Othra is built on a single thesis: your face, your name, and your digital identity belong to you — and only you. This Privacy Policy explains, in plain terms, what data we collect, how we process it, who we share it with, and the rights you have under applicable privacy law. We took extraordinary measures to ensure that the most sensitive data we process — your biometric identity — never leaves your device unencrypted.
The Othra mobile application and the website at othra.ai ("Othra", "we", "us") are operated by:
Hanium LLC
5830 E 2nd St, Ste 7000, PMB 33039
Casper, WY 82609-4308, United States
Email: legal@othra.ai
Hanium LLC is the data controller for the personal data described in this Policy. For the purposes of EU/UK GDPR and the Turkish KVKK, Hanium LLC determines the purposes and means of processing.
This Policy applies to (a) the Othra iOS application, (b) the othra.ai website, and (c) the supporting cloud services that we operate to deliver Othra ("Services"). It does not apply to third-party platforms (Instagram, X, Reddit, TikTok, Telegram, LinkedIn) where you may submit a takedown request — those platforms remain the data controllers for any data you submit through their forms.
| Category | What it includes |
|---|---|
| Account data | Apple ID identifier (a non-reversible token issued by Apple), display name (optional), and the email address you choose to share — including Apple's "Hide My Email" private relay address. |
| Biometric reference | A cryptographic vector representation of your face derived on-device, plus the photos you voluntarily upload to your Face Vault. The raw images of your face from the liveness scan are never transmitted to our servers. |
| Scan data | Images you upload to be analyzed for AI manipulation. Stored encrypted at rest and automatically deleted after 24 hours. |
| Takedown data | The URL of the suspect content, your free-text description, the platform you select, the generated takedown letter, and the response status returned by the platform. |
| Consent settings | Your preferences regarding which AI uses you allow, deny, or restrict — stored as structured boolean flags. |
| Device & usage | Device model, iOS version, app version, locale, time-zone, anonymous diagnostic events. No advertising identifiers (IDFA) are collected. |
Biometric data is processed with extra care because European, U.S., and Turkish law treat it as a special category requiring explicit consent and stronger safeguards.
During the one-time identity verification, the Othra app uses Apple's on-device Vision framework to derive a numerical "embedding" — a sequence of floating-point numbers that uniquely represents your face but cannot be reversed into a photo. This embedding is encrypted with AES-256-GCM using a key bound to your Othra account.
The photo of your face from the verification scan is never uploaded to any server, ever. What we store is a one-way mathematical fingerprint — encrypted — that we use solely to confirm a suspect image matches you.
| Purpose | GDPR / KVKK basis |
|---|---|
| Account creation & authentication: Linking Apple Sign In to your Othra profile. | Performance of contract · Art. 6(1)(b) GDPR |
| Biometric verification: Producing and storing the encrypted embedding. | Explicit consent · Art. 9(2)(a) GDPR / KVKK m. 6 |
| AI manipulation analysis: Sending uploaded scan images to a deepfake detection provider. | Explicit consent & legitimate interest · Art. 6(1)(a),(f) |
| Automated takedown: Generating and delivering legal removal notices. | Performance of contract & legal claims · Art. 6(1)(b), Art. 9(2)(f) |
| Security & fraud prevention | Legitimate interest · Art. 6(1)(f) |
| Product analytics: Aggregated, non-identifying usage telemetry. | Legitimate interest, with opt-out · Art. 6(1)(f) |
We engage trusted third parties to deliver parts of the Service. Each is contractually bound by GDPR-grade data processing agreements. We do not sell or rent personal data.
| Processor | Purpose | Region |
|---|---|---|
| Apple Inc. | Sign In with Apple identity provider; on-device Vision processing; App Store distribution and billing. | United States |
| Supabase | Account database, encrypted file storage, authentication. EU region. | EU (Frankfurt) |
| Hive AI | Deepfake / AI-generation detection on uploaded scan images. Image deleted from Hive within 24 h. | United States |
| Resend | Transactional email delivery for automated takedown notices. | EU / United States |
| Amplitude | Aggregated, non-identifying product analytics. No biometric data sent. | United States (EU residency available) |
When you initiate a takedown, Othra generates a legally framed letter using the locale you selected (one of nine languages and twelve jurisdictional frameworks). For Telegram and Reddit, we deliver the letter on your behalf via Resend; for Instagram, X, TikTok, and LinkedIn, we open the official platform form for you to submit manually.
