Privacy Policy
Privacy Policy of OttoKit
Last updated: September 25, 2025
This Privacy Policy explains how Brainstorm Force US LLC (“OttoKit,” “we,” “us,” or “our”) collects, uses, processes, shares, and protects information in connection with our websites, products, services, integrations, developer programs, communities, and branded social media pages (collectively, the “Services”).
Who We Are
Brainstorm Force US LLC (OttoKit) is the legal entity operating the Services. Our mailing address is Brainstorm Force US LLC, 2093 Philadelphia Pike #3090, Claymont, DE 19703, United States. If you need assistance, please contact [email protected].
Your Acknowledgment of This Policy
You are not legally required to provide us with Personal Data. If you choose to provide Personal Data, you do so voluntarily and with consent. We cannot force you to provide Personal Data; however, without certain Personal Data we may be unable to provide parts of the Services.
You may withdraw consent at any time and request that we cease processing your Personal Data or delete Personal Data that is not required to be retained by law. Deletion or restriction may limit your access to updates, support, or functionality.
What Personal Data We Collect
We collect Personal Data about different types of users depending on how you interact with the Services.
Workspace Owners / Admins / Members (“Customers”)
We collect signup and account data, such as full name, business name, address, website URL, billing details, connected applications, payment processors, transaction metadata, usage metrics, and purchases made through our Services.
End Users / Contacts Processed via Workflows
On behalf of Customers, we may collect and retain End Users’ contact details, purchase/order history, and other information processed by Customers’ workflows (e.g., email addresses, phone numbers, order identifiers). We do not store full credit card numbers or comparable sensitive payment details.
Affiliates / Partners
We collect Affiliate contact details, payout and payment data, and related program information.
Developers / API Users
We collect developer account details, OAuth application metadata, logs and usage information related to API calls, webhooks, and app integrations.
Types of Data We Collect
Non‑Personally Identifiable Data (“Non‑Personal Data”)
Technical and statistical data that does not pertain to a specific identified individual, such as device type, browser type and version, IP data, screen size/resolution, language settings, and similar telemetry. While not inherently identifiable, some Non‑Personal Data may be considered Personal Data under certain laws if reasonably re‑identifiable.
Usage Data
Information about how you use the Services, including search queries performed, pages viewed, features used, content submitted or reviewed, workflow execution metadata, integration events, latency/error logs, and similar operational data.
Personally Identifiable Data (“Personal Data”)
Information that identifies an individual or relates to an identifiable person, including: (i) data you provide voluntarily (username, email address, profile picture, social accounts, other fields in forms or during onboarding/usage); and (ii) data learned from use of the Services (IP address, payment type, transactional metadata, audit logs, and similar information).
How We Collect Personal Data
We collect data from your use of the Services and through your interactions with us, including:
- Forms and submissions (including form field capture even if not submitted, for fraud prevention and support);
- JavaScript capture and analytics;
- Account creation and billing;
- Workflow execution, triggers, actions, logs, and webhooks;
- OAuth authorizations and API events from connected third‑party applications;
- Support requests and communications.
We may use Google Address Autocomplete to assist in entering postal addresses.
Purposes for Collection and Processing
We process data to:
- Provide and operate the Services (including authentication, connectivity to third‑party apps, workflow execution, billing, and support).
- Improve the Services using aggregated and de‑identified insights (e.g., performance tuning, bug reports, feature planning).
- Communicate with you about the Services (transactional, operational, and – where permitted – promotional messages).
- Market the Services (creating look‑alike audiences, sharing customer lists with advertising services under confidentiality and as permitted by law; you may opt‑out where applicable).
- Ensure security and compliance, prevent fraud, and enforce terms.
“Our Services” include our websites, applications, developer tools, integrations, and affiliated properties.
How We Contact You
If you subscribe to our newsletter or sign up for the Services, we may send periodic updates and promotional emails. You may opt out of promotional emails at any time. You cannot opt out of transactional emails (e.g., invoices, security alerts, service notices). If you express interest in a product or feature, we may contact you regarding that item.
