Privacy Policy

Effective: May 20, 2026  ·  OMNIS, United States  ·  support@theomnisai.com

OMNIS is an AI platform company based in the United States that provides embeddable chat and voice agent technology for websites. We are committed to being transparent about how we handle your data. If you have any questions about this policy, contact us at support@theomnisai.com.

  1. This Privacy Policy ("Policy") is issued by OMNIS ("Company", "we", "us", "our"), a company registered in the State of Delaware, United States and operating the platform at https://theomnisai.com. This Policy applies to all visitors, registered users, customers, and end-users who interact with any OMNIS-powered product, widget, voice agent, or service (collectively the "Service"). By accessing or using the Service, you acknowledge that you have read, understood, and agree to the collection and use of your information as described in this Policy.
  2. OMNIS operates as both a data controller and a data processor depending on the context. When we collect and use data for our own business purposes (such as managing your account, processing your payment, and communicating with you), we act as a data controller. When we process data on behalf of our customers through the embedded chat and voice widgets deployed on third-party websites, we act as a data processor. This distinction is relevant under the UK General Data Protection Regulation (UK GDPR), the European Union General Data Protection Regulation (EU GDPR Regulation 2016/679), and analogous applicable data protection laws.
  3. We collect information you provide directly when you create an account, including your full legal name, email address, and a password which is stored in irreversibly hashed form using industry-standard cryptographic algorithms. We never store passwords in plain text. If you register or sign in using Google OAuth, we receive your name, email address, and a Google-issued token. We do not receive your Google account password.
  4. We collect billing and payment information when you subscribe to a paid plan. All payment card details are collected and processed exclusively by our third-party payment processor, which is PCI-DSS certified. OMNIS receives only a tokenised reference to your payment method, the last four digits of your card, card brand, expiry date, billing name, and billing country. We never have access to your full card number, CVV, or PIN. Our payment processor's privacy policy governs the handling of your full payment details.
  5. We collect information about how you use the OMNIS platform, including which features you access, configuration settings you apply to your AI agent, knowledge base documents you upload, the number and type of API requests made, credit consumption per session, agent performance metrics, error events, and the timestamps of all significant actions within the dashboard. This usage data is essential for providing the Service and for detecting abuse.
  6. When end-users interact with AI chat agents powered by OMNIS on third-party websites, the content of those conversations — including all messages, questions, responses, and lead capture data — is transmitted to our servers, processed by AI model providers, and stored in our databases. This data may include personal information about those end-users such as their names, email addresses, phone numbers, and any other information they voluntarily disclose during a conversation. Our customers (the website owners) are the data controllers for this end-user data; OMNIS processes it as a data processor acting on their instructions.
  7. When end-users or customers use the real-time voice agent feature, we capture, compress, and transmit audio data over encrypted connections to our text-to-speech and speech-to-text processing pipeline. This audio data is processed in real time to generate a response and is not retained beyond the duration of the interaction unless you have explicitly enabled conversation recording in your account settings. If recording is enabled, audio files are stored encrypted at rest.
  8. If you use the voice cloning feature, you upload audio samples of a human voice to our platform. These samples and the resulting voice model ("voice embedding") constitute biometric information under applicable law in certain jurisdictions, including the Illinois Biometric Information Privacy Act (740 ILCS 14/, "BIPA"), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001, "CUBI"), and the Washington My Health My Data Act. We treat voice data collected for cloning purposes as biometric data globally, regardless of the jurisdiction of the data subject, as a matter of policy. We obtain your express written consent before processing any voice cloning request, maintain a publicly available retention schedule, and will not sell, lease, trade, profit from, or otherwise disseminate biometric data to any third party without your separate written consent, except as required to provide the Service through our authorised sub-processors.
  9. We automatically collect certain technical information whenever you access the Service, including your Internet Protocol (IP) address, the type and version of your browser, your operating system, the device type and screen resolution, referring URLs, pages and features accessed, session duration, time zone, and language preferences. This data is collected through server logs, browser cookies, and similar tracking technologies. We use this data to maintain security, diagnose technical problems, prevent fraud, and understand aggregate usage patterns.
