Privacy Policy

Your privacy matters to us. This policy explains how OmniLayer collects, uses, and safeguards your personal information, and what rights you have over your data.

Last updated: June 12, 2025

1. Introduction

This Privacy Policy describes how OmniLayer Inc. ("OmniLayer", "we", "us", or "our"), a company registered in British Columbia, Canada under registration number BC-1187432, with its principal place of business at 1055 West Georgia Street, Suite 2400, Vancouver, BC V6E 3P3, collects, uses, discloses, and protects personal information obtained through our website at omnilayer.pro, our platform, and any related services (collectively, the "Services").

OmniLayer is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, as well as the Personal Information Protection Act (BC PIPA) of British Columbia. Where our activities touch individuals in the European Economic Area (EEA) or the United Kingdom, we also apply the principles of the General Data Protection Regulation (GDPR) and the UK GDPR respectively. Where we interact with residents of California, we comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described here, please discontinue use of our Services and contact us at [email protected] to request deletion of any data we may hold about you.

We have designated a Privacy Officer who is responsible for our compliance with applicable privacy legislation. You may reach our Privacy Officer through the contact details provided in Section 13 of this policy.

2. Data We Collect

We collect personal information only to the extent necessary to provide our Services and to fulfil the purposes described in this policy. The categories of personal information we may collect include:

2.1 Information You Provide Directly

  • Contact and identity information: your full name, job title, company name, business email address, and telephone number when you fill in our contact form, request a demo, or subscribe to our communications.
  • Account credentials: username, email address, and hashed password if you create a platform account.
  • Payment and billing information: billing address and payment card details (processed by our PCI-DSS compliant payment processor; we do not store raw card numbers).
  • Communications content: the content of messages you send us via email, our contact form, or support channels, including any attachments you choose to share.
  • Professional information: industry, company size, and technology stack details you voluntarily disclose when requesting a consultation or scoping engagement.

2.2 Information Collected Automatically

  • Log and usage data: IP address, browser type and version, operating system, referring URLs, pages visited, time and date of visits, and session duration.
  • Device information: device type, screen resolution, and language preferences.
  • Cookie and tracking data: identifiers placed by first-party and, where consented to, third-party cookies and similar technologies (see Section 6 for full details).
  • Platform analytics: feature usage patterns, API call frequency, and error logs within our platform, used to improve reliability and performance.

2.3 Information from Third Parties

  • Business partners and referrals: contact details shared by our partners when they refer a prospective client to us.
  • Publicly available sources: professional profile information from publicly accessible business directories or LinkedIn, used solely for legitimate B2B outreach purposes.

We do not intentionally collect sensitive personal information such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data. If you inadvertently share such information with us, we will delete it promptly upon becoming aware of it.

3. How We Use Your Data

We use the personal information we collect for the following purposes:

  • Providing and improving the Services: to operate, maintain, and enhance our AI data intelligence platform, process transactions, and deliver technical support.
  • Account management: to create and administer your account, verify your identity, and manage your subscription or licence.
  • Communication: to respond to your enquiries, send service-related notices (e.g. billing confirmations, security alerts), and provide onboarding guidance.
  • Marketing and business development: to send you information about OmniLayer products, case studies, webinars, and industry insights that we believe may be of interest to you, subject to your marketing preferences and applicable consent requirements.
  • Analytics and product development: to understand how our Services are used, identify trends, troubleshoot issues, and inform decisions about new features and improvements.
  • Security and fraud prevention: to detect, investigate, and prevent fraudulent transactions, unauthorised access, and other illegal activities.
  • Legal compliance: to comply with applicable laws, regulations, court orders, and lawful requests from public authorities, and to enforce our Terms of Service.
  • Contractual obligations: to perform contracts we have entered into with you or your organisation, including delivery of professional services engagements.

We do not sell your personal information, nor do we use it to make fully automated decisions that produce legal or similarly significant effects on you without human oversight.

4. Lawful Basis for Processing

Under PIPEDA and BC PIPA, we rely on your knowledge and consent as the primary basis for collecting, using, and disclosing personal information, except where the law permits or requires collection without consent (for example, to investigate a breach of an agreement, or for law enforcement purposes).

