OTTAI PRIVACY POLICY

Effective date: 15-August-2026
Last updated: 10-July-2026

1. Who we are and the scope of this policy

This Privacy Policy explains how Syai Health Technology Pte. Ltd. (UEN 202323053C) and its affiliates (together "Syai Health", "we", "us" or "our") collect, use, disclose, transfer and protect your personal data when you use our continuous glucose monitoring ("CGM") devices, companion mobile application, websites, customer support channels and related services (together, the "Services").

"Ottai" is a brand of Syai Health Technology Pte. Ltd. Syai Health markets and provides its CGM devices, companion application and related Services under the Ottai brand. References to "Ottai" in this policy, in the Ottai application and on Ottai-branded materials are references to Syai Health in its capacity as the provider of the Services.

This policy applies globally in countries and regions where Ottai provides the Services and where we have not published a separate local privacy notice or addendum. Where a local privacy notice, product-specific notice, consent screen, app permission notice or contractual privacy term applies, that notice or term supplements this policy and prevails to the extent it provides additional or mandatory local protection. You can find our local notices at Ottai Global Privacy Framework.

The Services may include products, portals, dashboards, professional tools or related functions used by hospitals, clinics, healthcare professionals (collectively, "HCPs"), caregivers or other authorised organisations to view, manage, analyse or support patient CGM data, where such functions are made available by Ottai. In this policy, references to "you" include individual users, patients, caregivers, HCPs and other authorised users, as applicable.

Where Ottai determines the purposes and means of processing, Ottai acts as the controller or responsible organisation for your personal data. Where Ottai processes personal data on behalf of an HCP, hospital, clinic, distributor, employer or other organisation, that organisation may be the controller or responsible organisation for that processing, and Ottai may act as a processor, service provider, data intermediary or equivalent role under applicable law.

2. Our Data Protection Officer and how to contact us

We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing our compliance with this policy and with applicable data protection law. You may contact our DPO about anything in this policy or to exercise your rights.

Data Protection Officer — Contact details

  • Attention: The Data Protection Officer
  • Email: privacy@service.ottai.com
  • Post: 1 Fusionopolis Link, #06-06, Nexus @one-north, Singapore (138542)

Response time: We aim to acknowledge your request within 5 working days and to respond substantively within 30 days. If we need more time, we will tell you why and when you can expect a full response.

3. The personal data we collect

The Services are designed to help you monitor your glucose levels, so some of the data we handle is health-related personal data, which may be sensitive in nature. We collect the categories of personal data set out below. Not every user generates every category — what we hold depends on the features you use. More detailed function-by-function data fields are set out in the Functions and Data List, which describes the current Services and features, the personal data fields and app permissions required for each function, optional integrations, third-party services and SDKs, backend service categories, main technical endpoints where relevant, processing locations, and more detailed retention information.

The Functions and Data List forms part of the information we provide to you under this policy. We may update the Functions and Data List from time to time to reflect operational or technical changes to the Services. We will not use the Functions and Data List to introduce a materially new purpose for collecting, using or disclosing your personal data, or a materially different way of handling your health-related personal data, without providing any notice or obtaining any consent required by applicable law.

Account & identity

Fields: user ID, username/nickname, login account, email address, mobile number, profile photo, country/region, language, glucose unit, login method, authentication tokens and credentials

When/purpose: On registration, login and account setup — to identify you, secure your account, show your profile and apply your region/unit settings

Third-party login

Fields: Google user ID, email, nickname, photo; Apple sub/email; X (Twitter) user ID, email, username

When/purpose: When you choose social login — to authenticate you and link the third-party account

Purchase & order

Fields: product ID, SKU, product name, specification, quantity, price, cart, promo/discount code and amount, order number, order status, order amount, tax, shipping fee, order/payment/cancellation/closure times

When/purpose: When you buy a device or place an order — for the online store, order fulfilment and after-sales

Delivery & logistics

Fields: recipient name, phone, email, country, state/province, city, district, full address, postcode, building, courier, tracking number, dispatch and estimated/actual delivery times

When/purpose: When you order and we ship — for delivery, tracking and after-sales

Payment

Fields: payment channel, transaction number, payment status, receipt email, bank name, card brand, masked card number, cardholder name, expiry month/year, billing address, payment token/result

When/purpose: When you pay. Full card details are handled by the payment processors; we retain only the payment result, transaction reference and masked information

