Privacy Policy

Last updated February 1, 2026

This Privacy Policy explains what information Startup Otter collects, how we use it, who we share it with, and the choices you have. It applies to everything on the Startup Otter platform — website, dashboard, and APIs.

1. Information you provide directly

Account: first/last name, email, password (stored as a bcrypt hash — never plaintext), preferred first name, date of birth, phone country code and number, timezone, country, mailing address, notification and email-digest preferences.

Personal Profile: handle, slug, display name, pronouns, headline, background (rich text), headshot, cover photo, location, industries, classifications, skills/interests, affiliations, intro video, social links.

Business / Capital Profiles you create: name, handle, slug, logo, cover, headline, about, what-you're-solving, who-you're-a-fit-for (capital), founded year, location and addresses, contact, company size, stage, industries, financials (revenue status, amount raised, ARR), social links, team roles, capital type, check size, investment focus.

Events & Resources: title, slug, summary, description (rich text), cover, category, format, dates, location/venue, topics, industries, organizer, registration URL, downloadable files (up to 3 per item, 0.25 GB each), and Author/Contributor for resources.

Communications & Interactions: questions you ask or answer, chatter posts you author, comments you write, reactions you place, bookmarks and seashell ratings, files you upload (including pitch decks to capital profiles), inquiry messages, direct messages between members, content reports you submit, internal notes admins/moderators add about reports.

2. Information collected automatically

Sessions: a secure HTTP-only session cookie (named "so_session"), session expiry, IP address at sign-in, browser user-agent.

Activity: profile view counts (we record who viewed which profile and when, to power analytics dashboards), event "Interested" clicks, license-key issuance/redemption/disable/reissue audit logs, admin moderation actions, and the read/unread state of notifications and messages.

Telemetry: basic logs (latency, error counts) used to keep the platform reliable.

3. Information from third parties

Google Sign-In: when you sign in with Google we receive your name, email, and a Google session identifier from Google's identity service. We do NOT pull your Google profile picture, and we do not pull avatars from Microsoft or Apple either — your platform avatar comes from the headshot you upload on your Personal Profile.

Geocoding: when you add a location to a profile, event, or resource, we send the address text to a geocoding service (Google Maps when an API key is configured, otherwise OpenStreetMap) to get latitude and longitude so the location can be searched by distance.

4. How we use your information

To operate the platform — render profiles, deliver Chatter, send messages, run search and the Cmd+K command palette, the @mentions inbox ("Noted"), notifications, real-time updates, geo-radius and region filters, ratings, comments, and the activity feed.

To deliver tier-gated features — your tier (encoded in your license key) determines which features you can access (e.g., capital financials, pitch-deck submission, increased inquiries).

To support moderation — to investigate reports, hide or remove content, and message authors when needed.

To send transactional and digest email — sign-up confirmations, password resets, notifications, and (optionally) weekly digests.

To improve the product — diagnose errors, measure performance, and decide what to build next.

5. Who can see what

Public surfaces: a published profile's display name, handle, slug, headline, location (city/state/country), cover photo, headshot or logo, about/solving/good-fit, industries/classifications, intro video, social links, founded year, company size, stage, capital type, check size and investment focus (capital), and any events or resources you've published are visible to everyone on the internet.

Member-only surfaces: full profile detail (including financials when entitled), the Chatter feed, comments, reactions, questions and answers, the directory's geo-radius and certain advanced filters, messaging, and the activity feed are visible only to signed-in members.

Other members: people you've connected with see your full member profile and can message you; admins of a business/capital profile you own can edit the profile but can't publish it, change its handle, or delete it.

Reports: when you flag content, the report and your reporter ID are visible to admins and moderators (not to the author).

Admins: see the full admin console — users & tiers, content moderation, audit log, reference data, pricing, license keys, handle registry, and a per-user detail view with activity log, internal notes, and billing ledger.

6. Sharing with third parties

We share data only when needed to run the service: with our cloud object storage provider (Emergent) to host files, images, and videos; with the geocoding provider (see §3); with the email delivery provider when transactional emails are enabled (MailerSend / MailerLite or Postmark depending on configuration); and with legal, safety, or government authorities when required by law. We do not sell your personal information. We do not run ad networks on Startup Otter.

7. Cookies & local storage

We use one essential cookie ("so_session") to keep you signed in. The cookie is HTTP-only, Secure, and SameSite=None so it works across the dashboard and public site. We may use localStorage to remember UI preferences (e.g., draft chat docks, view toggles).

8. Email & notifications

We send transactional emails (password reset, account events, content notifications) and, if enabled, periodic email digests. You can adjust notification toggles per category and digest frequency in Account Settings. Critical security and account emails (e.g., password reset) cannot be turned off.

9. Data retention

Account, profile, and content data are retained while your account is active. When you delete your account, your Personal Profile, sessions, and license key are removed; your Business and Capital profiles, events, and resources are soft-deleted (hidden from the public, slugs released) and remain in the database for an audit and recovery window before permanent deletion. Moderation reports and admin notes are retained for accountability. Audit logs (license-key history, admin actions, moderation history) are retained indefinitely.

10. Security

Passwords are bcrypt-hashed and never stored or logged in plaintext. Files are served from a signed, unguessable storage path. We rate-limit account-recovery flows and lock out accounts after repeated failed login attempts. No system is 100% secure — if you believe your account has been compromised, change your password and email hello@startupotter.com.

11. Children

Startup Otter is not directed to children under 16. We do not knowingly collect personal information from anyone under 16; if you believe we have, email us and we will delete it.

12. International users

Startup Otter is hosted in the United States. If you use the platform from outside the US, you consent to your information being processed in the US.

13. Your choices & rights

You can: edit or delete your Personal Profile, Business profiles, Capital profiles, events, and resources from your dashboard; change your handle (subject to availability); change your URL slug; adjust notification and digest preferences; download a copy of your data by emailing hello@startupotter.com; and delete your account at any time. Depending on where you live (e.g., EU/UK/California) you may have additional rights to access, correct, port, or erase your data and to object to certain processing — exercise these by emailing hello@startupotter.com.

14. Changes to this Policy

We may update this Privacy Policy. Material changes will be announced in-app or by email and the "Last updated" date above will change.

15. Contact

Questions, requests, or complaints about this Policy: hello@startupotter.com.