Last updated: June 29, 2026
Trust controls at a glance
SeaOtter grades the work you submit against your acceptance policy. Evaluation is explicit and opt-in, retention is bounded, export stays available, and deletion removes the records we control for that surface rather than quietly hiding them. Whether your interactions improve our models is your choice — on by default outside the EU and opt-in within it — and training a private critic on your data is a separate, revocable agreement.
Consent
You send work to be graded — nothing is observed passively. Model improvement is on by default outside the EU and off by default within it, and you control it any time in settings. Training a private critic on your data is a separate, revocable agreement.
Retain
Submitted artifacts and evaluation records are kept only as long as needed to run the service and your retention settings allow, then deleted.
Export
Produce a readable snapshot of your account's evaluation history and any retained submissions we control.
Delete
Purge your evaluation records and submitted artifacts. Cross-system deletion removes the records we control and returns a deletion receipt.
For access or deletion requests, email privacy@seaotter.ai. We reply with deletion proof: what was deleted, what must be retained for legal or security reasons, and the remaining next step if one exists.
Deletion proof path
A legal reviewer should be able to see what starts deletion, what records are in scope, and what proof comes back. SeaOtter separates in-product account deletion from cross-system deletion so the action matches the records being removed.
Use the in-product delete control for your account data, or email privacy@seaotter.ai for any records held across evaluation, curation, and research systems.
Deletion covers the records SeaOtter controls for the named surface. Anything retained for legal or security reasons is named instead of hidden.
The reply states what was deleted, what remains, why it remains, and the next step if another system owner is involved.
SeaOtter is centred on the native macOS Companion, with web, evaluation API (MaaS), MCP/SDK integrations, an adversarial acceptance corpus (DaaS), and a curation and labelling console. This policy covers the specific app, window, project, file, or agent session you approve for the Companion; work submitted for evaluation; account and billing details; accept/reject decisions; and data you explicitly consent to use for training. The historical Tauri/Windows client is retired; the Swift macOS Companion is the current product.
Your agentic interaction data. When you use SeaOtter's self-serve surfaces, your agentic interaction data — the work your agents submit for evaluation, the OtterScore verdicts, and your accept / reject / re-prompt signals, plus the feedback you give about our evaluations — may be used to train and improve our models. Outside the EU, EEA, UK, and Switzerland this is on by default and you can opt out at any time; in the EU, EEA, UK, and Switzerland it is off by default and we use your data only if you turn it on. If model improvement is on, new and resumed interactions are retained for up to five years; if it is off, we keep only a 30-day operational window and do not use new interactions for training. Manage this any time in your privacy settings. Turning it off or deleting your account excludes your data from future model training and reverts to the 30-day window; data already used to train a released model can't be retracted from that model but will not be used again.
What is never used. Raw artifact bodies, files, emails, prompts, keystrokes, credentials, and personal identifiers are never used to train models — only redacted structural metadata plus the artifact you explicitly submitted are ever eligible. Rejected or stale artifacts marked do-not-train are audit-only metadata and are never model-visible.
Commercial and enterprise plans. Data from commercial, team, enterprise, on-premises, and BYOC deployments is excluded from shared model training entirely. It is only ever used to train your own private critic under an explicit, per-modality training-corpus agreement that you can revoke at any time.
Evaluation, learning, and product surfaces share a privacy and key-custody contract. That contract requires device- or tenant-held keys, no server key copy and no server decrypt capability except for an inference you request, plaintext that is ephemeral and forgotten after inference, and no raw content stored in training rows.
For the hosted service, evaluation and account data are stored in SeaOtter systems with bounded retention, and deletion controls remove submitted artifacts and evaluation records we control. For enterprise on-premises and bring-your-own-cloud (BYOC) deployments, your raw work stays inside your boundary and does not leave it without your consent. We do not sell personal data.
We use a small set of third-party sub-processors to run the hosted service (hosting, database, email, authentication, billing, and LLM inference). The current list, with each provider's purpose and region, is published at /subprocessors. A Data Processing Agreement that references that list is available on request.
Requests sent to privacy@seaotter.ai are handled as the cross-system access or deletion path.
Questions about privacy? Email privacy@seaotter.ai