
Privacy Policy

How we collect, use, store, and protect your personal data when you use Omesta, written to comply with GDPR, the ePrivacy Directive, and all applicable data protection laws.

Last updated · May 18, 2026

01

Introduction

Omesta ("we", "our", or "us") operates a revenue recovery platform for businesses of all kinds. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services at omesta.com.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable data protection laws.

02

Data we collect

We collect the following categories of data:

  • Account information: Name, email address, and authentication data when you create an account (via email/password or Google OAuth).
  • Platform connection data: OAuth tokens for Meta Ads, Google Ads, and Stripe that you explicitly grant during onboarding. These are used to access your ad campaign data and payment information in read-only mode.
  • Conversion tracking data: When you install our tracking pixel, we collect conversion events (event name, value, timestamps). All personal identifiers (email addresses, phone numbers) are hashed with SHA-256 before storage. We never store plaintext PII from your customers.
  • Payment data: Failed payment information from Stripe (amounts, decline codes, invoice IDs). We do not store credit card numbers or full payment credentials.
  • Usage data: Analytics data about how you use Omesta, collected via our first-party tracking system subject to your consent preferences.
03

How we use your data

  • Recovering failed payments through automated retry and dunning email campaigns
  • Detecting attribution gaps and wasted ad spend in your advertising campaigns
  • Providing conversion tracking and multi-touch attribution analysis
  • Generating AI-powered insights and recommendations for your business
  • Sending dunning emails to your customers on your behalf for payment recovery
  • Communicating with you about your account, service updates, and support
04

Legal basis for processing

  • Contract performance: Processing necessary to provide our revenue recovery and ad optimization services as agreed.
  • Consent: For analytics tracking and marketing communications, we obtain your explicit consent via our consent banner.
  • Legitimate interest: For fraud prevention, service improvement, and security monitoring.
05

Data retention

We retain your account data for as long as your account is active. Conversion tracking data and recovery event logs are retained for 24 months. Hashed customer identifiers are retained for 12 months after last activity. You may request deletion of your data at any time.

06

Your rights

Under the GDPR, you have the following rights:

  • Access: Request a copy of all personal data we hold about you.
  • Rectification: Correct any inaccurate personal data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Restrict processing of your personal data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent at any time through your dashboard or our consent banner.

To exercise any of these rights, contact us at support@omestasystems.com. We will respond within 30 days as required by GDPR.

07

Cookies

We use strictly necessary cookies for authentication and session management. Our analytics and marketing cookies are only set with your explicit consent. See our Cookie Policy for full details.

08

Third-party services

We integrate with the following third-party services to provide our platform:

  • Supabase: Authentication and database hosting (EU data centers).
  • Stripe: Payment processing for subscriptions and payment recovery.
  • Meta (Facebook) Ads: Ad campaign data access via Conversions API (read-only).
  • Google Ads: Campaign data access via Google Ads API. The OAuth scope (`adwords`) is used in read mode by default; write actions are taken only when you explicitly enable a specific Autopilot module from your dashboard, and every action is logged and reversible. See section 09 (Google user data) for the full Google-user-data sharing disclosure required by the Google API Services User Data Policy.
  • Resend: Transactional email delivery for dunning campaigns.
  • Anthropic: AI-powered insights and recommendations (no customer PII is shared).
  • Vercel: Application hosting and serverless functions.
09

Google user data — sharing, transfer, and disclosure

Where you authenticate with Google Sign-In or connect a Google Ads account, Omesta's use, sharing, and transfer of the resulting Google user data is governed by the Google API Services User Data Policy, including the Limited Use requirements. This section enumerates the categories of Google user data we receive, the exact set of third parties to whom we share or transfer that data, and the purpose of each transfer.

What we receive from Google:

  • Google Sign-In (scopes: openid, email, profile): email address, basic profile information (name and avatar URL), and a stable user identifier. Used only to create and authenticate your Omesta account.
  • Google Ads API (scope: adwords): campaign, ad group, ad, keyword, and conversion performance data for the ad accounts you explicitly link. Used to surface attribution gaps and wasted-spend recommendations, and — only when you explicitly enable a specific Autopilot module — to pause or adjust assets that the module is authorised to act on.

With whom we share, transfer, or disclose Google user data, and why:

  • Supabase, Inc. (authentication and primary database, EU region) — stores your Omesta account record (including the Google email and profile fields above) and the encrypted OAuth refresh token that authorises Google Ads API calls on your behalf. This transfer is necessary to keep you signed in and to make API calls in response to your use of the Service.
  • Vercel, Inc. (application hosting and serverless functions) — serves the HTTP requests that read and process Google user data in transit. Vercel does not retain Google user data outside of short-lived request logs used for operational debugging.
  • Anthropic, PBC (AI insight generation) — receives only aggregated and derived performance metrics (for example: "account X spent $Y on keyword theme Z without conversions"). Raw Google user data, email addresses, profile fields, OAuth tokens, and end-customer identifiers are never transmitted to Anthropic, and prompts are configured with the no-training flag so content is not used to improve Anthropic's models.
  • Resend, Inc. (transactional email delivery) — receives the email address on your Omesta account to deliver service-related emails (sign-in links, billing receipts, account notices). Resend does not receive any Google Ads campaign data.

We do not share, transfer, or disclose Google user data to any other third party beyond those listed above, except where required to comply with applicable law or a binding legal process, in connection with a merger or acquisition with prior notice to you, or with your separate, specific consent.

What we do not do with Google user data:

  • We do not sell, rent, or licence Google user data to any third party.
  • We do not transfer Google user data to data brokers, ad networks, or marketing platforms.
  • We do not use Google user data to train, fine-tune, or otherwise improve generalised machine-learning or AI models — our own or any third party's.
  • We do not use Google user data for advertising, including remarketing, audience building, or personalised ad targeting.
  • We do not allow humans (Omesta staff, contractors, or subprocessors) to read your Google user data except where: (a) you have given specific consent in a support conversation, (b) it is necessary to investigate a security incident, (c) it is required to comply with applicable law or a binding legal request, or (d) the data has first been aggregated or de-identified such that it cannot be re-associated with you.

Retention and revocation: You may revoke Omesta's access to your Google account at any time from your Google Account permissions page or from your Omesta dashboard. Revocation immediately invalidates the stored refresh token; cached Google Ads performance data is deleted within thirty (30) days of revocation or, in the case of full account deletion, within the thirty-day deletion grace period described in our Terms of Service.

10

Data security

We implement industry-standard security measures including: encrypted connections (TLS/HTTPS), SHA-256 hashing of all customer PII before storage, Row-Level Security (RLS) on all database tables, secure webhook signature verification, rate limiting on all public endpoints, and timing-safe comparison for authentication secrets.

11

International data transfers

All primary data processing occurs in EU data centers. Where data is transferred outside the EU (e.g., to US-based service providers), we ensure appropriate safeguards are in place through Standard Contractual Clauses or equivalent mechanisms.

12

Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice on our platform. Your continued use of Omesta after changes constitutes acceptance of the updated policy.

13

Contact us

For any questions about this Privacy Policy or to exercise your data rights, contact us at support@omestasystems.com.


Contact

Omesta Systems LLC
5830 E 2nd St
Ste 7000 #33555
Casper, WY 82609
support@omestasystems.com
© 2026 Omesta Systems. All rights reserved.