collects personal information from various sources strictly to support the delivery and improvement of OOTO AI Services. The term “You” refers to a user of one or more OOTO AI Services (“User” or “Licensee”), or a customer of a User (“Customer”). If you are a Customer, please review our Privacy Policy and Terms of Use to understand how the Licensee, who offers our services, handles your personal information.
OOTO AI collects data through its API to provide the OOTO AI Services and, where permitted, for research and analytical purposes related to the development, evaluation, and improvement of our biometric and identity verification technologies. Data may include:
– face images and document images,
– biometric information (such as facial feature vectors and other templates),
– liveness and deepfake detection results,
– OCR outputs and other technical signals derived from images or documents.
Where our services are used to process biometric identifiers or biometric information of individuals located in jurisdictions with biometric privacy laws (such as the Illinois Biometric Information Privacy Act, “BIPA”), our Licensees are required to obtain an informed written consent (written release) from the individual before collecting or submitting any biometric data to OOTO AI. That written notice and consent must describe the specific purpose for which the biometric data is being collected and the length of time it will be retained. OOTO AI processes such biometric data only for the purposes specified by the Licensee and does not use it for any additional purposes that are unrelated to the services requested by the Licensee.
Such data is processed only as permitted by applicable law, to provide the OOTO AI Services and, where applicable, as part of OOTO AI’s internal research activities. We do not share research datasets, face images, biometric templates, liveness or deepfake results, or OCR outputs with any third parties for research, commercial, or marketing purposes.
Face and document images are processed and stored only for as long as necessary to complete the requested operation and any strictly necessary internal research activities. After the relevant research purpose has been fulfilled, such images are securely deleted or irreversibly anonymized to protect individual privacy.
All biometric templates used for research and analytical purposes are stored in an anonymized, non-reversible format, meaning we cannot identify end users from the data we have and such data no longer constitutes “biometric identifiers” or “biometric information” under applicable biometric privacy laws. OOTO AI does not use this data for advertising, user profiling, or direct marketing.
OOTO AI applies reasonable organizational, technical, and administrative measures to protect the collected data from unauthorized access, use, or disclosure.
OOTO AI does not retain user images longer than necessary for processing and internal research. Once the relevant processing and permitted research use have been completed, images are deleted or anonymized, and only anonymized, non-reversible templates may be retained for ongoing internal research and system improvement.
We do not use biometric identifiers or biometric information obtained through the OOTO AI Services for purposes that are unrelated to the services requested by the relevant Licensee. Any internal research, testing, or improvement of our algorithms is carried out only on data that has been irreversibly anonymized so that it can no longer be used to identify an individual.
OOTO AI is committed to respecting the privacy rights of all users, including residents of California under CCPA/CPRA. We do not sell personal information in exchange for money and we do not use biometric data for advertising. We may, however, use limited website usage information (such as cookie identifiers and analytics data) together with third-party service providers to operate our website and to measure and improve the performance of our online communications and campaigns, as described in this Privacy Policy and in the “Additional Disclosures for California Residents (CCPA/CPRA)” section.
For purposes of CCPA/CPRA, OOTO AI generally acts as a “business” with respect to personal information collected from visitors to our website and from Users who create accounts and subscribe to the OOTO AI Services. With respect to biometric and other personal information that we process on behalf of our Licensees about their end users, we act as a “service provider” or “processor” and handle such information only in accordance with our agreements with the Licensees and their instructions.
2. Personal Information We Collect
When you visit our websites, we collect two types of information about you: personal information that you actively provide to us and information that we automatically collect from your devices.
(a) Personal Information We Collect About You. Personal Information is any information relating to an identified or identifiable natural person. Personal Information that you provide to us directly through our websites will be evident from the context in which you provide it. In particular
– When you register an OOTO AI account, we receive your full name, email address and account login information.
– When you fill out our online form or contact our sales team, we receive your full name, work email address, country, and anything else you provide on the forms.
– When you respond to OOTO AI emails, we collect your email address, name and any other information you choose to include in the body of the email or response, as well as any metadata that may be included automatically. If you contact us by phone, we collect the phone number you call OOTO AI.
If you contact us by phone as a licensee, we may collect additional information to verify your identity, such as your name, mailing address, phone number, and email address.
