Privacy Policy

1. Information We Collect

Information You Provide

• Account Information: Display name, email address, and password when you create an account.
• Entity Information: Species, lineage data, descriptions, photos, and location information for organisms you register on the Platform.
• Payment Information: Credit card details and billing address. Note: Payment information is processed by Stripe and is not stored on our servers.
• Communications: Messages you send to other users, support inquiries, and feedback you provide.
• Seller Information: If you sell through the Platform, we collect business details, bank account information for payouts, and identity verification documents as required by our payment processor.

Information Collected Automatically

• Device Information: Browser type, operating system, device identifiers, and IP address.
• Usage Data: Pages visited, features used, search queries, and interaction patterns.
• Location Data: General location based on IP address. Precise location is used only for Entity registration and is offset to protect privacy (see our Location Privacy help page for details).
• Cookies: We use cookies and similar technologies to maintain sessions, remember preferences, and analyze usage. See Section 7 for details.

2. How We Use Your Information

We use the information we collect to:

• Register Entities and maintain lineage records
• Process orders and facilitate marketplace transactions
• Send order confirmations, updates, and notifications
• Process payments and issue refunds
• Facilitate communication between Buyers and Sellers
• Provide customer support and respond to inquiries
• Verify Seller identities and prevent fraud
• Improve our services, develop new features, and analyze usage patterns
• Send promotional communications (with your consent)
• Comply with legal obligations and enforce our terms

3. Location Privacy

We take location privacy seriously. When you register an Entity with a location, we apply a random offset to the displayed coordinates so that your exact address is never shown publicly.

• Public Entity pages show an approximate area, not exact coordinates
• Exact addresses are shared with Buyers only after a purchase is confirmed (for local pickup) or not at all (for shipped orders)
• You can hide Entity locations entirely from public view

For more details, see our Location Privacy help page.

4. Information Sharing

We do not sell your personal information. We may share your information in the following circumstances:

• With Sellers: When you make a purchase, we share your display name, shipping address, and contact information with the Seller to fulfill your order.
• With Buyers: If you are a Seller, your listing information and display name are publicly visible. Your contact information is shared with Buyers who place orders.
• Public Entity Pages: Entity information (species, lineage, descriptions, photos, approximate location) is publicly visible. Your full name is never displayed — only your display name.
• Service Providers: We share information with third-party service providers who help us operate our platform, including:
  • Stripe (payment processing)
  • Amazon Web Services (hosting and infrastructure)
  • Email service providers (transactional emails)
• Legal Requirements: We may disclose information if required by law, court order, or government request, or to protect the rights, property, or safety of Ohtli, our users, or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure password hashing
• Regular security assessments and updates
• Access controls limiting employee access to personal data
• PCI-compliant payment processing through Stripe

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as necessary to provide our services and fulfill the purposes described in this policy:

• Account Information: Retained while your account is active and for a reasonable period afterward to comply with legal obligations.
• Entity Records: Lineage records are retained indefinitely as part of the permanent genetic registry, even if your account is closed.
• Transaction Records: Retained for 7 years for tax and legal compliance.
• Communications: Retained for 3 years or as required for dispute resolution.
• Usage Data: Aggregated and anonymized data may be retained indefinitely for analytics.

You may request deletion of your account and personal data by contacting us. Some information may be retained as required by law or for legitimate business purposes. Entity records in the genetic registry are maintained as a permanent public record.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Required for the platform to function, including authentication and session management.
• Preference Cookies: Remember your settings and preferences.
• Analytics Cookies: Help us understand how users interact with our platform to improve our services.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our platform.

8. Your Rights and Choices

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information, subject to legal retention requirements and the permanence of Entity registry records.
• Portability: Request a machine-readable copy of your data.
• Opt-Out: Opt out of marketing communications.

To exercise these rights, please contact us at help@ohtli.org.

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information. To make a request, contact us at help@ohtli.org.

9. Children's Privacy

Ohtli is not intended for children under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

10. Third-Party Links

Our platform may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and updating the "Effective Date" at the top. For material changes, we may also send you an email notification. Your continued use of Ohtli after changes become effective constitutes acceptance of the revised policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: