
Privacy Policy

Effective date: 2026-05-01 · Last updated: 2026-05-30

We respect your privacy. This Privacy Policy explains what data OmniaKey collects, why we collect it, how we use it, and your rights over it.

This policy applies to all visitors of OmniaKey regardless of location. Where your local law — including but not limited to the GDPR (EU / UK), CCPA / CPRA (California and similar US state laws), LGPD (Brazil), and PIPL (China) — grants stronger rights than what we describe below, those rights apply automatically. Email [email protected] to exercise a jurisdiction-specific right. The Service is not offered to users in mainland China, and we do not target the mainland China market (see our Terms of Service). OmniaKey is hosted outside mainland China; if the Service is nonetheless accessed from there, any resulting cross-border transfer of personal information is incidental and not solicited by us.

1. Information we collect

Account information

  • Email address — for sign-in, transactional emails, and account recovery.
  • Name — for personalization and email greetings.
  • Profile image (if signing in with Google/GitHub) — displayed in your account UI.
  • Hashed password (if using email + password sign-in) — never stored or transmitted in plaintext.
  • Preferred locale — to display the right language.

Usage information

  • IP address — for fraud prevention, rate-limiting, and security audit logs.
  • User agent — to render the right experience and debug issues.
  • Session activity — login times, last-seen timestamps.

Payment information

Payments are processed by Stripe. We never see or store your full card number, CVV, or bank details. Stripe sends us only:

  • A customer ID and subscription/order ID
  • The amount, currency, and status of each payment
  • The last four digits of your card (optional, for invoice display)

Email subscription (optional)

If you subscribe to our newsletter, your email address is shared with our email provider (currently Resend) for delivery purposes only. You can unsubscribe at any time from any email we send.

2. How we use your data

  • Provide the service — authentication, payments, content delivery.
  • Communicate — receipts, password resets, important product updates, and (if subscribed) the newsletter.
  • Improve the product — aggregate usage analytics. Individual data is never sold or shared with third parties for advertising.
  • Comply with the law — for tax records, fraud prevention, and lawful disclosure when required.

Under the GDPR and similar laws, every use of personal data needs a legal basis. Below is how each of our processing activities maps to a basis under GDPR Article 6:

  • Performance of a contract — creating and operating your account (sign-in, settings, locale), sending transactional emails (receipts, password resets, important product updates), and processing payments via Stripe.
  • Legitimate interests — security audit logs (IP, user agent, session activity), fraud and abuse prevention, and aggregate cookie-free product analytics (Vercel Analytics). We balance these interests against your privacy and only process what is genuinely necessary to keep the service safe and reliable.
  • Consent — newsletter subscription, marketing or promotional emails, and the optional analytics / marketing cookies (Google Analytics, Microsoft Clarity, affiliate referral). You can withdraw any consent at any time — see Your Privacy Choices below.
  • Legal obligation — retaining invoices and tax records, complying with anti-fraud regulations, and responding to lawful requests from courts and regulators.

In jurisdictions where additional or different bases apply (e.g., LGPD's "legitimate interest" under Article 7, X of the LGPD; PIPL's "necessity for contract performance"), we follow the locally applicable equivalent.

4. Data sharing

We share data only with the third-party services we use to operate the product:

  • Stripe — payment processing.
  • Resend — transactional and marketing email delivery.
  • Vercel — hosting and Vercel Analytics (aggregated traffic data, cookie-free).
  • Google / GitHub — only if you sign in via OAuth; we receive the bare minimum profile fields.
  • Google Analytics 4 (Google LLC) — only after you accept analytics cookies. Receives anonymized page views, session events, and aggregate engagement metrics.
  • Microsoft Clarity (Microsoft Corporation) — only after you accept analytics cookies. Receives anonymized session recordings and heatmap interaction data.
  • Cloudflare — DNS, CDN, anti-bot challenges (Turnstile). Receives standard request metadata (IP, headers) for traffic delivery and security.

We do not sell your personal data, ever. We do not share data with advertisers or data brokers.

Our service providers are based primarily in the United States and the European Union. International transfers rely on the safeguards described in §7 International data transfers.

Sensitive Personal Information. OmniaKey does not sell or share Sensitive Personal Information (as defined by the CCPA / CPRA), and has not done so in the preceding 12 months. We do not collect biometric data, government-issued IDs, precise geolocation, or other sensitive categories.

5. Your rights

You have the right to:

  • Access — request a copy of all data we hold about you.
  • Correct — update inaccurate information via your settings page.
  • Delete — close your account from the settings page; we will delete your data within 30 days, except where we are legally required to retain it (e.g., tax records, kept for 7 years per most jurisdictions).
  • Export — request your data in a machine-readable format.
  • Object — opt out of any non-essential data processing at any time.
  • Restrict processing — pause our use of your data while a request is pending.
  • Withdraw consent — for any consent-based processing, with effect from the moment of withdrawal (prior processing remains lawful).
  • Not be discriminated against — exercising any of these rights does not affect the price or quality of service you receive.

