Privacy Policy
Last updated:
OmniStudy ("we", "us", "our") provides an AI study platform at https://www.omnistudyai.com. This policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have over it. It applies to visitors and registered users worldwide, and is written to comply with the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA), India’s Digital Personal Data Protection Act (DPDP), and Brazil’s Lei Geral de Proteção de Dados (LGPD).
1. Who we are
OmniStudy is the data controller for the personal data described in this policy. We are an early-stage indie operator (no formal company entity yet); inquiries, requests, and complaints can be sent to the contact email at the bottom of this page and we will respond within 30 days.
If you are based in the EU or UK and prefer to lodge a complaint with a supervisory authority, you may do so with the data protection authority of your country of habitual residence. A directory is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
2. Data we collect
We collect only what we need to run the service and improve it. Categories:
Account data
- Your name, email address, and profile preferences (theme, language, study goals).
- Authentication identifiers from Firebase Authentication (UID, sign-in provider).
Content data
- PDFs, notes, images, and prompts you upload or paste.
- AI-generated study materials linked to your account (notes, flashcards, quizzes, mind maps, podcasts, live-class transcripts).
Usage data (analytics)
- Page views, traffic sources, and feature usage measured by PostHog. This includes session replay — a reconstruction of your clicks, scrolling, and the pages you view — used to find and fix usability problems. Everything you type into form fields is masked before it leaves your browser, so passwords and the text of your prompts and notes are never recorded; other content shown on screen as you navigate may be captured. In the EU, UK, and EEA analytics and replay run only after you opt in; elsewhere they run by default and you can opt out anytime.
- Aggregate generation counts, subscription tier, and limit-hit events used to size capacity and triage bugs.
Device data
- Browser, operating system, language, screen size, IP address (truncated for analytics, full in security logs).
Payment metadata
- Subscription tier, transaction identifiers, and billing status received back from our payment processor.
- We never see, store, or transmit your raw card or bank details — those go directly to Dodo Payments.
3. How we use your data
Each use below is tied to a GDPR legal basis. Where consent is the basis you can withdraw it at any time and we will stop the processing.
To deliver the service you signed up for (legal basis: contract)
- Authenticate you and protect your account.
- Generate, store, and serve your study materials.
- Bill you and provide receipts.
To improve OmniStudy and prevent abuse (legal basis: legitimate interests)
- Diagnose bugs from server logs and crash reports.
- Detect and block bots, scraping, and quota abuse.
- Measure aggregate feature usage so we know what to build.
To send you updates (legal basis: consent)
- Optional newsletter (one studied post per week). Every email has an unsubscribe link; we never email anyone who did not explicitly opt in via the footer form or signed-in toggle.
To run product analytics and session replay (legal basis: consent, or legitimate interests outside the EU/UK/EEA)
- We use PostHog to measure feature usage and to record session replays (clicks, scrolling, and the pages you view, with form inputs masked) so we can find and fix usability problems.
- For visitors in the EU, UK, and EEA this fires only after you opt in to the analytics category in our cookie banner — it defaults to off and sets no cookie until you opt in. For visitors elsewhere it runs by default under a legitimate-interests / notice basis, and you can opt out anytime from the cookie banner or the "Cookie preferences" link in the footer.
5. Sub-processors
We use the following third-party services to run OmniStudy. Each is contractually bound to handle your data only on our instructions.
Infrastructure & storage
- Google Firebase (Authentication, Firestore, Cloud Storage) — hosting, account data, content storage. US/EU regions.
- Google Cloud Run — backend API hosting. US/EU regions.
- Vercel — CDN and edge hosting for the marketing site. Global.
AI processing
- Google AI (Gemini API) — generates notes, flashcards, quizzes, mind maps, podcasts, and live-class content from your prompts. US.
Payments
- Dodo Payments — processes subscription payments. PCI-DSS compliant. We never see your raw card data.
Analytics & content
- PostHog — product analytics, session replay, and feature flags (consent-based: opt-in in the EU/UK/EEA, on-by-default with opt-out elsewhere). US-hosted.
- Notion — content management for the blog (only blog post content; no end-user data).
6. International data transfers
Several sub-processors above are based in the United States. When personal data is transferred outside the EU/UK/EEA we rely on safeguards approved by the European Commission and the UK ICO — primarily the Standard Contractual Clauses (SCCs) and, where the receiving entity is certified, the EU-US Data Privacy Framework.
If you would like a copy of the SCCs we rely on for a specific transfer, email us at the contact address below and we will share the relevant Article 28 documentation.
7. Data retention
How long we keep each category
- Account data: as long as your account is active. After you delete your account, removed from production within 30 days and from backups within 90 days.
- Content data (PDFs, notes, generations): until you delete them individually or delete your account.
- Analytics events and session replay recordings: 12 months, then aggregated or deleted.
- Server and security logs: 90 days.
- Payment records: retained as required by tax and accounting law (typically 7 years).
- Newsletter signups: until you unsubscribe.
8. Your rights
Regardless of where you live, you can email us to delete your account or download a copy of your data. The rights below depend on the law that applies to you.
EU / UK / EEA (GDPR and UK GDPR)
- Access — request a copy of your personal data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion ("right to be forgotten").
- Restriction — pause processing while a dispute is resolved.
- Portability — receive a machine-readable export.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — for any processing that relies on consent.
- Lodge a complaint with your local supervisory authority.
California (CCPA / CPRA)
- Right to know what personal information we collect and how we use it.
- Right to delete the personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of your personal information — we do not sell or share for cross-context behavioural advertising.
- Right to limit use of sensitive personal information — we do not use SPI for any purpose other than running the service.
- Right to non-discrimination for exercising any of the rights above.
India (DPDP Act)
- Access your personal data.
- Correct or update inaccurate data.
- Withdraw consent (may limit platform functionality).
- Grievance redressal: write to the contact email below and we will respond within 30 days.
Brazil (LGPD)
- Brazilian users have the same access, correction, deletion, portability, and objection rights as EU users above.
To exercise any right, email us with enough detail for us to verify your identity (the account email plus the request). We will reply within 30 days and may need to extend by another 60 days for complex requests, as the laws allow.
9. Children’s privacy
OmniStudy is available to users aged 13 and older. If you are between 13 and 15 and live in the European Union, your parent or legal guardian must consent to your use of the service on your behalf — we will ask for confirmation at signup. We do not knowingly collect data from anyone under 13. If you believe a child under 13 has signed up, please email us and we will delete the account.
10. AI processing
- Your prompts and uploads are sent to Google’s Gemini API to generate the requested output. Google processes them on our behalf under its API terms and does not use them to train its consumer models.
- We do not sell your personal data and we do not use your private prompts to train any model without your explicit opt-in.
- Aggregate, anonymised usage signals (e.g. how often the quiz tool is used) inform product decisions.
11. Marketing communications
You will only receive marketing emails from us if you opted in — via the newsletter form in the footer or the in-app "Subscribe with [your email]" button when signed in. Every email includes a one-click unsubscribe link.
We do not buy email lists and we never share your email with other companies for their marketing.
12. Security
- All traffic to OmniStudy is encrypted in transit with TLS 1.2 or higher.
- Account data and generations sit in Firestore with row-level Firebase Security Rules — you can only read and write your own documents (admins are a small allowlist).
- Authentication tokens are short-lived and signed by Google Firebase.
- We follow the principle of least privilege for all engineering access.
No internet service can be completely secure. If we ever discover a personal data breach that puts your rights at risk we will notify you and, where required, the relevant supervisory authority within 72 hours.
13. Changes to this policy
We update this policy when our practices change or the law requires it. The "Last updated" date at the top reflects the most recent change. For material changes — anything that affects how we collect or use your personal data — we will surface a notice in the app and, where required, ask you to re-consent.
14. Contact
Privacy questions, data subject requests, and grievances: suvedita7@gmail.com.
If you are not satisfied with our response, EU and UK residents can lodge a complaint with their local data protection authority. California residents can contact the California Privacy Protection Agency. Indian residents can write to the Data Protection Board of India.