OmniDrop Inc. ("OmniDrop," "we," "us," or "our") is committed to protecting the privacy and rights of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.
This page supplements our Privacy Policy with GDPR-specific information about how we collect, process, store, and protect personal data of EEA, UK, and Swiss residents.
1. Data Controller
OmniDrop Inc. acts as the data controller for personal data collected directly through the platform (account data, usage data, billing data). For inquiries related to data protection, contact our Data Protection Officer:
- Name: OmniDrop Data Protection Officer
- Email: dpo@omnidrop.io
- Address: OmniDrop Inc., 548 Market Street, Suite 36879, San Francisco, CA 94104, United States
2. Legal Basis for Processing
We process personal data under one or more of the following legal bases as defined in Article 6(1) of the GDPR:
| Legal Basis | Processing Activity |
|---|---|
| Contract Performance (Art. 6(1)(b)) | Account creation, subscription management, service delivery, payment processing, connected store integrations |
| Legitimate Interest (Art. 6(1)(f)) | Service improvement through aggregated analytics, fraud prevention and security monitoring, customer support optimization |
| Consent (Art. 6(1)(a)) | Marketing emails and newsletters, optional analytics cookies, feature usage surveys |
| Legal Obligation (Art. 6(1)(c)) | Tax record retention, regulatory compliance, law enforcement requests |
3. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. You may exercise any of these rights by contacting us at privacy@omnidrop.io:
3.1 Right of Access (Art. 15)
You have the right to obtain confirmation that we process your personal data and to receive a copy of that data. You can initiate a data export directly from Settings > Privacy > Export My Data in the OmniDrop dashboard.
3.2 Right to Rectification (Art. 16)
You may correct inaccurate or incomplete personal data at any time from your account settings, or by contacting us.
3.3 Right to Erasure (Art. 17)
You can request deletion of your personal data. We will comply within 30 days, except where we are legally required to retain certain records (e.g., billing data for tax purposes). Account deletion can be initiated from Settings > Account > Delete Account.
3.4 Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON). The export includes your profile, products, campaigns, and activity history.
3.5 Right to Restrict Processing (Art. 18)
You may request that we limit the processing of your data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
3.6 Right to Object (Art. 21)
You may object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
3.7 Right Not to Be Subject to Automated Decision-Making (Art. 22)
Our AI features generate content recommendations and marketing materials, but no automated decisions with legal or significant effects are made about you without human oversight. You can always review and override AI-generated output before publishing.
4. International Data Transfers
OmniDrop's primary infrastructure is located in the United States. When we transfer personal data of EEA/UK residents outside the EEA/UK, we use one or more of the following safeguards:
- Standard Contractual Clauses (SCCs): We execute the European Commission's approved SCCs (Module 1: Controller-to-Controller, Module 2: Controller-to-Processor) with each relevant data importer.
- Supplementary Measures: We implement additional technical safeguards including end-to-end encryption, pseudonymization where feasible, and strict access controls.
- Adequacy Decisions: Where the European Commission has determined a country provides adequate data protection, we rely on that adequacy decision.
5. Data Retention
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account profile data | Duration of account + 30 days | Contract performance |
| Billing & invoice records | 7 years from transaction date | Legal obligation (tax) |
| Usage analytics (aggregated) | 24 months | Legitimate interest |
| Support tickets | 3 years from resolution | Legitimate interest |
| Security logs | 12 months | Legitimate interest |
6. Sub-Processors
We use the following vetted sub-processors to deliver the Service. Each is bound by data processing agreements with appropriate safeguards:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Vercel | Frontend hosting and edge delivery | United States |
| DigitalOcean / AWS | Backend infrastructure and data storage | United States |
| Stripe | Payment processing and billing | United States |
| OpenAI / Anthropic / Google | AI model inference (no PII in prompts) | United States |
| Resend / SendGrid | Transactional email delivery | United States |
| Redis Cloud | Caching and real-time data | United States |
A full, up-to-date list of sub-processors is available upon request by emailing dpo@omnidrop.io.
7. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of data subjects, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Art. 33).
- Notify affected data subjects without undue delay if the breach poses a high risk (Art. 34).
- Document the breach, its effects, and the remedial actions taken in our internal breach register.
8. Complaints
If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local supervisory authority. You can find your local authority at the European Data Protection Board website.
We encourage you to contact us first at dpo@omnidrop.io so we can address your concerns directly.