To exercise any of these, email [email protected].

Identity verification

Before acting on a request, we may need to verify it came from you. If your request is sent from the email address associated with your account, that usually suffices. Otherwise we may ask you to confirm details we already hold (e.g., the date of a recent transaction). We only ask for what is necessary to confirm identity and never request sensitive categories of data.

Authorized agent (CCPA / CPRA)

Under the CCPA / CPRA, you may designate an authorized agent — in writing or by power of attorney — to make a request on your behalf. We may still verify your identity directly and confirm the agent's authorization before acting on the request.

Right to appeal

If we deny your request, or you are dissatisfied with our response, you have the right to appeal. Email [email protected] with the subject line "Privacy Appeal". You may also file a complaint with your local data protection authority — for example:

  • EU residents — your member-state DPA, or the Irish Data Protection Commission (lead authority for many cross-border cases).
  • UK residents — the Information Commissioner's Office (ICO).
  • California residents — the California Privacy Protection Agency (CPPA) or the California Attorney General.
  • Brazil residents — the Autoridade Nacional de Proteção de Dados (ANPD).
  • China residents — the Cyberspace Administration of China (CAC).

Global Privacy Control (GPC)

We honor the Global Privacy Control opt-out signal. When your browser sends Sec-GPC: 1 (Brave, DuckDuckGo Privacy Browser, Firefox with the GPC extension, and others), we automatically opt you out of optional analytics and marketing cookies — no banner interaction required. This is the universal opt-out mechanism mandated by the California CPRA and recognized by Microsoft, Mozilla, and others as the consensus signal.

6. Data retention

We keep account data for as long as your account is active. After account deletion, we delete personal data within 30 days, except for legally required records (invoices, tax data) which are retained per local law (typically 7 years). Retention periods follow the GDPR's storage-limitation principle — we keep data only as long as necessary for the purpose for which it was collected.

7. International data transfers

Several of the third parties we use to operate OmniaKey are headquartered in the United States, including Stripe, Resend, Google (Analytics), Microsoft (Clarity), Vercel, and Cloudflare. When data moves from your country to theirs, we rely on one or more of the following legal mechanisms:

  • Adequacy decisions — for transfers to countries that the European Commission, the UK ICO, or comparable regulators have formally recognized as providing an adequate level of protection.
  • EU-U.S. Data Privacy Framework (DPF) and its UK Extension — for U.S.-based recipients certified under the DPF. Stripe, Google LLC, Microsoft Corporation, Vercel, and Cloudflare are all DPF-certified.
  • EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent transfer instruments under LGPD, PIPL, and other regional laws — for any transfer not otherwise covered.

These are the same mechanisms used by Stripe, Microsoft, and other Schrems II-aligned data exporters. If the legal basis for a transfer changes (for example, if the DPF is struck down by a court), we update both this policy and the underlying data-processing agreements.

8. Cookies

We use cookies in three categories. The first is required for the site to work; the other two are optional and only set after you opt in via our cookie banner. You can change your choices any time from the Cookie Preferences link in the footer.

Strictly necessary (always on)

  • Better Auth session — keeps you signed in.
  • CSRF token — protects against cross-site request forgery.
  • Stripe checkout session — drives the payment flow.
  • Cloudflare Turnstile — anti-bot challenge for sign-up / reset / newsletter.
  • NEXT_LOCALE — remembers your language choice.
  • vbs_consent — stores your cookie preferences themselves.

Analytics (opt-in)

Set only after you click Accept on the cookie banner. Used to understand traffic patterns and where users drop off — aggregated, never tied back to you personally.

  • Google Analytics 4: _ga (client ID, 2-year retention), _ga_<measurement_id> (session state, 2-year retention). Operated by Google LLC; data may transit to the United States.
  • Microsoft Clarity: _clck (user ID, 1-year retention), _clsk (session, 1-day retention), MUID (Microsoft cross-site ID, 13-month retention). Operated by Microsoft Corporation.

Marketing (opt-in)

  • vbs_ref — affiliate referral tracking. Set only when you arrive via a referral link, only if you opted in. 60-day retention.

If you decline analytics or marketing later, we erase those cookies from your browser on the next page load.

9. Children's privacy

OmniaKey is not intended for use by children under 16. We do not knowingly collect data from children. If you become aware that a child has provided us with personal information, please contact us so we can delete it. (In jurisdictions where COPPA-13 or a local equivalent imposes a different age limit, the local rule applies.)

10. Changes to this policy

Material changes will be announced via the changelog and emailed to active customers. The "Last updated" date at the top reflects the most recent revision.

11. Your Privacy Choices

Wherever you live, you can opt out of optional analytics and marketing cookies at any time. The mechanism is the same for every visitor:

  • Click Reject all on the cookie banner, or
  • Open Cookie Preferences from the footer and turn off the categories you don't want, or
  • Email [email protected] with the subject line "Privacy Choices", or
  • Send the Sec-GPC: 1 header from your browser — see Global Privacy Control in §5 above. We honor it as an automatic opt-out.

