Privacy Policy
Omnymous, LLC.
Last Updated: January 14, 2026
Effective Date: January 14, 2026
1. Introduction
Omnymous, LLC. ("Omnymous," "we," "us," or "our") operates an AI-powered marketing platform designed for e-commerce brands ("Platform" or "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our Platform, visit our websites (omnymous.com, app.omnymous.com), or interact with us.
This Privacy Policy applies to business customers ("Customers"), their authorized users ("Users"), and visitors to our websites ("Visitors"). Omnymous provides services to businesses (B2B), not directly to consumers.
IMPORTANT NOTICE: This Privacy Policy provides information about our data practices. It does not constitute legal advice. Customers should consult qualified legal counsel for guidance on their own privacy compliance obligations, particularly regarding data they process through our Platform.
2. Data Controller and Contact Information
Data Controller: Omnymous, LLC. 1111b South Governors Ave STE 94887 Dover, DE, 19904 United States
Data Protection Contact: Email: legal@omnymous.com Subject Line: "Privacy Inquiry"
For EU/EEA and UK data subjects, we act as a data processor on behalf of our Customers, who remain the data controllers for their end-user data.
3. Information We Collect
3.1 Account Information
When you register for or use Omnymous, we collect:
- Identity Data: First name, last name, email address
- Authentication Data: Password (hashed), Google OAuth credentials (if using social login), session tokens
- Profile Data: Avatar URL, timezone, locale preferences
- Organization Data: Organization name, website, logo, plan type, billing information
- Role Data: User roles (owner, admin, member), permissions, team membership
3.2 Business and Store Data
When you connect e-commerce stores and advertising accounts:
- Shopify Store Data: Store name, domain, currency, timezone, products, product variants, product images, pages, access tokens (encrypted)
- Meta (Facebook/Instagram) Data: Business ID, business name, ad account information, campaign data, ad sets, ads, Meta pixel data, page access tokens (encrypted)
- Product Data: Product titles, descriptions, images, prices, cost of goods sold (COGS), variants, tags, collections
3.3 AI Generation and Content Data
When you use our AI-powered features:
- Generation Requests: Prompts, parameters, context data, knowledge pool references
- Generated Content: Market research reports, marketing variables, ad copy, image descriptions
- Usage Metrics: Token counts, credit usage, generation timestamps, AI model used, processing time
- Knowledge Pools: Uploaded documents, extracted text, generated insights, embeddings
3.4 Integration and API Key Data (BYOK)
For Customers using our Bring Your Own Key (BYOK) tier:
- Encrypted API Keys: OpenAI, Anthropic, and Google Gemini API keys (stored with AES-256-GCM encryption)
- Key Metadata: Last used timestamp, validation status, key hint (last 4 characters only)
- Provider: Which AI provider the key is associated with
Important: We do not have access to your decrypted API keys. Keys are encrypted using industry-standard AES-256-GCM encryption before storage. Only your organization can use these keys through our Platform.
3.5 Campaign and Advertising Data
- Campaign Data: Campaign names, objectives, budgets, targeting criteria, schedules, platform campaign IDs
- Ad Performance Data: Impressions, clicks, conversions, spend, revenue, ROAS, CTR, CPC
- Funnel Data: Landing pages, conversion pages, UTM parameters, conversion goals
3.6 Attribution and Analytics Data
Through our tracking pixel and attribution system:
- Pixel Events: Page views, product views, add-to-cart events, purchase events
- Session Data: Anonymous visitor IDs, session IDs, timestamps
- Attribution Data: Customer journey touchpoints, conversion attribution credits
- UTM Parameters: Source, medium, campaign, term, content parameters
- Technical Data: Hashed IP addresses (for fraud prevention), user agent strings, referrer URLs
Note: We hash IP addresses using one-way hashing. We do not store raw IP addresses for pixel tracking.