For individuals in the EEA or UK, we rely on the following lawful bases under the GDPR / UK GDPR:

  • Contract (Article 6(1)(b)): processing necessary to perform a contract with you, or to take steps at your request before entering into a contract.
  • Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate interests, including improving our Services, preventing fraud, and conducting B2B marketing, provided those interests are not overridden by your rights and freedoms.
  • Legal obligation (Article 6(1)(c)): processing necessary to comply with a legal obligation to which we are subject.
  • Consent (Article 6(1)(a)): where we have obtained your explicit consent, for example for non-essential cookies or for direct marketing to individuals (as opposed to corporate contacts).

You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. To withdraw consent, please contact us using the details in Section 13.

5. Sharing with Third Parties

We do not sell, rent, or trade your personal information. We may share it with the following categories of recipients, strictly for the purposes described in this policy:

5.1 Service Providers

We engage trusted third-party companies to perform functions on our behalf, including cloud infrastructure hosting, payment processing, customer relationship management, email delivery, analytics, and cybersecurity monitoring. These service providers are contractually bound to process personal information only on our documented instructions and to maintain appropriate security measures. They are not permitted to use your data for their own purposes.

5.2 Business Partners

Where you have engaged us through a mutual business partner or reseller, we may share relevant account and project information with that partner to the extent necessary to deliver the agreed services. Any such sharing is governed by a data processing agreement.

5.3 Professional Advisors

We may disclose personal information to our lawyers, accountants, auditors, and insurers where necessary in the course of the professional services they provide to us, subject to obligations of confidentiality.

5.4 Legal and Regulatory Authorities

We may disclose personal information where required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of OmniLayer, our clients, or the public.

5.5 Corporate Transactions

In the event of a merger, acquisition, reorganisation, sale of assets, or insolvency proceeding, personal information may be transferred to a successor entity. We will notify you via email or a prominent notice on our website before your personal information is transferred and becomes subject to a different privacy policy.

6. Cookies & Tracking Technologies

Our website uses cookies and similar technologies (such as web beacons and local storage) to distinguish you from other visitors, remember your preferences, and improve your experience. When you first visit our website, we present a cookie consent banner that allows you to accept or decline non-essential cookies.

Types of Cookies We Use

  • Strictly necessary cookies: essential for the website to function correctly, such as session management and security tokens. These cannot be disabled.
  • Functional cookies: allow the website to remember choices you make (such as your cookie consent preference) to provide enhanced, personalised features.
  • Analytics cookies: help us understand how visitors interact with our website by collecting and reporting information anonymously, enabling us to improve the site's structure and content.
  • Marketing cookies: used to track visitors across websites to display relevant and engaging advertisements. We deploy these only with your explicit consent.

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse cookies, delete existing cookies, or alert you when cookies are being sent. Note that disabling certain cookies may affect the functionality of our website. For more information about managing cookies, visit www.allaboutcookies.org.

We do not currently respond to browser "Do Not Track" signals, as there is no industry-wide standard for doing so. However, you may opt out of analytics tracking by adjusting your cookie preferences at any time.

7. Data Retention

We retain personal information only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Specifically, we apply the following retention guidelines:

  • Active client and account records: retained for the duration of the contractual relationship and for seven (7) years thereafter, in accordance with British Columbia's Limitation Act and federal tax obligations.
  • Prospective client enquiries and marketing contacts: retained for up to three (3) years from the date of last meaningful interaction, after which we will either refresh consent or delete the record.
  • Website analytics data: aggregated and anonymised after twenty-six (26) months; raw log files are retained for up to twelve (12) months for security and debugging purposes.
  • Support communications: retained for three (3) years from the date of resolution to assist with future support requests and quality assurance.
  • Cookie consent records: retained for three (3) years as evidence of consent.

When personal information is no longer required, we securely delete or anonymise it in accordance with our internal data destruction procedures. Backup copies are purged within ninety (90) days of the scheduled deletion date.

8. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal information. We are committed to honouring these rights without undue delay and at no charge, unless a request is manifestly unfounded or excessive.

8.1 Right of Access

You have the right to request confirmation of whether we process personal information about you, and if so, to receive a copy of that information together with details of how it is used.

8.2 Right to Correction (Rectification)

You have the right to request that we correct any inaccurate or incomplete personal information we hold about you. We will act on verified correction requests within thirty (30) days.

