Privacy Policy

Last updated: November 27, 2025 | Version 2.0

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our AI-powered customer service chat widget. We are committed to protecting your privacy and ensuring transparency about our data practices.

Our Commitment

We take your privacy seriously. This policy describes our practices in accordance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), the EU AI Act, and other applicable privacy laws. We only collect data necessary to provide our services and we never sell your personal information.

Definitions

To help you understand this policy, here are key terms we use:

  • Personal Data: Any information that relates to an identified or identifiable individual
  • Processing: Any operation performed on personal data (collecting, storing, using, sharing, deleting)
  • Data Controller: The entity that determines the purposes and means of processing (us, when we process your data)
  • Data Processor: An entity that processes data on behalf of the controller (our service providers)
  • Data Subject: The individual whose personal data is being processed (you)

Data We Collect

Information You Provide

  • Chat messages and conversations with our AI assistant
  • Account registration information (email, business name)
  • Payment information (processed securely by our payment provider)
  • Support inquiries and feedback

Information Collected Automatically

  • Session identifiers (anonymous, no personal data required)
  • Website domain where the chat widget is installed
  • Basic usage analytics (page views, chat interactions)
  • Device type, browser type, and operating system
  • IP address (anonymized for analytics)
  • Timestamps of interactions

Information from Third Parties

We may receive information from third-party integrations you connect:

  • WooCommerce: Product catalogs, order information (when you enable this integration)
  • Shopify: Store data, product information (when you enable this integration)

Legal Basis for Processing (GDPR Article 6)

We process your personal data only when we have a valid legal basis to do so under GDPR:

Contract Performance (Art. 6(1)(b))

Processing necessary to provide our services to you:

  • Providing the AI chat widget functionality
  • Processing and responding to chat conversations
  • Managing your account and subscription
  • Providing customer support

Consent (Art. 6(1)(a))

Processing based on your explicit consent:

  • Marketing communications and newsletters
  • Non-essential cookies and analytics
  • Optional product integrations

Withdrawing Consent

You can withdraw consent at any time by contacting us or using the preference center in your dashboard. Withdrawal does not affect lawfulness of processing before withdrawal.

Legitimate Interests (Art. 6(1)(f))

Processing based on our legitimate business interests, balanced against your rights:

  • Security monitoring and fraud prevention
  • Service improvement and analytics
  • Troubleshooting and technical support
  • Enforcing our terms of service

Legal Obligation (Art. 6(1)(c))

Processing required to comply with legal obligations:

  • Tax and accounting requirements
  • Responding to lawful requests from authorities
  • Data protection compliance and audit trails

AI and Automated Processing

AI Disclosure (EU AI Act Article 50)

Our chat widget uses artificial intelligence to generate responses. When you interact with our chat widget, you are communicating with an AI system, not a human.

Our AI-powered service processes data in the following ways:

  • Response Generation: Your messages are processed by state-of-the-art language models to generate contextually relevant responses
  • Content Understanding: We scrape and analyze your website content to train the AI on your specific products and services
  • No Automated Decision-Making: We do not use AI to make automated decisions that have legal or similarly significant effects on you

Important limitations of AI-generated content:

  • AI responses may not always be accurate - users should verify important information
  • AI cannot provide medical, legal, or financial advice
  • AI responses are generated based on training data and may not reflect current information
  • Human oversight is available through your account dashboard

You have the right to request human review of any AI-generated response or to opt out of AI processing where technically feasible. Contact us to exercise these rights.

Data Storage and Security

Where We Store Your Data

  • Primary storage: Supabase (PostgreSQL) hosted in the European Union
  • AI processing: OpenAI servers in the United States (see International Transfers)
  • Content delivery: Globally distributed CDN for performance

Security Measures (GDPR Article 32)

We implement appropriate technical and organizational measures to protect your data:

  • Encryption at Rest: All stored data is encrypted using AES-256
  • Encryption in Transit: All data transfers use TLS 1.3
  • Access Controls: Role-based access with principle of least privilege
  • Domain Isolation: Customer data is logically separated by domain
  • API Key Encryption: Customer API keys are encrypted before storage
  • Regular Audits: Security reviews and vulnerability assessments
  • Audit Logging: Comprehensive logs of data access and modifications

Data Retention

We retain your data for the following periods:

  • Chat Conversations: 90 days (configurable in your dashboard)
  • Website Content: Until manually refreshed or account deletion
  • Analytics Data: 180 days
  • Account Data: Duration of account plus 2 years for legal compliance
  • Audit Logs: 24 months as required by regulations

You can configure shorter retention periods in your dashboard privacy settings.

International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including to countries that may not provide the same level of data protection.

