Privacy Policy

1. Who we are

OTA Media Ltd (“OTA Media”, “we”, “us”) is the data controller for personal data processed through the OTA Media Leadership Index at otamedia.ai, The Fifty at fifty.otamediagroup.com, and the Hello Li iOS application (bundle ai.helloli).

Registered office: Unit 82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE
Contact: info@otamediagroup.com
ICO registration: Registered with the UK Information Commissioner's Office

2. What data we collect

When you use the Leadership Index, we may collect the following categories of personal data:

Account data: your name, email address, and authentication credentials when you create an account. If you sign in with Google, we receive your name and email from Google. We do not receive or store your Google password.

Assessment data: your responses to the psychometric assessment questions, your computed dimension scores, normalised scores, and your assigned leadership archetype. This is the core data generated through the Leadership Index.

Organisation data: if you join an organisation on the platform (for example, via a team invite), we store your membership of that organisation, your role within it, and your invitation status.

Payment data: if you subscribe to a paid plan, payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status but never see or store your card number, bank details, or billing address.

Usage data: we collect anonymised analytics data including pages viewed, features used, and session duration through PostHog. This data is used to improve the product and is not linked to your identity.

Technical data: standard server logs including your IP address, browser type, and operating system. These are retained for security and debugging purposes.

3. How we use your data

We process your personal data for the following purposes:

To deliver the assessment: calculating your leadership scores, determining your archetype, and displaying your results. The lawful basis is performance of a contract (you request the assessment and we deliver it).

To manage your account: authenticating your identity, storing your assessment history, and enabling access to your dashboard. The lawful basis is performance of a contract.

To enable team features: if your organisation administrator invites you, we share your name, archetype, and aggregated scores with the organisation's admin dashboard. The lawful basis is legitimate interest (enabling the team functionality you opted into by accepting the invitation).

To produce The Fifty rankings: if you are a nominated participant in The Fifty, your assessment data contributes to the ranking methodology. Your individual responses are never published. Only your archetype and aggregated profile appear in the rankings. The lawful basis is legitimate interest.

To communicate with you: sending invitation emails, assessment confirmations, and product updates. The lawful basis is legitimate interest for transactional emails and consent for marketing emails. Every email includes an unsubscribe option.

To improve the platform: analysing anonymised usage patterns to improve the assessment experience. The lawful basis is legitimate interest.

4. How we protect your data

We take the security of your data seriously, particularly given the sensitive nature of psychometric assessment results. The following measures are in place:

Encryption: all data is protected by industry-standard encryption, both in transit and at rest.

Strict access controls: your assessment data can only be accessed by you and, where applicable, your organisation's administrator. No other user can query, view, or export your individual responses or scores.

Audited infrastructure: our database, authentication, and application are hosted on independently audited cloud providers with industry-standard security certifications.

Rate limiting and audit logging: access to the platform is rate-limited to prevent abuse, and sensitive operations are logged with an audit trail.

Input validation: all data submitted to the platform is validated before processing.

5. Who we share your data with

We share personal data only with the following categories of recipients, and only to the extent necessary to operate the platform:

Supabase — our database and authentication provider, acting as a data processor on our behalf.

Vercel — our application hosting provider, acting as a data processor.

Stripe — our payment processor. If you subscribe to a paid plan, Stripe handles your payment as an independent data controller under their own privacy policy.

Resend — our transactional email provider, acting as a data processor.

PostHog — our anonymised analytics provider.

Your organisation administrator: if you accept a team invitation, your administrator can see your name, archetype, and dimension scores through the team dashboard. They cannot see your individual question responses.

We do not sell your personal data. We do not share your data with advertisers. We do not use your assessment responses to train AI models.

6. Third-party AI services (Hello Li)

The Hello Li iOS application uses three third-party AI services to generate the conversational responses, voice transcription, and voice synthesis that make the app function. These services are not used by the Leadership Index web platform at otamedia.ai. Each is disclosed below by name, what data is sent, and how that data is handled. The Hello Li app surfaces this disclosure in-app immediately after sign-in, and no data is transmitted to any of these vendors until you have explicitly tapped “I understand — Continue”.

Anthropic Claude (conversational reasoning — provided by Anthropic, PBC, San Francisco, USA). When you send a message to Li or speak to Li in voice mode, the text of your message and the immediate prior conversation context required for Li to respond coherently is transmitted to Anthropic’s Claude API. Anthropic does not use API inputs to train its models and does not retain inputs or outputs beyond the duration of the API call. Vendor terms: Anthropic Privacy Policy and Commercial Terms of Service.

OpenAI Whisper (speech-to-text transcription — provided by OpenAI, OpCo, LLC, San Francisco, USA). When you tap the microphone in voice mode and speak, your voice is recorded locally on your device, then transmitted as an audio file to OpenAI’s Whisper API for transcription. The Whisper service returns the transcribed text, which is then passed into Anthropic Claude as described above. OpenAI does not use API inputs to train its models and discards transcribed audio after returning the transcript. Vendor terms: OpenAI Privacy Policy and API Data Usage Policy.

ElevenLabs (voice synthesis — provided by ElevenLabs, Inc., New York, USA). When Li responds to you in voice mode, the text of Li’s response is transmitted to ElevenLabs’ text-to-speech API. ElevenLabs returns the synthesised audio, which Hello Li plays back to you on your device. ElevenLabs does not retain text inputs or generated audio for training and discards both after the API call. Vendor terms: ElevenLabs Privacy Policy.

Your name, email, profile data, and assessment results are never shared with Anthropic, OpenAI, or ElevenLabs. We do not sell your data to anyone. We do not use your conversations to train any AI model. We do not allow third parties to retain or re-use your conversations beyond the API call required to serve you.

Future vendor changes. When we change the AI vendor list — for example, when we replace OpenAI Whisper and ElevenLabs with NVIDIA Riva for voice in Hello Li v1.1 — the in-app disclosure will re-prompt you with the updated vendor set, and this section will be revised to match. We will not silently substitute one vendor for another.

7. International data transfers

Our primary database is hosted by Supabase in the EU. Some of our processors (Vercel, Resend, PostHog) may process data in the United States. Where data is transferred outside the UK or EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner.

8. How long we keep your data

Assessment data: retained for as long as your account is active, so you can track your leadership development over time. If you delete your account, your assessment data is permanently deleted within 30 days.

Account data: retained for as long as your account exists. You can request deletion at any time.

Server logs: retained for up to 90 days for security and debugging purposes, then automatically deleted.

Analytics data: anonymised and retained indefinitely as it cannot be linked back to you.

9. Your rights

Under UK GDPR, you have the following rights. To exercise any of them, email us at info@otamediagroup.com.

Right of access: request a copy of the personal data we hold about you.

Right to rectification: ask us to correct inaccurate personal data.

Right to erasure: ask us to delete your personal data. We will do so unless we have a lawful reason to retain it.

Right to restrict processing: ask us to limit how we use your data while a concern is being resolved.

Right to data portability: request your data in a structured, machine-readable format.

Right to object: object to processing based on legitimate interest. We will stop unless we have compelling grounds to continue.

We aim to respond to all requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.

10. Cookies

The Leadership Index uses essential cookies for authentication (keeping you signed in) and session management. These are strictly necessary for the platform to function and do not require consent.

We use PostHog for anonymised product analytics. PostHog sets a cookie to distinguish unique visitors. This data is not used for advertising and is not shared with third parties.

We do not use advertising cookies, tracking pixels, or third-party marketing tools.

11. Children

The Leadership Index is designed for professionals and is not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through a notice on the platform. The “last updated” date at the top of this page indicates when the policy was most recently revised.