Privacy Policy

1. Scope and definitions

This Policy applies to personal information processed by OmniLink when you visit our websites under omnilink-agents.com and related domains, sign in to the OmniLink Dashboard, generate or use Omni Keys, install the OmniLink Python library or VS Code extension, run the local runtime, call the OmniLink REST API, build or operate agents through OmniSim, or otherwise interact with the Services.

It does not apply to information collected by third-party AI providers under their own terms, to information processed locally by the OmniLink runtime on your own hardware and never transmitted to us, or to the practices of websites, devices, or applications that we do not operate.

Key terms used in this Policy

Customer: The individual, company, or other organization that has signed up for a workspace, agreed to our Terms of Service, and pays for or accesses the Services.
User: Any natural person who accesses the Services on behalf of a Customer, including the account owner, invited teammates, and end users of agents built on top of OmniLink.
Customer Content: The inputs, prompts, system instructions, memory entries, knowledge files, tool definitions, and configuration that a Customer or its Users submit to the Services, together with the outputs that AI models or tools generate in response.
Personal information: Information that identifies, relates to, describes, or could reasonably be linked with an identifiable individual or household. Equivalent to “personal data” under the GDPR and UK GDPR.
Processing: Any operation performed on personal information, including collection, recording, storage, retrieval, use, disclosure, transmission, restriction, erasure, or destruction.
Third-party AI provider: A foundation model or inference provider that we integrate with so that you can route reasoning through their models. At the time of writing this includes Anthropic, OpenAI, Google, and xAI.

2. Information we collect

We collect information in three ways: information you give us directly, information we collect automatically when you use the Services, and information we receive from third parties.

2.1 Information you provide directly

Account information. When you create an account we collect your name, email address, password credentials (stored only as a salted hash), profile picture if you choose to upload one, organization name, and timezone.
Billing information. When you upgrade or purchase credits, our payment processor (Stripe) collects your payment method, billing address, and tax identification number. OmniLink itself never sees full card numbers or bank details — we only receive a token, the last four digits, card brand, country, and the result of each charge.
Workspace configuration. The names, system prompts, tool definitions, routing rules, integration scopes, memory entries, knowledge files, and agent profiles you save to your workspace.
Customer Content. The prompts, conversations, files, voice clips, robot telemetry, and tool inputs you submit through the Services, along with the outputs returned by AI models and tools.
Support communications. Messages you send to our support team, feedback you submit through the dashboard, survey responses, and recordings of meetings you explicitly agree to record.
Marketing and event information. Information you provide if you subscribe to our newsletter, register for a webinar, attend an event, or apply for an open role.

2.2 Information collected automatically

Usage and telemetry. The endpoints you call, request and response sizes, timestamps, status codes, error codes, model selection, token counts, credit consumption, latencies, and the version of the SDK or library you use.
Device and environment data. IP address, browser type and version, operating system, screen size, language preferences, time zone, device identifiers, and crash diagnostics for the desktop or VS Code extension.
Log data. Server logs that record the time, origin, route, headers (minus secrets), and outcome of each API request, with secrets such as Omni Keys redacted before logs are written.
Cookies and similar technologies. See Section 12 for details on cookies, local storage, and session tokens.

2.3 Information from third parties

Identity providers. If you sign in with a third-party identity provider, we receive the email address and unique identifier associated with that account, and any profile information you authorize the provider to share.
Payment processors. Confirmation of payment, fraud signals, chargeback notifications, and subscription status from Stripe.
Customer administrators. If you are invited to a workspace, the account owner or workspace administrator may provide your email address and role.
Publicly available sources. We may receive information from publicly available sources, such as your company website or professional networks, when we are evaluating account integrity or sales prospects.

2.4 Sensitive information

We do not ask for sensitive personal information (such as government identifiers, financial account numbers, precise location, biometric data, or information about health, race, religion, sexual orientation, or political views) and we ask that you do not submit it through the Services. If you choose to put sensitive information into a prompt, memory entry, or knowledge file, you do so under your own responsibility and must have a lawful basis for that processing.

3. How we use information

We use information to operate, secure, and improve the Services. We do not use Customer Content to train our own foundation models, and we do not sell personal information.

3.1 Service delivery

Create and maintain your account, authenticate you, and establish secure sessions.
Route prompts through the third-party AI provider you select, execute tool calls, and return outputs to you.
Synchronize agent profiles, memory, and knowledge across the Dashboard and the local runtime.
Process payments, invoice you, calculate credit usage, and issue refunds or credits where applicable.
Provide customer support, respond to requests, and notify you about changes to your account or the Services.