If you are a customer, when you appear in a licensee's authorized camera or conduct transactions through a licensee's application, we collect any transactional information associated with you. Depending on how Licensee uses our OOTO AI Services, we may collect this information directly from you, from Licensee, or from third parties. The information we collect may include biometric data, email address, and other information that is detected or can be obtained from an image or other transaction conducted through the OOTO AI Services.
Different uses and applications of our OOTO AI Services require the collection of different categories of information. It is up to Licensee to determine what information it collects.
(b) Information we automatically collect on our sites. Our sites use cookies and similar technologies to operate efficiently and to understand how visitors use our services. These technologies record information about your use of our sites, including:
– Browser and device information such as IP address, device type, operating system and internet browser type, screen resolution, operating system name and version, device manufacturer and model, language, plug-ins, add-ons and language version of the sites you visit;
– Usage information, such as time spent on the Sites, pages visited, links clicked, language preferences, and the pages from which you accessed our Sites or clicked on a link;
– Information about your online activities on the Sites and connected devices over time, and interactions with our online content.
We also use third-party analytics and measurement tools (such as Google Analytics and related Google services) to help us analyze aggregate traffic, usage patterns, and the performance of our website and online campaigns. These tools may receive information from your browser or device through cookies or similar technologies in order to provide us with aggregated reports and metrics. You can control or delete cookies through your browser settings; however, some features of the OOTO AI Services may not function properly if cookies are disabled.
(d) We may store non-sensitive subscription metadata (such as selected plan, activation date, plan status, and renewal preferences) associated with your account in order to operate the OOTO AI Services. We do not store or process your payment method details. All billing transactions are processed by our payment provider, Stripe, in accordance with their privacy policies.
3. How we use personal information
(a) Our Products and Services. We use personal information to facilitate business relationships with our users, to comply with our financial regulatory and other legal obligations, and to fulfill our legitimate business interests. However, we do not guarantee compliance with all applicable laws and cannot guarantee that our users use the OOTO AI Software in compliance with applicable laws. We also use personal information to process payment transactions and provide payment-related services to our users.
(b) Marketing and Event-Related Communications. We may send you marketing emails about OOTO AI products and services, invite you to participate in our events or surveys, and otherwise communicate with you for marketing purposes, provided that we do so in accordance with the requirements of applicable consent laws. If we collect your business contact information as part of participating in trade shows or other events, we may use that information to follow up with you about the event, to send you information you have requested about our products and services and, with your permission, to include you in our marketing communications campaigns.
(c) We want to simplify digital identification. To do this, where we have our customers' permission and where not prohibited by applicable law, we use the information we collect to improve and develop our services. This includes creating and improving algorithms, developing and testing new checks, products and services.
4. How and to whom we disclose Personal Information
OOTO AI does not sell or rent personal information to marketers or unaffiliated third parties. We may share your personal information only with trusted third parties in the limited circumstances described below.
(a) Service Providers. We share personal information with a limited number of our service providers. We have service providers that provide services on our behalf, such as website hosting services, data analytics, information technology and related infrastructure, customer service, email delivery and auditing services. These service providers may need access to personal information to perform their services. We authorize these service providers to use or disclose personal information only as necessary to perform services on our behalf or to comply with legal requirements. We require such service providers to contractually obligate themselves to maintain the security and confidentiality of the personal information they process on our behalf.
(b) Our Licensees and third parties authorized by our users. We share Personal Information with our Licensees as necessary to maintain accounts, perform identity verification, and provide the OOTO AI Services on their behalf. We may also share information with third parties directly authorized by the User or the Licensee to receive Personal Information (for example, as part of an integrated product or service). The use of Personal Information by any such third party is governed by that third party’s privacy policy and by its agreement with the Licensee, not by this Privacy Policy.
(c) Business Transactions. In the event we enter into or intend to enter into a transaction that changes the structure of our business, such as a reorganization, merger, sale, joint venture, assignment, transfer, change of control or other disposition of all or part of our business, assets or stock, we may share Personal Information with third parties to facilitate and complete the transaction.
(d) Compliance and prevention of harm. We may disclose Personal Information if we believe it is necessary to: (i) comply with applicable international, federal, state (including Washington State) and local laws or regulations; (ii) enforce our contractual rights; (iii) protect the rights, privacy, safety or property of OOTO AI, you or others; or (iv) respond to requests from courts, law enforcement agencies, regulators and other public and governmental authorities, where such disclosure is required or permitted by law.