  10. We use a strictly limited set of cookies and browser storage technologies. A refresh token cookie is set upon authentication solely to maintain your logged-in session and to issue new access tokens without requiring you to re-enter your credentials. This cookie is strictly necessary for the operation of the Service and does not require your consent under the EU ePrivacy Directive or UK PECR. We also use the browser localStorage API to store non-sensitive application state such as theme preferences, UI settings, and temporary session data. localStorage data never leaves your device and is not transmitted to any third party. We do not use advertising cookies, tracking cookies, analytics cookies, or any third-party cookies for behavioural profiling or retargeted advertising. We do not display a cookie consent banner because we do not set any non-essential cookies. If third-party services we integrate (such as Google OAuth) set their own cookies as part of their authentication flow, those are governed by the respective third party's own privacy policy and are outside our direct control. You can clear all cookies and localStorage data at any time through your browser settings, though doing so will log you out of the Service.
  11. We collect information when you contact us through the contact form, by email, or through any support channel. This includes your name, email address, the content of your message, any attachments you send, and metadata such as the date and time of contact. We retain this correspondence to respond to your enquiry and to maintain a record of our support history with you.
  12. We do not intentionally collect or process special categories of personal data as defined under GDPR Article 9, which include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person (except as described in the voice cloning section above where consent is obtained), health data, or data concerning a person's sex life or sexual orientation. You should not submit special category data through the platform unless it is strictly necessary and you have obtained appropriate consent from the relevant individuals.
  13. The legal bases on which we rely to process personal data under UK GDPR and EU GDPR are as follows: (a) Contract — processing necessary to perform our contract with you, including operating your account, processing payments, and delivering the Service; (b) Legitimate Interests — processing necessary for our legitimate business interests such as fraud prevention, security monitoring, platform improvement, and direct marketing to existing customers, where those interests are not overridden by your rights; (c) Consent — processing based on your freely given, specific, informed, and unambiguous consent, including non-essential cookies, voice cloning, and where otherwise required; (d) Legal Obligation — processing necessary to comply with applicable law, including financial record-keeping, responding to lawful government requests, and complying with court orders.
  14. We use the data we collect to provide, operate, maintain, and improve the OMNIS platform; to create and manage your account; to process transactions and send related information; to send transactional communications including email confirmation, password reset, billing alerts, and service notifications; to respond to your comments and questions and provide customer support; to send marketing communications where you have consented or where we have a legitimate interest in doing so under applicable law; to monitor and analyse usage and trends to improve the platform; to detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activities; to comply with legal obligations; and to enforce our Terms of Service.
  15. We transmit chat message content, knowledge base documents, and conversation context to third-party artificial intelligence API providers in order to generate AI responses. The specific providers we use are not disclosed as this constitutes confidential commercial information, but all such providers are contractually bound by data processing agreements. We contractually require that AI providers do not use customer data to train their models unless separately agreed in writing. Data transmitted to AI providers is also subject to those providers' own privacy policies.
  16. We transmit text to third-party text-to-speech (TTS) providers to synthesise voice responses for the voice agent feature. The specific TTS providers we use are not disclosed as this constitutes confidential commercial information. Text sent to TTS providers is used solely to generate audio for the immediate request and is not retained beyond the synthesis operation by the TTS provider except as stated in their data processing agreements with us. We enter into data processing agreements with all TTS providers we use.
  17. We transmit audio data to third-party speech-to-text (STT) providers to convert spoken user input into text for processing by the AI agent. The specific STT providers we use are not disclosed as this constitutes confidential commercial information. STT providers process this audio in real time and do not retain it beyond the duration of the transcription operation except as specified in their data processing agreements with us.
  18. Our platform is hosted on third-party cloud infrastructure services. The specific providers we use are not disclosed as this constitutes confidential commercial information. All customer data is stored on servers within data centres that meet recognised industry security standards. We maintain data processing agreements with all infrastructure providers.
  19. We use a third-party payment processor to handle all billing transactions. Payment card data is collected and stored directly by our payment processor and is never transmitted to or stored by OMNIS in full. We use third-party transactional email services to deliver account-related communications. We may use third-party error monitoring and application performance tools to detect and diagnose technical issues; such tools may collect anonymised diagnostic data. The specific names of these providers are not disclosed as this constitutes confidential commercial information. A list of sub-processor categories is available upon written request to support@theomnisai.com.
  20. We do not sell, rent, trade, or lease your personal information to any third party for commercial purposes. We do not share your personal data with advertisers. We do not use your data for behavioural advertising or retargeted advertising purposes. We may share aggregated, anonymised, or de-identified data that cannot reasonably be used to identify you with third parties for industry research, analytics, or marketing purposes.