Your Personal Data Rights
Right of Access and Rectification
You have the right to know what Personal Data we collect about you and to ensure it is accurate and relevant. You may request a copy of your Personal Data and ask us to correct inaccurate, incomplete, or outdated data. We may request reasonable verification to confirm your identity before fulfilling requests.
Right to Delete or Restrict Processing
You may request deletion of your Personal Data or restriction of processing by us and by third parties. We may postpone or deny requests if the data is required for the purposes for which it was collected or for other legitimate reasons (e.g., legal obligations).
Right to Withdraw Consent
You may withdraw consent at any time. Withdrawing consent will not affect the lawfulness of processing carried out prior to withdrawal. In many cases, withdrawal of consent will result in deletion of the relevant Personal Data.
Right of Data Portability
Where technically feasible, you may request transfer of your Personal Data in accordance with the right to data portability. Contact [email protected] to initiate.
Right to Lodge a Complaint
You may lodge a complaint with a data protection authority regarding our processing of your Personal Data.
Your California Privacy Rights and Do Not Track Notices
We do not convey your Personal Data to third parties for their direct marketing purposes. If applicable, California Civil Code §1798.83 permits California residents to request information regarding disclosures for direct marketing. To make such a request, email [email protected] and we will confirm that no such disclosures were made. We are required to respond to one request per customer per calendar year.
We respond to browser “Do Not Track” (DNT) signals as supported by your browser settings.
Your Brazilian LGPD Rights
Notwithstanding other provisions, you may exercise rights under Brazilian law, including (i) confirmation of processing; (ii) access; (iii) correction of incomplete, inaccurate, or outdated data; (iv) anonymization, blocking, or deletion of unnecessary/excessive data or data processed unlawfully; (v) portability to another provider subject to commercial and industrial secrecy; (vi) deletion of Personal Data processed with consent (subject to exceptions in Art. 16); (vii) information on public and private entities with which we shared data; (viii) information about the possibility of denying consent and consequences; and (ix) revocation of consent as provided in §5 of Art. 8.
Exercising Your Rights
To access, correct, amend, delete, or port Personal Data, contact [email protected]. We will respond within a reasonable timeframe and within deadlines required by applicable law. Where available, you may modify certain information directly within your account settings.
Sharing Personal Data with Third Parties
We respect your privacy and do not disclose, share, rent, or sell Personal Data to third parties except as described here:
- At your direction (e.g., executing a workflow that sends data to a third‑party app; facilitating payments).
- Compliance and safety (e.g., to comply with court orders, laws, legal processes, or governmental requests).
- Service operation (sharing with vetted subprocessors under contract who provide hosting, infrastructure, analytics, support, email delivery, payments, and related services).
Our subprocessors include (illustrative, may change): Stripe, PayPal, Mollie, Paystack (payments); AppSignal, Hex, Sentry, Logtail, Slack, Google Analytics (monitoring, statistics, crash/error logging, team collaboration); Postmark, AWS (email and storage); TaxJar (tax calculation); Cloudflare (optimization, CDN, security); UpCloud (website hosting); Fly.io (application hosting). We may update this list from time to time.
Location of Your Data; International Transfers
Personal Data may be transferred to and stored on servers outside of your jurisdiction, potentially in countries that may not provide the same level of protection as your home country. We take steps to ensure appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions, and comparable measures) are in place.
We will only transfer Personal Data to: (i) countries that the European Commission has deemed to provide an adequate level of protection; and/or (ii) recipients who have executed appropriate data transfer agreements (e.g., EU Standard Contractual Clauses) to provide a high level of protection.
By submitting Personal Data through the Services, and where required by law, you acknowledge and agree to such transfer, storage, and processing.
Cookies
We use both first‑party and third‑party cookies and similar technologies for authentication, session management, analytics, and security. You may opt out of certain cookies using in‑product controls or your browser settings. Some cookies may have identifying features.
Minors / Children
The Services are intended for users 16 years of age or older (or older where required by local law). We do not knowingly collect Personal Data from children under 16. We reserve the right to request proof of age.
If we learn that we have collected Personal Data from a child under 13, we will delete such data as quickly as possible. If you believe a child has provided us Personal Data, please contact [email protected].
