Privacy Policy

1. Introduction

This Privacy Policy explains how BerryWell, LLC ("BerryWell," "HeyOtto!," "Otto," "we," "us," or "our") collects, uses, stores, and shares personal data in connection with the HeyOtto! application, the public website, and related services (collectively, the "Service").

HeyOtto! is an AI-powered chatbot application designed to give parents the ability to tailor their child's experience and to monitor their activity, providing a safe, educational, and fun environment for kids ages 4-18 to interact with AI.

By using the Service, you agree to this Privacy Policy, our COPPA Policy and Terms of Service. If you do not agree, do not use the Service.

For GDPR purposes, BerryWell LLC is the data controller. We are a Georgia LLC registered in the United States.

2. Information We Collect

2.1 Information You Provide Directly

Account Information

• Name
• Email address
• Password (stored encrypted)
• Phone number (optional, for notifications)
• Time zone
• Device Data
• Financial and billing information (processed through third-party payment processors)

Child Profile Information

• Child names
• Ages or age ranges
• Profile preferences
• Family values and preferences
• Restricted topics
• Custom instructions for AI interactions

Communication Content

• Chat messages and conversations with our AI
• Feedback and support requests
• User-reported content
• Survey responses

2.2 Information Collected Automatically

Usage Information

• General app usage data (to improve performance)
• Pages and features accessed
• Time spent on the Service
• Interaction patterns and frequency
• Device information (type, operating system, browser)
• IP address
• Session information
• Wireless and mobile network information
• Geo-location information

Technical Information

• Log files
• Cookies and similar technologies
• Device identifiers
• Performance data
• Error reports and diagnostics

Other Information

• Records and copies of correspondence if you contact us
• Details of transactions carried out through the Service
• Information when you report problems with the Service

2.3 Information from Third Parties

Authentication Providers

• If you sign up using Google or Apple Sign-In, we receive basic profile information (name, email, profile picture) as permitted by your privacy settings with those providers

Payment Processors

• Transaction information and payment status (we do not store full credit card numbers)

3. Children's Privacy

3.1 Parental Consent and Control

We take children's privacy seriously and comply with the Children's Online Privacy Protection Act (COPPA) and similar laws:

• No one under age 18 may create an account
• We require verifiable parental consent before collecting any personal information from children under 13 via payment verification
• Children under 13 may only use the Service through a parent-managed account
• Parents provide information about their children and control children's profiles
• Parents can review, modify, or delete their children's information at any time
• We do not knowingly collect personal information directly from children under 13 without parental consent

3.2 Children's Information

Information parents may provide about children includes:

• First name or nickname
• Age or age range
• Biological sex (optional)
• Interests, preferences, and personality traits
• Parental guidance preferences

For children under age 13, you should NOT provide:

• Full name, address, phone number or email address
• Pictures, photos, or videos of the child

3.3 Children's Content

• Children's chat messages are stored as part of the Service functionality
• Parents can review and delete children's conversations
• Children's data is used only to provide age-appropriate responses and improve safety features
• We do not use children's personal information for marketing or advertising

3.4 Parental Rights

Parents have the right to:

• Review their children's personal information
• Access and manage their child's data through the app
• Request correction or deletion of their children's information
• Refuse further collection or use of their children's information
• Receive notice of our children's privacy practices
• Prevent further collection or use of their child's information by deleting account

To exercise these rights, contact us at privacy@berrywell.ai.

If we learn we have collected information from a child under 13 without parental consent, we will delete it promptly.

For our complete COPPA Policy, please see chat.heyotto.app/coppa.

4. How We Use Your Information

4.1 To Provide and Improve the Service

• Create and manage your account
• Process your subscription and payments
• Provide AI chat functionality
• Personalize responses based on family profiles
• Maintain age-appropriate content filtering
• Generate alerts for potentially concerning content
• Store conversation history for context and continuity
• Provide customer support
• Send service-related communications

4.2 To Enhance Safety and Security

• Maintain functionality, security, and compliance
• Monitor for inappropriate content and behavior
• Detect and prevent fraud, abuse, and security incidents
• Enforce our Terms of Service
• Protect the rights and safety of our users
• Respond to parental inquiries and provide alerts and reports
• Comply with legal obligations

4.3 To Improve Our AI Models

• Operate, maintain, and improve the application
• Train and improve AI response quality
• Enhance content safety filters
• Develop age-appropriate response mechanisms
• Improve accuracy and helpfulness of responses
• Note: Personal information is anonymized or removed before use in training

4.4 For Analytics and Research

• Understand how users interact with the Service
• Analyze usage patterns and trends
• Conduct internal research and development
• Improve user experience and features
• Generate aggregated, anonymized statistics

4.5 For Marketing Communications (With Your Consent)

• Send promotional materials and updates
• Notify you of new features and offers
• Conduct surveys and collect feedback
• Note: You can opt out of marketing communications at any time

5. How We Share Your Information

We do not sell your personal information. We may share information with:

5.1 Service Providers

We share information with third-party vendors who perform services on our behalf:

• Cloud hosting providers (data storage and processing)
• Payment processors
• AI model providers (generating responses)
• Email service providers (transactional emails)
• Analytics services (understanding usage patterns)
• Customer support tools

These providers are contractually obligated to protect your information and use it only for specified purposes.