Transfer Mechanisms

When we transfer data outside the European Economic Area (EEA), we rely on:

  • Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements with our processors
  • Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate protection
  • Supplementary Measures: Additional technical and organizational safeguards where required

Third-Party Processors

The following processors may receive your data:

  • OpenAI (United States): AI response generation - protected by SCCs and supplementary security measures
  • Supabase (European Union): Primary data storage - EU-based processing
  • Stripe (United States): Payment processing - PCI DSS compliant, protected by SCCs

Your Rights

You can request a copy of the safeguards we use for international transfers by contacting us. See Your Data Rights for more information.

Your Data Rights

Under GDPR and other applicable laws, you have the following rights regarding your personal data:

  • Right to Access (Art. 15): Request a copy of your personal data and information about how it is processed
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing (Art. 18): Request limitation of how we process your data
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
  • Rights Related to Automated Processing (Art. 22): Not be subject to decisions based solely on automated processing
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent

Exercise Your Rights

Visit our GDPR Rights Page to submit a data request, or contact us at hello@omniops.co.uk. We respond to all requests within 30 days.

We will not discriminate against you for exercising your privacy rights. Your rights are subject to certain exemptions, such as where we need to retain data for legal compliance purposes.

Cookies and Tracking

We use cookies and similar technologies to provide and improve our services. You can manage your cookie preferences through our cookie consent banner.

Essential Cookies

These cookies are necessary for the service to function and cannot be disabled:

  • Session management and authentication
  • Chat persistence across page reloads
  • Security and fraud prevention
  • Load balancing and service delivery

Analytics Cookies (Optional)

With your consent, we use analytics cookies to:

  • Understand how visitors use our service
  • Measure the effectiveness of features
  • Improve user experience based on usage patterns

Cookie Preferences

You can change your cookie preferences at any time using our cookie consent banner or by clearing cookies in your browser settings. Note that disabling essential cookies may affect service functionality.

Do Not Track

We respect browser "Do Not Track" signals. When enabled, we limit tracking to essential service functionality only.

Third-Party Services

We integrate with the following third-party services to provide our functionality. Each service processes data according to their own privacy policy:

  • OpenAI - AI response generation. Your chat messages are sent to OpenAI for processing. See OpenAI Privacy Policy
  • Supabase - Database and authentication services. See Supabase Privacy Policy
  • Playwright and Crawlee - Web scraping for indexing your website content. Data is processed locally and stored in our systems.
  • Stripe - Payment processing. We do not store your full payment card details. See Stripe Privacy Policy

Optional integrations (when enabled by you):

  • WooCommerce - E-commerce product integration. Your encrypted credentials connect directly to your store.
  • Shopify - E-commerce product integration. Uses OAuth for secure authorization.

We maintain data processing agreements with all our processors to ensure your data is protected according to GDPR requirements.

Children's Privacy

Age Restriction

Our Service is not directed to children under 16 years of age (or 13 in jurisdictions where that is the applicable age under COPPA or similar laws).

We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.

If we become aware that we have collected personal data from a child without verification of parental consent, we will take steps to delete that information from our servers promptly.

Data Breach Notification

In the event of a personal data breach, we follow strict procedures in accordance with GDPR Articles 33 and 34:

  • Authority Notification: We will notify the relevant supervisory authority (ICO for UK users) within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms
  • User Notification: If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay
  • Documentation: We maintain records of all breaches, including their effects and remedial actions taken

What We Will Tell You

If we need to notify you of a breach, we will provide:

  • A description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for more information

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights:

Your California Rights

  • Right to Know: Request information about what personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the "sale" or "sharing" of personal information
  • Right to Limit: Limit the use and disclosure of sensitive personal information
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

Do Not Sell or Share My Personal Information

We do not sell your personal information to third parties. We do not "share" your personal information for cross-context behavioral advertising.

Categories of Information Collected

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (email address, IP address, session ID)
  • Commercial information (purchase history via integrations)
  • Internet activity (chat interactions, browsing behavior)
  • Inferences (chat context and preferences)

To exercise your California privacy rights, visit our Data Rights Page or contact us at hello@omniops.co.uk.

Contact Us and Complaints

Data Controller

The data controller responsible for your personal information is:

Omniops Ltd

Email: hello@omniops.co.uk

Privacy Inquiries

For privacy-related questions or to exercise your data rights:

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated your privacy rights:

UK Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

For other EU countries, contact your local data protection authority.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements.

  • Material Changes: We will notify you via email and/or a prominent notice on our website at least 30 days before changes take effect
  • Minor Changes: Updates that don't affect your rights will be posted with an updated "Last Updated" date
  • Continued Use: Your continued use of the Service after changes become effective constitutes acceptance of the revised policy

We encourage you to review this Privacy Policy periodically for the latest information on our privacy practices.