Data Protection Officer

Othra processes biometric identity data — the most sensitive category of personal information recognized under EU/UK GDPR, the Turkish KVKK, and California's CCPA/CPRA. Hanium LLC has appointed a dedicated Data Protection Officer to safeguard your rights, supervise our processing activities, and serve as the single point of contact for any privacy matter.

Contact the DPO

The Data Protection Officer can be reached directly. We recommend writing in English, Turkish, or German — though we accept correspondence in any of the languages Othra ships in. Please describe your request clearly and, where possible, include the email address associated with your Othra account so we can verify your identity before disclosing any personal data.

Role & mandate

The Data Protection Officer's role is defined by Article 39 of the EU GDPR and reflected in Othra's internal governance. The DPO operates independently of the product, engineering, and commercial teams and reports directly to the highest level of management.

The DPO's core responsibilities include:

• Informing and advising Hanium LLC and its staff of their obligations under applicable data protection law (GDPR, UK GDPR, CCPA/CPRA, KVKK, LGPD, PIPEDA, APPI).
• Monitoring compliance with this Privacy Policy, the Othra Terms of Service, and our internal data handling standards.
• Reviewing and signing off on Data Protection Impact Assessments (DPIAs) before any new processing of biometric data, takedown evidence, or cross-border transfers begins.
• Cooperating with supervisory authorities and serving as the contact point for the EDPB, the UK ICO, the Turkish KVKK Authority, and the California Privacy Protection Agency.
• Acting as the contact point for users exercising their rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent.
• Investigating complaints and personal data breaches, and managing the 72-hour notification window required under GDPR Article 33.

Scope of responsibility

The DPO oversees all Othra processing activities, including:

• Biometric data — face vectors generated by Apple's on-device Vision framework. These never leave the device unencrypted; the DPO supervises the cryptographic boundary.
• Account & authentication data — emails, hashed passwords, Sign in with Apple identifiers.
• Detection telemetry — Hive AI deepfake-detection results processed under a strict Data Processing Agreement.
• Takedown evidence — URLs, screenshots, and messages you submit through the concierge takedown flow.
• Product analytics — Amplitude usage events, fully anonymized and never linked to biometric identifiers.
• Customer correspondence — support tickets routed through Resend.
• Sub-processors — every third party listed in our Privacy Policy, audited at least annually.

Independence

Under GDPR Article 38(3), the DPO cannot receive instructions regarding the exercise of their tasks and cannot be dismissed or penalized for performing them. Hanium LLC has formalized this independence in writing. The DPO has direct, unfiltered access to senior management and to all processing operations, source code, infrastructure logs, and contracts necessary to perform their duties.

Exercising your rights

You can exercise the following rights at any time by writing to dpo@othra.ai. You do not need to justify your request, and exercising your rights is always free.

• Access — receive a copy of every piece of personal data we hold about you, in a structured, machine-readable format.
• Rectification — correct any inaccurate or incomplete data.
• Erasure ("right to be forgotten") — request deletion of your account, biometric template, and all associated records. Some data may be retained where required by law (for example, takedown receipts kept for evidentiary purposes).
• Restriction — temporarily limit our processing while a question is being resolved.
• Portability — receive your data in JSON and have it transmitted to another controller where technically feasible.
• Objection — object to processing based on legitimate interests, including profiling.
• Withdraw consent — for any processing that relies on consent, withdraw it without affecting prior lawful processing.
• Lodge a complaint — with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
• CCPA / CPRA rights — if you are a California resident, you may also request that we do not sell or share your personal information. Othra does not sell personal information.

Response times

The DPO acknowledges every request within seventy-two hours and provides a substantive response within thirty days, in line with GDPR Article 12. Where a request is particularly complex or where you have submitted a high volume of requests, the period may be extended by a further two months — in which case we will explain the reason for the extension inside the initial thirty-day window.

Supervisory authorities

You have the right to lodge a complaint with a supervisory authority if you believe Othra has handled your personal data unlawfully. We will cooperate fully. Selected authorities for the regions Othra operates in:

• European Union — your local Data Protection Authority. A directory is maintained by the European Data Protection Board at edpb.europa.eu.
• United Kingdom — Information Commissioner's Office (ICO), ico.org.uk.
• Türkiye — Kişisel Verileri Koruma Kurumu (KVKK), kvkk.gov.tr.
• California — California Privacy Protection Agency (CPPA), cppa.ca.gov.
• Switzerland — Federal Data Protection and Information Commissioner (FDPIC), edoeb.admin.ch.
• Japan — Personal Information Protection Commission (PPC), ppc.go.jp/en.

EU / UK representative

Hanium LLC is incorporated in Wyoming, United States. For users in the European Union and the United Kingdom, we will appoint an Article 27 representative as soon as our user base in those territories crosses the threshold that triggers the obligation. Until then, all enquiries from EU and UK data subjects can be addressed directly to the DPO at dpo@othra.ai — we will treat your request with the same priority as if it were submitted to a local representative.