Introduction
Omesta ("we", "our", or "us") operates a revenue recovery platform for businesses of all kinds. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services at omesta.com.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable data protection laws.
Data we collect
We collect the following categories of data:
- Account information: Name, email address, and authentication data when you create an account (via email/password or Google OAuth).
- Platform connection data:OAuth tokens for Meta Ads, Google Ads, and Stripe that you explicitly grant during onboarding. These are used to read your ad campaign and payment data, and — for the Google connection, which also grants the Google Data Manager scope (
datamanager) — to send your first-party conversion data back to Google for measurement. Consented Customer Match audiences are sent through Google Data Manager when you explicitly upload a list or enable the Converter Vault. See section 09 for the full Google disclosure. - Conversion tracking data: When you install our tracking pixel, we collect conversion events (event name, value, timestamps). All personal identifiers (email addresses, phone numbers) are hashed with SHA-256 before storage. We never store plaintext PII from your customers.
- Payment data: Failed payment information from Stripe (amounts, decline codes, invoice IDs). We do not store credit card numbers or full payment credentials.
- Usage data: Analytics data about how you use Omesta, collected via our first-party tracking system subject to your consent preferences.
- Fraud-prevention signals: To protect the free-access model and detect abuse, we record the IP address used at signup and technical signals from tracked traffic (such as device characteristics and interaction patterns used to score suspected bot activity). These signals are used solely for security, abuse prevention, and traffic-quality measurement — never sold or used for third-party advertising.
How we use your data
- Recovering failed payments through automated retry and dunning email campaigns
- Detecting attribution gaps and wasted ad spend in your advertising campaigns
- Providing conversion tracking and multi-touch attribution analysis
- Sending your first-party conversion events through Google Data Manager and consented Customer Match audiences through Google Data Manager to measure ad performance and improve targeting, when you connect a Google Ads account
- Generating AI-powered insights and recommendations for your business
- Sending dunning emails to your customers on your behalf for payment recovery
- Communicating with you about your account, service updates, and support
Legal basis for processing
- Contract performance: Processing necessary to provide our revenue recovery and ad optimization services as agreed.
- Consent: For analytics tracking and marketing communications, we obtain your explicit consent via our consent banner.
- Legitimate interest: For fraud prevention, service improvement, and security monitoring.
Data retention
We retain your account data for as long as your account is active. Conversion tracking data and recovery event logs are retained for 24 months. Hashed customer identifiers are retained for 12 months after last activity. You may request deletion of your data at any time.
Your rights
Under the GDPR, you have the following rights:
- Access: Request a copy of all personal data we hold about you.
- Rectification: Correct any inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Restrict processing of your personal data.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent at any time through your dashboard or our consent banner.
To exercise any of these rights, contact us at support@omestasystems.com. We will respond within 30 days as required by GDPR.
Third-party services
We integrate with the following third-party services to provide our platform:
- Supabase: Authentication and database hosting (EU data centers).
- Stripe: Payment processing for subscriptions and payment recovery.
- Meta (Facebook) Ads: Campaign data access and, when enabled, server-side conversion events through Meta's Graph and Conversions APIs.
- Google Ads & Google Data Manager: Campaign data access via the Google Ads API. Two OAuth scopes are requested at connect:
adwords, used in read mode by default (write actions occur only when you explicitly enable a specific Autopilot module, and every action is logged and reversible); anddatamanager, a write scope used to send your first-party conversion events and consented Customer Match audiences to Google. Data sent to Google is processed by Google as an independent controller under Google's own Privacy Policy and Customer Match policies. See section 09 (Google user data) for the full sharing disclosure required by the Google API Services User Data Policy. - Google Analytics: Website analytics, loaded only when you grant analytics-cookie consent. Google may receive online identifiers and usage information through its analytics cookies; see Google's Privacy Policy.
- Resend: Transactional email delivery for dunning campaigns.
- Anthropic: AI-powered insights and recommendations (no customer PII is shared).
- Vercel: Application hosting and serverless functions.
Google user data — sharing, transfer, and disclosure
Where you authenticate with Google Sign-In or connect a Google Ads account, Omesta's use, sharing, and transfer of the resulting Google user data is governed by the Google API Services User Data Policy, including the Limited Use requirements. This section enumerates the categories of Google user data we receive, the exact set of third parties to whom we share or transfer that data, and the purpose of each transfer.
What we receive from Google:
- Google Sign-In (scopes:
openid,email,profile): email address, basic profile information (name and avatar URL), and a stable user identifier. Used only to create and authenticate your Omesta account. - Google Ads API (scope:
adwords):campaign, ad group, ad, keyword, and conversion performance data for the ad accounts you explicitly link. Used to surface attribution gaps and wasted-spend recommendations, and — only when you explicitly enable a specific Autopilot module — to pause or adjust assets that the module is authorised to act on. - Google Data Manager API (scope:
datamanager):this is a write scope — it does not read data from your Google account. It authorises Omesta to send your first-party conversion data toGoogle on your behalf, as described in "Customer data we send to Google" below.