  21. We may disclose your personal data to third parties in the following limited circumstances: (a) with your express consent; (b) to our sub-processors acting on our instructions as described in this Policy; (c) when required by applicable law, court order, subpoena, or governmental authority with proper jurisdiction; (d) to enforce our Terms of Service or protect the rights, property, or safety of OMNIS, our customers, or the public; (e) in connection with a merger, acquisition, reorganisation, sale of assets, or bankruptcy, in which case the acquiring entity will be required to honour the commitments made in this Policy.
  22. We transfer personal data from the United Kingdom and the European Economic Area to third countries (primarily the United States) where our sub-processors are located. Such transfers are made subject to appropriate safeguards as required by UK GDPR Chapter V and EU GDPR Chapter V, including: (a) Standard Contractual Clauses (SCCs) as adopted by the European Commission in Decision 2021/914 of 4 June 2021, together with any applicable UK addendum; (b) UK International Data Transfer Agreements (IDTAs) as approved by the UK Information Commissioner; (c) adequacy decisions by the European Commission or UK Secretary of State where applicable. Copies of the transfer safeguards applicable to specific transfers are available upon written request.
  23. We retain personal data for no longer than is necessary for the purposes for which it was collected, subject to legal retention obligations. Account data is retained for the duration of your account and for 90 days following account deletion, after which it is permanently erased. AI conversation histories are retained for the duration of your active subscription and for 30 days thereafter; you may delete individual conversations at any time from the dashboard. Voice models created through voice cloning are retained until you delete them or close your account, and in any event for no more than 3 years from the date of creation. Biometric data is destroyed within 90 days of account termination or within 3 years of collection, whichever occurs first, in compliance with applicable biometric privacy laws. Billing and transaction records are retained for 7 years to comply with financial and tax regulations. Server access logs are retained for 90 days. Support correspondence is retained for 3 years from the date of the last communication. Anonymised and aggregated data that cannot identify any individual may be retained indefinitely.
  24. Under UK GDPR and EU GDPR, if you are located in the United Kingdom or European Economic Area, you have the following rights in relation to your personal data: the right to be informed about how we collect and use your data; the right of access to obtain a copy of your personal data and supplementary information; the right to rectification of inaccurate or incomplete data; the right to erasure ("right to be forgotten") to request deletion of your data where there is no compelling reason for its continued processing; the right to restrict processing in certain circumstances; the right to data portability to receive your data in a structured, commonly used, machine-readable format; the right to object to processing based on legitimate interests or for direct marketing purposes; rights in relation to automated decision-making and profiling under Article 22 GDPR. To exercise any of these rights, contact us at support@theomnisai.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.
  25. Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have the right to know what personal information we collect, the purposes for which it is used, and the categories of third parties with whom it is shared; the right to access specific pieces of personal information we have collected; the right to delete personal information we have collected, subject to certain exceptions; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (we do not sell or share personal information as defined under CCPA); the right to limit the use and disclosure of sensitive personal information; and the right to non-discrimination for exercising any of the above rights. California residents may submit requests by emailing support@theomnisai.com with the subject "CCPA Request". We will respond within 45 days.
  26. We honour the Global Privacy Control (GPC) browser signal as a valid opt-out of the sale and sharing of personal information as required under the California Privacy Rights Act (CPRA) and applicable California regulations. Although we do not sell or share personal information as those terms are defined under CPRA, if your browser transmits a GPC signal when you visit our website, we will treat it as an opt-out request and process it accordingly. No further action is required on your part beyond enabling GPC in your browser or browser extension.
  27. Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Montana (MPDPA), Iowa (ICDPA), Indiana (ICDPA), Tennessee (TIPA), Oregon (OCPA), Delaware (DPDPA), and other US states that have enacted comprehensive privacy legislation have rights broadly similar to those described above, including the right to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale of personal data, and profiling in furtherance of significant decisions. We honour these rights for residents of all applicable states. To submit a request, email support@theomnisai.com with "State Privacy Request" in the subject line along with your state of residence.
  28. Illinois residents have specific rights under the Biometric Information Privacy Act (BIPA, 740 ILCS 14/). Before collecting biometric identifiers or biometric information from Illinois residents, we: (a) inform you in writing that biometric data is being collected and the specific purpose and length of term for which it is being collected, stored, and used; (b) obtain a written release from you; (c) make this written policy publicly available. We will not sell, lease, trade, or otherwise profit from biometric data of Illinois residents. We will not disclose or disseminate biometric data to anyone other than authorised sub-processors unless (i) you consent, (ii) disclosure is required by state or federal law or municipal ordinance, or (iii) disclosure is required pursuant to a valid warrant or subpoena. Biometric data of Illinois residents is destroyed within 3 years of collection or within 90 days of the termination of your relationship with us, whichever occurs first.
