Privacy Policy

Last updated: May 1, 2026

OMRA AI (“we,” “us,” or “our”) operates the OMRA AI marketing platform (the “Service”). This policy explains what data we collect, how we use it, who we share it with, and the choices you have. It applies to the Service whether accessed at our production host (omra.marketing), staging host, or any custom domain operated by us or our customers.

1. Information we collect

1.1 Account information

When you create an OMRA AI account we collect your name, email address, profile photo, and authentication identifiers provided by our authentication partner Clerk. We never see or store your password.

1.2 Workspace and content data

When you use the Service we store the content you create or upload, including:

  • Brand profiles, logos, and assets you upload
  • Generated content (captions, scripts, images, videos, blog posts)
  • Competitor research and analysis you initiate
  • Campaign configurations and results

1.3 Connected platform data (Meta, Google, TikTok, LinkedIn, etc.)

When you connect a third-party platform such as Facebook, Instagram, Google Ads, TikTok, or LinkedIn through OMRA AI, we receive an OAuth access token and the data scopes you authorize. Specifically, when you connect a Meta (Facebook / Instagram) account we may receive:

  • Your name, profile photo, and Facebook user ID
  • The list of Pages and Instagram Business accounts you manage
  • The ability to publish posts to those Pages and Instagram accounts on your behalf
  • Engagement metrics (likes, comments, reach) for posts you create through OMRA AI

We do not access, store, or analyze your private messages, friends list, photos in your personal albums, or any data outside the Pages/Instagram Business accounts you explicitly authorize.

1.4 API keys

OMRA AI lets you bring your own API keys for AI providers (Anthropic, OpenAI, Flux, Stability AI, ElevenLabs, etc.). These keys are encrypted with AES-256-GCM at rest and decrypted only when needed to fulfill a request you initiated. We never display or share your decrypted keys.

1.5 Usage and device data

We collect standard server logs (IP address, browser, timestamps, requested URLs) for security, debugging, and rate limiting. We use first-party analytics to understand product usage in aggregate. We do not sell your data.

2. How we use your information

  • To operate the Service — generate content, run campaigns, schedule posts, and produce analytics on your behalf
  • To authenticate you and protect your account
  • To process payments through our payment processor
  • To send essential service emails (security alerts, billing receipts, trial expiration)
  • To improve the Service through aggregated, de-identified usage analysis
  • To comply with legal obligations

We do not use your content or your customers' data to train AI models. Content you generate stays in your workspace.

3. How we share your information

  • Service providers who help us operate the platform: Railway (hosting), Clerk (authentication), Postgres managed databases, BullMQ workers, and the AI providers you have configured. These providers process data only as needed to deliver their service.
  • Connected platforms when you publish content through them. For example, when you publish to Facebook, the post text and media are sent to Facebook's Graph API.
  • Legal compliance if required by law or to protect rights, safety, or property.
  • Business transfers in the event of a merger, acquisition, or asset sale (you will be notified).

We do not sell your personal information.

4. Meta (Facebook & Instagram) data — specific commitments

OMRA AI complies with Meta's Platform Terms and Developer Policies. Specifically:

  • We request only the OAuth permissions necessary to deliver features you have explicitly chosen to use
  • We retain Meta data only as long as needed to provide the Service to you
  • We delete Meta data within 30 days of account deletion or upon explicit deletion request
  • We do not transfer Meta data to data brokers or third parties for advertising purposes
  • We provide a deletion mechanism described in section 8 below

5. Data retention

We retain account and content data for as long as your account is active. When your account is deleted, we erase your data within 30 days, except for limited records we are legally required to keep (such as billing records). Encrypted backups roll off within 90 days.

6. Security

  • All connections use TLS 1.2+ encryption in transit
  • API keys and OAuth tokens are encrypted with AES-256-GCM at rest
  • Data is isolated per workspace via row-level security
  • Access to production systems is restricted, audited, and requires multi-factor authentication
  • We perform regular security reviews and dependency audits

7. Your rights

Depending on your jurisdiction, you may have rights to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data
  • Restrict or object to processing
  • Receive a portable copy of your data
  • Withdraw consent at any time

To exercise any right, email srijana@hiphype.co. We respond within 30 days.

8. Data deletion

You can delete your data in several ways:

  • In-app: Settings → Account → Delete Account permanently removes your account and all associated data within 30 days
  • Disconnecting Meta: Disconnecting Facebook/Instagram from OMRA AI immediately revokes our access and schedules deletion of all Meta-derived data within 30 days
  • From Facebook directly: Visit your Facebook Settings → Apps and Websites → remove OMRA AI. Meta will notify us via our deauthorization callback and we will delete your data within 30 days
  • Email request: Send a deletion request to srijana@hiphype.co

See our Data Deletion Instructions page for step-by-step guidance.

9. Children

The Service is not directed to children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us data, contact us and we will delete it.

10. International transfers

OMRA AI is operated from the United States and the European Union. By using the Service you consent to the transfer of your data to these regions. We rely on Standard Contractual Clauses where required.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced in-app and by email at least 14 days before taking effect. The “Last updated” date at the top reflects the most recent revision.

12. Contact

Questions about this policy? Email srijana@hiphype.co.