Ottly | On-Demand Freelance Experts in 5 Minutes

Privacy Policy

Ottly
Navigation
Find ProfessionalsSpecialtiesWork with usBenefits
Get 180€
Invite and earn rewards
Language & Currency
Log in

Privacy Policy

Updated: February 23, 2026

1. Data Controller

In compliance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 (LOPDGDD), we inform you that the data controller for your personal data is:

  • Company Name: Ottly Platform
  • Registered Office: Madrid, Spain
  • Website: ottly.io
  • Privacy Contact: privacy@ottly.io

2. Data We Collect

We collect different categories of data depending on your user profile and interaction with the platform:

2.1 Registration and Identification Data

  • Full name, email address and encrypted password.
  • If registered via Google OAuth: name, email and profile photo provided by Google. We do not access your Google password or any other account data.
  • For Talent/Experts: professional title, biography, skills, work experience, portfolio (links, images), introduction video, availability, hourly rate and geographic location (city/country).
  • For Clients: name or business name, sector and general project description.

2.2 Financial and Billing Data

  • Payments are processed entirely through Stripe, Inc. as a PCI-DSS Level 1 certified payment processor. Ottly does not store card numbers, complete bank details or tax identification documents.
  • For Experts who activate payments: Stripe Connect collects and stores KYC data (ID document, bank account, tax address) directly on their secure servers. Ottly only stores the Stripe account identifier (alphanumeric ID) to link payments.
  • Tax ID number (NIF/CIF) for billing purposes and compliance with the EU DAC7 Administrative Cooperation Directive.

2.3 Professional Validation Data

  • Results from automated technical tests (soft skills and technical quizzes).
  • Verification status and validation score assigned by our AI system and human review.
  • These data are used exclusively to ensure the quality of the talent directory and are not shared with third parties.

2.4 Communications and Session Data

  • Messages exchanged within the platform between Clients and Talent.
  • Work session records: date, duration, participants and status (scheduled, in progress, completed).
  • Post-session ratings and feedback (review text, numeric score).

2.5 Navigation and Technical Data

  • IP address, device type, browser and operating system.
  • Technical and analytical cookies (see our Cookie Policy).
  • Error monitoring data collected by Sentry (anonymized error traces for technical debugging).
  • Real-time connection status (online/offline) managed via WebSocket and Redis, which stores only a temporary session identifier.

3. Purpose and Legal Basis

Purpose Legal Basis (Art. 6 GDPR)
Provision of intermediation servicePerformance of a contract (Art. 6.1.b)
Payment management and billingPerformance of a contract and legal obligation (Art. 6.1.b and 6.1.c)
KYC/AML verification and DAC7 complianceLegal obligation (Art. 6.1.c)
Talent quality validation (tests, AI)Legitimate interest (Art. 6.1.f) — ensuring marketplace quality
Commercial communications and updatesExplicit consent (Art. 6.1.a)
Technical and error monitoringLegitimate interest (Art. 6.1.f) — platform security and stability
Analytical cookiesConsent (Art. 6.1.a), per LSSI-CE

4. Recipients and International Transfers

Your data may be shared with the following recipients, in all cases with the legally required safeguards:

  • Stripe, Inc. (USA) — Payment processing. Stripe participates in the EU-U.S. Data Privacy Framework and holds PCI-DSS Level 1 certification. Stripe Privacy Policy.
  • Google LLC (USA) — OAuth authentication and Google Fonts. Participant in the EU-U.S. Data Privacy Framework.
  • Functional Software Inc. (Sentry) (USA) — Technical error monitoring. Anonymized data. Participant in EU-U.S. Data Privacy Framework.
  • Hosting provider — Servers located in the EU (or, if using a US-based provider, under Standard Contractual Clauses approved by the EC).

We do not sell, rent, or share your personal data with third parties for marketing purposes without your explicit consent.

5. Retention Periods

Data Category Period
Account and profile dataWhile account is active + 12 months after deletion
Billing and transaction data6 years (Spanish Commercial Code Art. 30; General Tax Law 58/2003)
Messages and communicationsWhile account is active + 6 months
Session and connection data (Redis)Temporary — deleted on disconnect or logout
Error logs (Sentry)90 days
Analytical cookiesAs specified in the Cookie Policy

6. Your Rights

In accordance with Articles 15 to 22 of the GDPR and Articles 12 to 18 of the LOPDGDD, you have the right to:

  • Access: Know what personal data we are processing about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure ("Right to be Forgotten"): Request deletion of your data when it is no longer necessary for the purpose for which it was collected.
  • Restriction of Processing: Under certain circumstances provided by law.
  • Data Portability: Receive your data in a structured, commonly used and machine-readable format (JSON/CSV).
  • Objection: Object to the processing of your data on grounds relating to your particular situation.
  • Withdrawal of Consent: At any time and without retroactive effect, for processing based on consent.

You can exercise these rights by sending an email to privacy@ottly.io, attaching a copy of your ID or equivalent identification document. Your request will be addressed within a maximum of 30 days.

If you believe that the processing of your data violates applicable regulations, you have the right to file a complaint with the Spanish Data Protection Agency (AEPD)www.aepd.es.

7. Security Measures

Ottly implements appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure or destruction, including:

  • Password encryption using secure hashing algorithms (bcrypt).
  • HTTPS/TLS communications across the entire site.
  • Authentication via JWT tokens with temporal expiration.
  • Rate limiting on sensitive endpoints to prevent brute force attacks.
  • Payment processing delegated to Stripe (PCI-DSS Level 1), with no sensitive financial data stored on our servers.
  • Restricted access to data by Ottly staff, under the principle of least privilege.

8. Minors

Ottly is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If we become aware that we have collected data from a minor, we will proceed to delete it immediately.

9. Changes to this Policy

Ottly reserves the right to modify this Privacy Policy to adapt it to legislative, jurisprudential, or business practice developments. In the event of substantial changes, registered users will be notified by email and a prominent notice will be published on the platform at least 15 calendar days before it takes effect.

10. Contact

For any inquiry related to the protection of your data, you can contact us at: