Privacy Policy

Effective Date: 05/09/2025

Introduction & Organisational Info

We, at Otem, are dedicated to serving our customers and contacts to the best of our abilities. Part of our commitment involves the responsible management of personal information collected through our website otem.co.uk, and any related interactions. Our primary goals in processing this information include enhancing the user experience on our platform, providing timely support, and improving our products and services.

We process personal information with the utmost respect for privacy and security, adhering to all relevant regulations and guidelines. Our practices are designed to safeguard the confidentiality and integrity of your personal information while enabling us to deliver the products and services you trust us with.

We have a designated point of contact for all data protection matters. If you have any questions or require further information about how we manage personal information, please feel free to contact us at privacy@otem.co.uk.

Your privacy is our priority. We are committed to processing your personal information transparently and with your safety in mind. This commitment extends to our collaboration with third-party services that may process personal information on our behalf. All activities are conducted in strict compliance with applicable privacy laws.

Scope and Application

This policy applies to all visitors, registered users, and customers of our website otem.co.uk and our services. It outlines our practices and your rights concerning the collection, use, and protection of your personal information, ensuring it is processed with the highest standards of privacy and security.

Data Collection and Processing

We use cookies to deliver and improve our services, analyse site usage, customise your experience, and market our services to you. We use Cookiebot, a Consent Management Platform (CMP), to manage your cookie preferences and to obtain and document your consent. Upon your first visit, our website will present you with a cookie consent banner, where you can accept, reject, or customise your preferences. You can update or withdraw your consent at any time by using the privacy trigger, which is a small icon on our website, or by visiting our Cookie Policy page.

Our commitment to transparency and data protection extends to how we collect and use your personal information. We gather personal data through various interactions, including when you use our services or products such as tutoring, online teaching, AI support, scheduling, and booking.

We use Google OAuth 2.0 to authenticate users accessing our conversational AI assistant.

When you authenticate:

What we collect:

- Your Google Account email address

- Your basic profile information (name, profile picture)

- OAuth access tokens for Dialogflow CX API access

How we use it:

- To verify your identity as an authenticated member

- To enable your interactions with our Dialogflow conversational agent

- To maintain your conversation sessions

- To prevent unauthorized access to our AI assistant

What we DON'T do:

- We do not access your other Google services or data

- We do not store your Google password

- We only use the OAuth token to communicate with our Dialogflow agent

- We do not share your information with third parties

Data Storage:

- OAuth tokens are stored securely and expire after [timeframe]

- Conversation data is stored in accordance with Google's data retention policies

- You can revoke access at any time through your Google Account settings

Third-Party Services:

- We use Google Dialogflow CX for our conversational AI functionality

- We use Outseta for membership authentication

- We use Webflow for website hosting

We do not knowingly collect personal data from individuals under 16 years of age without verifiable parental consent. If we discover that we have inadvertently collected such data, we will delete it promptly. For any of our services that require verifiable parental consent, such as AI-based products, a parent or legal guardian is responsible for creating any accounts and providing explicit consent. They must also register, maintain bookings, and make payments on behalf of the minor, as well as ensure appropriate supervision.

The following list details the types of personal information we may process:

  • First and Last Name
  • Email address and/or Phone number
  • Address and City
  • Payment Information
  • Purchase history
  • Interaction logs (e.g., time spent on pages)
  • Details about your service usage and preferences

Please note that we only process information that is essential for delivering our services, complying with legal obligations, our legitimate interests, or enhancing your user experience.

Our Use of Third-Party Integrations

We integrate with trusted third-party service providers to offer a seamless user experience. We share personal information with these providers only as necessary to provide the services you have requested, and all data sharing is covered by Data Processing Agreements (DPAs) and other appropriate safeguards.

Calendly (for Scheduling and Bookings)

We use Calendly to manage our booking and scheduling services. When you use our embedded Calendly form, the following personal data is collected:

  • Data Processed: Name, email address, phone number, educational information, session requirements, and booking preferences.
  • Legal Basis: Contract. This processing is necessary to fulfill our service agreement with you by confirming and managing your booking.

