GDPR & Data Processing Addendum
Last updated · May 6, 2026
OmniVAI complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP). We act as a data controller for account profile, billing, and product telemetry, and as a data processor for the content you generate, upload, and store inside the studio.
Controller and processor roles
OmniVAI plays a dual role. We are the controller for information we collect to operate the service — your profile, billing identity, authentication events, and aggregated product telemetry. We are a processor for the prompts, references, and generated assets you create inside the studio: you decide the purpose and means of that processing and we execute it on your behalf.
A signed Data Processing Addendum (DPA) is available on request. Email dpo@omnivai.ai and we will return a counter-signed DPA within 5 business days.
Lawful basis for processing
- Contract performance — running the studio, processing generations, hosting your library.
- Legitimate interest — abuse detection, fraud prevention, aggregated analytics, service security.
- Consent — marketing emails, community publishing, optional cookies.
- Legal obligation — tax records, invoices, and other statutory retention requirements.
Your rights as a data subject
Under GDPR Articles 15–22 you may exercise the following rights:
- Access a copy of the personal data we hold about you (Art. 15).
- Rectify inaccurate or incomplete data (Art. 16).
- Erase your account and associated content (Art. 17).
- Restrict or object to specific processing activities (Art. 18 / 21).
- Port your data in a structured, machine-readable format (Art. 20).
- Withdraw consent at any time without affecting prior lawful processing (Art. 7).
- Lodge a complaint with your local supervisory authority.
To exercise any right, email privacy@omnivai.ai. We respond within 30 days as required by Article 12(3).
International transfers
When personal data leaves the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs), Modules 2 (controller→processor) and 3 (processor→processor), in their June 2021 form. For US-based providers certified under the EU-US Data Privacy Framework we additionally rely on the adequacy decision.
Supplementary measures include TLS 1.2+ in transit, AES-256 encryption at rest, logical tenant isolation in the database, and least-privilege access controls reviewed quarterly.
Sub-processors
A live list of all sub-processors — infrastructure, AI model providers, and operational tooling — is published at /legal/sub-processors. We provide at least 30 days' advance notice before any material change (new sub-processor, region change, expanded data category).
Data breach notification
If a personal data breach is likely to result in risk to your rights and freedoms, we notify the competent supervisory authority within 72 hours of becoming aware of it, as required by Article 33. Where the risk is high, we also notify affected users directly without undue delay, in line with Article 34.
Data Protection Officer
Our Data Protection Officer can be reached at dpo@omnivai.ai.
Retention
Account data is retained while your account is active. Upon deletion, we keep tax and audit records for 7 years to comply with statutory obligations and purge everything else within 30 days. Library content (generated images, videos, audio, project files) is deleted on account deletion unless you export it first.
Questions about this policy? Email legal@omnivai.ai