Customer data we send to Google (Data Manager API and Google Ads Customer Match):
When you connect Google Ads, Omesta may send your own first-party customer data to Google through the Google Data Manager API for offline and enhanced conversions and Customer Match. This is customer data you collected directly from your customers (through your website, checkout, or events you run) — we share it with Google as a third party to perform ad-measurement and audience services on your behalf. Specifically:
- What we send: Google click identifiers (
gclid,gbraid,wbraid) captured by our tracking, and hashed customer identifiers — email addresses and phone numbers that are irreversibly hashed with SHA-256 before they leave Omesta (phone numbers in E.164 form). We do not send plaintext email addresses or phone numbers, and we do not send end-customer names or addresses. - Why we send it:(a) to report offline and enhanced conversions so your Google Ads reporting and Smart Bidding reflect real outcomes; and (b) to build a Customer Match "proven converters" audience for the single ad account you linked, which Google uses to improve targeting and bidding. Each audience is scoped to one merchant and is never combined across Omesta customers.
- How Google handles it:once sent, this data is processed by Google as an independent party under Google's own Privacy Policy, the Google Ads Customer Match policies, and the Google EU User Consent Policy. Google matches the identifiers to Google accounts and discards identifiers that do not match.
- Consent and rights:where required by law or by Google's policies (including for customers in the EEA, UK, and Switzerland), the data is uploaded only with the consent signal Google requires, and only where you, the merchant, have obtained the necessary consents and have the right to share the data with Google. Your responsibilities for obtaining that consent are set out in section 06 of our Terms of Service. You can disable this send-back at any time by disconnecting Google Ads or contacting us.
With whom we share, transfer, or disclose Google user data, and why:
- Supabase, Inc.(authentication and primary database, EU region) — stores your Omesta account record (including the Google email and profile fields above) and the encrypted OAuth refresh token that authorises Google Ads API calls on your behalf. This transfer is necessary to keep you signed in and to make API calls in response to your use of the Service.
- Vercel, Inc.(application hosting and serverless functions) — serves the HTTP requests that read and process Google user data in transit. Vercel does not retain Google user data outside of short-lived request logs used for operational debugging.
- Anthropic, PBC(AI insight generation) — receives only aggregated and derived performance metrics (for example: "account X spent $Y on keyword theme Z without conversions"). Raw Google user data, email addresses, profile fields, OAuth tokens, and end-customer identifiers are never transmitted to Anthropic, and prompts are configured with the no-training flag so content is not used to improve Anthropic's models.
- Resend, Inc.(transactional email delivery) — receives the email address on your Omesta account to deliver service-related emails (sign-in links, billing receipts, account notices). Resend does not receive any Google Ads campaign data.
We do not share, transfer, or disclose Google user data to any other third party beyond those listed above, except where required to comply with applicable law or a binding legal process, in connection with a merger or acquisition with prior notice to you, or with your separate, specific consent.
What we do not do with Google user data:
- We do not sell, rent, or licence Google user data to any third party.
- We do not transfer Google user data to data brokers, ad networks, or marketing platforms.
- We do not use Google user data to train, fine-tune, or otherwise improve generalised machine-learning or AI models — our own or any third party's.
- We do not use Google user data — the account, campaign, and performance data wereceive fromGoogle, described above — for advertising, including remarketing, audience building, or personalised ad targeting. (The Customer Match audiences described above are built only from your own first-party customer data that you direct us to send to Google, not from data we receive from Google.)
- We do not allow humans (Omesta staff, contractors, or subprocessors) to read your Google user data except where: (a) you have given specific consent in a support conversation, (b) it is necessary to investigate a security incident, (c) it is required to comply with applicable law or a binding legal request, or (d) the data has first been aggregated or de-identified such that it cannot be re-associated with you.
Retention and revocation:You may revoke Omesta's access to your Google account at any time from your Google Account permissions page or from your Omesta dashboard. Revocation immediately invalidates the stored refresh token; cached Google Ads performance data is deleted within thirty (30) days of revocation or, in the case of full account deletion, within the thirty-day deletion grace period described in our Terms of Service.
Data security
We implement industry-standard security measures including: encrypted connections (TLS/HTTPS), SHA-256 hashing of all customer PII before storage, Row-Level Security (RLS) on all database tables, secure webhook signature verification, rate limiting on all public endpoints, and timing-safe comparison for authentication secrets.
International data transfers
All primary data processing occurs in EU data centers. Where data is transferred outside the EU (e.g., to US-based service providers), we ensure appropriate safeguards are in place through Standard Contractual Clauses or equivalent mechanisms.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice on our platform. Your continued use of Omesta after changes constitutes acceptance of the updated policy.
Contact us
For any questions about this Privacy Policy or to exercise your data rights, contact us at support@omestasystems.com.
Need something else?
Reach our team at support@omestasystems.com. We respond within one business day.