Privacy Policy
Last updated: February 2026
This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with (i) our website and (ii) our business-to-business software services, including our AI chat and knowledge-base features (the “Services”).
Omago is a B2B service provider. If you use our Services as an employee, contractor, or representative of a customer organization, your organization controls the data submitted to the Services and may have its own privacy notices and policies.
Scope and Roles (Controller vs Processor)
1.1 Website visitors and business contacts
When you visit our website, contact us, request a demo, or otherwise interact with Omago directly, we generally act as the data user/controller for that personal data.
1.2 Customer content processed in the Services
When our customers use the Services to process conversations, knowledge-base content, or related data, we generally act as a data processor/service provider on our customers’ instructions, and the customer is responsible for determining what data is submitted and the purposes for which it is used.
Personal Data We Collect
We may collect the following categories of personal data:
2.1 Information you provide to us (website and business communications)
Name, email address, phone number
Company name, job title
Content of your messages to us (e.g., inquiry forms, emails)
2.2 Account and service information (when you use the Services)
Account identifiers (e.g., name, email)
Workspace settings and configurations
Authentication and security-related logs necessary to operate the Services
2.3 Customer-submitted content (processed within the Services)
Our customers (and their end users) may submit content into the Services, which may include personal data depending on what they choose to upload or input, such as:
Chat messages and conversation content
Knowledge-base content and files uploaded by the customer
Customer configurations (e.g., prompt instructions, routing rules)
Important: We do not monitor, filter, or redact personal data from customer inputs before processing (see Section 5).
2.4 Device and usage data (limited)
When you access our website or Services, we may collect limited technical data such as:
Basic device and browser information
Approximate location derived from IP address (e.g., country/region-level)
Logs necessary for security and service reliability
How We Use Personal Data
We use personal data for the following purposes:
3.1 To provide and operate the Services
Create and administer accounts and workspaces
Authenticate users and maintain sessions
Provide core product functionality, including AI responses and knowledge-base retrieval
Maintain reliability, performance, and security
3.2 To communicate with you
Respond to inquiries and support requests
Send service-related notices (e.g., security, billing, updates)
3.3 To improve the Services (aggregated/de-identified analytics)
We may use aggregated and/or de-identified data (i.e., data that does not identify individuals) for:
Analytics and reporting
Quality assurance
Product improvement and development
We do not use customer content to train our own proprietary AI model (see Section 6).
3.4 To comply with legal obligations
Meet applicable legal and regulatory requirements
Prevent, detect, and investigate fraud, abuse, and security incidents
Cookies and Similar Technologies
We aim to keep our website and Services clean and minimal.
4.1 Essential cookies
We use essential cookies (or similar technologies) that are necessary to:
Maintain login sessions
Provide core functionality
Support security and fraud prevention
4.2 Optional analytics (if introduced)
If we introduce optional analytics cookies or similar tracking tools in the future, we will provide notice and, where required by law, offer choices through a cookie banner or settings.
Customer Responsibility and Sensitive Data
5.1 No PII filtering
We do not perform automated PII filtering, redaction, or masking on customer inputs before processing.
5.2 Strong discouragement of sensitive personal data
Customers and users should not submit sensitive personal data into the Services unless it is strictly necessary and they have a lawful basis to do so. Sensitive personal data may include, for example:
Health or medical information
Biometric identifiers
Financial account or payment card information
Government identification numbers
Information about minors
The Services are not designed for specialized handling of sensitive personal data beyond our standard security measures.
AI Processing and Third-Party Model Providers
6.1 Data sent to AI providers
To generate AI outputs, customer inputs may be transmitted to:
OpenRouter, and
the model provider selected by the customer through OpenRouter
Based on our current implementation, this may include:
user messages
knowledge-base content and uploaded files
We do not intentionally send device metadata (such as IP address or user-agent) as part of the AI request payload. However, third-party providers may receive network-level information as part of standard internet communications.
6.2 Zero Data Retention (ZDR) — Default ON
We configure Zero Data Retention (ZDR) as default ON where supported to help reduce retention and training risks.
6.3 Third-party policies and limitations
Even with ZDR enabled, whether data is stored or used by a third-party provider may depend on the selected provider’s policies and technical behavior. We do not control third-party model providers’:
availability, uptime, or performance
internal retention practices
policy changes
Customers are responsible for selecting providers/models that meet their compliance needs.
Sharing and Disclosure of Personal Data
We do not sell personal data.
We may share personal data with:
Infrastructure and hosting providers used to operate the Services (e.g., cloud storage, databases, security services)
AI service providers as described in Section 6
Professional advisors (e.g., legal, accounting) where necessary
Authorities if required by law or to protect rights, safety, and security
We require vendors to protect data through appropriate contractual and security obligations.
International Data Transfers
We use third-party cloud and infrastructure providers (such as Supabase and Cloudflare) to deliver the Services. As a result, data may be stored or processed outside Hong Kong, depending on service architecture and provider operations.
Data Retention
We retain personal data only as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements.
For customer content within the Services, our current retention and deletion approach follows our product process, including:
soft deletion, and
deletion timelines consistent with our service operation and backups
Customer workspace deletion: If a customer cancels or deletes a workspace, deletion follows the configured process and may take time to fully remove from backups and logs.
(Your customer contract/Terms may describe retention timelines in more detail.)
Security
We implement reasonable technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.
No method of transmission or storage is completely secure. You acknowledge that security risks may still occur despite reasonable safeguards.
Your Rights and Requests
Depending on your relationship with Omago and applicable laws, you may request:
access to personal data we hold about you
correction of inaccurate data
deletion of personal data (where applicable)
withdrawal of consent (where processing is based on consent)
To make a request, email privacy@omago.ai. We may need to verify your identity and authority.
If your request relates to data processed on behalf of one of our customers (e.g., end-user conversations), we may direct you to contact the relevant customer organization, as they control that data.
Children
Our Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will provide reasonable notice via email and/or in-app notifications. We will update the “Effective Date” at the top of this page.
Contact Us
If you have any questions or requests regarding this Privacy Policy, please contact:
Email: privacy@omago.ai
Omago.ai is operated by MAKING MEDIA LIMITED.

