Privacy Policy

Oteria is operated by Graybridge Labs (“we”, “us”, “our”). We provide an AI-powered scene partner for actors. This policy explains what data we collect, how we use it, and your rights.

Privacy notices can be sent to privacy@oteria.app.

We operate in the United States, United Kingdom, and European Union. Depending on where you are located, different data protection laws may apply (see Section 10).

Account data

When you sign in via Google OAuth, we receive and store your name and email address. We do not store passwords. We assign an internal user ID to your account.

Scripts and scenes

Scripts you paste, upload, or photograph are stored on our servers (hosted on Turso), scoped to your account. Scene settings — character assignments, voice selections, mode preferences — are stored alongside each scene.

Audio

AI-generated audio (text-to-speech output) is cached locally in your browser using IndexedDB. Audio files are not uploaded to our servers. They remain on your device until you clear your browser data.

Microphone input

Oteria uses the Web Speech API for microphone input. Depending on your browser and operating system, speech recognition may be handled by the browser or its speech recognition provider. Oteria does not record or store your microphone audio; we only receive the recognition result needed to match your spoken line to the script.

BYOK keys

If you connect your own ElevenLabs API key, it is encrypted at rest using AES-256-GCM (or equivalent) with a server-side encryption secret. Your key is decrypted only at the moment of a voice generation request and is never logged, exposed to the client after submission, or shared with third parties.

Usage data

We may collect anonymised, aggregated usage metrics — such as feature usage frequency and session duration — to improve the Service. This data cannot identify you personally.

Payment data

Where paid plans are available, payments are processed by our payment provider. We do not store your full credit card number. We may receive and store limited billing information (e.g., last four digits, expiry date, billing country) for record-keeping.

• We do not record or store your microphone audio.
• We do not read, scan, or analyze your scripts for any purpose beyond providing the Service.
• We do not use your content to train AI models.
• We do not sell your data to third parties.
• We do not track you across other websites.

We use the data we collect to:

• Provide and maintain the Service — parsing scripts, generating speech, matching spoken lines, storing scenes.
• Authenticate your identity via Google OAuth.
• Process payments and manage subscriptions where paid plans are available.
• Enforce usage caps and prevent trial abuse.
• Communicate with you about your account, service updates, or support requests.
• Improve the Service using anonymised, aggregated usage data.
• Comply with legal obligations.

We use the following third-party services to operate Oteria. Your data is shared with them only as necessary to provide the Service:

When you use BYOK, voice generation requests go directly to your own ElevenLabs account. We act as a conduit — the text is sent to ElevenLabs on your behalf using your key. Your usage is governed by your ElevenLabs plan, limits, and terms.

• Account data: retained while your account is active. Deleted on account deletion.
• Scripts and scenes: retained while your account is active. Deleted on account deletion.
• Audio cache: stored in your browser only. We cannot delete it — clear your browser data to remove it.
• BYOK keys: deleted immediately when you disconnect your key or when your account is deleted.
• Waitlist emails: retained until you request removal or we complete the early access programme.
• Usage metrics: retained in anonymised, aggregated form indefinitely.

We implement appropriate technical and organisational measures to protect your data:

• All connections use HTTPS/TLS encryption in transit.
• BYOK API keys are encrypted at rest using AES-256-GCM (or equivalent).
• Database access is restricted to authenticated server-side code only.
• Authentication is handled by Google OAuth — we never see or store your Google password.
• Generated audio files are cached locally and are not uploaded back to our servers.

No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant authorities as required by applicable law.

We use essential cookies only — specifically, a session cookie for authentication. We do not use advertising cookies, tracking pixels, or cross-site trackers.

We may collect anonymised analytics data to understand how the Service is used. This data is aggregated and cannot identify you.

Oteria is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.

Depending on your location, you may have the following rights under applicable data protection law (including GDPR, UK GDPR, and CCPA):

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate data.
• Deletion: request deletion of your account and associated data.
• Portability: request your data in a standard, machine-readable format.
• Restriction: request that we limit how we process your data.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

For EU and UK users

Our legal basis for processing your data is: (a) performance of a contract (providing the Service), (b) legitimate interests (improving the Service, preventing abuse), and (c) your consent (where applicable). You have the right to lodge a complaint with your local data protection authority.

For California users

Under the CCPA, you have the right to know what personal information we collect and how we use it, to request deletion, and to opt out of the sale of personal information. We do not sell your personal information.

To exercise any of these rights, contact us at privacy@oteria.app. We will respond within 30 days (or as required by applicable law).

Your data may be processed in countries other than your own, including the United States. Where we transfer data outside the UK or EU, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions to ensure your data is protected.

We may update this policy from time to time. Material changes will be communicated via the Service or email. The “Last updated” date at the top reflects the most recent revision.

For privacy-related questions or to exercise your data rights:

privacy@oteria.app

For support questions, contact support@oteria.app. We usually respond within a few working days.