  29. We do not knowingly collect personal data from children under the age of 13 in the United States (pursuant to the Children's Online Privacy Protection Act, COPPA) or under the age of 16 in the European Economic Area or United Kingdom (pursuant to GDPR Article 8 and national implementing legislation). The Service is not directed at children and we do not knowingly permit children to register accounts. Our customers are prohibited from deploying OMNIS-powered agents on websites directed primarily at children without implementing appropriate parental consent mechanisms and without notifying us. If you believe a child has provided personal data to us, please contact us immediately at support@theomnisai.com and we will delete that data as soon as practicable.
  30. We implement technical and organisational security measures designed to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include encryption of data in transit using TLS 1.2 or higher; encryption of sensitive data at rest using AES-256 or equivalent; access controls and role-based permissions limiting employee access to personal data on a need-to-know basis; multi-factor authentication for administrative systems; regular security assessments and penetration testing; logging and monitoring of access to personal data; vendor security assessments before onboarding sub-processors; and incident response procedures. However, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee the absolute security of your data and cannot accept liability for unauthorised access beyond what is required by applicable law.
  31. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority (in the UK, the Information Commissioner's Office; in the EU, the lead supervisory authority under GDPR Article 56) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 UK GDPR / GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay under Article 34 UK GDPR / GDPR. We maintain a data breach register in accordance with our accountability obligations.
  32. We may use automated processing and profiling to: (a) detect and prevent fraudulent activity; (b) calculate credit consumption and trigger automated account notifications when balances are low; (c) generate AI-powered session summaries from conversation transcripts. We do not make automated decisions that produce legal or similarly significant effects about individuals without human review, except where such decisions are necessary for the performance of a contract with you, authorised by applicable law, or made with your explicit consent. You have the right to request human review of any automated decision that significantly affects you.
  33. Our marketing website may contain links to third-party websites, services, and resources that are not owned or controlled by OMNIS. This Policy applies only to data processed by OMNIS. We are not responsible for the privacy practices of third-party sites. We encourage you to review the privacy policies of any third-party sites you visit. The inclusion of a link does not imply our endorsement of that site.
  34. The OMNIS platform is operated by a company registered in the State of Delaware, United States. Our primary supervisory authority for GDPR purposes is the Information Commissioner's Office (ICO) for UK residents, or your local EU Data Protection Authority. If you are located in an EU member state, your local Data Protection Authority (DPA) also has jurisdiction. You have the right to lodge a complaint with any competent supervisory authority if you believe we have processed your data unlawfully. We would, however, appreciate the opportunity to address your concerns before you approach a regulator — please contact us first at support@theomnisai.com.
  35. OMNIS has assessed its data processing activities and has determined that it is not currently required to appoint a Data Protection Officer (DPO) under Article 37 of UK GDPR or EU GDPR, as our core activities do not consist of large-scale systematic monitoring of individuals or large-scale processing of special category data. We keep this determination under review and will appoint a DPO if and when our processing activities require it. In the meantime, all data protection enquiries should be directed to support@theomnisai.com.
  36. We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will provide at least 14 days' prior notice by sending an email to the address associated with your account and by posting a prominent notice on the platform. The date of the most recent update is shown at the top of this Policy. Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the changes. If you do not agree to a material change, you must stop using the Service and may request deletion of your data.
  37. This Policy is governed by and construed in accordance with the laws of the State of Delaware, United States, without prejudice to any mandatory privacy rights you have under the law of the jurisdiction in which you reside. Nothing in this Policy is intended to limit any rights you have under applicable mandatory law including EU GDPR, UK GDPR, CCPA/CPRA, BIPA, or other applicable data protection legislation.
  38. For all privacy-related enquiries, data subject access requests, complaints, or requests to exercise any of your rights under this Policy, please contact our privacy team at: support@theomnisai.com. Address: OMNIS, United States. We aim to acknowledge all requests within 5 business days and to provide a substantive response within 30 days. For complex or high-volume requests, we may extend this period by a further 60 days with notice to you, as permitted by applicable law.