App & device

Fields: App version, OS platform and version, device brand, model and device ID, jailbreak/root status, CPU, board, network status, language, NFC support, FCM/APNs push token

When/purpose: On app start, login and push — for compatibility, diagnostics, push notifications and fraud/abuse prevention

Technical, network & service-operation metadata

Fields: IP address, connection logs, DNS or network request metadata, API request metadata, messaging or push-delivery metadata, service routing information, timestamps, error logs, crash logs, diagnostic events, and backend service interaction records

When/purpose: When you use the Services — to operate backend services, route requests, deliver messages and notifications, maintain service reliability, diagnose faults, prevent abuse, support security monitoring, troubleshoot technical issues and investigate service or device problems. Not every technical connection or service endpoint receives glucose readings or health logs.

CGM device

Fields: CGM MAC address, serial number, deviceId, device type, binding/unbinding records, activation, wear, warm-up, connection, expiry/grace and abnormal-status states

When/purpose: On device binding, activation and wear — to operate the sensor, attribute readings and handle after-sales

Glucose & monitoring (health data)

Fields: real-time glucose values, timestamps, trend, level, sequence number, curve points, max/min/average, time-in-range (TIR), AGP, daily/weekly/monthly and other glucose reports

When/purpose: While you wear a sensor — the core monitoring, statistics, reports and alerts. This is health-related personal data

Glucose thresholds & alerts

Fields: high/low/urgent-low thresholds, fast rise/fall thresholds, reminder switches, sound/vibration settings, alert records and timestamps, notification data

When/purpose: When you set goals and wear a sensor — for abnormal-reading alerts and personalised reminders

Health log & manual records

Fields: meals, fingerstick readings, weight, insulin, medication, exercise check-ins, images, time, notes, pre/post-meal glucose

When/purpose: When you log entries — for your health diary, statistics and AI-assisted recognition or analysis, where you choose to use the relevant feature. This is health-related personal data

Location & region

Fields: GPS latitude/longitude, IP address, reverse-geocoded address, country/region, and registration/login/binding/daily/GPS-type location records

When/purpose: On registration, login, binding, wear and exercise — for region matching, customer-service routing and (where enabled) activity tracking

Exercise & ecosystem

Fields: exercise start/end time, GPS track, distance, steps, calories, exercise records and goals; Apple Watch / Garmin / widget / Nightscout sync data

When/purpose: If you enable activity, a smartwatch or a third-party ecosystem feature

Customer service & AI

Fields: AI questions and answers, customer-service sessions, message history, feedback, images, service group and bot ID; data passed to our customer-service tool (userId, name, phone, email, photo, device MAC)

When/purpose: When you contact support or use the AI assistant — to answer queries and handle after-sales

After-sales & device issues

Fields: device-abnormal events, connection failures, jitter, write failures, unbinding reasons, after-sales request type, device MAC/deviceId, complaint content

When/purpose: When you report a problem — for after-sales, quality analysis and troubleshooting

Cookies and similar technologies

Fields: cookies, pixels, local storage, SDK identifiers, device identifiers, session identifiers and web analytics data.

When/purpose: When you use our websites, web-based services or app-related web views - to operate the Services, keep you signed in, remember preferences, maintain security, understand service usage, diagnose issues and, where permitted, support analytics or marketing.

Health-related personal data.

Glucose readings, manual health logs and related monitoring data reveal information about your health. We collect and use them only to provide the monitoring Services you have asked for, to support product safety and quality matters, or as otherwise permitted or required by applicable law. We generally rely on your consent to collect and use such data. You can withdraw that consent as described in Section 11, although doing so may mean we can no longer provide the monitoring features.

HCP and institutional account data

Fields: name, work email address, work phone number, professional title, department, hospital, clinic or organisation name, professional or staff identifier, role, access permissions, login method, account status, audit logs and usage records

When/purpose: When a healthcare professional, hospital, clinic or authorised organisation creates or uses a professional account or portal — to verify and manage authorised access, configure roles and permissions, support clinical or care-team workflows, maintain security, provide auditability and administer professional Services.

Patient-management and professional-service data

Fields: patient identifiers, patient account or device linkage information, CGM readings, reports, alerts, trend information, device status, notes, tags, care-team assignments, report-sharing records, review history, professional comments, uploaded documents, consultation-related information or other information entered, uploaded, viewed or managed by authorised healthcare professionals or institutions through the Services

When/purpose: When a patient is linked to, managed by, reviewed by or supported through a hospital, clinic, healthcare professional, caregiver or other authorised organisation using the Services — to enable patient monitoring, glucose-data review, report generation, care coordination, device support, clinical workflow, patient support, auditability, quality and safety follow-up, and medical device compliance.

Where an HCP uses the Services to manage patient data, that HCP may also collect, use, disclose and retain patient data for its own healthcare, clinical, legal, regulatory, professional or operational purposes. Such HCP is responsible for its own handling of personal data and should provide its own privacy notice where required by applicable law.

4. How and why we use your personal data

We may collect personal data directly from you, from the CGM device and app, from HCPs, caregivers or authorised organisations, from third-party login providers, payment providers, delivery partners, customer-service channels, app stores, analytics and diagnostics tools, optional integrations, distributors, retailers, regulators or other sources permitted by applicable law.

We use your personal data for the following purposes:

  • Providing the core Services — operating your CGM sensor, displaying real-time and historical glucose data, statistics, reports and abnormal-reading alerts.
  • Creating and securing your account and authenticating you, including through third-party login.
  • Processing purchases, payments, delivery, returns refunds, warranties and other after-sales support.
  • Providing customer service, technical support and our in-app AI assistant or AI-enabled features.
  • Diagnosing crashes and errors, maintaining compatibility, and improving the reliability, usability, safety and performance of the Services.
  • Sending service messages, safety notices, product notices, account communications and, where enabled, push notifications and alerts.
  • Detecting and preventing fraud, abuse, misuse, security incidents and unauthorised access.
  • Complying with legal, regulatory, accounting, tax, medical device, product safety, audit and record-keeping obligations.
  • Handling product complaints, adverse events, field safety matters, recalls, vigilance reporting, regulatory submissions, audits and other medical device safety or compliance matters.
  • Enabling HCP, caregiver or care-team use of the Services, including patient linkage, professional account management, role-based access, patient monitoring, glucose-data review, report generation, care coordination, device support and clinical workflow support.
  • Supporting authorised HCPs, caregivers or care teams in providing patient care, reviewing CGM data, managing device-related issues, communicating with patients, maintaining care records and carrying out related healthcare or operational activities.
  • Maintaining records of HCP access, activity, report generation, data sharing, patient linkage, account administration and audit logs for security, accountability, clinical workflow, quality, regulatory and compliance purposes.
  • Using anonymised, aggregated or de-identified data for service analytics, product performance review, quality improvement, safety monitoring, research, statistical analysis, business reporting and development of new or improved products, services or features.
  • Carrying out any other purpose that we notify you of at or before the time of collection, use or disclosure, or for which you have provided consent, or which is permitted or required by applicable law.

Because the Services relate to CGM devices and related medical device services, we may use and disclose personal data, including health-related personal data where necessary, for medical device safety, quality, regulatory and compliance purposes. Where practicable, we use anonymised, aggregated or de-identified data for analysis and improvement. We use identifiable health-related personal data only where necessary for the relevant purpose, consistent with this policy and permitted or required by applicable law.

We make reasonable efforts to ensure that personal data collected by us or on our behalf is accurate and complete where the data is likely to be used by us to make a decision that affects you or disclosed to another organisation. You should keep your account information accurate and up to date, and you should notify us if relevant information changes.

5. Our basis for using your data, and your choices

We process your personal data on the basis permitted by the data protection law that applies to you. These usually include your consent; the performance of a contract with you; our legitimate interests in operating, securing and improving the Services; compliance with legal obligations; and the protection of your vital interests in a health emergency. For sensitive health data, we rely on your explicit consent, or another basis your local law allows.

Withdrawing consent. You may withdraw consent at any time by contacting us or using available in-app settings, subject to reasonable notice and applicable law. We will tell you the likely consequences where required. Some features may no longer be available if you withdraw consent. Withdrawal does not affect processing carried out before the withdrawal takes effect or processing that is permitted or required by law.

Analytics and tracking. Tools that are strictly necessary to run the Services operate by default. Analytics, marketing or other non-essential technologies are used based on your consent where consent is required, and you can adjust your choices through our app, website, browser, device settings or other controls we make available.