OmniaKey does not sell or share your personal information for advertising. We don't pass it to advertising networks, data brokers, or third parties for their own marketing. The optional analytics cookies (Google Analytics, Microsoft Clarity) involve cross-context data flows that California's CCPA / CPRA classifies as "sharing" and the GDPR treats as processing requiring consent — that's why they're behind explicit opt-in.

Named regional rights. The legally-named "Do Not Sell My Personal Information" right (California CCPA / CPRA), the GDPR Article 21 right to object (EU / UK), the LGPD right to oppose processing (Brazil), the PIPL right to refuse processing (China), and the equivalent rights under the laws of Australia, Japan, South Korea, Canada, Switzerland, and Singapore are all exercised via the steps above. See §12 Jurisdiction-specific provisions for the relevant supervisory authority and any threshold-conditional measures that may apply to your country.

Opting out has no effect on what you can do here — the site works the same with or without analytics on.

12. Jurisdiction-specific provisions

Privacy laws vary by location. Below is how this Policy maps to the privacy laws most likely to apply to our users. Where your local law gives you stronger rights, those rights apply automatically (see the introduction).

European Economic Area (EEA) / United Kingdom

The GDPR (and the UK GDPR for UK residents) applies. Legal bases are listed in §3 and cross-border transfer safeguards in §7. To exercise rights, email [email protected]; to complain, contact your member-state Data Protection Authority, the Irish Data Protection Commission (lead authority for many cross-border cases), or the UK Information Commissioner's Office (ICO). OmniaKey relies on the GDPR Article 27 "occasional processing" exemption for EU representative designation; if our processing of EU personal data ceases to be occasional, we will appoint an EU representative as the law requires.

United States

California: the CCPA / CPRA applies — see §5 (Authorized agent, Right to appeal, Global Privacy Control) and §11 (opt-out from "sale" / "sharing"). Other US states with comprehensive privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana MCDPA, and others as enacted) grant equivalent rights; we honor them on parity with California. To complain, contact the California Privacy Protection Agency (CPPA), the California Attorney General, or your own state's Attorney General as applicable.

Brazil

The Lei Geral de Proteção de Dados (LGPD) applies. Exercise rights via [email protected]; the supervisory authority is the Autoridade Nacional de Proteção de Dados (ANPD).

China (mainland)

OmniaKey does not offer the Service to users in mainland China and does not target the mainland China market. OmniaKey is hosted outside mainland China; if the Service is nonetheless accessed from there, any resulting cross-border transfer of personal information is incidental rather than solicited by us. To the extent the Personal Information Protection Law (PIPL) nonetheless applies on an extraterritorial basis, the supervisory authority is the Cyberspace Administration of China (CAC), and you may exercise your PIPL rights via the contact above.

Canada

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies. Exercise rights via [email protected], or contact the Office of the Privacy Commissioner of Canada (OPC). If you reside in Quebec, the Act Respecting the Protection of Personal Information in the Private Sector (as amended by Quebec Bill 64 / Law 25) also applies; Quebec residents may contact the Commission d'accès à l'information (CAI). When OmniaKey processes Quebec residents' personal information at the scale that requires it, we will designate a named Privacy Officer accessible to Quebec residents.

Australia

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply. We comply with APPs 1–13 (open and transparent management, anonymity / pseudonymity, collection of solicited personal information, notification, use and disclosure, direct marketing, cross-border disclosure with consent, government identifiers, quality, security, access, and correction). Exercise rights via [email protected]; complaints can be lodged with the Office of the Australian Information Commissioner (OAIC).

Japan

The Act on the Protection of Personal Information (APPI / 個人情報保護法) applies. Exercise rights via [email protected]; the supervisory authority is the Personal Information Protection Commission (PPC / 個人情報保護委員会). Cross-border transfers are made only to recipients in countries the PPC has recognized as providing equivalent protection, or under contractual safeguards equivalent to those required by the PPC.

South Korea

The Personal Information Protection Act (PIPA) applies. Exercise rights via [email protected]; the supervisory authority is the Personal Information Protection Commission (PIPC). If OmniaKey's processing crosses PIPA Article 31-2 thresholds (typically 1M+ Korean users or KRW 10 billion+ in Korea-related annual revenue), we will appoint a domestic representative as the law requires.

Switzerland

The revised Federal Act on Data Protection (FADP / nFADP, in force since September 2023) applies. Exercise rights via [email protected]; the supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Transfers to the United States rely on the Swiss-U.S. Data Privacy Framework where the recipient is certified, or on Standard Contractual Clauses adapted for Switzerland.

Singapore

The Personal Data Protection Act 2012 (PDPA) applies. Exercise rights via [email protected]; the supervisory authority is the Personal Data Protection Commission (PDPC). We rely on consent and, where the PDPA permits, "deemed consent" as the legal basis for processing.

13. Contact

Privacy questions? Email [email protected].
