Privacy Policy

Welcome to Omnid ("we", "our", "us"), a product of CUPOC, INC (cupoc.io). We are committed to protecting your personal information and your right to privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile application, web application, and backend services (collectively, the "Service").

If you do not agree with the terms of this Privacy Policy, please do not access the Service. This policy is accessible at any time at omnid.io/privacy-policy.

We collect information in the following categories:

2.1 Account & Identity Information
When you register or use the Service, we may collect: name, email address, phone number, username, profile photo, and authentication credentials (including passkeys / WebAuthn data).

2.2 Profile & Content Data
Any information you voluntarily add to your Omnid profile, including notes, ideas, connections, social links, and other user-generated content.

2.3 Device & Usage Data
We automatically collect certain technical information when you access the Service: IP address, device type, operating system version, app version, browser type, pages or screens viewed, access timestamps, and crash/error data.

2.4 Payment & Billing Information
If you purchase a subscription or paid feature, billing is processed by Stripe, Inc. We do not store your full credit card number, CVV, or bank account details on our servers. We receive limited billing metadata from Stripe (e.g., last four digits, card brand, billing address, subscription status) for account management purposes.

2.5 AI Interaction Data
When you use AI-powered features (powered by Grok/xAI, Anthropic Claude, or Google Gemini), the content of your prompts and the Service's responses may be processed by those providers. We may log these interactions for safety, quality assurance, and debugging purposes, subject to our retention policies.

2.6 Communications
If you contact us for support or send us feedback, we collect the content of those communications and your contact details.

2.7 Location Data (Minds on Maps Feature)
When you use the "Minds on Maps" nearby-discovery feature in the Omnid mobile app, we collect your device's GPS coordinates (latitude and longitude), altitude, movement speed, and compass heading via the device location services. This data is transmitted in real time over an encrypted WebSocket connection to our backend servers solely for the purpose of displaying nearby Omnid users on the map and estimating proximity.

Location data is stored temporarily on our servers for a maximum of 30 minutes and is automatically and permanently deleted after that window. It is never used for advertising, profiling, or sold to third parties. Location collection only occurs while the Minds on Maps screen is active and foreground; it stops immediately when you leave the screen or revoke the location permission in your device settings.

2.8 Bluetooth & NFC (Nearby Discovery)
The Omnid mobile app uses Bluetooth Low Energy (BLE) to broadcast a short-range advertisement beacon containing your anonymized Omnid identifier. This allows other nearby Omnid users to detect your presence and estimate proximity without transmitting your beacon data to our servers — the discovery happens entirely on the device. We do not collect, store, or share your raw Bluetooth scan results.

The app also uses NFC (Near Field Communication) to let you share your Omnid profile card by tapping devices. The NFC record contains only your public Omnid identifier and display name; no sensitive or private data is included. NFC interactions are not logged or transmitted to our servers.

2.9 Push Notifications
With your permission, the Omnid mobile app may send you push notifications (powered by Expo Notifications). To deliver notifications, your device's push token is registered with our servers and with Expo's push delivery service. Push tokens are stored only as long as your account is active and are deleted when you revoke notification permission or delete your account. We do not share push tokens with third parties other than Expo for the sole purpose of message delivery. You can opt out of push notifications at any time in your device settings or within the app.

2.10 Crash & Diagnostics Data (Sentry)
Our mobile app integrates Sentry(sentry.io) for crash reporting and performance monitoring. When the app crashes or encounters an error, Sentry automatically collects: the stack trace, device model, OS version, app version, a anonymized device identifier, and the sequence of in-app events ("breadcrumbs") leading up to the error. This data is used exclusively for debugging and improving app stability. No message content, cryptographic keys, or location history is included in Sentry reports. Sentry's data processing practices are governed by their Data Processing Agreement.

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Authenticate users and maintain account security (including WebAuthn / passkeys).
• Process payments and manage subscriptions via Stripe.
• Send transactional emails (account verification, password resets, billing receipts) via Resend.
• Respond to support requests and provide customer service via Crisp.
• Monitor and improve the performance and reliability of the Service (error tracking via Sentry).
• Deliver AI-powered features using Grok (xAI), Anthropic Claude, and Google Gemini.
• Analyze usage patterns to improve the product.
• Comply with legal obligations and enforce our Terms of Service.
• Detect and prevent fraud, abuse, and security threats.

We process your personal data on the following legal bases (where applicable under GDPR): contract performance (to provide the Service you signed up for), legitimate interests (security, fraud prevention, product improvement), consent (marketing communications, where required), and legal obligation.

We do not sell your personal data. We share your information only in the following circumstances:

4.1 Subprocessors
We use the following third-party service providers ("subprocessors") to operate the Service. Each has been evaluated for data protection practices:

CUPOC, INC is headquartered in the United States. Several of our subprocessors are also based in the United States. If you are accessing the Service from outside the United States (including from the European Economic Area, United Kingdom, or Switzerland), your data may be transferred to and processed in the United States and other countries.

For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for cross-border data transfers, as incorporated in the Data Processing Agreements (DPAs) with each subprocessor listed above.

We implement industry-standard administrative, technical, and physical security measures to protect your personal information, including:

• Encryption of data in transit (TLS/HTTPS).
• Encryption of sensitive data at rest.
• Passkey / WebAuthn-based authentication to eliminate password vulnerabilities.
• Access controls and least-privilege principles for internal systems.
• Real-time error and anomaly monitoring via Sentry.
• Cloudflare DDoS protection and Web Application Firewall (WAF).

Payment card data is processed exclusively by Stripe and is never transmitted to or stored on our servers. Stripe is a PCI DSS Level 1 certified service provider.

No method of transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

We retain your personal information for as long as your account is active or as needed to provide you the Service. When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, regulatory, or fraud-prevention purposes.

Location data collected via the Minds on Maps feature is retained for a maximum of 30 minutes and is automatically and permanently purged from our servers after that period.

Billing records are retained for up to 7 years to comply with tax and accounting obligations. Error logs (including Sentry crash reports) and security logs may be retained for up to 90 days.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

8.1 For All Users

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data ("right to be forgotten").
• Portability: Request a machine-readable export of your data.

8.2 EEA / UK Users (GDPR)
In addition to the rights above, you have the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority.

8.3 California Residents (CCPA / CPRA)
California residents have the right to know what personal information is collected, the right to delete, the right to opt-out of sale (we do not sell your data), and the right to non-discrimination for exercising these rights.

8.4 Account & Data Deletion
You may request deletion of your account and all associated personal data (profile, location history, social connections, notification tokens) by emailing privacy@omnid.io with the subject line "Account Deletion Request". We will complete the deletion within 30 days and send you a confirmation. Note that location data is automatically purged after 30 minutes regardless of account status (see Section 2.7).

To exercise any other rights, contact us at privacy@omnid.io. We will respond within 30 days (or as required by applicable law).

We use essential cookies and similar tracking technologies to operate the Service (e.g., session tokens, authentication state). We do not currently use third-party advertising or tracking cookies.

You can control cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service.

Omnid includes AI-powered features that process your inputs using large language models (LLMs) provided by third-party AI providers (Grok/xAI, Anthropic Claude, and Google Gemini). When you use these features:

• Your prompts and content are sent to the relevant AI provider for processing.
• Each provider's privacy policy and data processing agreement governs how they handle that data.
• We do not use your personal data to train AI models without your explicit consent.
• AI outputs are generated automatically and may not always be accurate. Do not rely on AI responses for legal, medical, or financial advice.

The Service is not directed to anyone under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete that information promptly.

If you believe we have collected data from a child, please contact us at privacy@omnid.io.

We may update this Privacy Policy from time to time. When we do, we will update the "Effective Date" at the top of this page and, where required by law, notify you by email or in-app notification. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

For privacy-related questions, data subject requests, or concerns about this policy, please contact us:

CUPOC, INC
1013 Centre Road, Suite 403-B
Wilmington, DE 19805
United States
Phone: 302-497-7115
Email: privacy@omnid.io
Website: omnid.io