Legal
Privacy Policy
Effective date: 1 April 2025 · Last updated: 1 April 2025
1. Who We Are
OmniReach is operated by Omni Cyber Solutions LLC, a company registered in the United States. We provide a multi-tenant AI-driven B2B revenue growth platform that automates outbound sales outreach, account research, opportunity qualification, and meeting creation on behalf of our customers (each a "Tenant").
For questions about this policy or to exercise your privacy rights, contact our Privacy Officer at: privacy@omnicybersolutions.com
2. Key Definitions
- Tenant — a business entity that has subscribed to OmniReach and whose authorised users access the Platform.
- Tenant User — an individual employee or contractor of a Tenant who has been granted a login to the Platform.
- Prospect Data — information about third-party individuals and companies that Tenants upload to, or that the Platform researches on behalf of, a Tenant for the purpose of B2B sales outreach.
- Connected Account Data — data retrieved via OAuth integrations (e.g. Gmail, Google Calendar, Microsoft 365, LinkedIn) that a Tenant User has explicitly authorised.
- Platform Data — aggregated, de-identified, or non-personal data generated by use of the Platform, used to operate, secure, and improve the service.
3. Data We Collect
3.1 Account Registration Data
When a Tenant registers or when a Tenant User accepts an invitation, we collect: full name, work email address, company name, job title, and a hashed password.
3.2 Profile and Configuration Data
Tenant Users may provide additional profile information, product descriptions, ideal customer profiles (ICPs), sales sequences, and outreach templates stored in the Platform for use by AI agents.
3.3 Prospect Data
Tenants provide or direct the Platform to research B2B prospect information, including: company names, business contact details (professional email addresses, phone numbers, LinkedIn profiles), job titles, company size, industry, and publicly available buying-intent signals. This data relates to individuals acting in a professional/business capacity. Tenants are the data controllers for Prospect Data and are responsible for ensuring they have a lawful basis for its collection and use.
3.4 Connected Account Data (OAuth Integrations)
If you choose to connect a third-party account such as Gmail, Google Calendar, or Microsoft 365, we access only the data required to perform the specific function you have enabled:
- Gmail / Google Workspace: We access your mailbox to send outreach emails, read replies from prospects, and classify inbound responses on your behalf. We do not read, store, or process any emails unrelated to the outreach campaigns you operate through the Platform.
- Google Calendar: We read and write calendar events solely to schedule or update meetings generated by the Platform. We do not read personal calendar events unrelated to Platform activity.
- Microsoft 365 (Outlook / Exchange): Same scope as Gmail and Google Calendar above.
- LinkedIn: We access your public profile information (name, headline, and profile URL) to authenticate your identity. We do not post on your behalf or read private messages unless a Tenant explicitly enables LinkedIn outreach features.
- CRM systems (HubSpot, Salesforce, Zoho, etc.):We synchronise contact, company, and deal records as directed by the Tenant User to maintain consistency between OmniReach and the Tenant's CRM.
Google API Services User Data Policy:OmniReach's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to serve advertising, and we do not allow humans to read your Google data except as required for security purposes, to comply with law, or with your explicit permission.
3.5 Usage and Technical Data
We automatically collect: IP address, browser type and version, operating system, referring URLs, pages visited, features used, and timestamps of actions. This data is used exclusively for security monitoring, performance optimisation, and platform improvement.
3.6 AI Workflow Data
Interactions with AI agents within the Platform (including prompts, generated content, qualification scores, and workflow outcomes) are stored to provide the service, enable audit trails, and allow Tenants to review AI decisions. Anonymised patterns may be used to improve model performance, subject to Section 5 below.
4. How We Use Your Data
We use personal data for the following purposes:
- Service Delivery: Operating the Platform, executing AI workflows, sending outreach communications, scheduling meetings, and synchronising data with connected applications as instructed by the Tenant.
- Account Management: Creating and managing accounts, authenticating users, processing subscription payments, and providing customer support.
- Security and Fraud Prevention: Detecting and preventing unauthorised access, abuse, or security incidents.
- Legal Compliance: Meeting our obligations under applicable laws, including data protection, anti-spam, and telecommunications legislation.
- Platform Improvement: Using aggregated and de-identified data to improve AI model performance and product features. We will never use individually identifiable Google user data for this purpose.
- Communications: Sending service notifications, security alerts, and (with consent) product updates. We do not use your data for third-party advertising.
5. Legal Basis for Processing
Where applicable data protection law (including the GDPR and applicable US state privacy laws) requires a legal basis, we rely on:
- Contract: Processing necessary to perform our contract with the Tenant (e.g. operating the Platform and delivering the service).
- Legitimate Interests: Security monitoring, fraud prevention, and aggregated analytics, where our interests are not overridden by individual rights.
- Consent: Where you explicitly connect a third-party OAuth account or opt in to specific features. You may withdraw consent at any time.
- Legal Obligation: Compliance with applicable laws and regulatory requirements.
For B2B prospect outreach, Tenants are the data controllers and are responsible for establishing a lawful basis (typically legitimate interests for B2B contact) under applicable law. OCS acts as a data processor for Prospect Data.
