Security

1. Data Flow Architecture

Ooty processes requests server-side. When you use the Service through your AI assistant, your assistant sends requests to Ooty's servers, which connect to third-party platforms (such as Google Search Console, YouTube, or Amazon) on your behalf and return the results to your AI client.

Response data passes through Ooty's infrastructure transiently -- it exists in memory only for the duration of the request and is discarded immediately after delivery. No platform response data is written to disk, retained in logs, or used for any other purpose.

Session metadata used for rate limiting and connection management expires automatically within 30 minutes. Rate limiting metadata (request counts and timestamps, not content) is retained for service reliability.

API credentials (OAuth tokens) are stored encrypted server-side in our database. They are encrypted at rest and protected by row-level security policies. Server-side storage enables connections to persist across devices.

Account information stored on our servers comprises your email address, licence details, and encrypted OAuth tokens. We use Supabase for encrypted storage of account data.

2. Encryption

• Data in transit: All communication between your AI client, Ooty's servers, and third-party platform APIs uses HTTPS (TLS 1.2+).
• Passwords: Passwords are hashed using bcrypt before storage. Passwords are never stored or transmitted in plain text.
• OAuth tokens: When you connect a platform via OAuth, access tokens are encrypted at rest and protected by row-level security policies.
• Database: Account data is encrypted at rest. Row-level security policies ensure that each user can only access their own records.

3. Read-Only Platform Access

Ooty accesses connected platforms in read-only mode. The Service does not post, publish, modify, or delete content on your behalf unless you explicitly initiate the action (for example, URL indexing submissions via Ooty Octopus). All OAuth connections request the minimum required permissions.

You may revoke Ooty's access to any connected platform at any time through that platform's settings or from your Ooty dashboard.

4. Data Visibility

5. Account Cancellation and Data Deletion

Upon cancellation of your subscription:

• Your access continues until the end of the current billing period.
• After the billing period expires, your access to the Service is deactivated.
• Account data (email address, licence records) is retained for up to 30 days and deleted upon request.
• OAuth connections are revoked and encrypted tokens are deleted from our servers.

To cancel, use the billing portal link in your subscription confirmation email, or contact Click to reveal email.

6. Passkey Authentication

Ooty supports passkey authentication, a phishing-resistant login method using device-based biometrics (Face ID, Touch ID, or Windows Hello). Passkeys are cryptographic credentials that remain on your device and are not transmitted to our servers.

7. Reporting Security Concerns

To report a security vulnerability or raise a security concern, contact Click to reveal email. We shall acknowledge all reports within one business day.