5.2 AI Model Providers

We use third-party AI model providers (such as OpenAI, Anthropic, Google, and X.AI) to generate chat responses and enhance user experiences. These providers process chat inputs and related data only to deliver the AI functionality on our behalf. If a user is under 13, we require verifiable parental consent before any interaction with AI features that collect or process personal information.

• Conversations are sent to these providers to generate AI responses
• These providers have their own privacy policies governing their use of data
• We use business-tier services with enhanced privacy protections where available
• Personal information is minimized when sent to AI providers

5.3 Legal Requirements

We may disclose information if required to do so by law or in response to:

• Court orders, subpoenas, or legal processes
• Government or regulatory requests
• Requests to protect rights, property, or safety
• Investigations of potential violations of our Terms
• Emergency situations involving potential harm

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred. We will notify you before your information is transferred and becomes subject to a different privacy policy.

5.5 With Your Consent

We may share information for other purposes with your explicit consent.

5.6 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for:

• Research and analysis
• Marketing and promotional purposes
• Public reporting
• Business partnerships

Contact us at privacy@berrywell.ai for a list of current service providers.

6. Data Retention

6.1 Retention Periods

We retain your information for as long as necessary to:

• Provide the Service to you
• Comply with legal obligations
• Resolve disputes
• Enforce our agreements

6.2 Specific Retention

• Account Information: Retained while your account is active and for a reasonable period after deletion
• Chat Conversations: Retained while your account is active; deleted upon request or account deletion
• Payment Information: Retained as required by law and for tax/accounting purposes
• Usage Logs: Retained for 12-24 months for security and analytics purposes

6.3 Deletion

When you delete your account:

• Personal information is deleted or anonymized within 90 days
• Some information may be retained in backups for up to 90 additional days
• Information required for legal compliance may be retained longer
• Anonymized or aggregated data may be retained indefinitely

You can request deletion of specific information by contacting us.

7. Data Security

We use administrative, technical, and physical safeguards to protect your information. However, no security system is 100% effective, and we cannot guarantee absolute security.

You acknowledge that data transmission and storage carry inherent risks. Any transmission of information is at your own risk.

We are not responsible for circumvention of privacy settings or security measures.

7.1 Security Measures

We implement reasonable technical and organizational security measures to protect your information:

• Encryption of data in transit (TLS/SSL)
• Encryption of sensitive data at rest
• Access controls and authentication requirements
• Regular security assessments and updates
• Employee training on data protection
• Incident response procedures

7.2 Security Limitations

Despite our efforts:

• No method of transmission or storage is 100% secure
• We cannot guarantee absolute security of your information
• You are responsible for maintaining the security of your password and account
• You should notify us immediately of any security breaches

7.3 Your Responsibility

To protect your account:

• Use a strong, unique password
• Do not share your password with others
• Log out after using shared devices
• Enable two-factor authentication if available
• Review account activity regularly

8. Your Rights and Choices

8.1 Access and Portability

You have the right to:

• Access your personal information
• Obtain a copy of your data in a portable format
• Request information about how we use your data

8.2 Correction and Updates

You can:

• Update your account information through account settings
• Correct inaccurate information
• Request correction of information you cannot update directly

8.3 Deletion

You can:

• Delete your account through account settings
• Request deletion of specific information
• Request deletion of children's information

8.4 Opt-Out Rights

You can opt out of:

• Marketing Emails: Click unsubscribe in any marketing email or adjust settings
• SMS Notifications: Reply STOP to any SMS or adjust settings
• AI Training: Opt out of using your conversations for AI model training
• Cookies: Adjust browser settings (may affect functionality)

8.5 Do Not Track

Our Service does not respond to Do Not Track signals because there is no industry standard for compliance.

8.6 State-Specific Rights

California Residents (CCPA/CPRA)

California Civil Code Section § 1798.83 permits California residents to request information about our disclosure of personal information to third parties for direct marketing purposes.

To make such a request under CCPA, email us at privacy@berrywell.ai

• Right to know what personal information is collected
• Right to know if personal information is sold or shared
• Right to opt out of sale/sharing of personal information
• Right to deletion of personal information
• Right to correct inaccurate information
• Right to limit use of sensitive personal information
• Right to non-discrimination for exercising these rights

European Residents (GDPR)

• Right to access personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent
• Right to lodge a complaint with supervisory authority

Other State Laws

We comply with applicable state privacy laws including Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA.

8.7 Exercising Your Rights

To exercise any of these rights:

• Email us at privacy@berrywell.ai
• Use the account settings in the Service

We will respond to requests within the timeframe required by applicable law (typically 30-45 days).

9.  GDPR Rights (EU/UK Users)

This section applies if you are located in the European Economic Area, United Kingdom, or Switzerland ("EEA Individual").