(e) Research data and biometric data. Research data collected through our biometric APIs (including biometric templates, liveness and deepfake results, and OCR outputs) will not be sold, leased, traded, or otherwise used to profit, and will not be disclosed to any third parties for commercial or marketing purposes. We do not disclose biometric identifiers or biometric information to third parties except: (i) to our service providers acting on our behalf under written contracts that limit their use of the data to providing services to us; (ii) with the prior written consent of the individual or the applicable Licensee, where permitted by law; or (iii) where we are required to do so by applicable law, court order, or other valid legal process, or as otherwise permitted under applicable biometric privacy laws.
We may share limited non-biometric information (such as cookie identifiers and usage data) with analytics and measurement service providers in order to operate our website and to measure and improve the performance of our online communications and campaigns, as described in this Privacy Policy.
5. User's legal position
You have a choice regarding our use and disclosure of your personal information:
(a) Opt-out of receiving electronic communications from us. If you no longer wish to receive marketing-related electronic communications from us, you may opt-out by submitting a written request to us. We will endeavor to accommodate your request(s) as soon as possible. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative communications necessary to provide the OOTO AI Services to you.
(b) How you can view or change your personal account information. If you wish to review, correct or update any personal information you have previously provided to us, you may do so by logging into your OOTO AI account or by contacting us.
(c) Your Privacy Rights. Depending on where you live and in accordance with applicable law, you may have the following rights with respect to the personal information we hold about you:
– The right to request confirmation of whether the OOTO AI Service processes personal data relating to you and, if it does, to request a copy of such personal data;
– The right to request that OOTO AI correct or update inaccurate, incomplete or outdated personal information about you;
– The right to request that the OOTO AI Service delete your personal information in certain circumstances where required by law;
– The right to request that the OOTO AI Service restrict the use of your personal information in certain circumstances, such as while the OOTO AI Service is considering another request you have submitted.
If the processing of your personal information is based on your prior consent, you have the right to withdraw your consent at any time.
For your protection, we may need to verify your identity before responding to your request, for example, by verifying that the email address from which you submit your request matches the email address we have on file for you. If we no longer need to process personal information about you to provide the OOTO AI Services, we will not retain, collect or process additional information to identify you.
As stated above, OOTO AI does not retain User images longer than necessary for processing and permitted research purposes. Images are deleted or anonymized once those purposes have been fulfilled. All biometric templates retained for research are stored in anonymized, non-reversible form, meaning we cannot identify end users from the data we have.
6. Storage of Information and Data Retention
We make reasonable efforts to provide a level of security commensurate with the risk associated with the processing of Personal Information. We take organizational, technical and administrative measures to protect Personal Information within our organization from unauthorized access, destruction, loss, alteration or misuse. Your Personal Information is available only to a limited number of employees who need access to that information to do their jobs.
We retain Personal Information only for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with applicable legal requirements, and in accordance with our internal Data Retention Policy and, where applicable, the retention periods communicated to individuals by our Licensees under applicable biometric privacy laws.
– Face and document images are stored only for the short period necessary to complete the requested operation and any strictly necessary internal research activities. After that, they are securely deleted or irreversibly anonymized.
– Biometric templates and derived technical signals (such as feature vectors, liveness or deepfake scores, and quality metrics) may be retained in anonymized, non-reversible form for a longer period, solely for internal research, security, fraud prevention, and service improvement. These anonymized datasets cannot be used to identify individual end users.
– Account, subscription and billing information may be retained for the duration of your account and for an additional period as required for invoicing, dispute resolution, accounting, tax and compliance purposes.
– Technical and security logs are retained for a limited period to ensure the security and integrity of our services, to detect and investigate incidents, and to comply with our legal obligations.
Where required by applicable biometric privacy laws (for example, under BIPA for Illinois residents), biometric identifiers and biometric information that remain in identifiable form will be retained only until the initial purpose for collecting or obtaining such data has been satisfied or for a period of no more than three (3) years after the individual’s last interaction with the relevant Licensee, whichever occurs first. After that, such data will be permanently destroyed or irreversibly anonymized in accordance with our internal Data Retention Policy.
The specific retention periods and destruction procedures for each category of data are defined in our internal Data Retention Policy. This policy is reviewed periodically and updated as necessary to reflect changes in our services, legal requirements, and security practices.