AI assistant and AI-enabled features. Where you use our AI assistant or AI-enabled features, we may process the questions, prompts, images, voice input, text, health logs or other content that you actively submit for that feature to provide the requested response, recognition, support or analysis. We will not use your identifiable glucose data, health logs, support content, images, voice input or other health-related personal data to train general-purpose AI models unless we have notified you and obtained any consent or other legal basis required by applicable law.

HCPs, caregivers and authorised care access. Some Services may allow you to share or make available CGM data, glucose reports, alerts, device information, health logs or other personal data to HCPs, caregivers, family members or other persons involved in your care or support. We do not automatically share health-related personal data with them merely because such function is available. Sharing or access occurs only where you choose to enable or authorise it, where a person legally authorised to act on your behalf does so, where an HCP or institution confirms that it has the necessary consent or lawful authority, or where disclosure is permitted or required by applicable law. Each HCP, institution, caregiver or other recipient is responsible for its own legal, professional, clinical, institutional and confidentiality obligations.

6. App permissions

Clipboard access. Our app accesses your device clipboard only in direct response to your actions - for example, when you copy a message from the in-app AI assistant or customer-service chat, or when you paste content such as a verification code or device identifier into a field. We do not read the clipboard in the background or use it to build a profile of you, and copied content stays on your device unless you choose to send it through the Services.

Device permissions. Our app may request device permissions such as notifications, Bluetooth, camera/photo access, microphone, location or background activity where required for a feature you use. The current app permissions, relevant functions and data involved are listed in the Functions and Data List. You may manage permissions through your device or app settings, although disabling a permission may affect the relevant feature.

Cookies and similar technologies. Our websites, web-based services and certain app-related web views may use cookies, pixels, local storage, SDKs, device identifiers or similar technologies to operate the Services, keep you signed in, remember preferences, maintain security, understand usage, diagnose issues and, where permitted, support analytics or marketing.

7. Third-party services and SDKs we use

We use third-party services and SDKs to provide, secure, analyse and support the Services. The current list of third-party services and SDKs, the purposes for which they are used, the data they handle and the relevant processing locations are set out in the Functions and Data List. We do not use third-party services or SDKs to build third-party advertising profiles of you.

Each provider may process data under its own privacy policy when acting independently. Optional integrations, such as smartwatch, ecosystem or third-party data-sharing features, are used only where you choose to enable them or where they are otherwise authorised for the relevant account.

8. How we share and disclose your data

We do not sell your personal data.

We disclose personal data only as described below:

  • Service providers and processors - cloud hosting, customer service, analytics, crash reporting, mapping, payment, logistics, communication, security, professional services, and other providers that process data on our behalf under contract.
  • Payment providers - to process payments, refunds, fraud checks and related payment services.
  • Ottai group entities - where necessary to operate, secure, support or improve the Services, under appropriate safeguards.
  • HCPs, hospitals, clinics, caregivers, family members or other persons involved in your care or support - where you choose to enable or authorise the sharing or access, where a person legally authorised to act on your behalf does so, where the relevant HCP or institution confirms that it has the necessary consent or lawful authority, or where disclosure is permitted or required by applicable law.
  • Medical device, safety and quality recipients - regulators, notified bodies, testing laboratories, auditors, professional advisers, insurers, HCPs or other relevant parties where reasonably necessary for product complaints, adverse events, field safety matters, recalls, regulatory filings, audits, legal claims or medical device compliance matters.
  • Legal and regulatory recipients - courts, law enforcement, regulators, public authorities and other competent bodies where required or permitted by law, court order or authority request, or to protect our rights, users, patients or others.
  • Business-transfer recipients - in connection with a merger, acquisition, financing, restructuring, sale of assets, transfer of business, insolvency or similar transaction, subject to appropriate safeguards.
  • Third parties you initiate or authorise - third-party platforms such as xDrip+, AAPS (AndroidAPS), Nightscout, smartwatch ecosystems or other recipients you choose to connect with or share data with.

Where practicable and appropriate for the relevant purpose, we disclose only the personal data reasonably necessary for the recipient to perform the relevant function or for the relevant purpose to be achieved.

Stopping future sharing may not delete data that has already been received, downloaded, stored or independently processed by a recipient. If an HCP, caregiver, third-party platform or other organisation holds your data independently, you may need to contact that recipient directly to exercise rights in relation to the data it holds.

