Privacy Policy

1. Basic information

Scotty is an AI assistant that, with your authorisation, connects to the tools you already use — such as email, calendar, messaging and CRM systems — to draft replies, prepare meetings, organise your work and keep you briefed. To do this, Scotty processes personal data on your behalf. In the following, we explain what data we process, on which legal basis and for what purpose, and we inform you of your rights.

Personal data is all data with which you can be personally identified or that makes you identifiable via an identifier, for example via your IP address. If you have any questions regarding the use of your personal data, please contact us as the responsible body (see section 2).

For security reasons and to protect the transmission of personal data and other confidential content, our service uses SSL/TLS encryption in transit, and data is encrypted at rest. You can recognize an encrypted connection by the string “https://” and the lock icon in your browser line. We do not use your content to train foundation AI models.

2. Who we are (responsible for data protection)

Responsible for data processing within the meaning of the General Data Protection Regulation (GDPR) is:

autarc GmbH (haftungsbeschränkt) (Amtsgericht Berlin, HRB 249005), represented by the managing directors Etienne Krause and Thies Hansen, Hoppestraße 31, 13409 Berlin, (+49) 1-51 68547823, hello@autarc.energy.

Contact details of our data protection officer: dataprotection@autarc.energy.

3. Account data and data collected when you use Scotty

When you create a Scotty account, we process the data required to provide the service, such as your name, email address, organisation, role and authentication data. This processing is based on the performance of our contract with you (Art. 6 (1) (b) GDPR).

When you use Scotty, we automatically process technical data necessary to operate the service securely and reliably, such as an abbreviated IP address, date and time of access, device and browser information, and event/usage logs. We use this data for authentication, troubleshooting, security, abuse prevention and to improve the service, based on our legitimate interest (Art. 6 (1) (f) GDPR).

We also process the instructions, prompts and feedback you provide to Scotty so that the assistant can carry out the tasks you ask of it.

4. Connected services and the data Scotty accesses

Scotty only accesses data from a third-party service after you explicitly connect that service and grant the corresponding permissions (for example via OAuth). You can review and revoke these permissions at any time, both within Scotty and in the settings of the connected provider.

Depending on which integrations you enable, Scotty may access and process: emails, drafts and attachments (e.g. Gmail / Google Workspace); calendar events and availability (e.g. Google Calendar); messages and contact details (e.g. WhatsApp Business); and contacts, deals, notes and activities from CRM systems (e.g. HubSpot, Pipedrive).

We process this connected-account data solely to provide the features you request — such as drafting and sending replies, summarising threads, preparing meeting briefings, and creating or updating records. We do not sell this data and we do not use it to train foundation AI models. Access is limited to what is required to perform the requested task, and the legal basis is the performance of our contract with you (Art. 6 (1) (b) GDPR) and our legitimate interest in providing a functioning assistant (Art. 6 (1) (f) GDPR).

5. How Scotty uses AI to process your data

To generate drafts, summaries and suggestions, Scotty sends the relevant content to large language model (LLM) providers acting as our processors. These providers process the content only to return a result to us and, under our agreements, do not use your content to train their models.

AI-generated output can be inaccurate or incomplete. You remain responsible for reviewing Scotty's output before relying on or sending it, particularly in communications with customers. Scotty does not make legally significant decisions about you through solely automated means without your involvement.

Where required, content sent to AI providers may be processed on servers outside the EU/EEA. In such cases, transfers are safeguarded by EU Standard Contractual Clauses and additional technical and organisational measures (see section 8).

6. Service providers and subprocessors

We work with carefully selected service providers (processors) who support us in operating Scotty, for example for cloud hosting, AI model inference, messaging delivery, error monitoring and product analytics. We conclude data processing agreements (Art. 28 GDPR) with these providers, obliging them to process personal data only in accordance with our instructions and in compliance with the GDPR.

Connected providers (such as Google, Meta/WhatsApp, HubSpot and Pipedrive) act as independent controllers for the data held in their own systems; their own privacy policies apply to that processing. Scotty only acts on the data you authorise it to access.

7. Data retention

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law. Account data is retained for the duration of your contract. You can delete connected-account data at any time by disconnecting the relevant integration or deleting the corresponding items in Scotty.

Technical and event logs are retained for a limited period for security and troubleshooting purposes and then deleted or anonymised. Where statutory retention periods apply (e.g. tax and commercial law, Section 147 (3) AO — up to 10 years), we retain the relevant data accordingly and delete it upon expiry of those periods.

After you delete your account, we delete or anonymise your personal data, unless we are legally required to retain it.

8. International data transfers

Some of our processors are located outside the EU/EEA, including in the USA. According to the case law of the European Court of Justice (ECJ, judgment of 16.07.2020 — C-311/18, Schrems II), these countries do not necessarily offer a level of data protection equivalent to that of the EU.

Where we transfer personal data to such countries, we rely on appropriate safeguards under Art. 46 GDPR — in particular the EU Standard Contractual Clauses — together with supplementary technical and organisational measures such as encryption and data minimisation.

9. Payment processing

If your plan is paid, payments are processed by Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland. Stripe collects the data necessary to process the payment, such as name, billing details and payment method. We have concluded a data processing agreement with Stripe in accordance with Art. 28 GDPR. The legal basis for the transfer of payment data is Art. 6 (1) (b) GDPR. Further information: https://stripe.com/privacy.

10. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate Scotty — in particular to keep you signed in and to secure your session. The legal basis is the performance of our contract with you (Art. 6 (1) (b) GDPR) or our legitimate interest in a secure, functioning service (Art. 6 (1) (f) GDPR).

Any non-essential cookies (e.g. for product analytics) are only used with your consent (Art. 6 (1) (a) GDPR), which you can withdraw at any time with effect for the future. You can also manage cookies in your browser settings.

11. Your rights as a data subject

You have the right to information about the personal data we process about you (Art. 15 GDPR); the right to rectification of inaccurate or incomplete data (Art. 16 GDPR); the right to erasure (Art. 17 GDPR); the right to restriction of processing (Art. 18 GDPR); the right to data portability in a structured, commonly used and machine-readable format (Art. 20 GDPR); and the right to object to processing based on our legitimate interests (Art. 21 GDPR).

Where processing is based on your consent, you can withdraw that consent at any time with effect for the future, without affecting the lawfulness of processing carried out before the withdrawal.

You also have the right to lodge a complaint with a supervisory authority, in particular in the country of your residence, place of work or the place of the alleged infringement (e.g. Berlin Commissioner for Data Protection and Freedom of Information, Friedrichstraße 219, 10969 Berlin).

12. Contact

If you have any questions about this privacy policy or wish to exercise your rights, please contact us at hello@autarc.energy or our data protection officer at dataprotection@autarc.energy.