6. Data Sharing and Disclosure
We do not sell your personal data. We may share data as follows:
6.1 Sub-processors and Service Providers
We engage third-party service providers to help operate the Platform. All sub-processors are contractually bound to process data only as directed by us and to implement appropriate security measures. Key categories include:
- Cloud infrastructure and hosting (database, compute, storage)
- Email delivery (SendGrid)
- SMS and voice communications (Twilio)
- AI model inference (Anthropic Claude API)
- Error monitoring and logging
- Payment processing
6.2 Between Tenants
Tenant data is strictly isolated. No Tenant can access another Tenant's data under any circumstances. Our architecture enforces tenant isolation at the database query level on every request.
6.3 Legal Requirements
We may disclose data when required by law, court order, or to protect the rights, property, or safety of OCS, our users, or the public. We will notify affected parties where legally permitted to do so.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring party subject to equivalent data protection commitments. Affected parties will be notified prior to any transfer.
7. Data Retention and Deletion
We retain data for as long as necessary to provide the service and meet our legal obligations:
- Account and Tenant Data: Retained for the duration of the subscription plus 90 days after termination to allow for data export, then permanently deleted.
- Prospect Data:Retained for the duration of the Tenant's subscription. Tenants may request deletion of specific records at any time.
- Connected Account (OAuth) Tokens: Deleted immediately upon disconnection. You can revoke access at any time via your Google Account settings at myaccount.google.com/permissions.
- Audit Logs: Retained for 12 months for security and compliance purposes.
- Backups: Database backups are retained for 30 days and then purged.
To request deletion of your account or data, email privacy@omnicybersolutions.com. We will process deletion requests within 30 days.
8. Google API Limited Use Disclosure
OmniReach's access to Gmail and Google Calendar is governed by the Google API Services User Data Policy. The following limited use commitments apply:
- We only request access to Google user data that is necessary for the features you explicitly enable within the Platform.
- We do not use Gmail or Google Calendar data to develop, improve, or train generalised AI or machine learning models.
- We do not allow any human to read your Gmail or Google Calendar data except: (a) with your express permission, (b) as necessary for security or abuse investigation, or (c) as required by applicable law.
- We do not use or transfer Google user data for advertising purposes.
- We do not sell Google user data or use it for any purpose other than providing and improving the specific feature you connected.
- You may revoke OmniReach's access to your Google account at any time via myaccount.google.com/permissions.
9. Security
We implement technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Encrypted storage of all third-party API credentials and OAuth tokens
- HMAC-signed OAuth state parameters to prevent CSRF attacks
- JWT-based authentication with short-lived access tokens
- Role-based access control with tenant isolation enforced at every database query
- Structured audit logging of all significant platform actions
- Regular security reviews and penetration testing
Despite these measures, no system is completely secure. In the event of a data breach affecting your rights, we will notify you and relevant authorities as required by applicable law, within 72 hours where mandated by the GDPR.
10. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your personal data (subject to legal retention obligations).
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw Consent: Disconnect OAuth integrations at any time within the Platform settings.
To exercise any right, contact privacy@omnicybersolutions.com. We will respond within 30 days. We may require identity verification before fulfilling requests.
If you are in the EEA or UK and believe we have not handled your data lawfully, you have the right to lodge a complaint with your local supervisory authority.
11. International Data Transfers
OCS is based in the United States. If you are accessing the Platform from outside the United States, your data may be transferred to and processed in the United States or other countries where our infrastructure providers operate. We ensure appropriate safeguards are in place for any such transfers, including standard contractual clauses approved by the European Commission where required for EU/EEA data.
13. Children's Privacy
The Platform is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will delete it promptly.
14. Anti-Spam Compliance
OmniReach includes built-in anti-spam controls to assist Tenants in complying with applicable laws including the CAN-SPAM Act (USA), GDPR (EU/EEA), CCPA (California), and CASL (Canada). Tenants are responsible for ensuring their outreach campaigns comply with all applicable laws in their jurisdiction. OCS provides suppression list management, unsubscribe handling, and quiet hours enforcement, but Tenants retain legal responsibility for the content and targeting of their campaigns.
15. US State Privacy Rights
If you are a resident of California, Virginia, Colorado, Connecticut, or another US state with applicable consumer privacy law, you may have additional rights including: the right to know what personal information we collect; the right to delete personal information; the right to opt out of the sale of personal information (we do not sell personal information); and the right to non-discrimination for exercising your rights.
Note that OmniReach is a B2B platform and personal data processed through the Platform primarily relates to individuals acting in a professional business capacity. Exemptions applicable to business-to-business communications under applicable state privacy laws may apply.
To exercise any applicable rights, contact privacy@omnicybersolutions.com.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to Tenant administrators by email and via an in-platform notice at least 14 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy. The "Last updated" date at the top of this page indicates the most recent revision.
17. Contact Us
For privacy-related enquiries, data subject requests, or complaints:
Omni Cyber Solutions LLC
Attn: Privacy Officer
Email: privacy@omnicybersolutions.com
Website: omnireach.omnicybersolution.com