Privacy Policy

Last updated: 1 May 2026

1. Who we are

OmyaAI (“we”, “our”, “us”) is an ISO 27001 compliance SaaS platform operated by OmyaAI Ltd, registered in England and Wales. Our registered address and data controller contact is: privacy@omyaai.com.

2. What data we collect

We collect the following categories of personal data:

  • Account data: Email address, display name, authentication provider (Google or email/password via Firebase Authentication).
  • Subscription data: Stripe customer ID, plan, subscription status, billing period. We do not store card details — Stripe handles payment information directly.
  • Usage data: AI tool usage counts, conversation history, readiness check responses, and audit room data you create (risks, evidence, actions).
  • Technical data: IP address, browser type, pages visited, timestamps (collected via standard server logs and Firebase Analytics).

3. How we use your data

  • To provide and improve the OmyaAI service
  • To process payments and manage subscriptions via Stripe
  • To enforce plan limits and rate limits
  • To send transactional emails (account confirmation, password reset) via SendGrid
  • To comply with legal obligations

4. Legal basis (GDPR)

Our processing is based on: (a) performance of contract — to provide the service you signed up for; (b) legitimate interests — to improve the platform and prevent fraud; (c) legal obligation — where required by applicable law.

5. Third-party processors

Processor | Purpose | Location
Google Firebase | Authentication, analytics | EU/US
Google Cloud Platform | Hosting, database, file storage | EU (europe-west2)
Stripe | Payment processing | US/EU
SendGrid (Twilio) | Transactional email | US
Anthropic | AI model inference | US

6. Data retention

We retain your data for as long as your account is active. If you delete your account, we will permanently delete your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g. Stripe invoice records for 7 years).

7. Your rights

Under GDPR, you have the right to access your data, correct inaccurate data, erase your data, restrict processing, request data portability, and object to processing. To exercise these rights, email privacy@omyaai.com.

8. Cookies

We use strictly necessary cookies for authentication and session management, and optional analytics cookies via Firebase Analytics. You can opt out of analytics cookies in your browser settings.

9. International transfers

Some of our processors (Stripe, Anthropic, SendGrid) are based in the United States. Transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Contact

For privacy enquiries, contact our Data Protection Officer at privacy@omyaai.com.