Get Otii Ltd - Privacy Policy
How Get Otii Ltd collects, uses, and protects your personal data
Version: 1.1
Reference: OTII-PRV-007
Last Updated: 16 March 2026
ICO Registration: ZC096557 (Get Otii Ltd)
Registered Address: 144 Great Portland Street, London, W1W 6QT
Next Review: March 2027
This notice is written for nursery managers, practitioners, and other users of the Otii platform and website (get-otii.com). If you are a nursery provider uploading data on behalf of your setting, please also refer to our Data Processing Agreement.
1. Who We Are
Get Otii Ltd is a company registered in England and Wales, Company No. 16496040, trading as Get Otii. Our registered address is 144 Great Portland Street, London, W1W 6QT.
We are registered with the Information Commissioner's Office (ICO) under reference ZC096557.
We provide Otii — an AI-powered compliance and inspection-readiness platform for early years providers, aligned to the Ofsted Inspection Toolkit (September 2025) and the EYFS 2024 statutory framework.
Data Protection Lead: Maggie Bolger, CEO | privacy@get-otii.com
General enquiries: hello@get-otii.com
2. What Data We Collect
2.1 Website Visitors (get-otii.com)
When you visit our website we may collect:
Name and email address, if you complete a contact or early access form
Technical data: IP address, browser type, device type, pages visited, time on site
Cookie data — see Section 11 and our separate Cookie Policy for full detail
This data is collected via Squarespace (our website platform) and Copper CRM (our sales pipeline tool).
2.2 Otii Platform Users
When you register for or use the Otii platform, we collect:
Contact details: name, email address, job role, phone number
Account information: login credentials (passwords are hashed — never stored in plain text)
Employment-related records: training logs, CPD records, supervision notes, policy sign-offs
Compliance and evidence: documents, risk assessments, audit logs, inspection-readiness records
Usage data: platform interactions, feature usage, session activity
AI interaction logs: prompts submitted to the Otii AI assistant (retained for up to 30 days by our AI provider — see Section 6)
2.3 Children's Data
Otii is not intended for direct use by children and does not collect children's data directly. Where nursery providers upload records that reference children (for example, welfare check logs, safeguarding notes, or SEND records), the provider is the Data Controller for that data. Get Otii Ltd acts as a Data Processor only, handling that data solely on the provider's instructions.
Important: If your setting uploads any data relating to an identifiable child, you must ensure you have a lawful basis under UK GDPR Article 6 and, where applicable, Article 9(2) for that processing. Get Otii Ltd does not determine the lawful basis for data your setting uploads.
3. How We Use Your Data
| Purpose | Lawful Basis |
|---|---|
| Providing and maintaining access to the Otii platform | Contract (Article 6(1)(b)) |
| Processing your subscription and payments | Contract (Article 6(1)(b)) |
| Responding to support requests and enquiries | Contract / Legitimate Interests (Article 6(1)(f)) |
| Sending service updates, product news, and inspection guidance | Legitimate Interests (Article 6(1)(f)) |
| Sending marketing communications (newsletters, event invites) | Consent (Article 6(1)(a)) – opt-in only |
| Improving the platform through aggregated, anonymised usage analytics | Legitimate Interests (Article 6(1)(f)) |
| Detecting and preventing fraud, misuse, and security incidents | Legitimate Interests (Article 6(1)(f)) |
| Complying with legal, regulatory, or safeguarding obligations | Legal Obligation (Article 6(1)(c)) |
| AI-assisted compliance prompts and guidance (advisory only) | Contract / Legitimate Interests (Article 6(1)(b)/(f)) |
We do not make solely automated decisions that have legal or similarly significant effects on you. All AI outputs are advisory and require human review before any decision is taken, in line with UK GDPR Article 22.
4. Who We Share Data With
We do not sell your personal data. We may share data with the following categories of recipients:
Service providers who process data on our behalf (see Section 6 — Sub-processors)
Regulators or law enforcement where required by law or to protect the safety of children
Professional advisors (legal, financial) under confidentiality obligations
Business successors in the event of a merger, acquisition, or restructure — you will be notified
All third-party providers are contractually required to process data only on our instructions and to maintain appropriate security measures.
5. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account and contact data | Duration of subscription + 7 years (statutory accounting) |
| Platform compliance records | Up to 3 years post-account closure, unless deleted by Controller |
| Staff training and supervision logs | 3 years after record creation or employment end |
| Safeguarding / welfare records (uploaded by settings) | Controller-defined; default 3 years |
| Usage and audit logs | 24 months rolling |
| AI interaction logs (Anthropic API) | Up to 30 days (Anthropic's platform default) |
| Marketing contact data | Until you unsubscribe or withdraw consent |
| Billing and payment records | 7 years (statutory requirement) |
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Vercel Inc. | Frontend hosting and content delivery | EU/UK edge nodes | UK IDTA Standard Contractual Clauses |
| Render Inc. | Backend hosting and managed database | EU region (confirmed) | UK IDTA Standard Contractual Clauses |
| Anthropic (Claude API) | AI query processing and compliance prompts | USA | UK IDTA SCCs; no training on customer data; logs up to 30 days |
| Stripe Payments UK Ltd | Subscription payment processing | UK / EEA | FCA-regulated; PCI-DSS Level 1; UK adequacy applies |
| Squarespace Inc. | Website hosting and lead capture forms | USA | UK IDTA Standard Contractual Clauses |
| Copper CRM | Sales pipeline and prospect contact management | USA | UK IDTA Standard Contractual Clauses; GDPR Article 32 compliant |
| Google Workspace | Internal team communications (not customer data) | UK / EEA | Google Workspace DPA; UK Addendum SCCs |
| Mailchimp (Intuit) | Newsletter and marketing email delivery | USA | UK IDTA Standard Contractual Clauses |
Where you are a Data Controller uploading staff or setting data, your statutory obligations (EYFS 2024, KCSIE 2024) may require longer retention periods. Those obligations remain yours — Otii will not delete data before you instruct us to.
6. Sub-Processors and International Transfers
To deliver the Otii platform, we use the following third-party data processors. Where data is transferred outside the UK, we use appropriate safeguards as listed below.
AI processing note: The Otii AI assistant is powered by the Claude API (Anthropic). Under our commercial agreement with Anthropic, data submitted via the API is not used to train their models. API interaction logs are retained by Anthropic for up to 30 days for security and reliability purposes only, then deleted. Our AI processes only site-specific compliance content — it cannot access child records held in your nursery management system.
7. Data Security
All data in transit is protected by TLS 1.3 encryption
All data at rest is protected by AES-256 infrastructure-level encryption (Render and Vercel/Cloudflare R2)
Application-level field encryption is applied to sensitive children's data fields specifically
Role-Based Access Control (RBAC) ensures users only access data relevant to their role
Multi-Factor Authentication (MFA) is required for all manager and HQ-level roles
Passwords are hashed — never stored in plain text
Full audit logs of all data access, uploads, edits, and deletions are maintained
Annual penetration testing by a CREST-accredited provider — on roadmap for Q3 2026
We will notify you and, where required, the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in risk to your rights and freedoms.
8. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Request deletion of your data where there is no compelling reason for us to keep it |
| Restriction | Ask us to pause processing of your data in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests or for direct marketing |
| Withdraw consent | Where processing is based on consent, you can withdraw it at any time |
| Automated decisions | Request human review of any automated decision that significantly affects you |
To exercise any of these rights, email: privacy@get-otii.com. We will respond within 30 calendar days. There is no charge for reasonable requests.
If you are unhappy with how we have handled your data, you have the right to complain to the ICO at ico.org.uk or by calling 0303 123 1113. We would always prefer to resolve concerns directly — please contact us first.
9. Children's Use of the Platform
The Otii platform is designed for use by professionals aged 18 and over. It is not directed at children and we do not knowingly collect personal data from children. The ICO's Age Appropriate Design Code (Children's Code) informs our approach to any data that may indirectly relate to children through nursery provider uploads.
10. Links to Other Websites
Our website and platform may contain links to third-party websites, including Ofsted, the DfE, and sector resources. We are not responsible for the privacy practices of those sites and recommend you read their privacy notices separately.
11. Cookies
Our website uses cookies. Please see our separate Cookie Policy (get-otii.com/cookies) for full detail on what we set, why, and how to manage your preferences.
In summary: we use strictly necessary cookies to make the site function, and analytics cookies to understand how visitors use our site. Analytics cookies are only set with your consent via our cookie banner. We do not use advertising or tracking cookies.
12. Updates to This Notice
We may update this Privacy Notice when our services change, when legislation updates, or following regulatory guidance from the ICO. When we make material changes, we will notify platform users by email and update the 'Last Updated' date on this page. We recommend reviewing this notice periodically.
Last updated: 16 March 2026 | Version 1.1
Previous version: 20 September 2025 (v1.0 — superseded)
Get Otii Ltd | Company No. 16496040 | ICO Ref: ZC096557 | privacy@get-otii.com | get-otii.com/privacy