Privacy Policy

Unless we state otherwise for a specific feature or integration, Omen is the controller of the personal data described in this Privacy Policy.

Service name: Omen
Legal entity: [Placeholder: add legal entity name]
Mailing address: [Placeholder: add registered mailing address]
Privacy contact: [Placeholder: add privacy contact name or team]
Email: [email protected]

If you have questions about this Privacy Policy or want to exercise privacy rights, contact us at [email protected].

Depending on how you use Omen, we may collect the following categories of personal data:

• Account and authentication data, including email address, encrypted authentication credentials, auth provider details, and session or security data managed through Supabase.
• Onboarding and profile data, including first name, last name, company, position, and organization membership details.
• Organization and invite data, including organization name, membership role, invite tokens, invite email restrictions when used, invite creator, acceptance timestamps, and related administrative records.
• Linked Instagram account data, including usernames, profile images, profile metadata, and identifiers needed to associate accounts with an organization.
• Public social-media content and metadata that you ask Omen to analyze, including captions, comments, engagement metrics, media URLs, locations, hashtags, tagged users, co-authors, public profile fields, and similar Instagram post or account data.
• AI processing data, including prompts, generated descriptions, generated insights, semantic embeddings, and related model inputs or outputs derived from content processed through Omen.
• Support and communications data, including messages you send to us by email or through product support channels.
• Usage and technical data, including page visits, feature interactions, request metadata, approximate device and browser information, and service logs used for security, debugging, and performance analysis.

We use personal data only where we have an applicable legal basis. The legal basis depends on the context in which the data is processed.

• To provide the service, create accounts, authenticate users, manage organizations, honor invite flows, and operate connected product features. Legal basis: contract performance or steps taken at your request before entering a contract.
• To ingest, organize, and analyze linked Instagram account data and public content that you instruct us to process. Legal basis: contract performance and our legitimate interests in operating the service.
• To generate AI-powered descriptions, insights, trend summaries, predictions, and embeddings. Legal basis: contract performance and our legitimate interests in delivering requested product functionality.
• To secure accounts, prevent abuse, investigate incidents, enforce our Terms, and maintain system integrity. Legal basis: legitimate interests and, where applicable, compliance with legal obligations.
• To understand product usage, improve performance, debug issues, and plan roadmap decisions. Legal basis: legitimate interests.
• To respond to support requests, service notices, and legal or compliance inquiries. Legal basis: legitimate interests, contract performance, or legal obligation, depending on the request.
• To comply with applicable laws, lawful requests, court orders, tax or accounting requirements, and similar obligations. Legal basis: legal obligation.

We do not sell personal data. We do not use the data described here for unrelated advertising profiles or cross-site behavioral advertising.

• Directly from you when you sign up, complete onboarding, create organizations, or contact us.
• From authentication providers when you use supported sign-in methods such as Google OAuth.
• From Instagram profile and post data that you connect, request us to analyze, or instruct us to sync.
• From third-party service providers that support product infrastructure, analytics, scraping, model inference, embeddings, storage, and security.
• Automatically from your browser or device when you use the website or app.

We share personal data only as needed to operate Omen, comply with law, or protect the service.

• Supabase for authentication, database storage, and account administration.
• Vercel and Vercel Analytics for hosting, application delivery, and aggregate product analytics.
• Bright Data when you trigger supported social-media scraping or sync workflows.
• Google Gemini, OpenRouter, and Voyage AI for AI inference, generated outputs, and embedding-related processing where those features are enabled.
• Professional advisers, law enforcement, regulators, or counterparties when disclosure is reasonably necessary to comply with law, enforce our rights, or protect users and the service.
• A buyer, investor, or successor entity in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality and transition protections.

If a listed provider is not active in a given production environment, we will not intentionally send that environment's user data to that provider.

Some of our service providers process or store data outside the country where you are located, including outside the European Economic Area. When that happens, we rely on appropriate transfer mechanisms where required by applicable law, such as adequacy decisions, contractual safeguards, or comparable lawful transfer tools.

By using Omen, you understand that your data may be transferred to and processed in countries whose data protection laws may differ from those in your jurisdiction.

We retain personal data only for as long as reasonably necessary for the purposes described above.

• Account, organization, and profile records are generally retained while your account or organization is active and for a limited period afterward for security, dispute handling, backup integrity, and legal compliance.
• Invite records, administrative logs, and support records may be retained after completion or expiration to document account history, access changes, and abuse prevention.
• Synced Instagram data, generated insights, generated descriptions, and embeddings are typically retained until you delete the associated account or organization, request deletion where applicable, or we no longer need the data for product operation, legal compliance, or security.
• Technical logs and analytics data are generally retained for shorter operational periods unless they are needed for incident investigation, fraud prevention, or legal obligations.

We may delete, aggregate, or anonymize data when retention is no longer required. Account and organization deletion tools in the product may not immediately remove every backup or log copy, but we aim to complete deletion workflows within a reasonable operational period.

Depending on where you live, you may have rights to request access to your personal data, correction of inaccurate data, deletion, data portability, restriction of processing, objection to certain processing, and withdrawal of consent where processing depends on consent.

To exercise a request, email [email protected]. We may need to verify your identity before completing a request. If we cannot fulfill a request in full, we will explain the reason unless the law does not allow us to do so.

If you are in the EEA, UK, or another jurisdiction with data protection complaint rights, you may also complain to the supervisory authority in your usual place of residence, workplace, or the place of the alleged infringement.

Omen uses authentication and session technologies necessary to keep you signed in, secure your account, and operate the application. These may include cookies or comparable browser storage managed directly by our authentication stack.

We also use Vercel Analytics to understand aggregate usage of the site and product. Vercel describes its Web Analytics product as privacy-focused and cookie-free by default, but we still treat analytics-related event data as part of our transparency obligations and disclose that analytics processing here.

If URLs, query parameters, or page paths could contain sensitive values in future product changes, we may further limit or redact analytics event data before transmission.

Omen is not directed to children under 13, and you may not use the service if you are under 13. If local law requires a higher minimum age for data processing or online consent, that higher age applies.

If you believe a child has provided personal data to us in violation of this policy, contact [email protected].

We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, or alteration. No system is perfectly secure, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your login credentials and for notifying us if you believe your account has been compromised.

We may update this Privacy Policy from time to time to reflect product changes, legal developments, or operational requirements. If we make a material change, we will update the date above and may provide additional notice through the product or by email where appropriate.

Questions about this Privacy Policy can be sent to [email protected].