Security
We use industry‑standard technical and organizational measures designed to protect the security and integrity of the Services and to prevent unauthorized access or misuse. Nevertheless, transmission over the Internet and electronic storage carry inherent risks, and we cannot guarantee absolute security. We will comply with applicable law in the event of a breach and notify you when required.
To the extent we implement required security measures under applicable law, we are not responsible for unauthorized access, hacking, or other intrusions; nor are we responsible for loss, theft, deletion, corruption, destruction, or damage to data.
Data Retention
We retain Personal Data as long as it is accurate and necessary for the purposes for which it was collected, or as otherwise permitted under law (e.g., resolving disputes, enforcing agreements, compliance). Personal Data no longer required will be deleted or de‑identified unless we have a lawful basis to retain it.
Data Breach Notification
We comply with applicable laws regarding breach notification. In the event of a severe breach, we will notify affected data subjects and coordinate with legal authorities to mitigate risk.
EU‑U.S. Data Privacy Framework (DPF) (If and while certified)
If and while we participate in the EU‑U.S. DPF, the Swiss‑U.S. DPF, and the UK Extension, we will adhere to the applicable Principles. The U.S. Federal Trade Commission has jurisdiction over our DPF compliance. To learn more about the DPF and, where applicable, view our certification, visit the official DPF website. In cases of onward transfers inconsistent with the Principles, we remain liable.
Complaints & Independent Recourse (DPF): If you have an unresolved DPF‑related complaint, we commit to cooperate with JAMS, an independent U.S.‑based dispute resolution provider, at no cost to you. As a last resort and in limited situations, individuals may invoke binding arbitration before the DPF Panel.
Complaints, Disputes & Arbitration (General)
You may contact our data protection officer at [email protected]. Complaints should describe how you believe your data rights were harmed and include relevant evidence. We respond to most complaints within 14 days.
In the event of a dispute, you and we agree to resolve disputes through binding arbitration in Delaware, USA, conducted in English. By entering into the Terms of Use, the parties waive the right to a jury trial or to participate in a class action. Discovery may be limited and any award may be subject to limited judicial review. Applicable law: Delaware, USA.
Mergers, Acquisitions & Transfer of Ownership
If we undergo a merger, acquisition, or transfer of the Services, Personal Data may be transferred to the successor. The then‑current privacy policy will govern use of the data; no change will have retroactive effect without required notice.
Updates to This Privacy Policy
We may amend this Policy at any time. Material changes will be posted prominently within the Services. Your continued use of the Services after changes become effective constitutes acceptance of the updated Policy.
OttoKit Services (Integrations & Automation)
OttoKit allows individuals and organizations to integrate and automate actions between various third‑party applications. To use the Services, you must have accounts with the third‑party applications you connect and complete authentication (typically via OAuth). Authorization tokens/keys are stored securely to facilitate continued use. When you enable integrations, those third‑party applications grant OttoKit access to the information required to execute your configured workflows.
Data we access and process for automation may include content and metadata from the connected third‑party applications. Users and account administrators may delete or export account data. For assistance, contact [email protected].
Sensitive or regulated information (e.g., financial account numbers, PHI/medical records) should not be transmitted through the Services unless explicitly permitted and appropriately protected. OttoKit is not responsible for the independent data practices of third‑party applications.
If you are invited to a team account, certain information may be visible to the account holder and other team members. Integrations and configurations within a team account may be accessible to team members per the organization’s policies.
You are responsible for obtaining necessary consents before collecting, processing, transmitting, or disclosing other parties’ Personal Data via the Services.
For organizational use, administrative account holders control user provisioning and policies. Please direct workplace privacy questions to your administrator. OttoKit is not responsible for the privacy or security practices of your organization.
Upon removal of a connected integration, we promptly and automatically delete the associated authorization credentials from our systems. Task history may be available for a limited retention period (e.g., 30 days) and then deleted automatically.
Integrations with Google & YouTube APIs
Google APIs and OAuth
OttoKit’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy and the Google Privacy Policy, including the Limited Use requirements. If you wish to revoke OttoKit’s access to your Google account, you may do so through your Google security settings page.
Google Workspace APIs: Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.
YouTube Data API
OttoKit provides automation features that integrate with YouTube through the YouTube Data API.
