Security & Privacy

How Omniops protects your business data and your customers' privacy.

Is my data secure?

Yes. All data is encrypted in transit and at rest using industry-standard encryption (AES-256). Each organisation's data is fully isolated — your business information, conversations, and credentials are never shared with or accessible to other businesses.

We treat security as a baseline, not a feature. Isolation between organisations is enforced at the database level, not just the application level.

Are you GDPR compliant?

Yes. We support all GDPR rights:

  • Right of access — export your data at any time
  • Right to erasure — request full deletion of your account and data
  • Right to portability — download your data in a standard format
  • Audit trail — records of data access and processing

A cookie consent banner is included with the customer-facing chat widget. A Data Processing Agreement (DPA) — a formal document some businesses need to show how their suppliers handle personal data — is available on request.

Are you CCPA compliant?

Yes. California consumer privacy rights are fully supported, including the right to know what data is collected, the right to delete personal information, and the right to opt out of data sales. We do not sell personal data.

Who can see my business data?

Only team members you've invited, with the role you've assigned. Admins see everything. Editors can manage content and conversations. Viewers have read-only access.

Omni processes your data to serve you — answering your questions, managing your tools, and helping your customers. Your data is never used to train models or shared with third parties.

How are my API keys and credentials stored?

All credentials — API keys, access tokens, and authorised connections — are encrypted with industry-standard encryption (AES-256) before storage. They are never logged, never displayed in the interface after entry, and never included in error reports or analytics.

If you need to update a credential, you replace it entirely rather than viewing the existing one. This is by design.

Can customers see my internal business data?

No. The customer-facing chat widget operates in a restricted mode. It can only access:

  • Product information (names, descriptions, pricing, availability)
  • Order lookups (when a customer provides their order number or email)
  • Contact details and opening hours
  • Content you've trained it on (FAQs, policies, service descriptions)

Your financials, margins, internal notes, supplier information, team communications, and business intelligence are never exposed to customers. This boundary is enforced at the system level, not just the prompt level.

What about my customers' personal data?

Customer data collected through the chat widget is handled in full compliance with GDPR and CCPA:

  • Data retention — configurable retention periods. You decide how long conversation history is kept.
  • Customer deletion — customers can request deletion of their personal data, and we process these requests promptly.
  • Minimal collection — we only collect what's needed to handle the conversation. No hidden tracking or profiling beyond what you've configured.
  • Cookie consent — the widget includes a consent mechanism for jurisdictions that require it.

For more detail on our security and privacy practices, see the Security Overview and Privacy Policy.