3.7 Payment and Billing Data
- Stripe Integration: We use Stripe for payment processing. We store Stripe customer IDs and subscription IDs, but do not store complete credit card numbers, CVVs, or full payment credentials
- Credit Package Purchases: Purchase history, credit amounts, package tiers
- Subscription Data: Plan type, billing cycle, subscription status, trial periods
3.8 Communications Data
- Email Communications: Transactional emails, support correspondence
- Support Tickets: Ticket content, attachments, reply history
- Appointment Data: Scheduled consultation calls, calendar data
3.9 Technical and Usage Data
- Log Data: Access logs, error logs, API request logs
- Device Data: Browser type, operating system, device type
- Usage Analytics: Feature usage, session duration, workflow patterns
- Audit Logs: Security-relevant actions, configuration changes, access events
4. How We Use Your Information
4.1 Service Provision
- Operating and maintaining the Platform
- Processing AI generation requests
- Managing integrations with Shopify, Meta, and other platforms
- Providing attribution and analytics services
- Processing payments and managing subscriptions
- Delivering customer support
4.2 Service Improvement
- Analyzing usage patterns to improve features
- Developing new capabilities and features
- Monitoring and optimizing Platform performance
- Troubleshooting technical issues
4.3 Security and Compliance
- Protecting against unauthorized access and fraud
- Enforcing our Terms of Service
- Complying with legal obligations
- Maintaining audit trails for compliance
4.4 Communications
- Sending transactional emails (verification, password reset, invoices)
- Providing support responses
- Sending service-related announcements
- Trial ending notifications and subscription updates
5. AI Data Processing and Training
5.1 How We Process AI Requests
When you use our AI-powered features:
- Subscription/Credits Tier: Your requests are processed through our AI providers (OpenAI, Anthropic, Google) using our API keys, routed through Helicone for observability
- BYOK Tier: Your requests are processed using your own API keys, routed through Helicone for observability only
5.2 AI Training Policy
WE DO NOT USE YOUR DATA TO TRAIN AI MODELS.
- Your content, prompts, and generated outputs are NOT used to train, fine-tune, or improve any AI models
- Your data is NOT shared with AI providers (OpenAI, Anthropic, Google) for their training purposes
- Each AI provider has separate terms regarding their data practices; we recommend reviewing their respective privacy policies
5.3 AI Provider Data Practices
We use the following AI providers:
- OpenAI: API data is not used for model training per their API terms
- Anthropic: API data is not used for model training per their API terms
- Google (Gemini): API data is not used for model training per their API terms
BYOK customers are responsible for their own agreements with these providers.
5.4 Observability and Logging
We use Helicone for AI request observability. This includes:
- Request/response logging for debugging and support
- Token usage tracking for billing
- Performance monitoring
- No training of models on logged data
6. Data Sharing and Disclosure
6.1 Third-Party Service Providers
We share data with service providers who assist in operating our Platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Payment information, customer IDs |
| AWS (Amazon Web Services) | Cloud infrastructure, storage | All Platform data (encrypted at rest) |
| Helicone | AI observability and logging | AI requests, token usage |
| Shopify | E-commerce integration | OAuth tokens, store data |
| Meta | Advertising integration | OAuth tokens, ad account data |
| SMTP Provider | Email delivery | Email addresses, email content |
| Redis | Caching and job queues | Session data, job data |
6.2 Integration Partners
When you connect third-party integrations:
- Shopify: We exchange data necessary for store synchronization and webhook processing
- Meta (Facebook/Instagram): We exchange data necessary for ad account management and pixel integration
6.3 Legal Requirements
We may disclose information when required by:
- Valid legal process (subpoenas, court orders)
- Law enforcement requests
- Protection of our rights and safety
- Prevention of fraud or illegal activity
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your data is transferred to a new entity with different privacy practices.
6.5 No Sale of Personal Information
We do not sell personal information. We do not share personal information with third parties for their direct marketing purposes.
7. Data Retention
7.1 Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days | Contract performance |
| Generated content | Duration of account | Service provision |
| Audit logs | 7 years | Legal compliance |
| Payment records | 7 years | Tax and legal compliance |
| Support tickets | 3 years after resolution | Service improvement |
| Pixel events | 2 years | Attribution analysis |
| Session tokens | Until expiration or logout | Security |
| Encrypted API keys (BYOK) | Duration of account | Service provision |
7.2 Account Deletion
Upon account deletion:
- Personal data is deleted within 30 days
- Generated content and library items are deleted
- Encrypted API keys are permanently destroyed
- Aggregate, anonymized analytics may be retained
- Data required for legal compliance is retained per applicable law
8. Data Security
8.1 Technical Measures
- Encryption in Transit: TLS 1.2+ for all data transmission
- Encryption at Rest: AES-256 encryption for stored data
- API Key Encryption: AES-256-GCM for stored third-party API keys
- Password Security: bcrypt hashing with salt
- Access Tokens: Encrypted storage for OAuth tokens
8.2 Organizational Measures
- Role-based access controls
- Audit logging of sensitive operations
- Regular security assessments
- Employee security training
- Incident response procedures
8.3 Infrastructure Security
- AWS cloud infrastructure with security certifications
- Network segmentation
- DDoS protection
- Regular security patching
9. International Data Transfers
9.1 Data Location
Primary data processing occurs in the United States. By using our Platform, you consent to the transfer of your data to the United States.
