Privacy Policy

Last updated: April 10, 2026

1. Introduction

Omesta ("we", "our", or "us") operates a revenue recovery platform for e-commerce businesses. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services at omesta.com.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and all applicable data protection laws.

2. Data We Collect

We collect the following categories of data:

  • Account information: Name, email address, and authentication data when you create an account (via email/password or Google OAuth).
  • Platform connection data: OAuth tokens for Meta Ads, Google Ads, and Stripe that you explicitly grant during onboarding. These are used to access your ad campaign data and payment information in read-only mode.
  • Conversion tracking data: When you install our tracking pixel, we collect conversion events (event name, value, timestamps). All personal identifiers (email addresses, phone numbers) are hashed with SHA-256 before storage. We never store plaintext PII from your customers.
  • Payment data: Failed payment information from Stripe (amounts, decline codes, invoice IDs). We do not store credit card numbers or full payment credentials.
  • Usage data: Analytics data about how you use Omesta, collected via our first-party tracking system subject to your consent preferences.

3. How We Use Your Data

  • Recovering failed payments through automated retry and dunning email campaigns
  • Detecting attribution gaps and wasted ad spend in your advertising campaigns
  • Providing conversion tracking and multi-touch attribution analysis
  • Generating AI-powered insights and recommendations for your business
  • Sending dunning emails to your customers on your behalf for payment recovery
  • Communicating with you about your account, service updates, and support

4. Legal Basis for Processing (GDPR Article 6)

  • Contract performance: Processing necessary to provide our revenue recovery and ad optimization services as agreed.
  • Consent: For analytics tracking and marketing communications, we obtain your explicit consent via our consent banner.
  • Legitimate interest: For fraud prevention, service improvement, and security monitoring.

5. Data Retention

We retain your account data for as long as your account is active. Conversion tracking data and recovery event logs are retained for 24 months. Hashed customer identifiers are retained for 12 months after last activity. You may request deletion of your data at any time.

6. Your Rights (GDPR Articles 15-22)

Under the GDPR, you have the following rights:

  • Access: Request a copy of all personal data we hold about you.
  • Rectification: Correct any inaccurate personal data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Portability: Receive your data in a structured, machine-readable format.
  • Restriction: Restrict processing of your personal data.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent at any time through your dashboard or our consent banner.

To exercise any of these rights, contact us at privacy@omesta.com. We will respond within 30 days as required by GDPR.

7. Cookies

We use strictly necessary cookies for authentication and session management. Our analytics and marketing cookies are only set with your explicit consent. See our Cookie Policy for full details.

8. Third-Party Services

We integrate with the following third-party services to provide our platform:

  • Supabase: Authentication and database hosting (EU data centers).
  • Stripe: Payment processing for subscriptions and payment recovery.
  • Meta (Facebook) Ads: Ad campaign data access via Conversions API (read-only).
  • Google Ads: Ad campaign data access via Google Ads API (read-only).
  • Resend: Transactional email delivery for dunning campaigns.
  • Anthropic: AI-powered insights and recommendations (no customer PII is shared).
  • Vercel: Application hosting and serverless functions.

9. Data Security

We implement industry-standard security measures including: encrypted connections (TLS/HTTPS), SHA-256 hashing of all customer PII before storage, Row-Level Security (RLS) on all database tables, secure webhook signature verification, rate limiting on all public endpoints, and timing-safe comparison for authentication secrets.

10. International Data Transfers

All primary data processing occurs in EU data centers. Where data is transferred outside the EU (e.g., to US-based service providers), we ensure appropriate safeguards are in place through Standard Contractual Clauses or equivalent mechanisms.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice on our platform. Your continued use of Omesta after changes constitutes acceptance of the updated policy.

12. Contact Us

For any questions about this Privacy Policy or to exercise your data rights, contact us at:

Email: privacy@omesta.com

© 2026 Omesta. All rights reserved.
