Safety is our starting point, not a feature. Every system, every policy, every line of code was written with your family in mind.
A note to parents: We are currently finalizing our formal third-party certifications. While the badges are coming, the engineering is already here. We build to a higher standard of care because families deserve more than just “good intentions”—they deserve defensible technology.
We designed and built the HeyOtto environment to align with the most rigorous frameworks for data protection and child safety.
Our data minimization practices ensure we never collect more than is strictly necessary. We do not track behavior for advertising, and we never sell child data.
We honor the Right to be Forgotten and Privacy by Design. Parents have total control with the ability to export or delete their family's history at any time.
Our internal processes are built on the principles of Security, Availability, and Confidentiality. From encrypted data-at-rest to secure system hardening, we maintain enterprise-grade defenses.
Three independent layers of technical protection, working together on every message.
Data at rest and in transit
All conversations are encrypted in transit using TLS 1.2 or higher. At rest, sensitive data is protected using AES-256 encryption. Our database architecture is isolated to prevent cross-tenant data leaks.
Zero-training / Zero-retention APIs
We utilize Zero-Retention and No-Training APIs. Your child's private questions never become part of a public AI's knowledge base. Your child's curiosity remains their own.
Removing identifying info before it hits the AI
We use a secure proxy layer that strips personally identifiable information before it ever reaches a third-party model. This PII Scrubbing layer is a core part of our commitment to child privacy.
Straight answers to the questions every privacy-conscious parent should be asking.
No, HeyOtto is designed to protect your child’s privacy. Our system relies on secure, enterprise-grade AI services that explicitly forbid using customer data for model training. Your child’s interactions stay private.
We follow a "Defense in Depth" strategy. All data is encrypted in transit using TLS 1.2 or higher. At rest, sensitive data is protected using AES-256 encryption. Our database architecture is isolated to prevent cross-tenant data leaks.
We practice "Data Minimization." We only retain conversation history to provide the Parent Dashboard functionality. Parents have the Right to Erasure at any time; if you delete a child profile or your account, all associated conversational data is purged from our active systems in accordance with GDPR and COPPA standards.
While we are in the process of pursuing formal SOC2 Type II certification, we currently perform regular internal security audits, continuous system hardening, and dependency scanning to proactively mitigate emerging threats. Our infrastructure is built on the same secure-system principles used by enterprise-level financial and healthcare platforms.
When we started HeyOtto, we didn't just want to build a better chatbot; we wanted to build a safer digital world for our own families. Having spent our careers in global privacy and cybersecurity, we know that "good intentions" aren't enough when it comes to children's data.
We believe that Security is the foundation of Sovereignty. You cannot have control over your family's values if you don't have control over your family's data. That is why we built HeyOtto to a higher standard of care—engineering for privacy, transparency, and integrity from the very first line of code.
We are committed to being the most transparent AI company in the world. Thank you for trusting us with your child's curiosity.
— Natalie Gibson & The HeyOtto Engineering Team
We collect only what is strictly necessary.
Your child's data is never sold or shared with advertisers.
You maintain complete control over data access and deletion.
We build systems that are defensible and auditable.
We design for full parental transparency.
We align with evolving child privacy and global protection standards.