Legal Basis for Processing

We process your personal data based on:

• Performance of a contract: To provide services to you and your child
• Legitimate interests: To analyze and improve services, provide customer services, and conduct marketing (where not overridden by your rights)
• Legal compliance: To meet legal obligations
• Consent: Where required by law or in certain other cases

As an EEA Individual, you have the right to:

• Access and obtain a copy of your personal data (including in portable form)
• Correct inaccurate or outdated personal data
• Delete personal data we hold about you (subject to legal exceptions)
• Object to processing of your personal data
• Restrict how we process and disclose your personal data
• Withdraw consent at any time (without retroactive effect)
• Prevent processing for direct marketing purposes
• Transfer your personal data to a third party
• Lodge a complaint with your local Data Protection Authority

France residents: You also have the right to set guidelines for retention and communication of your personal data after your death.

International Data Transfers

• Data may be processed outside your country
• Safeguards: Standard Contractual Clauses, legal compliance, provider safeguards EEA/UK users: GDPR rights apply, DPO contact: dpo@berrywell.ai

9.1 Data Location

Data may be processed and stored in the United States. Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction.

9.2 Safeguards

When transferring data internationally, we:

• Use Standard Contractual Clauses approved by relevant authorities
• Implement appropriate safeguards as required by law
• Ensure service providers provide adequate protection
• Comply with applicable data transfer regulations

9.3 EEA and UK Users

If you are in the European Economic Area or United Kingdom:

• We process data based on legitimate interests, contractual necessity, or consent
• We implement appropriate safeguards for international transfers
• You have specific rights under GDPR (see Section 8.6)
• Our data protection officer can be reached at [DPO email]

10. Cookies and Tracking Technologies

10.1 Types of Technologies

We use:

• Cookies: Small text files stored on your device
• Local Storage: Browser-based storage
• Session Storage: Temporary browser storage
• Analytics Tools: To understand usage patterns
• Performance Tools: To monitor and improve Service performance

10.2 Cookie Categories

• Essential Cookies: Required for the Service to function
• Functional Cookies: Remember your preferences
• Analytics Cookies: Help us understand usage
• Marketing Cookies: Used for advertising (if applicable)

10.3 Managing Cookies

You can control cookies through:

• Browser settings
• Cookie preference tools (if provided)
• Third-party opt-out tools

Note: Disabling essential cookies may affect Service functionality.

10.4 Third-Party Tracking

We may use third-party analytics services (e.g., Google Analytics) that use cookies to collect usage information. These providers have their own privacy policies.

11. Third-Party Links and Services

11.1 External Links

The Service may contain links to third-party websites or services. We are not responsible for:

• Privacy practices of third-party sites
• Content of third-party services
• How third parties handle your information

11.2 Third-Party Integrations

If you use third-party authentication (Google, Apple):

• Your use is governed by their privacy policies
• We receive only information you authorize
• You can revoke access through your third-party account settings

11.3 AI Model Providers

We use third-party AI services with their own privacy policies.

• OpenAI: https://openai.com/privacy
• Anthropic: https://www.anthropic.com/privacy
• Google: https://policies.google.com/privacy
• X.AI: https://x.ai/privacy-policy

12. Updates to This Privacy Policy

12.1 Changes

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Last Updated" date
• We will notify you by email
• We may display a prominent notice in the Service
• For material changes affecting children's privacy, we will obtain renewed parental consent

12.2 Your Acceptance

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree to changes, you should stop using the Service and may delete your account.

12.3 Version History

We maintain previous versions of this Privacy Policy, which you can request by contacting us.

13. Contact Us

13.1 Privacy Questions

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices:

Email: privacy@berrywell.ai Privacy Officer: Natalie Gibson Website: https://www.heyotto.app

13.2 Data Protection Officer (If Applicable)

For EEA or UK residents:

DPO Email: dpo@berrywell.ai

13.3 Supervisory Authority

EEA and UK residents have the right to lodge a complaint with their local data protection authority.

14. Additional Information for Specific Jurisdictions

14.1 California Residents

California Shine the Light Law: California residents can request information about personal information shared with third parties for their marketing purposes.

Categories of Personal Information: See Section 2 for detailed categories of information collected.

Business Purpose for Collection: See Section 4 for how we use information.

Categories of Third Parties: See Section 5 for how we share information.

14.2 Nevada Residents

Nevada residents may opt out of the sale of covered information. We do not sell personal information, but you can contact us to exercise this right.

14.3 European Residents

Legal Basis for Processing

• Performance of contract (providing the Service)
• Legitimate interests (improving Service, safety, fraud prevention)
• Consent (where required)
• Legal obligations (compliance with laws)

Data Controller: BerryWell LLC

15. Definitions

• Personal Information: Information that identifies, relates to, or could reasonably be linked with a particular individual or household
• Processing: Any operation performed on personal information, including collection, storage, use, or disclosure
• Service: The HeyOtto! application and all related services, websites, and applications
• You/Your: The individual or entity using the Service

---

Survival

The policies in this Privacy Policy remain effective even if our Terms of Service are terminated and you are no longer using the Service.

---

By using HeyOtto!, you acknowledge that you have read, understood, and agree to this Privacy Policy.

Email: support@heyotto.app

Website: https://www.heyotto.app

All rights reserved, BerryWell LLC 2026.