Privacy Policy

1. Introduction

Omni, Inc. (“Omni,” “we,” “us,” or “our”), a corporation organized under the laws of the State of Delaware, is committed to protecting your privacy. This Privacy Policy (“Policy”) explains how we collect, use, disclose, retain, and safeguard your information when you access or use the Omni platform, website located at useomni.org, and all related services, including OmniChat, OmniCalls, and OmniReach (collectively, the “Service”).

This Policy applies to all users of the Service, including business account holders (“Customers”) and the end users who interact with our Customers' AI agents (“End Users”). By accessing or using the Service, you acknowledge that you have read and understood this Policy.

This Policy is incorporated into and forms part of our Terms of Service. Capitalized terms not defined herein have the meanings assigned to them in the Terms of Service.

2. Data Controller & Data Processor

For purposes of applicable data protection laws, including the General Data Protection Regulation (“GDPR”):

• Omni as Data Controller: Omni acts as the data controller for personal data we collect directly from you when you create an account, visit our website, or interact with our marketing and support channels.
• Omni as Data Processor: When you use our AI agents to interact with your customers, Omni acts as a data processor on your behalf. You, as the Customer, are the data controller for any personal data of your End Users that is processed through the Service. You are responsible for ensuring that you have a lawful basis to collect and process such data and for providing appropriate privacy notices to your End Users.

If you require a Data Processing Agreement (“DPA”), please contact us at privacy@useomni.org.

3. Information We Collect

3.1 Information You Provide Directly

• Account Information: Name, email address, password (hashed), phone number, and profile details
• Billing Information: Payment card details and billing address, processed securely by our third-party payment processor, Stripe, Inc. Omni does not store your full payment card number on our servers.
• Business Information: Company name, industry, business description, service offerings, FAQs, booking rules, operating hours, and other information you provide to configure your AI agents
• Support Communications: Information you provide when contacting our support team, including email correspondence and any attachments
• User Content: Any data, text, files, or materials you upload to the Service

3.2 Information Collected Automatically

• Usage Data: Pages visited, features used, actions taken, session duration, click patterns, and interaction timestamps
• Device Information: Browser type and version, operating system, device type, screen resolution, and unique device identifiers
• Network Information: IP address, internet service provider, referring/exit URLs, and approximate geolocation derived from IP address
• Cookies & Tracking Technologies: Data collected through cookies, web beacons, pixels, and similar technologies (see Section 11 for details)
• Log Data: Server logs containing request timestamps, request/response details, error logs, and performance metrics

3.3 Information Processed by Your AI Agents

When your AI agents interact with your customers, the following data may be processed through the Service on your behalf:

• Conversation Data: Messages exchanged between your AI agents and your End Users across all channels (chat, SMS, email, web widget)
• Voice Data: Call recordings, voicemail recordings, and AI-generated transcripts processed through OmniCalls. Call recording is subject to applicable federal and state consent laws (see Section 8).
• Contact Information: Names, phone numbers, email addresses, and other contact details of your End Users collected during conversations
• Scheduling Data: Appointment bookings, calendar preferences, and scheduling metadata
• Outreach Data: Email and SMS campaign data, recipient lists, engagement metrics, and delivery status processed through OmniReach

3.4 Information from Third Parties

• Authentication Providers: If you sign in using a third-party service (e.g., Google), we receive basic profile information from that provider
• Channel Integrations: Data received through connected channels such as WhatsApp, Instagram, Facebook Messenger, and SMS gateways, as configured by you
• Analytics Providers: Aggregated and de-identified analytics data from third-party services we use to understand how the Service is used

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (“EEA”) or the United Kingdom (“UK”), we process your personal data on the following legal bases under the GDPR:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process payments, and fulfill our contractual obligations under the Terms of Service
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, including improving the Service, preventing fraud and abuse, ensuring network and information security, and conducting analytics — provided these interests are not overridden by your fundamental rights and freedoms
• Consent (Art. 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent, such as for marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, regulations, court orders, or legal processes

5. How We Use Your Information

We use the information we collect for the following purposes:

5.1 Service Delivery & Operations

• To provide, operate, maintain, and improve the Service and its features
• To process your AI agent interactions, generate responses, and deliver communications on your behalf
• To process payments, manage subscriptions, and send billing notifications
• To provide customer support and respond to your inquiries

5.2 Safety & Security

• To detect, investigate, and prevent fraud, abuse, unauthorized access, and other harmful activities
• To monitor and enforce compliance with our Terms of Service and Acceptable Use Policy
• To maintain the security, integrity, and availability of our systems and infrastructure

5.3 Analytics & Improvement

• To analyze usage patterns and trends to improve the Service
• To conduct research and development on AI agent performance and reliability
• To generate aggregated, de-identified statistics about Service usage

5.4 Communications

• To send transactional communications (account verification, password resets, billing receipts, service alerts)
• To send marketing communications where you have opted in or where permitted by applicable law (you may opt out at any time)

5.5 Legal & Compliance

• To comply with applicable laws, regulations, legal processes, and governmental requests
• To establish, exercise, or defend legal claims

6. Data Sharing & Disclosure

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We may disclose your information in the following limited circumstances:

6.1 Service Providers (Sub-Processors)

We engage trusted third-party companies to perform services on our behalf, including:

• Cloud Infrastructure: Hosting and data storage providers
• Payment Processing: Stripe, Inc. for payment and subscription management
• AI Model Providers: Third-party AI services used to power agent responses. Data sent to AI providers is transmitted securely and is not used by such providers to train their models (subject to our agreements with those providers).
• Communication Providers: Telephony, SMS, and email delivery services
• Analytics: Services that help us understand Service usage and performance

All service providers are contractually bound to use your data only for the purposes specified by Omni and in accordance with this Policy. See Section 7 below for a complete list of our current sub-processors.

6.2 Legal Requirements

We may disclose your information if required to do so by law, or in the good faith belief that such action is necessary to: (a) comply with a legal obligation, court order, subpoena, or governmental request; (b) protect and defend the rights, property, or safety of Omni, our users, or the public; (c) investigate potential violations of our Terms of Service; or (d) detect, prevent, or address fraud, security issues, or technical problems.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your personal information is transferred and becomes subject to a different privacy policy.

6.4 With Your Consent

We may share your information with third parties when you have given us your explicit consent to do so.

6.5 Aggregated & De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. Such data is not considered personal information under this Policy.

7. Sub-Processors & Third-Party Service Providers

The following table identifies the third-party sub-processors that may process personal data on our behalf in connection with the Service. We maintain contractual agreements with each sub-processor to ensure they process data only as instructed by Omni and in accordance with applicable data protection laws.

We will update this list when we add or replace sub-processors. If you subscribe to sub-processor change notifications, we will notify you by email at least fifteen (15) days before authorizing a new sub-processor. To subscribe, email privacy@useomni.org with the subject line “Sub-Processor Notifications.”

Each sub-processor's privacy policy, linked above, governs how that provider handles data independently. We encourage you to review their policies for full details.

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Specific retention periods include:

• Account Data: Retained for the duration of your active account and for up to ninety (90) days after account deletion to facilitate recovery and comply with legal obligations
• Conversation & Agent Data: Retained for the duration of your subscription. Upon termination, this data is deleted within ninety (90) days unless you request earlier deletion.
• Call Recordings & Transcripts: Retained for the duration of your subscription or as required by applicable law, whichever is longer
• Billing Records: Retained for seven (7) years to comply with tax and financial record-keeping obligations
• Log & Usage Data: Retained for up to twenty-four (24) months for analytics and security purposes
• Marketing Preferences: Retained until you withdraw consent or unsubscribe

Upon expiration of a retention period, data is either securely deleted or irreversibly anonymized. You may request earlier deletion of your data by contacting privacy@useomni.org, subject to applicable legal retention requirements.

9. Call Recording & Consent

OmniCalls may record and transcribe phone calls on your behalf. You acknowledge and agree that:

• You are solely responsible for complying with all applicable federal and state call recording laws, including one-party and two-party (all-party) consent jurisdictions
• You must configure appropriate disclosure and consent mechanisms (e.g., call recording announcements) as required by the laws of your jurisdiction and the jurisdiction of the individuals you call
• Omni provides tools to enable recording disclosures, but does not provide legal advice regarding compliance with specific recording consent laws
• Call recordings are stored securely and encrypted at rest. Access to recordings is limited to authorized account users

10. Data Security

We implement administrative, technical, and physical security measures designed to protect your personal information, including:

• Encryption: Data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256 or equivalent industry-standard encryption
• Access Controls: Role-based access controls, multi-factor authentication for internal systems, and principle of least privilege for employee access
• Infrastructure Security: Hosting on SOC 2-compliant cloud infrastructure with regular vulnerability scanning and penetration testing
• Monitoring: Continuous logging, anomaly detection, and alerting for security events
• Incident Response: Documented incident response procedures for detecting, containing, and remediating security incidents

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

11. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, Omni will:

• Notify affected users without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, as required by applicable law
• Notify the relevant supervisory authority where required by GDPR or other applicable data protection laws
• Provide a description of the nature of the breach, the categories and approximate number of affected individuals, the likely consequences of the breach, and the measures taken to address and mitigate the breach

12. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to collect and store information about your interactions with the Service. The types of cookies we use include:

12.1 Strictly Necessary Cookies

Essential for the Service to function. These cookies enable core functionality such as authentication, session management, and security. They cannot be disabled.