Zoom & Google Meet (for Online Tutoring Sessions)

As part of our service, we use Zoom and Google Meet to facilitate online tutoring sessions.

  • Data Processed: We share your name and email address with Zoom or Google Meet to create and manage the meeting invitation.
  • Session Data: We may process and retain transcripts and notes from your sessions, including diagrams and formulas, to improve the quality of our services. These are processed under our Legitimate Interests to enhance and develop our teaching content. We will only record a session with your explicit consent, which you can withdraw at any time.
  • Legal Basis: Contract (for sharing data to create the meeting) and Legitimate Interests (for processing notes and transcripts).

Planned Payment Processing Provider Integrations (Stripe & PayPal)

In the future, we plan to integrate payment processing services (Stripe and PayPal) into our Calendly booking flow. When this is active, we will process your payment information to securely complete your transactions. The legal basis for this processing will be Contract. We will update this privacy policy with specific details on the data shared with these third-party payment processing providers at that time.

Tutor Registration

Direct Collection (Tutor registration via Website Form)

  • Data Processed: Name, email address, contact number, subject specialism, preferred level of teaching, and additional user-provided information.
  • Legal Basis: Contract and Legitimate Interests. This data is essential for taking the necessary steps to enter into a contract with you as a tutor. We also have a legitimate interest in collecting this information to assess your suitability for the role and to match you with appropriate students.
  • Enhanced DBS Certificate: We process information about your Enhanced DBS Certificate status to comply with our Legal Obligation to protect minors in educational settings. It is also in our Legitimate Interests to verify the backgrounds of our tutors to ensure the safety of our students and their families.

AI Tutor Learning Companion Service

  • Purpose: To provide AI support and learning resources, Otem AI operates the Sigma conversational agent to support learning and educational interactions.
  • Data Processed: Email address, role identification, educational level, and interest registration. Processing is necessary for the purposes of the legitimate interests pursued by Otem AI in providing, maintaining, and improving the contracted educational service, specifically our AI Conversational Agent Sigma.
  • Legal Basis: Legitimate Interests. Our legitimate interest is to ensure access is authorised by individuals who register and authenticate using Google OAuth 2.0, allowing the necessary checks for Google to enable and provision authenticated access to the Otem AI Conversational Agent Sigma for genuine use.
  • Purpose Limitation: Conversation history is collected exclusively for the purpose of auditing, measuring, and enhancing the functional performance, accuracy, and educational relevance of the Sigma agent. No data collected through end-user conversations shall be used for general advertising, sales, or to train any large, foundational, or public-facing generative AI models.
  • Deployment: We will process conversation history with the AI to improve our agent and provide personalised responses. We will use Google's AI services to operate this feature, and your chat history will be retained for a limited period (e.g., up to 90 days) to improve the service, which is also based on our legitimate interests. Your data privacy rights are not affected.
  • Data Minimisation and Confidentiality
    • Data Minimisation: The Sigma agent is designed to operate without the need for Personally Identifiable Information (PII). To uphold this, Otem AI has implemented a mandatory Data Loss Prevention (DLP) process leveraging Google Cloud Sensitive Data Protection.
    • Automatic Redaction: This process automatically inspects all end-user conversational input for PII (including, but not limited to, names, phone numbers, email addresses, and certain sensitive UK/EU identifiers). Any PII detected is instantly and automatically redacted and anonymised at the source before being written to permanent storage logs. Logs will, therefore, only contain conversation transcripts purged of personal identifiers.
    • Data Residency: All conversation history, redacted logs, and agent configuration data are stored at rest within the Google Cloud Platform region europe-west2 (London, UK), ensuring data residency within the European geographical area.
  • Storage Limitation and Accountability
    • Storage Period: Conversation history is retained only for the duration necessary to satisfy the stated purpose (agent improvement and auditing). The retention period is strictly defined via the agent's Security Settings (Retention Window) and is subject to regular, automatic deletion.
    • Underlying AI Models: The generative AI capabilities of the Sigma agent utilise the Gemini model. Conversation data generated by end-users is not used by Google to train or improve the underlying large language model (LLM). Our use of the LLM is strictly for inference, guided by our proprietary Generative AI Education Rules to maintain educational context, accuracy, and safety.
    • Data Subject Rights: All data subject rights under UK GDPR are fully maintained and can be exercised via the contact details provided in this Privacy Policy.