3.2 Reliability, abuse prevention, and safety

Detect and investigate abuse, fraud, account takeover, scraping, denial-of-service activity, and other violations of our Acceptable Use Policy.
Enforce rate limits, monitor system health, diagnose outages, and protect the security of the Services and other users.
Apply automated and, where appropriate, human review to a small sample of requests that trip safety filters, to verify that the Services are not being used for prohibited purposes. Reviewers see only the minimum information necessary and are subject to confidentiality obligations.

3.3 Product improvement and analytics

Measure aggregate usage of features, tools, and integrations to decide what to build, deprecate, or harden.
Improve the reliability and quality of our prompt orchestration, retrieval, and routing logic.
Generate de-identified or aggregated statistics that cannot reasonably be linked back to you or your workspace.

3.4 Communications

Send service messages such as confirmations, security alerts, billing notices, and policy updates. These cannot be opted out of while your account is active.
Send product news, launch announcements, or educational content if you have opted in. You can unsubscribe at any time from the link in those emails or from your Dashboard.

3.5 Legal and compliance

Comply with our legal obligations, respond to lawful requests from government authorities, and enforce our contracts and policies.
Establish, exercise, or defend legal claims, and protect the rights, property, or safety of OmniLink, our users, or others.

4. Legal bases for processing (EEA, UK, Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR and equivalent laws:

Performance of a contract to deliver the Services to you, set up your account, and process the requests you submit through the Services.
Legitimate interests in operating, securing, and improving the Services, preventing abuse, ensuring the integrity of our platform, and growing our business. Where we rely on legitimate interests, we balance our interests against your rights and freedoms.
Compliance with legal obligations when we are required to retain records for tax, accounting, or anti-fraud purposes, or to respond to lawful government requests.
Consent for optional activities such as marketing emails, certain cookies, and processing of information you choose to share beyond what is necessary to deliver the Services. You can withdraw consent at any time without affecting the lawfulness of prior processing.

You can ask us which legal basis we rely on for a specific processing activity by writing to privacy@omnilinktechnology.com.

5. How we share information

We share information only in the ways described below. We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising.

5.1 Within your workspace

Customer administrators can see usage details, billing information, and audit logs for their workspace. Teammates with appropriate roles can see the configuration of agents and the activity of other users they collaborate with.

5.2 With service providers and subprocessors

We share information with vendors who help us operate the Services under written contracts that require them to protect your information and use it only for the purposes we authorize. See Section 6 for the current list.

5.3 With third-party AI providers you select

When you choose an AI engine for an agent, the prompts, system instructions, conversation history, tool outputs, and other inputs needed to run the model are transmitted to that provider over an authenticated, encrypted channel. The provider processes the request under their own terms and privacy commitments, which we have separately reviewed.

5.4 With business partners on your request

If you connect an external system (for example, a smart-home hub, a robotics controller, or a workflow tool), we will send the data necessary to fulfil that integration to the partner you have authorized. Tokens and credentials are stored encrypted at rest and used only to perform the actions you configure.

5.5 In corporate transactions

If OmniLink is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred to the relevant parties under appropriate confidentiality protections. We will give you advance notice and an opportunity to make choices about your information where required by law.

5.6 For legal and safety reasons

We may disclose information when we have a good-faith belief that it is necessary to comply with applicable law, lawful requests from public authorities, court orders, or subpoenas; to enforce our Terms of Service or Acceptable Use Policy; to protect the rights, property, or safety of OmniLink, our users, or the public; or to investigate fraud and security incidents. Where allowed, we will challenge overbroad government requests and notify affected users.

6. Service providers and subprocessors

We engage the following categories of subprocessors. A current list of named subprocessors is available on request to privacy@omnilinktechnology.com and we maintain a subprocessor change notification list that you can subscribe to.

Category	Example providers	Purpose
Cloud infrastructure	Google Cloud Run	Hosting of the OmniLink API and static frontend with managed autoscaling and DDoS protection.
Database, auth, and storage	Supabase (on AWS)	Managed PostgreSQL, authentication, row-level security, file storage, and vector embeddings.
Third-party AI providers	Anthropic, OpenAI, Google, xAI	Inference for the AI engine you select for a given agent.
Payments and billing	Stripe	Payment processing, subscription management, tax calculation, and fraud detection.
Email and notifications	Transactional email providers	Account verification, security alerts, billing receipts, and optional product updates.
Analytics and error tracking	Privacy-respecting analytics and crash reporters	Aggregate usage statistics, performance metrics, and error diagnostics.
Customer support tooling	Help-desk and ticketing tools	Handling support requests and tracking issue resolution.