We do not keep your personal information longer than necessary. When your account is closed, or when we no longer need your information to provide the OOTO AI Services, we delete or irreversibly anonymize it in accordance with our internal Data Retention Policy.
7. International Data Transfer
We operate around the world. Personal information may be stored and processed in any country in which we operate or in which we employ service providers. We may transfer the personal information we hold about you to recipients in countries other than the country in which the information was originally collected. These countries may have different data protection laws than your country. However, we will take steps to ensure that any such transfer complies with applicable data protection laws and that your personal information is protected in accordance with the standards described in this Privacy Policy.
8. Legal Basis for Processing
We process biometric and technical data on the following legal grounds, depending on the context and our role:
– User consent — when applicable, such as when a customer (Licensee) integrates our technology into their app or product and obtains end-user permission or written release for biometric processing;
– Performance of a contract — when data processing is necessary to deliver, maintain, and support the OOTO AI Services under our agreements with Licensees;
– Legitimate interest — to ensure system security, prevent fraud and abuse, monitor service performance, and improve the accuracy and reliability of our algorithms, where such interests are not overridden by the rights and freedoms of individuals;
– Compliance with legal obligations — where we are required to process or retain certain information under applicable law (for example, for accounting, tax, security, or regulatory purposes).
We never collect personal data directly from end users; all such data is provided to us by our Licensees or their systems in connection with their use of the OOTO AI Services. We do not store raw facial images longer than necessary for processing and any permitted research activities, and we do not retain facial images for marketing or commercial profiling. Biometric templates retained in our systems are stored only in anonymized, non-reversible form for research, analytics, security, fraud prevention, and service improvement purposes.
Where biometric privacy laws such as BIPA apply, our Licensees are responsible for providing the required written notice and obtaining any necessary written release or consent from individuals before their biometric identifiers or biometric information are collected and processed using the OOTO AI Services. OOTO AI relies on our Licensees to ensure that such consent has been obtained and processes biometric data only in accordance with the purposes and retention periods communicated to individuals by the Licensees and permitted by applicable law.
9. Data Processor Role
OOTO acts solely as a data processor, “service provider,” or similar role under applicable law, processing biometric data and anonymized biometric templates on behalf of its clients (Licensees). We do not determine the purposes for which biometric identifiers or biometric information are collected or used and we do not retain any identifiable user information beyond what is necessary to provide the OOTO AI Services in accordance with this Privacy Policy and applicable law. We do not use biometric identifiers or biometric information for our own independent purposes. The responsibility for providing required notices, obtaining appropriate written consent or releases (including where required under laws such as BIPA), and complying with end-user privacy obligations lies with the data controller (our client/Licensee).
10. Use by Minors
The OOTO AI Services are not intended for anyone under the age of eighteen (18), and we ask that you do not submit any personal information through the OOTO AI Services if you are under that age.
11. Updates to this Privacy Policy and Notices
We may modify this Privacy Policy from time to time to reflect new services, changes in our personal information practices, or relevant legislation. Any changes will be effective when we post the revised Privacy Policy on the OOTO AI Services. We may provide you with information and notices regarding the Privacy Policy or personal information collected by posting them on our website.
12. Additional Disclosures for California Residents (CCPA/CPRA)
If you are a resident of California, you may have additional privacy rights under the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). This section supplements the information contained in our Privacy Policy and applies solely to California residents.
When we collect personal information from visitors to our website or from Users who register accounts and subscribe to the OOTO AI Services, we act as a “business” under CCPA/CPRA. When we process personal information, including biometric information, on behalf of our Licensees about their end users, we act as a “service provider” or “contractor” and handle such information only in accordance with our agreements with the Licensees and their instructions.
Categories of Personal Information We Collect.
In the 12 months preceding the date of this Privacy Policy, we may have collected the following categories of personal information, as defined by CCPA/CPRA:
– Identifiers (such as name, email address, account ID);
– Internet or other electronic network activity information (such as usage data, logs, device information, IP address);
– Biometric information and related technical data (such as facial feature vectors, liveness and deepfake detection results, and quality metrics derived from images) when our Licensees use OOTO AI for identity verification;
– Commercial information related to your subscription or use of our services (such as selected plan, activation date, and plan status);
– Other information that you choose to provide to us directly (for example, in forms or communications).