8.3 Right to Erasure (Deletion)

You have the right to request deletion of your personal information where it is no longer necessary for the purposes for which it was collected, where you withdraw consent and there is no other lawful basis for processing, or where you object to processing and there are no overriding legitimate grounds. We may retain certain information where required by law or for the establishment, exercise, or defence of legal claims.

8.4 Right to Restrict Processing

In certain circumstances, you may request that we restrict the processing of your personal information — for example, while the accuracy of the data is being verified, or while an objection is being considered.

8.5 Right to Data Portability

Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive your personal information in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible.

8.6 Right to Object

You have the right to object at any time to processing of your personal information for direct marketing purposes. You also have the right to object to processing based on our legitimate interests, on grounds relating to your particular situation. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

8.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.

8.8 Right to Lodge a Complaint

If you are located in Canada, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca, or with the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) at www.oipc.bc.ca.

If you are in the EEA, you have the right to lodge a complaint with the supervisory authority in your member state. If you are in the UK, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

We encourage you to contact us first at [email protected] so that we can try to resolve your concern directly. We will respond to all requests within thirty (30) calendar days. If your request is complex or numerous, we may extend this period by a further two months, in which case we will notify you.

9. Security

We take the security of your personal information seriously and implement a range of technical and organisational measures designed to protect it against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher, and encryption of sensitive data at rest using AES-256.
  • Role-based access controls and the principle of least privilege, ensuring that only authorised personnel can access personal information on a need-to-know basis.
  • Multi-factor authentication (MFA) required for all internal systems that store or process personal data.
  • Regular vulnerability assessments and penetration testing conducted by qualified third-party security specialists.
  • Continuous monitoring of our systems and networks for anomalous activity and potential security incidents.
  • A formal incident response plan, including procedures for notifying affected individuals and relevant authorities in the event of a reportable data breach within the timeframes required by applicable law (72 hours under GDPR; as soon as feasible under PIPEDA).
  • Employee training on data protection and security awareness conducted at least annually.

While we strive to use commercially acceptable means to protect your personal information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to continuous improvement of our security posture.

10. International Transfers

OmniLayer is headquartered in Vancouver, British Columbia, Canada. Your personal information is primarily stored and processed in Canada, which the European Commission has recognised as providing an adequate level of protection for personal data under PIPEDA.

In the course of providing our Services, we may transfer personal information to service providers or partners located in other countries, including the United States and countries within the European Economic Area. Where such transfers occur, we ensure that appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with processors located outside of adequate-protection countries.
  • Binding Corporate Rules, where applicable.
  • Adequacy decisions by the relevant supervisory authority.
  • Your explicit consent, where required and where no other transfer mechanism applies.

You may request a copy of the safeguards we have put in place for international transfers by contacting us at [email protected].

11. Children's Privacy

Our Services are designed for and directed at business professionals and organisations. They are not intended for, and we do not knowingly collect personal information from, individuals under the age of 16 (or such higher age as may be applicable in the relevant jurisdiction). If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected]. We will take prompt steps to delete such information from our records.

If we become aware that we have inadvertently collected personal information from a child under the applicable minimum age without verifiable parental consent, we will delete that information as quickly as practicable.

12. Updates to This Policy

We review and update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, and other factors. When we make material changes, we will notify you by:

  • Posting the revised policy on this page with an updated "Last updated" date at the top;
  • Sending an email notification to registered account holders where the changes are significant; and/or
  • Displaying a prominent notice on our website for a reasonable period following the change.

We encourage you to review this Privacy Policy regularly to stay informed about how we are protecting your information. Your continued use of the Services after any changes to this policy constitutes your acceptance of the revised terms, to the extent permitted by applicable law. Where consent is required for material changes, we will seek that consent before the changes take effect.

Previous versions of this Privacy Policy are available upon request by contacting our Privacy Officer.

13. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or our data protection practices, or if you wish to exercise any of your rights described in Section 8, please contact our Privacy Officer using any of the following methods:

OmniLayer Privacy Officer

Company: OmniLayer Inc.

Registration: BC-1187432

Address: 1055 West Georgia Street, Suite 2400, Vancouver, BC V6E 3P3, Canada

Email: [email protected]

Phone: +1 (604) 882-4710

Website: omnilayer.pro

We aim to acknowledge all privacy-related enquiries within five (5) business days and to resolve them within thirty (30) calendar days. For complex requests, we will keep you informed of progress throughout the process.
