GDPR Policy

How Omesta complies with the EU General Data Protection Regulation, including the rights it grants you, the lawful bases we rely on, and how to exercise those rights.

Last updated · April 21, 2026

01

Scope & who we are

This GDPR Policy explains how Omesta Systems LLC ("Omesta", "we", "us") processes personal data of individuals in the European Union, the European Economic Area, and the United Kingdom, in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the UK GDPR.

Our registered address is 5830 E 2nd St, Ste 7000 #33555, Casper, WY 82609, United States. For GDPR matters you can reach our team at support@omestasystems.com.

02

Controller vs. Processor

Omesta acts in two capacities depending on the data:

  • Data Controller for account data (your name, email, billing information, account settings, telemetry on how you use Omesta itself).
  • Data Processor for the end-customer data you bring into the platform (your Stripe customers, Shopify orders, Meta ad audiences, etc.). In this capacity we process data on your documented instructions under a Data Processing Addendum (DPA).

03

Lawful bases for processing

We rely on the following lawful bases under Article 6 GDPR:

  • Contract (Art. 6(1)(b)): processing necessary to provide the Omesta Service under our Terms.
  • Legitimate interests (Art. 6(1)(f)): fraud prevention, service security, product improvement, and direct marketing to existing customers. You can object at any time.
  • Consent (Art. 6(1)(a)): for cookies that are not strictly necessary, and for marketing emails to prospects in the EU.
  • Legal obligation (Art. 6(1)(c)): tax, accounting, and anti-money-laundering record keeping.

04

Categories of personal data

In our capacity as Controller we process: identity data (name, email), billing data (invoice records, last-4 of card via Stripe), technical data (IP, device, browser), usage data (features used, timestamps, performance metrics), communication data (support tickets, email correspondence), and marketing preferences.

In our capacity as Processor we process the data you connect to Omesta. The full list of fields per integration lives on our Integration Data Disclosure page.

05

Your rights under the GDPR

You have the following rights in respect of the personal data we hold about you. We respond to verified requests within 30 days (extendable once by 60 days for complex cases).

  • Right of access (Art. 15): a copy of the data we hold about you and information about how we use it.
  • Right to rectification (Art. 16): correct inaccurate data; most account fields are self-editable in settings.
  • Right to erasure / "right to be forgotten" (Art. 17): deletion of your account and associated data, subject to legal retention requirements.
  • Right to restriction (Art. 18): require us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format; we provide JSON and CSV exports.
  • Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting past processing.
  • Right to lodge a complaint with your local supervisory authority; contact details for every EEA authority are published by the European Data Protection Board.

To exercise any of these rights, email support@omestasystems.com from the email address associated with your account. For security we may ask for additional verification before acting on an erasure or portability request.

06

International data transfers

Our production infrastructure is hosted in the United States (AWS us-east-1 and us-west-2) with an EU option available on request. When personal data is transferred out of the EEA or UK, we rely on one of the following safeguards under Chapter V GDPR:

  • The European Commission’s Standard Contractual Clauses (module 2 for Controller-to-Processor transfers) signed as part of our DPA.
  • The UK International Data Transfer Addendum where transfers originate in the UK.
  • Technical and organisational measures (encryption in transit and at rest, access controls, audit logging) described on our Data Security page.

07

Data retention

We retain personal data only as long as necessary for the purposes described here.

  • Account data: for the life of your account, plus 30 days after closure.
  • Billing records: 7 years (tax and accounting requirements).
  • Customer-provided data: 18 months rolling, or until you disconnect the integration, whichever is shorter.
  • Support correspondence: 3 years from last contact.
  • Backups: 30 days; deletion requests propagate to backups on a rolling basis.

08

Automated decision-making

Omesta does not use personal data for solely automated decision-making that produces legal or similarly significant effects on you (within the meaning of Article 22 GDPR). Leak detection and recovery recommendations are generated automatically but always reviewable, overridable, and pausable by a human operator.

09

Data Processing Addendum (DPA)

If you are a customer processing EU personal data through Omesta, you should execute our Data Processing Addendum. Our standard DPA is available in one click from your account settings or by emailing support@omestasystems.com. It incorporates the EU Standard Contractual Clauses and the UK Addendum by reference.

10

Sub-processors

Omesta engages vetted sub-processors to deliver the Service. Our current sub-processor list includes:

  • Amazon Web Services, Inc.: primary infrastructure hosting (US, EU on request).
  • Supabase, Inc.: database and authentication (US).
  • Vercel, Inc.: application edge hosting and CDN (global).
  • Stripe Payments, Inc.: subscription billing and payment processing.
  • Resend, Inc.: transactional email delivery (US).
  • Anthropic PBC: AI-powered dunning email generation (US).

We notify DPA customers at least 30 days before adding or replacing a sub-processor. To subscribe to change notices, email support@omestasystems.com.

11

Data breach notifications

In the event of a personal data breach that is likely to result in a risk to affected individuals’ rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR), and notify affected individuals without undue delay where required (Art. 34 GDPR).

12

Changes to this policy

We may update this GDPR Policy to reflect changes in our practices, infrastructure, or applicable law. Material changes will be communicated by email to account holders and posted on this page with an updated "Last updated" date at least 30 days before they take effect.

13

Contact

Email: support@omestasystems.com
Postal: Omesta Systems LLC, 5830 E 2nd St, Ste 7000 #33555, Casper, WY 82609, USA

Need something else?

Reach our team at support@omestasystems.com. We respond within one business day.