What data we access: When you authorize OttoKit to connect with your YouTube account, we securely access only the data necessary to support the features you enable. This may include video metadata, thumbnails, playlists, channel details, and other content required to execute your workflows. The specific data accessed depends on your selected triggers and actions. We do not collect or store your YouTube login credentials. Access is granted via Google’s secure OAuth 2.0 system, and authorization tokens are encrypted and used solely to execute your workflows.
How we use this data: We use YouTube data only to perform the actions you have explicitly configured (e.g., upload videos, update metadata, detect new uploads, set thumbnails). We do not use this data for advertising, analytics, profiling, or training machine learning models. We do not share YouTube data with third parties except as required to carry out your configured automations.
Revoking access: You may revoke OttoKit’s access to your YouTube account at any time via your Google account permissions page. Once access is revoked, OttoKit immediately loses the ability to access your YouTube account and data.
Data deletion and retention (YouTube): When you disconnect your YouTube account or revoke access: (a) OAuth tokens tied to your YouTube account are automatically deleted; (b) any cached or temporary YouTube data associated with your workflows is purged; (c) we retain only minimal metadata if required for legal, billing, or security compliance. You may also request manual deletion or export of your YouTube‑related data at any time by contacting [email protected]. We retain YouTube data only as long as necessary to provide the Service you requested.
Compliance: OttoKit’s use and transfer of information received from Google & YouTube APIs complies with: (i) the Google API Services User Data Policy (including Limited Use), and (ii) the YouTube Terms of Service. OttoKit does not use data received from Google or YouTube APIs to develop, improve, or train generalized AI or machine learning models.
Security & CASA
- Encryption: All data transmitted between our systems and Google services uses TLS 1.2+; sensitive data at rest (including authorization tokens) uses AES‑256.
- OAuth 2.0: We use Google OAuth 2.0 for authentication; we do not store Google credentials.
- Access Controls: Role‑based access controls (RBAC) restrict access to personal and sensitive data.
- Token Management: Tokens are stored in encrypted environments and used only for actions you authorize; tokens are deleted when access is revoked.
- Data Minimization: We collect only what is necessary to provide the Services; we do not use Google/YouTube data for ads, analytics, or model training.
- Security Monitoring & Auditing: We continuously monitor for unusual activity and conduct regular audits.
- Incident Response: We maintain a breach response plan and will notify affected users when required.
- CASA Compliance: OttoKit participates in Google’s Cloud Application Security Assessment (CASA) for approved apps and adheres to CASA standards to protect Google user data.
Google Analytics APIs
OttoKit provides automation features that integrate with Google Analytics 4 through the Google Analytics Data API and Admin API. This section explains how we access, use, store, and delete Google Analytics-related data.
What Data We Access: When you authorize OttoKit to connect with your Google Analytics account, we access data necessary to support your configured automation workflows. This includes GA4 property metadata, account information, data streams, conversion events, and analytics reports. The specific data accessed depends on the actions you configure within OttoKit. All access is granted through Google’s secure OAuth 2.0 system using the analytics.readonly and analytics.edit scopes. Authorization tokens are encrypted and used solely to execute workflows you have configured.
How We Use This Data: Data accessed from your Google Analytics account is used only to perform the automation actions you have explicitly configured — such as fetching reports, listing properties, listing conversion events, and creating new conversion events in your GA4 property. We do not use this data for advertising, profiling, or training machine learning models. OttoKit does not share Google Analytics data with third parties unless required to carry out your configured automations.
Revoking Access: You may revoke OttoKit’s access to your Google Analytics account at any time by visiting your Google account permissions page. Once revoked, OttoKit will immediately lose the ability to access your account and data.
Data Deletion and Retention: When you disconnect your Google Analytics account or revoke access, OAuth tokens are automatically deleted from our systems and any temporary data associated with your workflows is purged. Users may request manual deletion of their data at any time by contacting [email protected].
Facebook / Restricted Platform Data
OttoKit does not share Restricted Platform Data from Facebook with any third‑party organizations or individuals.
Contact
Questions about this Policy or our data practices? Contact our Data Protection Officer:
Email: [email protected]
Postal: Brainstorm Force US LLC, 2093 Philadelphia Pike #3090, Claymont, DE 19703, United States