All subprocessors are subject to written data-protection agreements that limit their use of personal information to the services they provide to us, require them to apply appropriate security measures, and obligate them to assist with subject requests where required by law.

7. AI inputs, outputs, and model training

Because OmniLink is an AI-agent platform, this section explains how prompts and responses are handled in more detail.

7.1 What gets sent to third-party AI providers

When you submit a prompt through the Services, we forward the minimum information required to run the request to the third-party AI provider you have chosen. This typically includes the system prompt, the user message, any tool definitions, relevant memory or knowledge passages, and prior conversation turns. We do not send your Omni Key, billing details, or unrelated workspace data to the model provider.

7.2 Training on Customer Content

We do not train OmniLink-owned foundation models, and we contractually opt out of training by third-party AI providers on Customer Content where the provider offers that option for API customers. Where a provider’s default API terms already exclude training on customer inputs and outputs, we rely on that default. We will update this Policy if any of our AI provider arrangements change.

7.3 Abuse and safety review

A limited subset of requests may be analyzed automatically for policy and safety violations. In rare cases, our trust and safety team or a third-party provider’s trust and safety team may perform human review of flagged content. Such review is governed by strict access controls, audit logging, and confidentiality obligations.

7.4 Outputs and accuracy

AI outputs are generated probabilistically and may be inaccurate, incomplete, or otherwise unsuitable for your use case. You are responsible for evaluating the accuracy and suitability of any output before relying on it, and for not using outputs in ways prohibited by the Terms of Service or Acceptable Use Policy.

7.5 Local-runtime data

The OmniLink local runtime executes tools on hardware you control. Inputs, sensor readings, file contents, and other tool-side state remain on that device unless the agent itself decides to send them back to the cloud as part of an action or analysis step. You can disable specific tools or restrict the information they expose at any time.

8. International data transfers

OmniLink is headquartered in the United States, and the Services are operated from infrastructure located in the United States and other regions. When you use the Services, your personal information may be transferred to, stored in, and processed in countries other than the one in which you reside, including jurisdictions whose data-protection laws may differ from those of your home country.

Where required, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss Federal Data Protection and Information Commissioner’s model clauses, and adequacy decisions, supplemented by technical and organizational measures that take account of the destination country’s legal framework.

You can request a copy of the safeguards we have put in place for international transfers by writing to privacy@omnilinktechnology.com.

9. Data retention

We retain personal information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

Category	Default retention	Notes
Account profile	Life of the account	Deleted within 30 days of account deletion, subject to legal holds.
Workspace configuration and agent profiles	Life of the workspace	Removable at any time from the Dashboard.
Short-term memory	Session-scoped	Cleared automatically on reset.
Long-term memory and knowledge files	Until you delete them	User-controlled with delete and export workflows.
Usage logs	Rolling 90 days	Aggregate, de-identified statistics may be retained longer.
Security logs and audit trails	Up to 18 months	Retained to detect and investigate security incidents.
Audio for speech-to-text and text-to-speech	Not stored	Streamed in memory and discarded after processing.
Billing records and invoices	7 years	Retained to meet tax and accounting obligations.
Support tickets and correspondence	Up to 3 years	Retained to handle follow-up issues and improve support.

When personal information is no longer required, we delete, anonymize, or aggregate it in a manner that prevents re-identification. Backups are retained for a limited period and overwritten on a rolling schedule.

10. How we protect information

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. The full program is described on our Security page. Key measures include:

Encryption of data in transit with TLS 1.2 or higher and encryption of data at rest using industry-standard algorithms.
Strict identity, authentication, and access management for internal personnel, including multi-factor authentication and least-privilege access.
Logical isolation of workspaces using row-level security at the database layer, so a compromised application server cannot bypass tenancy boundaries.
Continuous monitoring, log review, vulnerability scanning, and periodic third-party security testing.
A documented incident-response process, including breach notification consistent with applicable laws.

No method of transmission or storage is perfectly secure. You are responsible for keeping your credentials, Omni Keys, and devices safe. Notify us immediately if you suspect your account or any credentials have been compromised.

11. Your rights and choices

Depending on where you live and the role you have, you may have the following rights regarding your personal information. We honor these rights for all users where it is reasonable to do so, even if a specific law does not require it.

