Privacy Policy

Our Commitment

We take your privacy seriously. This policy describes our practices in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the EU AI Act, and other applicable privacy laws. We only collect data necessary to provide our services and we never sell your personal information.

Definitions

To help you understand this policy, here are key terms we use:

• Personal Data: Any information that relates to an identified or identifiable individual
• Processing: Any operation performed on personal data (collecting, storing, using, sharing, deleting)
• Data Controller: The entity that determines the purposes and means of processing (us, when we process your data)
• Data Processor: An entity that processes data on behalf of the controller (our service providers)
• Data Subject: The individual whose personal data is being processed (you)

Data We Collect

Information You Provide

• Chat messages and conversations with our AI assistant
• Account registration information (email, business name)
• Payment information (processed securely by our payment provider)
• Support inquiries and feedback

Information Collected Automatically

• Session identifiers (anonymous, no personal data required)
• Website domain where the chat widget is installed
• Basic usage analytics (page views, chat interactions) — only with your analytics consent
• Device type, browser type, and operating system — only with your analytics consent
• IP address (anonymized for analytics) — only with your analytics consent
• Timestamps of interactions

Mobile Application (iOS)

When you use our iOS application, we additionally collect:

• Device model and operating system version (for compatibility and support)
• App version and build number (for troubleshooting)
• Session authentication tokens (stored securely in iOS Keychain)
• Conversation history (synced with your account on our servers)

We do not collect location data, contacts, photos, or other device data beyond what is listed above. The iOS app does not use third-party analytics SDKs — all analytics flow through our own server infrastructure.

Information from Third Parties

We may receive information from third-party integrations you connect:

• WooCommerce: Product catalogs, order information (when you enable this integration)
• Shopify: Store data, product information (when you enable this integration)
• Google Workspace: Calendar events, emails, documents, and contacts (when you enable this integration)
• Microsoft 365: Calendar events, emails, and Teams data (when you enable this integration)
• WhatsApp, Instagram, and Messenger: Customer messages and conversation history (when you enable these integrations)
• Slack: Team messages and notifications (when you enable this integration)
• Meta Ads: Campaign performance data (when you enable this integration)

Legal Basis for Processing (GDPR Article 6)

We process your personal data only when we have a valid legal basis to do so under GDPR:

Contract Performance (Art. 6(1)(b))

Processing necessary to provide our services to you:

• Providing the AI chat widget functionality
• Processing and responding to chat conversations
• Managing your account and subscription
• Providing customer support

Consent (Art. 6(1)(a))

Processing based on your explicit consent:

• Marketing communications and newsletters
• Non-essential cookies and analytics
• Optional product integrations

Legitimate Interests (Art. 6(1)(f))

Processing based on our legitimate business interests, balanced against your rights:

• Security monitoring and fraud prevention
• Service improvement and analytics
• Troubleshooting and technical support
• Enforcing our terms of service

Legal Obligation (Art. 6(1)(c))

Processing required to comply with legal obligations:

• Tax and accounting requirements
• Responding to lawful requests from authorities
• Data protection compliance and audit trails

AI and Automated Processing

Our service processes data in the following ways:

• Response Generation: Your messages are processed by AI models from Anthropic (Claude), OpenAI (GPT), and Google (Gemini) to generate contextually relevant responses
• Content Understanding: We crawl and index your website content to build a knowledge base for your specific products and services
• Multiple AI Providers: We use multiple AI providers and may route your data through any active provider based on capability and availability
• No Automated Decision-Making: We do not use AI to make automated decisions that have legal or similarly significant effects on you

Important limitations:

• AI responses may not always be accurate - users should verify important information
• AI cannot provide medical, legal, or financial advice
• AI responses are generated based on training data and may not reflect current information
• Human oversight is available through your account dashboard

You have the right to request human review of any AI-generated response or to opt out of AI processing where technically feasible. Contact us to exercise these rights.

Data Storage and Security

Where We Store Your Data

• Primary storage: Supabase (PostgreSQL) hosted in the European Union
• AI processing: Anthropic (Claude), OpenAI, and Google (Gemini) servers in the United States
• Production hosting: Hetzner Cloud servers in Germany (EU)
• Content delivery: Cloudflare CDN (globally distributed)

Security Measures (GDPR Article 32)

We implement appropriate technical and organizational measures to protect your data:

• Encryption at Rest: All stored data is encrypted using AES-256
• Encryption in Transit: All data transfers use TLS 1.3
• Access Controls: Role-based access with principle of least privilege
• Domain Isolation: Customer data is logically separated by domain
• API Key Encryption: Customer API keys are encrypted before storage
• Regular Audits: Security reviews and vulnerability assessments
• Audit Logging: Comprehensive logs of data access and modifications

Infrastructure Monitoring and Recovery

We maintain continuous monitoring and recovery capabilities to protect service availability and your data:

• Uptime Monitoring: External health checks run every 5 minutes with automated alerting on service degradation
• Error Tracking: Application errors are monitored via Sentry with automated triage and alerting
• Database Backups: Automated daily backups with integrity verification and secure offsite storage
• Zero-Downtime Deployments: Code updates are deployed using a warm-standby pattern with instant rollback capability
• Incident Response: Multi-channel alerting (email, messaging) with documented response procedures and post-incident reviews
• Disaster Recovery: Automated server provisioning and documented recovery procedures with tested restoration from backups

Data Retention

We retain your data for the following periods:

• Chat Conversations: 90 days (configurable in your dashboard)
• Website Content: Until manually refreshed or account deletion
• Analytics Data: 180 days
• Account Data: Duration of account plus 2 years for legal compliance
• Audit Logs: 24 months as required by regulations

You can configure shorter retention periods in your dashboard privacy settings.

International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including to countries that may not provide the same level of data protection.

Transfer Mechanisms

When we transfer data outside the European Economic Area (EEA), we rely on:

• Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements with our processors
• UK International Data Transfer Agreement (IDTA): UK-approved transfer mechanism for data originating from the United Kingdom (post-Brexit requirement)
• Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate protection
• Supplementary Measures: Additional technical and organizational safeguards where required

Third-Party Processors

The following processors may receive your data:

• Anthropic (United States): Primary AI agent (Claude) — protected by SCCs and UK IDTA
• OpenAI (United States): AI response generation — protected by SCCs and UK IDTA
• Google (United States): AI processing (Gemini) — protected by SCCs and UK IDTA
• Supabase (European Union): Primary data storage — EU-based processing
• Hetzner Cloud (Germany): Production hosting — EU-based processing
• Cloudflare (Global): CDN and DDoS protection — EU Points of Presence, protected by SCCs
• Sentry (United States): Error monitoring — protected by SCCs and UK IDTA
• Resend (United States): Transactional emails — protected by SCCs and UK IDTA
• Stripe (United States): Payment processing — PCI DSS compliant, protected by SCCs

Optional integrations transfer data per their own data processing agreements. See our Data Processing Agreement for details.

Your Data Rights

Under GDPR and other applicable laws, you have the following rights regarding your personal data:

• Right to Access (Art. 15): Request a copy of your personal data and information about how it is processed
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing (Art. 18): Request limitation of how we process your data
• Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
• Rights Related to Automated Processing (Art. 22): Not be subject to decisions based solely on automated processing
• Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent

We will not discriminate against you for exercising your privacy rights. Your rights are subject to certain exemptions, such as where we need to retain data for legal compliance purposes.

Cookies and Tracking

We use cookies and similar technologies to provide and improve our services. You can manage your cookie preferences through our cookie consent banner.

Essential Cookies

These cookies are necessary for the service to function and cannot be disabled:

• Session management and authentication
• Chat persistence across page reloads
• Security and fraud prevention
• Load balancing and service delivery

Analytics Cookies (Optional)

With your consent, we use analytics cookies to:

• Understand how visitors use our service
• Measure the effectiveness of features
• Improve user experience based on usage patterns

For a complete list of cookies including names and durations, see our Cookie Policy.

Do Not Track

We respect browser "Do Not Track" signals. When enabled, we limit tracking to essential service functionality only.

Third-Party Services

We integrate with the following third-party services to provide our functionality. Each service processes data according to their own privacy policy:

Core services (always active):

• Anthropic — Primary AI agent (Claude). See Anthropic Privacy Policy
• OpenAI — AI response generation and embeddings. See OpenAI Privacy Policy
• Google (Gemini) — AI processing for creative and website features. See Google Privacy Policy
• Supabase — Database and authentication services. See Supabase Privacy Policy
• Hetzner Cloud — Production hosting (Germany). See Hetzner Privacy Policy
• Cloudflare — CDN and DDoS protection. See Cloudflare Privacy Policy
• Sentry — Error monitoring. See Sentry Privacy Policy
• Resend — Transactional emails. See Resend Privacy Policy
• Google Analytics — Website usage analytics (consent-gated; only active when you accept analytics cookies). See Google Privacy Policy
• UptimeRobot — External uptime monitoring (health checks only, no user data processed). See UptimeRobot Privacy Policy
• Playwright and Crawlee — Web scraping for indexing your website content. Data is processed locally and stored in our systems.
• Stripe — Payment processing. We do not store your full payment card details. See Stripe Privacy Policy

Optional integrations (when enabled by you):

• WooCommerce — E-commerce product integration. Your encrypted credentials connect directly to your store.
• Shopify — E-commerce product integration. Uses OAuth for secure authorization.
• Google Workspace — Calendar, Gmail, Drive, Contacts, Sheets, and Forms (when enabled)
• Microsoft 365 — Calendar, Outlook, and Teams (when enabled)
• WhatsApp Business — Customer messaging (when enabled)
• Instagram — Customer messaging (when enabled)
• Facebook Messenger — Customer messaging (when enabled)
• Slack — Team notifications (when enabled)
• Meta Ads — Advertising management (when enabled)

A complete list of sub-processors with locations and purposes is available in our Data Processing Agreement.

Children's Privacy

We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information from our servers promptly.

Data Breach Notification

In the event of a personal data breach, we follow strict procedures in accordance with GDPR Articles 33 and 34:

• Authority Notification: We will notify the relevant supervisory authority (ICO for UK users) within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms
• User Notification: If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay
• Documentation: We maintain records of all breaches, including their effects and remedial actions taken

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

Your California Rights

• Right to Know: Request information about what personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information
• Right to Limit: Limit the use and disclosure of sensitive personal information
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information:

• Identifiers (email address, IP address, session ID)
• Commercial information (purchase history via integrations)
• Internet activity (chat interactions, browsing behavior)
• Inferences (chat context and preferences)

To exercise your California privacy rights, visit our Data Rights Page or contact us at hello@omniops.co.uk.

Contact Us and Complaints

Data Controller

The data controller responsible for your personal information is:

Privacy Inquiries

For privacy-related questions or to exercise your data rights:

• Email: hello@omniops.co.uk
• Dashboard: Privacy Settings
• Data Requests: GDPR Rights Page

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your privacy rights:

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements.

• Material Changes: We will notify you via email and/or a prominent notice on our website at least 30 days before changes take effect
• Minor Changes: Updates that don't affect your rights will be posted with an updated "Last Updated" date
• Continued Use: Your continued use of the Service after changes become effective constitutes acceptance of the revised policy

We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices.