Last updated: October 1, 2025.
Short, clear, and built with respect. If anything here feels unclear, please tell us and we’ll improve it.


1) Who we are (Data Controller)

OmniaSec AI (“Omnia”, “we”, “us”) is a small team from the University of Málaga (Spain) building an AI-powered cybersecurity platform and community.
Controller: Synthwise S.L. (trading as ‘OmniaSec AI’), Málaga (Spain)
Contact: info@omniasec.ai

We operate under EU and Spanish data protection law (GDPR and the Spanish LOPDGDD).


2) What we collect (the minimum we can)

  • Account data: your email. If you sign in with Google, GitHub, Facebook, etc., we receive basic profile info from that provider (e.g., email, name/ID) to create your account.
  • Conversations & files you choose to upload: your chats with Omnia and any files you send to analyze.
  • Community content (optional): prompts, workflows, knowledge bases/RAGs, agents, and similar items you choose to publish. Publishing makes them visible to others under the settings you pick.
  • Usage & security logs: IP address, device/browser info, timestamps, and actions needed to keep the service reliable, prevent abuse, and improve security.
  • Connectors (“MCPs”) you use (optional): when you invoke external tools (e.g., VirusTotal or others), the query and necessary context are sent to that external provider so it can work.

We do not collect more than we need. No covert tracking. No selling of personal data.


  • Provide the service (create your account, run chats, save history if you want, process files, run MCP tools you invoke).
    Legal basis: Contract (Art. 6(1)(b) GDPR).
  • Community features (publish and share what you choose to share).
    Legal basis: Contract; Consent for the visibility choices you make.
  • Security & abuse prevention (detect misuse, keep the platform safe).
    Legal basis: Legitimate interests (Art. 6(1)(f)).
  • Improve Omnia (basic analytics, quality, reliability).
    Legal basis: Legitimate interests; where cookies are non-essential, Consent.
  • Legal compliance (handle requests from authorities or enforce our terms).
    Legal basis: Legal obligation (Art. 6(1)(c)).

We don’t use your personal data for automated decisions producing legal or similarly significant effects.


4) Your choices & controls

  • Chat history: saved per user for your convenience. You can delete any conversation (or all) at any time in the app. Deleted items are removed from active systems and then from backups on a rolling schedule.
  • Community publishing: private by default. If you publish, you control visibility (e.g., public, link-only, team). You can unpublish later (others may still have copies if they already forked or downloaded).
  • Connectors/MCPs: you decide what to send and when. If you don’t invoke a connector, we don’t send it data. Each external provider processes your data under its own privacy terms.
  • Cookies: we use only essential cookies by default (e.g., session, CSRF). Any non-essential cookies (e.g., optional analytics) run only with your consent.

5) How long we keep data (retention)

  • Account: kept until you delete your account.
  • Chats & files: kept until you delete them (or your account).
  • Security/usage logs: typically 12 months (up to 24 months for serious security incidents).
  • Backups: time-limited and encrypted; items are purged on a rolling cycle.

We keep data only as long as needed for the purposes above or to meet legal requirements.


6) Who sees your data

  • Our small team (under confidentiality) to run and improve the service.
  • Processors (trusted vendors for hosting, storage, email, error logging, optional analytics) under GDPR-compliant contracts (Art. 28).
  • Connectors/MCPs you choose to use (e.g., VirusTotal). We only send what’s needed to fulfill your request.
  • Legal/dispute situations where we must disclose data to comply with the law or defend our rights.

We don’t sell your personal data. Ever.


7) International transfers

We aim to host in the EU/EEA where feasible. Some processors or connectors may operate outside the EEA. When transfers occur, we use EU Standard Contractual Clauses and additional safeguards where required.


8) Your rights (EU & Spain)

You can access, rectify, erase, or port your data; restrict or object to processing; and withdraw consent at any time (where processing is based on consent).
How: contact us at info@omniasec.ai or use in-product controls (e.g., delete chat, unpublish, delete account).

If you believe your rights were not respected, you can lodge a complaint with the Spanish Data Protection Authority (AEPD).


9) Kids

Omnia is for users 14+ (Spanish law sets 14 as the age of digital consent). We don’t knowingly collect personal data from children under 14.


10) Security (what we do, honestly)

We use industry-standard measures: encryption in transit and at rest, access controls, least-privilege, monitoring, and regular reviews. No system is perfect, but security is our craft and priority. If we ever suffer a breach affecting you, we’ll notify you as required by law.


11) Third-party connectors (MCPs) — important note

When you invoke a connector, relevant data (e.g., file hash, URL, snippet, IoCs) is sent to that provider so it can respond. That provider becomes an independent controller or processor under its own terms. Please review their privacy policies, especially if you handle sensitive or regulated data. If in doubt, don’t send it.


12) Changes to this policy

If we make material changes, we’ll let you know (for example, in-app or by email). We’ll post the updated policy here with a new “Last updated” date.


13) Contact

Questions, requests, or feedback (especially if something here isn’t crystal clear):
Email: info@omniasec.ai


Plain-English summary (not a substitute for the full policy)

  • We only ask for your email to register.
  • Your chat history is yours: keep it, copy it, or delete it.
  • Publishing to the community is opt-in.
  • Connectors only see data when you send it.
  • No selling of personal data.
  • You have full GDPR rights. We’re in Spain and play by the rules.