Privacy Policy

Last updated: April 30, 2026

Trust controls at a glance

You can pause, inspect, export, and delete before SeaOtter deploys a workflow

SeaOtter is built around worker-pull workflows. Observation is opt-in, retention is bounded by the surface you use, export stays available from product controls, and deletion removes retained records we control for that surface rather than quietly hiding them. Those controls stay available before a workflow is diagnosed, deployed, or measured.

Pause

Pause observation

Stops new device-local observation before recommendations update.

Retain

Bounded retention

Expired shadow windows, linked runs, and observed samples are deleted by retention enforcement where that surface is enabled.

Export

Export your evidence

Produces a readable snapshot of local privacy state and retained observed-data records when available.

Delete

Delete retained records

Purge removes current device-local MVP data. Cross-surface deletion removes retained benchmark, pilot, shadow, and observed-data records we control, then returns a deletion receipt.

For cross-surface deletion requests, email privacy@seaotter.ai. We reply with deletion proof: what was deleted, what must be retained for legal or security reasons, and the remaining next step if one exists.

Deletion proof path

Deletion is a controlled action, not a vague promise

A legal reviewer should be able to see what starts deletion, what records are in scope, and what proof comes back. SeaOtter separates device-local purge from cross-surface deletion so the action matches the records being removed.

Request: tell us what to delete

Use the product purge control for device-local MVP data, or email privacy@seaotter.ai for benchmark, pilot, shadow, and research records.

Remove: we clear controlled records

Deletion covers records SeaOtter controls for the named surface. Anything retained for legal or security reasons is named instead of hidden.

Prove: you get a receipt

The reply states what was deleted, what remains, why it remains, and the next step if another system owner is involved.

1. What this page covers

SeaOtter currently has three relevant data surfaces: the web benchmark and pilot intake, the desktop MVP's device-local observer, and opt-in shadow observation for pilot or research workflows.

2. What we collect today

Web benchmark and pilot intake: the answers you submit, the computed result, contact details, company details you provide, and basic product analytics.
Desktop MVP local data: the current MVP's observed activity, recommendation history, observation state, and local export artifacts stored by the desktop app on your device.
Opt-in shadow observation: tenant-scoped usage scope, consent timestamp, retention metadata, and connector-derived workflow signals/provenance for pilot or research workflows.

3. How we use your data

Compute and deliver benchmark or pilot results.
Show device-local workflow observations and recommendations inside the desktop MVP.
Improve the benchmark methodology and product.
Reach out about your result if you request it.
Run opt-in shadow observation and research review flows only when a tenant has explicitly configured a usage scope for that path.

4. Training and research use

SeaOtter's baseline model training today is primarily based on synthetic or non-user data. Observed workflow data is not taken from general desktop use by default. In the current implementation, only opt-in shadow observation with an explicit usage scope can materialize into the observed-workflow research queue, and only the training-corpus scope is marked training-eligible. Reviewed samples outside their retention window, or missing audit/provenance controls, are blocked from training planning.

Recommendation, RL telemetry, and product-learning surfaces use a shared privacy learning contract. That contract requires device-held keys, no server key copy, decrypt-only-for-requested inference, plaintext forgotten after inference, no raw content in training rows, and explicit training consent before redacted workflow metadata can improve models.

5. Storage and retention

Desktop MVP data is currently stored locally by the app on your device. Shadow observation and benchmark data are stored in SeaOtter systems when those flows are used. For tenant-authenticated observed-data flows, SeaOtter has a retention enforcement control that can delete expired shadow windows, linked shadow benchmark runs, and observed workflow samples. Fully automated retention coverage across every MVP surface is still being implemented. We do not sell personal data.

6. Your controls and rights today

Current controls depend on the surface:

Pause observation: the desktop MVP can pause new observation before any workflow recommendation is produced.
Export: the desktop MVP exports the current device-local privacy snapshot, and authenticated observed-data tenants can export retained shadow / observed-data server records when that surface is enabled.
Delete: the desktop MVP purge control deletes the current device-local MVP data from the app. Authenticated observed-data tenant deletion removes retained shadow windows, linked shadow benchmark runs, and observed workflow samples for that tenant. Web benchmark or pilot data deletion can be requested through the cross-surface deletion path.
Unsubscribe from all communications.

SeaOtter does not yet provide a single self-serve endpoint that exports or deletes every record across benchmark, pilot, shadow, and research systems. Until that is complete, requests sent to privacy@seaotter.ai are handled as the cross-surface access or deletion path.

7. Contact

Questions about privacy? Email privacy@seaotter.ai