9. International transfers and overseas access

Your personal data may be stored, accessed or processed in countries or regions where we, our group entities, service providers, HCP partners, distributors or business partners operate. The current primary hosting location, service-provider processing locations and international transfer details are listed in the Functions and Data List.

References to overseas processing include storage, hosting, remote access, customer support, technical support, diagnostics, security monitoring, service-operation processing and processing by our group entities, service providers or business partners located outside your country or region. The fact that primary hosting is located in one country or region does not necessarily mean that all support, diagnostic, security, communication or service-operation processing occurs only in that country or region.

Where GDPR or similar international-transfer rules apply, we use appropriate transfer mechanisms such as adequacy decisions, standard contractual clauses, binding corporate rules, recognised certifications, contractual safeguards, transfer assessments, supplementary measures or derogations where permitted. Where other laws apply, we take steps required by those laws to provide comparable or appropriate protection for transferred personal data.

Your personal data may be subject to the laws of the country or region where it is stored, accessed or processed. Where overseas laws permit access by courts, law enforcement, regulators or public authorities, we respond to such requests only where we consider it necessary or appropriate to comply with applicable legal requirements, protect our rights, protect users or others, or otherwise act as permitted by applicable law.

10. How long we keep your data

We keep personal data only for as long as necessary for the purposes described in this policy, or for longer where required or permitted by law.

  • Glucose and related health-monitoring data - retained while your account remains active, because continuous monitoring depends on longitudinal history. When you delete your account, this data is deleted from our primary systems and connected services, and database backups are purged within 7 days, unless longer retention is necessary for user-requested reports, product complaint handling, adverse-event investigation, or regulatory, safety, legal, audit or dispute-resolution purposes.
  • Account and profile data - retained while your account remains active; deleted from our primary systems on account deletion, with backups purged within 7 days, unless longer retention is necessary for safety, regulatory, legal, audit or dispute-resolution purposes.
  • Order, payment and tax records - retained for the period required or permitted by applicable accounting, tax, payment, audit or legal requirements, in a form no longer linked to your deleted account.
  • Customer-service, after-sales and correspondence records - retained for as long as needed to handle the matter and any related quality, safety, legal, regulatory or accountability follow-up.
  • Medical device safety, quality and regulatory records - retained for as long as necessary or permitted to comply with applicable medical device, product safety, vigilance, recall, regulatory, audit, legal or dispute-resolution requirements.
  • HCP and professional-service records - retained for as long as needed to administer professional accounts, support patient management, maintain auditability, comply with contractual or legal requirements, and support safety, quality, security and dispute-resolution purposes.

When a retention period ends, we delete, destroy or irreversibly anonymise the data unless retention remains necessary or permitted under applicable law. Anonymised, aggregated or de-identified data that no longer identifies you may be retained and used for the purposes described in this policy. We are also implementing defined maximum-retention limits as part of our data-protection roadmap.

11. Your rights

Subject to applicable law and any lawful exceptions, you may have rights over your personal data. These may include:

  • Access - to ask for a copy of personal data we hold about you and information about how it has been used or disclosed.
  • Correction or rectification - to ask us to correct personal data that is inaccurate or incomplete.
  • Deletion or erasure - to ask us to delete personal data where it is no longer needed or where deletion is otherwise required by law.
  • Restriction - to ask us to restrict certain processing where applicable law provides this right.
  • Portability - to receive certain personal data in a structured, commonly used and machine-readable format, where applicable.
  • Objection - to object to processing based on legitimate interests, direct marketing or certain other grounds, where applicable.
  • Withdrawal of consent - to withdraw consent where we rely on consent, without affecting processing carried out before withdrawal.
  • Complaint - to lodge a complaint with the relevant data protection authority or supervisory authority.

To exercise rights, contact privacy@service.ottai.com. We may need to verify your identity and authority before acting on a request. We may refuse or limit a request where permitted by law, such as where the request is manifestly unfounded or excessive, where retention is required by law, or where disclosure would adversely affect the rights and freedoms of others.

Correction of device-generated records. For device-generated readings, logs or technical records, we may not be able to alter the original record without affecting data integrity. Where appropriate, we may correct account information, add a note, regenerate a report, assist with deletion where permitted, or explain why the record cannot be changed.

