Privacy Policy
Last updated: July 12, 2026
This Privacy Policy describes how OmaX AI ("OmaX", "we", "the Service") handles information when you use the application. OmaX is designed for self-hosted deployment; the organization operating your instance ("Operator") is the data controller for your deployment.
1. Information we collect
Depending on how your Operator configures OmaX, we may process:
- Account information — email address and hashed password when authentication is enabled
- Chat messages — questions and responses within your sessions
- Session context — company name, ticker, notes, and preferences you provide
- Uploaded files — Excel, PDF, Word, and image files you submit for analysis
- Parsed financial data — structured numbers and metadata extracted from uploads
- Usage metadata — timestamps, session IDs, tool calls, and error logs for operations
- Technical data — IP address, browser type, and request logs as recorded by the Operator's infrastructure
2. How we use information
We use collected information to:
- Provide financial analysis, chat, and export features
- Parse and store uploaded documents and company data you associate with your account
- Maintain chat history and session continuity
- Authenticate users and enforce access controls when enabled
- Improve reliability through logging and error diagnostics
- Comply with legal obligations as directed by the Operator
3. AI and third-party processing
OmaX sends prompts and relevant context to configured language model providers to generate responses. When you ask questions about public companies, the Service may query SEC EDGAR, market data APIs, exchange rate feeds, and optional web search providers (e.g. Tavily).
Your Operator controls which third-party services are enabled and where data is sent. Review your deployment configuration for details.
4. Data storage and retention
Data is stored in the Operator's database and file storage (typically PostgreSQL and local or cloud disk). Retention periods depend on Operator policy. Anonymous sessions may expire or be purged automatically. Authenticated users' chats, uploads, and company records persist until deleted by the user or Operator.
5. Data sharing
We do not sell your personal information. Data may be shared only:
- With service providers necessary to run the deployment (hosting, LLM APIs, data feeds)
- When required by law or valid legal process
- To protect the rights, safety, and security of users and the Operator
- With your consent
6. Security
The Operator is responsible for securing the deployment, including HTTPS, database access, API keys, and backup policies. Passwords are stored using industry-standard hashing when authentication is enabled. No system is completely secure; use strong passwords and report suspected breaches to your Operator.
7. Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing. Contact your Operator to exercise these rights. If authentication is enabled, you can manage profile and company data through the profile page where available.
8. Cookies and local storage
OmaX uses browser local storage for authentication tokens, theme preferences, and session identifiers. We do not use third-party advertising cookies.
9. Children's privacy
The Service is not directed to children under 18. We do not knowingly collect information from children.
10. International transfers
If your Operator hosts OmaX or uses providers in other countries, your data may be processed across borders. The Operator is responsible for lawful transfer mechanisms where required.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date will reflect changes. Continued use after updates constitutes acceptance where permitted by law.
12. Contact
Privacy questions should be directed to the administrator of your OmaX deployment. See also our Terms of Service and Legal Disclaimer.