The data shared with the receiving platform is limited to what their takedown procedure requires: your name (or a pseudonym you choose), the URL of the offending content, your description, and a forensic reference number generated by Othra. The receiving platform becomes an independent data controller for the data you transmit through them.
| Data | Retention period |
|---|---|
| Encrypted biometric embedding | Until you delete your Face Vault entry, your account, or revoke consent. |
| Vault photos | Until you delete them or your account. |
| Scan images uploaded for analysis | Auto-deleted after 24 hours. |
| Takedown record | 5 years (limitation period for legal action) unless you delete your account earlier. |
| Diagnostic / analytics events | 13 months, then aggregated. |
| Account record | Until you delete your account; then 30-day grace period for backups, then permanent erasure. |
Despite these measures, no method of transmission or storage is 100% secure. If we detect a security incident affecting your data, we will notify you and competent authorities within 72 hours where required by GDPR Art. 33–34 or KVKK m. 12.
Hanium LLC is established in the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Türkiye to the United States, we rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and KVKK m. 9 explicit-consent or adequacy mechanisms as applicable. We perform a Transfer Impact Assessment for each new sub-processor.
Subject to applicable law, you have the right to:
To exercise any of these rights, contact our DPO at dpo@othra.ai. We respond within 30 days (extendable by 60 days for complex requests, with prior notice).
If you are a California resident, you also have the right to: know which categories of personal information we collect; opt out of "sale" or "sharing" of personal information (we do neither); limit the use of sensitive personal information (we already limit biometric data to the purposes in this Policy); and be free from retaliation for exercising your rights. Direct any CCPA request to dpo@othra.ai with the subject line "California Privacy Rights".
Othra is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe a child has registered, contact legal@othra.ai and we will delete the account immediately.
The Othra website uses one strictly-necessary cookie for session handling and, with your consent, Google Analytics 4 (operated by Google LLC) for aggregated traffic measurement. We do not use advertising cookies, retargeting pixels, or any third-party trackers beyond what is described below.
Google Analytics 4 helps us understand how visitors discover and use the Othra website — which pages they read, how they arrived, and where they leave. The data is aggregated and statistical; we cannot identify individual visitors through it. We have configured Google Analytics with the following privacy-protective settings:
When you first visit othra.ai, a discreet consent banner appears in the bottom-right corner. You may accept analytics cookies, decline them entirely, or close the banner — closing the banner keeps the regional default in place. Your choice is stored locally in your browser and respected on every subsequent page view. You can change your decision at any time by clearing site data for othra.ai in your browser settings, which will resurface the banner.
Separate from the website, the Othra iOS application uses the Amplitude SDK to record aggregated, non-identifying product events (for example, "scan completed"). You can opt out of in-app analytics at any time via Profile → Notifications & Telemetry. The website's Google Analytics configuration and the app's Amplitude configuration are independent — opting out of one does not opt you out of the other.
| Sub-processor | Purpose | Data category |
|---|---|---|
| Google LLC (Google Analytics 4) | Aggregated traffic measurement on othra.ai | Cookies, anonymized IP, page interaction events |
| Amplitude, Inc. | Product analytics inside the iOS app | Anonymized event identifiers, screen names, app-state events |
| Vercel Inc. | Website hosting and edge delivery | Server logs (IP, request metadata) for security and uptime |
Each sub-processor is bound by a Data Processing Agreement that incorporates the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent safeguards for other regions where applicable.
We may update this Policy to reflect changes in law, technology, or business practice. Material changes will be announced in-app and on this page at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
For any privacy question, request, or complaint:
Hanium LLC — Data Protection
5830 E 2nd St, Ste 7000, PMB 33039
Casper, WY 82609-4308, United States
DPO: dpo@othra.ai
Legal: legal@othra.ai