Account deletion and shared data. If you delete your account or ask us to delete personal data, we will process the request in accordance with applicable law and relevant rules in this policy. Account deletion may stop access to your account and may prevent connected devices, caregivers, HCPs or other connected persons from viewing glucose readings or reports through the Services. Account deletion may not delete data already received, downloaded, stored or independently processed by third-party platforms, HCPs, caregivers, family members or other recipients with whom data was shared.

Where personal data is held or independently managed by an HCP, hospital, clinic, caregiver, distributor, employer or other organisation, we may refer your request to that organisation or assist it in responding, as required or permitted by applicable law and our arrangements with that organisation.

How to exercise your rights

Contact our DPO at privacy@service.ottai.com. To protect your account and your health data, we will verify your identity before we act on a request. We will respond within the timeframe in Section 2. We do not charge for most requests, but we may charge a reasonable fee for an access request where permitted, and we will give you an estimate first.

12. How we protect your data

We use technical and organisational measures designed to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, loss or similar risks. These measures include encryption in transit, physical segregation of health data from other data, access controls, authentication, audit logging, segregation of administrative access, data minimisation where practicable, security reviews, incident-response procedures and vendor due diligence. Encryption of stored data is part of our security roadmap. No system is completely secure, but we work to protect personal data and respond promptly to incidents.

For professional or institutional functions, we may use role-based access controls, account administration controls, activity records, access logs, authentication measures, permission settings or other safeguards to help ensure that patient data is accessed only by authorised users for authorised purposes.

You are responsible for taking reasonable steps to protect your account, device and credentials. You should use a strong password or secure login method, keep your device locked when not in use, maintain appropriate device security settings, avoid sharing verification codes or account credentials, and notify us promptly if you believe your account, device or credentials have been compromised.

13. Personal data breaches

We maintain procedures to detect, assess, investigate and respond to personal data breaches. Where required by applicable law, we will notify the relevant regulator, supervisory authority, affected individuals, HCPs, customers or business partners. Where GDPR applies, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a notifiable personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. We will notify affected individuals where required by applicable law.

14. Children and people under guardianship

The Services may be used to monitor the glucose of a child or a person who lacks capacity. Where a user is a minor or under guardianship, the account should be set up and managed by a parent, legal guardian or other authorised person. If you create, manage or use an account for a child, a person under guardianship or another person who requires assistance, you represent that you are authorised to do so and to provide consent on that person's behalf.

Where we ask for age, date of birth, country or guardian information, we may use that information to help determine whether guardian involvement or consent is required. A parent or legal guardian may contact us to exercise applicable rights in relation to the personal data of a child or person under guardianship, subject to identity and authority verification. If you believe a child's data has been provided to us without appropriate authority, please contact our DPO.

15. Marketing and communications

We may send service-related messages, product notices, safety notices, updates and support communications relating to your account, device or use of the Services. These may continue where necessary even if you opt out of marketing.

We may send marketing communications only where permitted by applicable law and, where required, with your consent. You may opt out of marketing communications at any time using the unsubscribe or opt-out mechanism provided, or by contacting us. We will not use identifiable glucose readings, health logs or health-related personal data to send personalised marketing communications unless we have notified you and obtained any consent required by applicable law. We do not knowingly send marketing communications to children.

16. Automated processing and AI

The Services may use automated processing or AI-enabled features for functions such as alerts, reports, pattern recognition, customer support, voice or image recognition, diagnostics, security monitoring, fraud prevention, service reliability and product improvement. We do not use personal data to make decisions based solely on automated processing that produce legal or similarly significant effects on you, unless this is permitted by applicable law and appropriate safeguards are provided.

AI-generated outputs, reports, alerts or support responses are intended to support the relevant Service and should be used in accordance with product instructions, app guidance and applicable medical advice. HCPs and users remain responsible for clinical or care decisions as applicable.

17. Changes to this policy

We may update this policy from time to time. We will post the updated version with a new "Last updated" date and, where the changes are material, we will take reasonable steps to notify you before they take effect, such as through the app, website, email, account notice or other appropriate channel. If required by law, we will obtain consent before applying the change.

18. Language Precedence

Where this Agreement is provided in multiple languages, the English version prevails to the extent permitted by applicable law.

19. Questions and complaints

If you have a question or concern, please contact our DPO first at privacy@service.ottai.com so we can try to resolve it. You also have the right to lodge a complaint with the data protection authority in your country or region.