1. INTRODUCTION
Omnivast is a software-as-a-service platform operated by Windy Oak Ventures LLC, a Pennsylvania limited liability company ("we," "us," or "our"). Omnivast provides customer relationship management, AI-assisted call preparation, contact intelligence, email synchronization, and related tools designed for manufacturers' representative agencies and independent sales professionals.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have with respect to your information. By creating an account or using the Omnivast platform, you agree to the practices described in this policy.
If you have questions about this policy, contact us at info at windyoakllc.com.
2. WHO THIS POLICY COVERS
This policy applies to:
- Account administrators (agency owners and managers) who purchase and manage an Omnivast subscription
- Individual users (field representatives) whose accounts are provisioned under a subscription
- Visitors to omnivast.app who have not yet created an account
All users of the Omnivast platform are business professionals. Omnivast is not directed at consumers or individuals under the age of 18. We do not knowingly collect personal information from minors.
3. INFORMATION WE COLLECT
3.1 Information You Provide Directly
When you create an account or use Omnivast, you may provide:
- Your name, email address, and password
- Your agency or company name and business address
- Contact and company records you enter into the CRM (names, phone numbers, email addresses, notes, and business information about your customers and principals)
- Call reports, activity logs, voice notes, and free-form text you enter
- Files and documents you upload to the platform
- Billing and payment information (processed by our payment processor — we do not store full payment card details)
3.2 Information Collected Automatically
When you use Omnivast, we automatically collect:
- Log data including your IP address, browser type, operating system, pages visited, and access timestamps
- Session data and authentication tokens
- Usage patterns and feature interaction data used to improve the platform
- Error logs and diagnostic information
- AI service usage logs, including the estimated cost of each AI feature call on a per-account basis, used for platform cost monitoring and credit calculation. Raw cost figures are not displayed to users — credits are the unit shown within the platform.
3.3 Information From Google OAuth (When Enabled)
Omnivast offers optional integration with Google services via OAuth 2.0. If you choose to connect your Google account, we may access:
- Your Google account email address and display name (used to identify your account)
- Gmail message data — specifically, emails you choose to sync or associate with CRM contacts and activities, as described in Section 3.4 below
- Google Calendar data, if you authorize calendar integration
Important disclosures regarding Google OAuth data:
- We access Google account data only to provide the specific features you have authorized.
- We do not sell, rent, or share your Google account data with third parties for advertising or marketing purposes.
- We do not use Gmail message content to serve advertisements.
- We do not use Gmail message content for any purpose other than providing the email synchronization and CRM activity logging features you have requested.
- You may revoke Omnivast's access to your Google account at any time through your Google Account settings at myaccount.google.com, or by disconnecting the account from Settings > My Connections within the platform.
- Revoking Google access does not delete your Omnivast account or CRM data.
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3.4 Gmail Integration — Email Synchronization (When Enabled)
If you choose to connect your Gmail account to Omnivast, the following applies:
Scopes Requested:
- gmail.readonly — to read your inbox and identify emails with known CRM contacts, and to surface emails from unknown senders for your review
- gmail.send — to send emails on your behalf from the Omnivast compose window
- gmail.modify — to manage read/unread message state
What Omnivast Reads:
Omnivast reads incoming and outgoing emails to identify conversations with contacts stored in your CRM account. Omnivast does not read all email — it filters for emails matching known contact records and flags emails from unknown senders for your review.
What Omnivast Stores:
Omnivast does NOT store the full body of any email. For each email matched to a CRM contact, Omnivast logs an activity record consisting of: sender, recipient, subject line, timestamp, and an AI-generated summary (see below). This activity record becomes part of your contact's history in the CRM.
For emails from unknown senders that you have not actioned, Omnivast retains the queue metadata (sender, subject line, snippet, and timestamp) for up to 90 days, after which it is automatically purged. No full email body is stored.
On-Demand Email Viewing:
When you click to read a specific email inside Omnivast, the full email body is fetched in real time directly from Gmail at that moment and displayed within the platform. This content is not stored by Omnivast — it is retrieved on demand and is not retained after you close the view.
AI-Generated Email Summaries:
When an email is synced and matched to a CRM contact, Omnivast passes the email subject line and the first 500 characters of the email body to OpenAI to generate a 1-3 sentence activity summary. This summary is stored as part of the contact's activity record. The full email body is not passed to OpenAI.
Sending Email on Your Behalf:
When you compose or reply to an email through Omnivast, that email is sent through your connected Gmail account directly via Google's servers — not through Omnivast's email infrastructure. Omnivast acts as an authorized application on your behalf. Your email provider remains Google.
OAuth Token Storage:
To maintain the email connection between sessions, Omnivast stores your Gmail OAuth access token and refresh token in encrypted form using AES-256 encryption. These tokens are used solely to authenticate Omnivast's access to your Gmail account on your behalf.
Disconnecting Your Email Account:
You may disconnect your Gmail account at any time from Settings > My Connections. Disconnecting immediately stops future email synchronization and revokes Omnivast's access token. Email activity records previously logged to your CRM (sender, recipient, subject, AI summary) remain in your contact activity history as part of your CRM record — they are not deleted upon disconnect. If you wish to remove specific activity records, you may delete them from your contact records, or request full account deletion.
3.5 AI Processing
Omnivast uses artificial intelligence to generate call preparation briefs, contact summaries, email activity summaries, and related intelligence outputs. To provide these features, contact and company information you have entered into the platform, as well as limited email content as described in Section 3.4, may be processed by our AI service providers. See Section 5 for details.
AI-generated content is produced algorithmically from information you have provided and publicly available sources. It is provided for informational purposes only. We make no representations or warranties regarding the accuracy, completeness, or fitness for any particular purpose of AI-generated outputs. You are solely responsible for verifying AI-generated information before relying on it in any business context.
4. HOW WE USE YOUR INFORMATION
We use the information we collect to:
- Create and maintain your account and provide access to the Omnivast platform
- Generate AI-assisted call briefs, contact intelligence, email summaries, and other platform features you request
- Process your subscription payments and manage billing
- Calculate and display AI credit usage based on your plan and actual AI service costs (credits are displayed to users; raw cost figures are used internally)
- Send transactional emails including account verification, password resets, and service notifications
- Provide customer support and respond to your inquiries
- Monitor platform performance, diagnose technical problems, and improve reliability, including monitoring aggregate AI service costs across all accounts for anomaly detection and system integrity
- Enforce our Terms of Service and protect the security and integrity of the platform
- Comply with applicable laws and legal obligations
We do not sell your personal information. We do not use your CRM data, contact records, or email content for advertising purposes. We do not use your data to build profiles for sale to third parties.
5. THIRD-PARTY SERVICE PROVIDERS
We share information with third-party service providers only as necessary to operate the platform. These providers are contractually obligated to use your information only to provide services to us and are prohibited from using it for their own purposes. Current providers include:
- OpenAI — AI language model processing for call brief generation, contact intelligence, and email activity summary generation. Contact and company data you have entered, and limited email content (subject line and first 500 characters of email body for summary generation only), may be transmitted to OpenAI to generate AI outputs.
- Google LLC — Gmail API access for email synchronization, sending, and message state management (when Gmail integration is enabled). Also used for address geocoding and location data for territory mapping features via Google Maps / Google Places.
- Resend — Transactional email delivery (account verification, password resets, system notifications). Your email address is shared with Resend solely to deliver emails you have requested.
- Twilio — SMS delivery for system notifications. Your phone number, if provided, may be shared with Twilio to deliver SMS messages.
- Tavily — Web search service used to gather publicly available business information as part of the AI intelligence pipeline. Contact and company names may be included in search queries.
- DigitalOcean and Hetzner — Cloud infrastructure providers on whose servers the Omnivast platform and database are hosted. These providers do not have independent access to your data.
We do not currently share your information with any advertising networks, data brokers, or analytics platforms that use your data for purposes beyond operating our platform.
6. MULTI-TENANT DATA ISOLATION
Omnivast is a multi-tenant platform. This means multiple organizations (tenants) use the same underlying infrastructure. We implement technical controls to ensure that each tenant's data is logically isolated from all other tenants. Users affiliated with one organization cannot access data belonging to another organization through the platform.
Within an organization, account administrators have access to all data entered by users under their subscription, including contact records, activity logs, and usage information. Individual users have access to organization-wide CRM data as configured by their administrator.
7. ADMINISTRATIVE ACCESS BY WINDY OAK VENTURES LLC
Personnel at Windy Oak Ventures LLC who operate and maintain the Omnivast platform may access your account data in limited circumstances, including:
- To investigate and resolve technical problems, bugs, or service outages you have reported or that affect platform reliability
- To provide customer support at your request
- To perform routine platform maintenance, security monitoring, and infrastructure operations
- To monitor aggregate AI service usage and costs across the platform for system integrity and anomaly detection. This monitoring is conducted at the aggregate level — we review system-wide cost totals and usage patterns, not individual account content.
- To investigate suspected violations of our Terms of Service
- To comply with applicable law or respond to valid legal process
We limit administrative access to what is necessary to perform these functions. We do not access your CRM data, contact records, email content, or AI-generated content for any commercial purpose.
8. DATA RETENTION
We retain your account data for as long as your subscription is active. If you cancel your subscription, we will retain your data for a period of 30 days following cancellation to allow for account reactivation or data export. After that 30-day period, your data may be permanently deleted from our systems.
For Gmail integration specifically:
- Email activity records (sender, recipient, subject, AI summary) logged to your CRM are retained as part of your account data and are subject to the same 30-day post-cancellation retention period described above.
- Queue metadata for ignored/unactioned emails from unknown senders is retained for 90 days and then automatically purged, regardless of account status.
- Full email body content is never stored by Omnivast and therefore has no retention period.
Backup copies of data may persist in encrypted backup storage for up to 90 days following deletion from primary systems.
We may retain certain information for longer periods where required by law or where necessary to resolve disputes or enforce our agreements.
9. DATA SECURITY
We implement industry-standard security measures to protect your information, including:
- Encrypted storage of sensitive credentials, API keys, and OAuth tokens (AES-256 encryption)
- HTTPS encryption for all data transmitted between your browser and our servers
- Authentication tokens with limited validity periods
- Restricted administrative access to production systems
No method of electronic transmission or storage is 100% secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
10. YOUR RIGHTS AND CHOICES
You have the following rights with respect to your personal information:
- Access — You may request a summary of the personal information we hold about you.
- Correction — You may correct inaccurate account information directly within the platform or by contacting us.
- Deletion — You may request deletion of your account and associated personal information. Note that CRM data you have entered about third parties (your customers and contacts) is owned by your organization and subject to your organization's data handling practices.
- Data portability — You may request an export of your account data in a standard format.
- Google OAuth revocation — You may revoke Omnivast's access to your Google account at any time through Google Account settings at myaccount.google.com, or through Settings > My Connections within the platform.
- Gmail disconnect — You may disconnect your Gmail integration at any time from Settings > My Connections. This stops future email synchronization immediately but does not delete previously logged activity records.
To exercise any of these rights, contact us at info at windyoakllc.com. We will respond to verifiable requests within a reasonable time.
11. CALIFORNIA PRIVACY RIGHTS (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information. Because Omnivast serves business-to-business customers, much of the information we process relates to individuals in their professional capacity, which may be exempt from certain CCPA provisions. However, we extend the following rights to all California users:
- The right to know what personal information we collect, use, and disclose
- The right to request deletion of your personal information
- The right not to be discriminated against for exercising your privacy rights
We do not sell personal information as defined under the CCPA. We do not share personal information with third parties for cross-context behavioral advertising.
12. INTERNATIONAL USERS
Omnivast is operated from the United States. If you access the platform from outside the United States, your information will be transferred to and processed in the United States, where privacy laws may differ from those in your jurisdiction. By using Omnivast, you consent to this transfer and processing.
If you are located in the European Economic Area (EEA) or United Kingdom, additional rights under the General Data Protection Regulation (GDPR) may apply to you. We are a small business operator and do not currently have a formal GDPR compliance program. If you have GDPR-related inquiries, contact us and we will address them in good faith. We recommend that users located in the EEA or United Kingdom contact us before using the platform to discuss applicable requirements.
13. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice within the platform at least 14 days before the changes take effect. Your continued use of Omnivast after the effective date of any update constitutes acceptance of the revised policy.
The current version of this policy is always available at omnivast.app/privacy.
14. CONTACT US
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
Windy Oak Ventures LLC
Email: info at windyoakllc.com
Website: omnivast.app