Privacy Policy
Last updated: May 8, 2026
1. Introduction
Receipt Roller Inc. ("we", "us", "our") operates OmniCon ("the Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, and password when you register
- Profile Information: Company name, phone number, and other details you choose to provide
- Content: Articles, pages, media files, and other content you create or upload
- Contact Inquiries: Name, email, company, phone, and message when you submit our contact form
- Payment Information: Billing details processed securely through Stripe (we do not store credit card numbers)
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, and interactions with the Service
- Device Information: Browser type, operating system, and device identifiers
- IP Address: Used for analytics, security, and approximate geolocation
- Cookies: We use cookies and similar technologies to maintain sessions and improve the Service
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process your transactions and manage your account
- Respond to your inquiries and provide customer support
- Send service-related notifications and updates
- Monitor and analyze usage patterns and trends
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations
4. Sharing of Information
We do not sell your personal information. We may share your information with:
- Service Providers: Third-party vendors who assist in operating the Service (e.g., hosting, email delivery, payment processing)
- Legal Requirements: When required by law, regulation, or legal process
- Business Transfers: In connection with a merger, acquisition, or sale of assets
5. Third-Party Services
The Service integrates with third-party services including:
- Microsoft Azure: Cloud hosting and data storage
- Stripe: Payment processing
- SendGrid: Email delivery
- Google Analytics: Usage analytics
- Google reCAPTCHA: Bot protection
- Shopify: Storefront integration via the Omnicon Shopify App (see Section 6)
Each third-party service has its own privacy policy governing the use of your information.
6. Shopify Integration Data
If you install the Omnicon Shopify App from the Shopify App Store, we collect and store a small set of shop-level data needed to operate the integration. We do not collect, store, or process data about your end customers (your shop's buyers).
6.1 Data we store about your shop
- Shop domain (e.g. your-shop.myshopify.com) — identifies the installed shop.
- Shop owner email and shop name — used once on install to find or create your linked Omnicon account; not used for marketing.
- Encrypted Shopify offline access token — required to call the Shopify Admin API on your behalf. Sealed with a per-deployment Data Protection key and never stored in plaintext.
- Granted OAuth scopes — currently read_products,read_content,write_content.
- Channel-to-blog mappings — which Omnicon Channels publish to which Shopify blogs.
- Article sync records — for each Omnicon article published to your shop: the Shopify article id, last push timestamp, and current sync status (Synced / Drift / Error). We do not duplicate the article body in this record.
- Subscription state — Shopify subscription id, plan, price, interval, status, and timestamps for the recurring app charge.
- Scheduled publish intents — for any future-dated publish you queue: article id, channel id, target time, attempt count, and any error from a failed run.
6.2 Data we explicitly do NOT store
- Customer names, emails, addresses, order history, or any other end-customer data from your shop.
- Payment instruments — Shopify processes app charges directly; we never see card data.
- Product or collection details beyond what's loaded on demand to assist AI generation (and only for the duration of the request).
6.3 GDPR compliance webhooks
We implement the three Shopify-mandated GDPR webhooks:
- customers/data_request — we acknowledge the request and confirm that no customer-level data is held by Omnicon.
- customers/redact — same response; nothing to delete because we hold no customer data.
- shop/redact — typically fires 48 hours after you uninstall. On receipt we permanently delete the shop row and all associated channel mappings, article sync records, subscription history, and scheduled publish records.
6.4 Behavior on uninstall
When you uninstall the Omnicon Shopify App, we receive an app/uninstalled webhook from Shopify. We immediately mark your shop as inactive, wipe the stored access token, and cancel any active recurring charges. The remaining shop-level integration data is kept for up to 48 hours so that reinstalling the app within that window restores your configuration; after that, the shop/redact webhook deletes it permanently.
6.5 Your Omnicon account
Installing the Shopify App may create or link to an Omnicon account associated with your shop owner email. Account-level data (your Omnicon profile, channels, articles) is governed by the rest of this Privacy Policy and is not deleted automatically when you uninstall the Shopify App — it remains available the next time you sign in to omnicon.cloud directly. To delete the underlying Omnicon account, see Section 9.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. We apply the following retention schedules:
7.1 Account Data
- Unconfirmed accounts (email not verified) are deleted after 7 days
- Inactive accounts (no login for 12 months, or 6 months on the free tier) are first suspended, then deleted after an additional 90-day grace period
- Upon account deletion, personal data is removed and audit references are anonymized
7.2 Content Data
- Active content is retained for the lifetime of your account
- Archived content is retained for up to 365 days (paid plans) or 90 days (free plans), after which it may be permanently deleted
- Content in shared channels created by a deleted user is reassigned to a system account, not deleted
7.3 Analytics and Logs
- Raw page impression records are deleted after 90 days
- Aggregated hourly analytics are deleted after 1 year
- Administrative audit logs are deleted after 3 years
If retention is required by law or for legitimate business purposes (such as fraud prevention), data may be retained beyond these periods.
8. Data Security
We implement appropriate technical and organizational measures to protect your information, including encryption in transit (TLS/SSL) and at rest. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Access the personal information we hold about you
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of your personal information (GDPR "right to erasure"). Upon request, we will delete your account and associated personal data without delay.
- Restriction: Object to or restrict processing of your information
- Portability: Request a portable export of your data. We provide a downloadable ZIP archive containing your profile, content, media metadata, and organization data.
- Withdrawal: Withdraw consent where processing is based on consent
To exercise any of these rights, please contact us.
10. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected such information, we will take steps to delete it.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including Japan where our servers are located. We ensure appropriate safeguards are in place for such transfers.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.
13. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us.