We collect these categories of information for the business purposes described in the sections “Personal Information We Collect” and “How We Use Personal Information” above, including to provide and secure our services, operate and improve our website and APIs, conduct internal research and analytics, and comply with legal obligations.
Sale and Sharing of Personal Information.
We do not sell personal information in exchange for money. We use analytics and measurement tools provided by third parties (such as Google) to understand how users interact with our website, to improve our services, and to measure the effectiveness of our online communications and campaigns. These tools may rely on cookies or similar identifiers that are also used by the providers of those tools in connection with their own services.
To the extent that this activity is considered a “sale” or “sharing” of personal information under CCPA/CPRA, California residents have the right to opt out as described below.
Use of Sensitive Personal Information.
To the extent we process sensitive personal information (such as biometric data), we do so only for the limited purposes of providing and securing the OOTO AI Services, preventing fraud, ensuring system security, conducting internal research and development to improve our algorithms, and complying with legal obligations. We do not use sensitive personal information to infer characteristics about you for marketing or advertising. As a result, the right to limit the use of sensitive personal information under CCPA/CPRA does not materially apply to our current processing activities. If our practices change, we will update this Privacy Policy and provide you with appropriate methods to exercise that right.
Your Rights Under CCPA/CPRA.
Subject to certain exceptions, California residents have the right to:
– Request that we disclose the categories and specific pieces of personal information we have collected about you;
– Request that we delete personal information that we have collected from you;
– Request that we correct inaccurate personal information that we maintain about you;Request information about our practices regarding the disclosure of personal information;
– Opt out of the “sale” or “sharing” of personal information, to the extent our use of third-party analytics or measurement tools is deemed to be a “sale” or “sharing” under CCPA/CPRA;
– Not be discriminated against for exercising any of your CCPA/CPRA rights.
How to Exercise Your Rights.
You may submit a request to exercise your CCPA/CPRA rights by contacting us at request@ooto-ai.com. In your request, please specify which right you wish to exercise and provide sufficient information to allow us to reasonably verify that you are the person about whom we collected personal information (or an authorized agent).
Response Time and Extensions.We aim to respond to verifiable consumer requests within forty-five (45) days of receipt. If we require more time (up to an additional forty-five (45) days), we will inform you of the reason and extension period in writing.
Verification of Requests.
For your protection, we will need to verify your identity before fulfilling certain requests. The verification steps may include confirming that the email address used to submit the request matches the email address associated with your account, or asking you to provide limited additional information that we can match against our records. If we are unable to verify your identity with a reasonable degree of certainty, we may be unable to fulfill your request as permitted by law.
Exceptions.
In some cases, we may deny your request, for example where disclosure would conflict with our legal obligations, adversely affect the rights or freedoms of others, interfere with security or fraud prevention, or where an exception under CCPA/CPRA or other applicable law applies. If we deny your request in whole or in part, we will explain the reasons for the denial, unless we are legally prevented from doing so.
Opt-Out of Sale or Sharing and Global Privacy Control (GPC).
California residents may exercise their right to opt out of the “sale” or “sharing” of personal information by adjusting their cookie preferences using the cookie settings icon displayed on our website (cookie consent banner). By disabling analytics and advertising cookies, you can opt out of the use of third-party tools that may be considered a “sale” or “sharing” under CCPA/CPRA. We also honor browser-based Global Privacy Control (GPC) signals where required by law and treat such signals as a request to opt out of the “sale” or “sharing” of personal information associated with the browser or device that sends the signal.
We do not sell personal information in exchange for money. We use analytics and measurement tools (such as Google Analytics and related Google services) only to understand how users interact with our website, to improve our services, and to measure the effectiveness of our online communications and campaigns. These tools may rely on cookies or similar technologies that are also used by the providers of those tools in connection with their own services. California residents can manage their preferences regarding the use of such tools by adjusting cookie settings in their browser, by using any cookie management tools we make available on our website, or by contacting us at request@ooto-ai.com.
13. Provisions relating to jurisdiction
If you wish to delete your personal or private data, email us at request@ooto-ai.com and we will delete all non-anonymized data.
If you have any questions or complaints about this Privacy Policy, send an email to request@ooto-ai.com.
Address: Doylestown, Pennsylvania 18902 United States
©OOTO AI, 2025, All rights reserved