9.2 Transfer Mechanisms
For transfers from the EU/EEA or UK, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Data Processing Agreements with appropriate safeguards
9.3 EU-US Data Privacy Framework
We are committed to complying with applicable data transfer frameworks and will update our practices as regulatory guidance evolves.
10. Your Rights
10.1 Rights for All Users
Regardless of your location, you may:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Export your data (data portability)
- Opt out of non-essential communications
10.2 Additional Rights for EU/EEA and UK Residents
Under GDPR, you have additional rights to:
- Object to processing based on legitimate interests
- Restrict processing in certain circumstances
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with a supervisory authority
10.3 California Residents (CCPA/CPRA)
California residents have rights to:
- Know what personal information is collected
- Request deletion of personal information
- Opt out of the sale of personal information (we do not sell data)
- Non-discrimination for exercising privacy rights
- Limit use of sensitive personal information
10.4 Exercising Your Rights
To exercise your rights:
- In-App: Use account settings for data export or deletion
- Email: Contact legal@omnymous.com
- Response Time: We respond within 30 days (45 days for complex requests)
11. Cookies and Tracking
11.1 Essential Cookies
We use essential cookies for:
- Authentication and session management
- Security and fraud prevention
- Load balancing
11.2 Analytics
We may use analytics tools to understand Platform usage. These can be disabled through your browser settings.
11.3 Pixel Tracking
Our attribution pixel collects:
- Anonymous visitor identifiers
- Page view and e-commerce events
- UTM parameters
- Session information
The pixel does not collect personal information unless explicitly provided by end customers during purchase events.
12. Customer Responsibilities
12.1 Data Controller Obligations
As a business customer, you are the data controller for:
- Your end customers' personal data processed through our Platform
- Data collected through our pixel on your websites
- Employee/user data within your organization
You are responsible for:
- Providing appropriate privacy notices to your end customers
- Obtaining necessary consents for data collection
- Responding to data subject requests from your end customers
- Ensuring lawful basis for data processing
12.2 Data Processing Agreement
Enterprise customers may request a Data Processing Agreement (DPA) that:
- Defines our role as data processor
- Specifies processing instructions
- Includes Standard Contractual Clauses for international transfers
- Documents technical and organizational security measures
12.3 BYOK Responsibilities
If you use the BYOK tier:
- You are responsible for your API key security and management with providers
- You are bound by each provider's terms of service
- API usage and costs are your direct responsibility
- We are not liable for provider service disruptions or policy changes
13. Children's Privacy
Omnymous is a business-to-business platform not directed to children under 16. We do not knowingly collect personal information from children. If we learn we have collected data from a child, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy periodically. Changes will be:
- Posted on this page with an updated "Last Updated" date
- Communicated via email for material changes
- Effective immediately unless otherwise stated
Continued use of the Platform after changes constitutes acceptance of the updated policy.
15. Contact Us
For privacy-related inquiries:
Email: legal@omnymous.com
Mail: Omnymous, LLC. 1111b South Governors Ave STE 94887 Dover, DE, 19904 United States
16. Supplemental Notices
16.1 Notice for European Economic Area (EEA) Residents
Legal Basis for Processing:
| Processing Activity | Legal Basis |
|---|---|
| Account management | Contract performance |
| Service provision | Contract performance |
| Security and fraud prevention | Legitimate interests |
| Legal compliance | Legal obligation |
| Service improvement | Legitimate interests |
| Marketing communications | Consent |
16.2 Notice for California Residents
Categories of Personal Information Collected (past 12 months):
- Identifiers (name, email, IP address)
- Commercial information (subscription data, purchase history)
- Internet activity (usage data, browsing history on our Platform)
- Professional information (business data, organization membership)
- Inferences drawn from the above
We do not sell personal information as defined by the CCPA.
Do Not Track: Our Platform does not respond to "Do Not Track" browser signals.
16.3 Notice for Brazilian Residents (LGPD)
Brazilian data subjects have rights under Lei Geral de Protecao de Dados (LGPD) similar to those listed in Section 10. Contact legal@omnymous.com for requests.
Document Version: 1.0 Classification: Public