Access. Request a copy of the personal information we hold about you.
Correction. Request that we correct inaccurate or incomplete information.
Deletion. Request deletion of personal information, subject to limited exceptions (for example, where we are required to retain records by law).
Portability. Receive an export of personal information you provided to us in a structured, machine-readable format.
Restriction. Ask us to restrict certain processing of your personal information.
Objection. Object to processing that we base on legitimate interests, including for direct marketing.
Withdrawal of consent. Withdraw consent for processing that is based on consent, at any time.
Automated decision-making. Request human review of significant decisions made by automated means without meaningful human involvement. OmniLink does not use personal information to make decisions producing legal or similarly significant effects without human review.
Complaint. Lodge a complaint with your local data-protection authority. We would appreciate the chance to address your concerns first.

To exercise a right, email privacy@omnilinktechnology.com from the address associated with your account, or use the self-serve controls in the Dashboard. We may need to verify your identity before completing your request. We will respond within the time required by applicable law, typically within 30 days. You have the right not to be discriminated against for exercising your rights.

If your personal information was provided to us by a Customer (for example, because your employer uses OmniLink), we will forward your request to that Customer and support them in responding to you.

12. Cookies and similar technologies

We use a small number of cookies and similar technologies to run the Services, remember your preferences, and understand how the Services are used. We do not use cookies to deliver third-party behavioral advertising.

12.1 Categories

Strictly necessary. Required for the Services to function, such as authentication cookies, session tokens stored in httpOnly cookies, and cross-site request forgery protection.
Functional. Remember preferences such as theme, language, and which workspace you last visited.
Analytics. Help us understand aggregate usage of the Services and improve performance. Where required by law, we ask for your consent before setting these cookies.

12.2 Your choices

You can block or delete cookies through your browser settings, and most browsers offer a “do not track” or equivalent signal that we honor where required by law. Disabling strictly necessary cookies will break core features such as login.

13. Children’s privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact privacy@omnilinktechnology.com so that we can delete the information and close the account. Customers building consumer-facing products on top of OmniLink are responsible for complying with applicable child privacy laws, including COPPA and the GDPR’s rules on consent of children.

14. Third-party services and integrations

The Services may link to or integrate with third-party websites, services, devices, and APIs that we do not own or control. When you connect a third-party service to OmniLink or follow a link off the platform, the third party’s privacy practices apply to the information they collect. We encourage you to review their notices before connecting them.

Third-party AI providers we forward inference requests to process your inputs under their own privacy policies. Information you import from third-party knowledge sources remains subject to the terms under which you obtained it.

15. Region-specific disclosures

15.1 European Economic Area, United Kingdom, and Switzerland

OmniLink acts as a controller for the personal information of account owners and Users when we operate the Services generally, and as a processor for Customer Content that Customers submit to deliver their own services. Our Data Processing Addendum, incorporating the Standard Contractual Clauses and the UK Addendum, is available on request and is deemed accepted by enterprise customers under our standard contracting terms.

15.2 California

Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”), California residents have the rights described in Section 11 and the following additional rights:

The right to know the categories of personal information we collect, the categories of sources, the business purposes, and the categories of third parties with whom we share personal information.
The right to opt out of the sale or sharing of personal information. OmniLink does not sell personal information for monetary consideration and does not share personal information for cross-context behavioral advertising.
The right to limit the use of sensitive personal information. We use the limited sensitive personal information we may receive only for permitted business purposes.

15.3 Other US states

Residents of Colorado, Connecticut, Virginia, Utah, Texas, and other states with comprehensive privacy laws have rights comparable to the CCPA. We honor these rights consistent with the requirements of each applicable law. To exercise them, use the contact details in Section 17.

15.4 Brazil

If the Brazilian General Data Protection Law (LGPD) applies, you have the rights of confirmation, access, correction, anonymization, blocking, deletion, portability, information about sharing, and revocation of consent. Our representative for LGPD matters can be reached through the contact details below.

15.5 Australia

If the Australian Privacy Act applies, you have the rights to access and correct your personal information and to make a complaint about how we handle it. You can complain to the Office of the Australian Information Commissioner if you are not satisfied with our response.

16. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Policy on this page, updating the “Last updated” date at the top, and, where appropriate, sending a notice through the Dashboard or by email. We encourage you to review this Policy periodically. Your continued use of the Services after the effective date of a revised Policy indicates your acceptance of the changes.

17. How to contact us

If you have questions, complaints, or requests regarding this Policy or your personal information, contact us at:

Email (general privacy inquiries): privacy@omnilinktechnology.com
Email (data subject requests): privacy@omnilinktechnology.com with subject line “Data subject request.”
Email (security): security@omnilinktechnology.com
Postal mail: OmniLink Technology Inc., Attn: Privacy, available on request through the privacy email above.

If your data-protection authority requires a single point of contact in your region, we will provide one on request.

Privacy at a glance