Data Storage and International Transfers

Data Storage: Personal information is stored on secure servers located in the GB, EU, and US.

International Transfers: When we transfer your personal data to countries outside of the UK and EU, we do so using a legally compliant transfer mechanism. For transfers to the US, we rely on Standard Contractual Clauses (SCCs), which are legally binding agreements that require the recipient to adhere to GDPR-level data protection standards. We ensure all data transfers are protected by robust technical and organisational safeguards.

User Rights and Choices

At Otem, we recognise and respect your rights regarding your personal information, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We are committed to ensuring you can exercise your rights effectively.

Below is an overview of your rights and how you can exercise them:

  • Right of Access (Article 15 GDPR): You have the right to request access to the personal information we hold about you and to obtain information about how we process it.
  • Right to Rectification (Article 16 GDPR): If you believe that any personal information we hold about you is incorrect or incomplete, you have the right to request its correction or completion.
  • Right to Erasure (‘Right to be Forgotten’) (Article 17 GDPR): You have the right to request the deletion of your personal information when it is no longer necessary for the purposes for which it was collected, among other circumstances.
  • Right to Restriction of Processing (Article 18 GDPR): You have the right to request that we restrict the processing of your personal information under certain conditions.
  • Right to Data Portability (Article 20 GDPR): You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit those data to another controller.
  • Right to Object (Article 21 GDPR): You have the right to object to the processing of your personal information, under certain conditions, including processing for direct marketing.
  • Right to Withdraw Consent (Article 7(3) GDPR): Where the processing of your personal information is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right to Lodge a Complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable data protection laws.

To exercise any of these rights, please contact us at privacy@otem.co.uk. We will respond to your request in accordance with applicable data protection laws and within the timeframes stipulated by those laws.

Direct Marketing and Communications

At Otem, we may use your personal information to send you direct marketing communications about our products, services, promotions, and other relevant information that we believe may be of interest to you. We are committed to ensuring that our direct marketing practices are transparent, lawful, and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

  • Obtaining Consent: We will only send you marketing communications if you have given us clear consent. Every direct marketing communication we send will include clear instructions on how to unsubscribe or opt-out. You can exercise your right to opt-out at any time, and we will promptly honor your request.
  • Managing Your Preferences: You have control over the direct marketing communications you receive. You can manage your communication preferences by using the unsubscribe link provided in our marketing emails or text messages.

Data Breach Notification Procedures

At Otem, we understand the importance of protecting your personal information and take proactive measures to safeguard it. In the event of a data breach that poses a risk to your privacy rights and freedoms, we have established clear procedures for promptly identifying, assessing, and mitigating the impact of the breach. Our data breach notification procedures are designed to comply with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR).

  • Notification Obligations: If required by law, we will notify the relevant data protection authorities of the data breach within 72 hours. If a data breach poses a significant risk to your privacy rights and freedoms, we will notify you without undue delay.
  • Point of Contact: If you have any questions or concerns about a data breach or believe you may have been affected, please contact us immediately at privacy@otem.co.uk.

Policy Updates and Changes

We may update this privacy policy from time to time to reflect changes in legal requirements, industry standards, or our business operations. In the event of significant changes, we will provide notice through prominent means, such as email, website notifications, or other appropriate channels. We will also indicate the effective date of the updated policy at the top of the document.

Contact Us

If you have any questions or concerns about our privacy policy or any updates to it, please do not hesitate to contact us at privacy@otem.co.uk. We are here to address any inquiries you may have and to ensure that you feel confident about how your personal information is handled.