Privacy Policy
Last updated: June 2026
The short version
Your music stays on your device. We don't listen to it, store it, or transmit it unless you explicitly choose to share. Oto is built to work locally first.
What data stays on your device
The following data is stored entirely in your browser using localStorage and IndexedDB. It never leaves your machine:
- Audio files — all tracks you load are processed locally. No audio is uploaded to any server.
- Track library — metadata (BPM, key, duration, ratings) stored in IndexedDB.
- Cue points, loops, labels, and notes — stored in localStorage per track.
- Waveform data and mood grid coordinates — cached locally after analysis.
- Style Memory and Style DNA — your mixing history and fingerprint, stored locally.
- Preferences and settings — stored in localStorage.
- Session stats — mix time, tracks played, etc., stored locally.
- Generative audio & local AI Bridge — the SYNTH source and the optional local AI Bridge run entirely on your device; no audio or generation data is sent to our servers.
What you choose to share
The following features involve sending data to external services. All are opt-in — they only activate when you use them:
- Google Sign-In — if you sign in with Google, your name and email are sent to Supabase (our authentication provider) to create your account. We receive your name and email. No audio data is shared.
- Cloud Sync — if configured, your library metadata, cue points, loops, and preferences are synced to Supabase. Audio files are never synced.
- Mix Sharing & Challenge Submissions — if you share a recorded mix or submit to a weekly challenge, the audio file is uploaded to Supabase Storage and accessible via a public link. You can delete your challenge submissions at any time from the leaderboard.
- Live Streaming — if you go live, your master audio output is streamed peer-to-peer via WebRTC to connected listeners. No audio is stored on our servers.
- AI set planning & coaching — when you use AI features (set planning, mix report cards, live direction), your text prompt and library metadata — track names, BPM, key; never audio — are sent to our AI provider through the Vercel AI Gateway, which routes to Anthropic (Claude) and may fail over to OpenAI. These run under a monthly usage quota; we log usage events (action counts and timestamps, not your prompts or audio) to enforce it. You may optionally supply your own Anthropic API key in Settings, in which case requests go directly to Anthropic. Voice prompts are transcribed locally by your browser's SpeechRecognition API — no voice audio is sent to our servers.
- Spotify / SoundCloud Seeding — if you connect your Spotify or SoundCloud account, we fetch your top tracks and listening data to calibrate your library. OAuth tokens are stored locally and never sent to our servers. No audio is accessed.
- Cloud HD Stems — if configured, audio is sent to a Demucs API endpoint you provide for ML stem separation.
- Practice Rooms & B2B — mixer state (not audio) is relayed through our signaling server for real-time collaboration.
Payments
If you choose to support Oto financially, payments are processed by Stripe. We do not store your payment information. Stripe's privacy policy governs payment data handling.
What we collect automatically
When you sign up or return to Oto, we store basic account and session data in Supabase to improve the product:
- User profile — your name, email, experience level, timezone, and last visit date.
- Session data — timestamp, screen size, platform, and theme. One record per visit.
- Feature usage events — which features you use (e.g. "loaded a track", "entered Vibe Mode", "gave a direction"). No audio content is included — only action names and basic metadata like BPM/key.
- AI usage events — when you use AI features, we record which AI action ran, a timestamp, and credit/token counts, in order to enforce monthly usage quotas. Your prompts and audio are never stored in these events.
This data is stored in Supabase (our database provider) and is used solely to understand how the product is used and to improve it. We do not sell, share, or monetize this data. No third-party analytics, tracking pixels, or advertising scripts are used.
Cookies
Oto does not set any cookies. All persistent data uses localStorage and IndexedDB.
Third-party services
- Google Fonts — font files are loaded from Google's CDN. Google may log this request.
- Supabase — authentication and optional cloud storage. Supabase Privacy Policy
- Stripe — payment processing. Stripe Privacy Policy
- Anthropic (Claude) & OpenAI — AI set planning and coaching, accessed via the Vercel AI Gateway (Claude, with OpenAI failover). Anthropic Privacy Policy · OpenAI Privacy Policy
- Vercel — hosting, serverless functions, and the AI Gateway that routes AI requests. Vercel Privacy Policy
- Upstash — Redis used for API rate limiting; stores transient request counters (which may include a hashed identifier or IP), not your content. Upstash Privacy Policy
Data deletion
Open the settings menu (the gear on the dial, or the top bar inside the mixer) and choose Sign out to clear your local profile. To clear all local data: open your browser's developer tools → Application → Clear Storage. All local data is immediately and permanently deleted.
For server-stored data (user profile, sessions, usage events, cloud sync), contact us at hello@useoto.io and we will delete your account and all associated data within 30 days.
Contact
Questions about this policy: hello@useoto.io or jessica@okaeri.ai