12.2 Analytics Cookies

Help us understand how visitors interact with the Service by collecting information about pages visited, time spent, and navigation patterns. This data is aggregated and anonymized where possible.

12.3 Functional Cookies

Enable enhanced functionality and personalization, such as remembering your preferences, language settings, and display options.

Managing Cookies

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may impair the functionality of the Service. For more information about cookies and how to manage them, visit allaboutcookies.org.

13. Do Not Track Signals

Some browsers transmit “Do Not Track” (“DNT”) signals. Because there is no common industry standard for interpreting DNT signals, the Service does not currently respond to DNT signals. We will revisit this policy if a uniform standard is adopted.

14. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

14.1 Rights Under the GDPR (EEA/UK)

• Right of Access (Art. 15): Request a copy of the personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data (“right to be forgotten”), subject to applicable legal exceptions
• Right to Restriction (Art. 18): Request that we restrict the processing of your data in certain circumstances
• Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing
• Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority

14.2 Rights Under U.S. State Privacy Laws

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other states with comprehensive privacy laws, you may have additional rights, including:

California (CCPA/CPRA)

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share personal information
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights
• Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information for purposes authorized by the CPRA

Categories of personal information collected in the preceding twelve (12) months are described in Section 3. We do not sell personal information, nor do we use or disclose sensitive personal information for purposes other than those permitted under the CPRA.

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA) & Similar State Laws

• Right to access your personal data
• Right to correct inaccuracies
• Right to delete your personal data
• Right to obtain a portable copy of your data
• Right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects

14.3 Exercising Your Rights

To exercise any of the rights described above, please contact us at privacy@useomni.org. We will respond to verified requests within the timeframes required by applicable law (generally thirty (30) days for GDPR requests and forty-five (45) days for CCPA/CPRA requests, with extensions where permitted).

We may need to verify your identity before processing your request. If we cannot verify your identity, we may decline the request. You may also designate an authorized agent to submit a request on your behalf, subject to our verification procedures.

If we deny your request, you have the right to appeal. To appeal, contact us at privacy@useomni.org with the subject line “Privacy Rights Appeal.”

15. Automated Decision-Making & AI Processing

The Service uses artificial intelligence to process data and generate content on your behalf. This includes:

• Generating automated chat and voice responses to End User inquiries
• Qualifying leads and routing conversations based on AI-assessed criteria
• Transcribing voice calls and generating conversation summaries
• Scheduling appointments based on conversational context
• Personalizing outreach content based on contact data

These automated processes are performed to deliver the Service as requested by you, the Customer. Omni does not use automated decision-making to make decisions that produce legal or similarly significant effects on individuals without human involvement. If you are an End User and have concerns about automated processing, please contact the business (Customer) that deployed the AI agent.

16. International Data Transfers

Omni is based in the United States. Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate, which may have data protection laws that differ from those in your jurisdiction.

If you are located in the EEA, UK, or Switzerland, we rely on the following legal mechanisms to transfer your personal data outside of those regions:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (and the UK Addendum, where applicable) for transfers to countries that have not received an adequacy decision
• Adequacy Decisions: Where the European Commission or UK authorities have determined that a country provides an adequate level of data protection
• Data Privacy Framework: Where applicable service providers have certified under the EU-U.S. Data Privacy Framework

To obtain a copy of the safeguards we use for international transfers, contact us at privacy@useomni.org.

17. Third-Party Links & Services

The Service may contain links to third-party websites, applications, or services that are not operated or controlled by Omni. This Policy does not apply to those third-party services. We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to review the privacy policies of any third-party services you access.

18. Children's Privacy

The Service is not intended for, directed to, or designed to attract individuals under the age of eighteen (18). We do not knowingly collect, solicit, or maintain personal information from children under 18, or knowingly allow such persons to use the Service.

In compliance with the Children's Online Privacy Protection Act (“COPPA”), if we become aware that we have collected personal information from a child under the age of thirteen (13) without verified parental consent, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@useomni.org.

19. Marketing Communications

With your consent or where permitted by applicable law, we may send you marketing communications about our products, features, and offers. You may opt out of marketing communications at any time by:

• Clicking the “unsubscribe” link in any marketing email
• Updating your notification preferences in your account settings
• Contacting us at privacy@useomni.org

Please note that even if you opt out of marketing communications, we may still send you transactional or service-related communications (e.g., account notifications, billing confirmations, and security alerts).

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will provide notice by: (a) posting the updated Policy on our website with a revised “Last updated” date; and (b) sending an email notification to the address associated with your account at least fifteen (15) days prior to the changes taking effect.

Your continued use of the Service after the effective date of any modifications constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must discontinue use of the Service before the changes take effect.

We encourage you to review this Policy periodically to stay informed about how we protect your information.

21. Contact Information

If you have any questions, concerns, or complaints regarding this Privacy Policy or our data processing practices, please contact us: