Privacy Policy — OmniGate

Legal

Effective: 1 April 2026 Version: 1.0 Regulation: GDPR · UK GDPR

Plain-English Summary: We collect only what we need to run OmniGate. We don't sell your data. You can request access, deletion, or a copy at any time. We're bound by GDPR and UK GDPR. Read on for the full details.

Contents

Who We Are
What Data We Collect
How We Use Your Data
Legal Basis for Processing
Data Retention
Third-Party Integrations & Processors
International Data Transfers
Cookies & Tracking
Your Rights
Children's Privacy
Security
Changes to This Policy
Contact & Complaints

1. Who We Are

OmniGate operates the autonomous AI integration platform available at omnigate.io and related subdomains. For the purposes of the GDPR and UK GDPR, OmniGate is the data controller of the personal data described in this policy.

Contact: omnigate@polsia.app

2. What Data We Collect

2.1 Account & Contact Data

Name, email address, and company name (provided at sign-up).
Billing information processed by our payment processor (we do not store full card details).
Communications you send us (email, support requests).

2.2 Usage & Technical Data

IP address, browser type, and operating system (from server logs).
Pages visited, features used, and session duration.
API call metadata (timestamps, endpoints, response codes — not payload content unless explicitly logged by you).
Error reports and diagnostic information.

2.3 Agent & Integration Configuration Data

API endpoints, schema mappings, and transformation rules you configure.
Agent activity logs generated within the platform.
Integration credentials (API keys, OAuth tokens) — stored encrypted at rest.

2.4 Customer Data (Processed on Your Behalf)

Where your agents process data from your integrated systems, that data is Customer Data under our Terms of Service. We process it only to deliver the Service and do not access it except for troubleshooting at your request or as required by law. A Data Processing Agreement (DPA) governs such processing — contact us to obtain one.

2.5 Data We Do Not Collect

We do not collect sensitive personal data (health, biometric, racial or ethnic origin, political opinions, etc.) unless you explicitly configure agents to process it, in which case a DPA is required.
We do not purchase or import third-party marketing databases.

3. How We Use Your Data

Purpose	Data Used	Legal Basis
Providing and operating the Service	Account, usage, configuration	Contract performance
Billing and payment processing	Account, billing	Contract performance
Customer support	Account, communications	Contract performance / Legitimate interest
Security monitoring & fraud prevention	Technical, usage	Legitimate interest
Product improvement & analytics	Anonymised usage data	Legitimate interest
Legal compliance	As required	Legal obligation
Marketing communications (opt-in only)	Email, name	Consent
AI model improvement (aggregate, de-identified only)	Anonymised interaction patterns	Legitimate interest

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

4. Legal Basis for Processing

Under GDPR Article 6, we process personal data on the following bases:

Contract (Art. 6(1)(b)): Processing necessary to provide the Service you subscribed to.
Legitimate Interest (Art. 6(1)(f)): Security monitoring, product analytics, fraud prevention, and direct marketing to existing customers where they would reasonably expect it.
Legal Obligation (Art. 6(1)(c)): Compliance with tax, financial, and other regulatory requirements.
Consent (Art. 6(1)(a)): Marketing emails and non-essential cookies. You may withdraw consent at any time.

5. Data Retention

Data Type	Retention Period	Reason
Account & contact data	Duration of account + 30 days	Service delivery; post-termination export window
Billing records	7 years from transaction	Legal / tax obligation
Agent activity logs	90 days (configurable per plan)	Debugging, audit, compliance
Integration credentials	Deleted on revocation or account termination	Security
Customer Data (processed by agents)	As specified in DPA; default 30 days post-termination	Customer retention policy
Server access logs	30 days	Security monitoring
Marketing opt-in records	Until consent withdrawn + 1 year	Evidence of consent
Support communications	3 years	Reference for future support

After the relevant retention period, data is permanently deleted or anonymised such that it can no longer be linked to an individual.

6. Third-Party Integrations & Processors

We use carefully selected sub-processors to operate the Service. All sub-processors are bound by data processing agreements and subject to GDPR-equivalent protections:

Sub-processor	Purpose	Location
Render	Cloud infrastructure & hosting	USA (SCCs applied)
Neon (PostgreSQL)	Database hosting	USA (SCCs applied)
Anthropic	AI model inference	USA (SCCs applied)
Stripe	Payment processing	USA/EU (SCCs applied)
Postmark / SendGrid	Transactional email	USA (SCCs applied)
Cloudflare	CDN, DDoS protection	Global (EU region available)

We do not permit sub-processors to use your data for their own purposes beyond providing the contracted service. Our full list of sub-processors is available on request.

7. International Data Transfers

Some of our sub-processors operate outside the European Economic Area (EEA) or UK. Where personal data is transferred to countries not recognised as providing an adequate level of protection, we rely on:

EU Standard Contractual Clauses (SCCs) — Commission Decision (EU) 2021/914.
UK International Data Transfer Agreements (IDTAs) for transfers from the UK.
Binding Corporate Rules where applicable.

You may request a copy of the applicable transfer mechanism by contacting us at omnigate@polsia.app.

8. Cookies & Tracking

8.1 Cookies We Use

Cookie Name	Type	Purpose	Duration
Session token	Strictly necessary	Keeps you logged in	Session
_og_visitor	Analytics (first-party)	Anonymous visitor ID for usage analytics	1 year
_og_prefs	Functional	Remembers your dashboard preferences	1 year
_stripe_*	Payment (third-party)	Fraud prevention by Stripe	Session / 1 year

8.2 Managing Cookies

Strictly necessary cookies cannot be disabled without breaking the Service. For analytics and functional cookies, you may opt out via your browser settings or our cookie preference centre. Most browsers allow you to block or delete cookies — consult your browser documentation for instructions.

8.3 No Third-Party Ad Tracking

We do not use advertising networks, retargeting pixels, or third-party tracking tools that track your behaviour across other websites.

9. Your Rights

Under GDPR and UK GDPR, you have the following rights regarding your personal data. We will respond to all valid requests within 30 days (extendable to 90 days for complex requests, with notice).

Right of Access

Obtain a copy of the personal data we hold about you.

Right to Rectification

Correct inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data where we have no legal basis to retain it.

Right to Restriction

Ask us to restrict processing while a dispute is resolved.

Right to Portability

Receive your data in a structured, machine-readable format (JSON or CSV).

Right to Object

Object to processing based on legitimate interest or direct marketing.

Automated Decision Rights

Request human review of any purely automated decisions that significantly affect you.

Withdraw Consent

Withdraw consent at any time without affecting prior lawful processing.

To exercise any of these rights, email omnigate@polsia.app with the subject line "Data Subject Request". We will verify your identity before processing the request. Requests are free of charge unless manifestly unfounded or excessive.

10. Children's Privacy

The Service is directed at businesses and professionals aged 18 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us at omnigate@polsia.app and we will delete it promptly.

11. Security

We implement technical and organisational measures appropriate to the risk, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Integration credentials stored with envelope encryption; plaintext never written to disk.
Role-based access controls; principle of least privilege for internal systems.
Regular dependency audits and vulnerability scanning.
Incident response procedures aligned with GDPR Article 33 notification timelines (72 hours).

No system is perfectly secure. In the event of a personal data breach that poses risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and update the "Effective" date above. Continued use of the Service after notification constitutes acceptance of the updated policy. For significant changes (e.g., new processing purposes), we will obtain fresh consent where required.

13. Contact & Complaints

For privacy-related queries or to exercise your rights:

OmniGate Privacy Team
Email: omnigate@polsia.app
Subject: "Privacy Request — [Your Name]"

If you are not satisfied with our response, you have the right to lodge a complaint with:

UK: Information Commissioner's Office (ICO) — ico.org.uk
EU: Your local data protection authority — edpb.europa.eu