Zero Ops Oy · Y-tunnus 3606514-8
Privacy Policy
Effective date: 15 June 2026
1. Data Controller
The data controller for personal data processed in connection with OmniVocal is:
Zero Ops Oy (Zero Ops Ltd)
Business ID (Y-tunnus): 3606514-8
Incorporated in Finland
Privacy enquiries: [email protected]
A Data Protection Officer is not mandatorily required at our current scale of processing under GDPR Art. 37. Direct all privacy enquiries to the contact above.
2. Data We Collect
2.1 Data You Provide Directly
- Account registration data: your email address, name, and password (stored as a salted hash via Supabase Auth).
- Profile data: optional display name, avatar URL, and organisation name.
- Content: articles, changelogs, release notes, or other text you create or paste into OmniVocal for publishing.
- Connected platform credentials: OAuth tokens or API keys you provide to connect third-party publishing platforms (e.g., GitHub, dev.to, Hashnode). These are stored encrypted and are never exposed in the UI after entry.
- Support communications: messages you send to us via email or in-app support.
2.2 Data Collected Automatically
- Usage data: IP address (truncated after 24 hours for analytics), HTTP request method and path, response status, request duration, User-Agent string, and referring URL.
- API usage metadata: API key identifier (never the key itself), endpoint called, and timestamp — used for rate limiting and billing.
- Authentication tokens: short-lived JSON Web Tokens (JWTs) issued by Supabase Auth for authenticated sessions, stored in memory or a secure HttpOnly cookie. We do not store authentication tokens in browser localStorage.
2.3 Data from Third Parties
- OAuth identity providers (GitHub, Google): if you sign in via GitHub or Google, we receive your name, email address, and provider user ID from the OAuth exchange. We do not receive your password.
- Paddle (billing): Paddle acts as Merchant of Record for paid subscriptions. Paddle shares with us your customer ID, subscription status, plan identifier, and billing country. We do not receive or store full payment card data.
3. How We Use Your Data
We process personal data only for the purposes listed below. For each purpose we identify the applicable lawful basis under GDPR Art. 6.
| Purpose | Data categories | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Providing and operating OmniVocal | Account data, content, API usage metadata, authentication tokens | Art. 6(1)(b) — Performance of a contract |
| Managing your subscription, processing payments, and issuing invoices | Account data, Paddle customer ID, billing country | Art. 6(1)(b) — Performance of a contract; Art. 6(1)(c) — Legal obligation (Finnish Accounting Act) |
| Security monitoring, fraud detection, rate limiting, and abuse prevention | Usage data, API usage metadata, IP address | Art. 6(1)(f) — Legitimate interests (security of the Service) |
| Sending transactional communications (account confirmations, password resets, billing receipts) | Account data | Art. 6(1)(b) — Performance of a contract |
| Sending product update and feature announcement emails | Account data (email) | Art. 6(1)(f) — Legitimate interests (informing existing customers of material changes to a service they use, under the ePrivacy "soft opt-in" exception for existing customers). Every such email includes an unsubscribe link; you may opt out at any time. |
| Improving, debugging, and developing OmniVocal | Anonymised aggregations of usage data | Art. 6(1)(f) — Legitimate interests (product improvement; data is anonymised before use) |
| Delivering optional Telegram approval notifications | Your Telegram chat ID and notification message content | Art. 6(1)(a) — Consent (you actively enable this feature in Settings; processing does not occur unless you do so; you may withdraw consent at any time by disabling it in Settings → Notifications) |
| Complying with legal obligations (tax records, regulatory requests) | Account data, billing data | Art. 6(1)(c) — Legal obligation |
We will not use your content to train AI models without your explicit, separate, freely-given, and revocable opt-in consent. Such consent is never a condition of accessing OmniVocal.
4. How We Share Your Data
We do not sell your personal data. We do not share your personal data with third parties for their own marketing or advertising purposes.
We share personal data with the following processors solely to the extent necessary to operate OmniVocal:
| Recipient | Role | Data shared | Location |
|---|---|---|---|
| Cloudflare, Inc. | Data processor — hosting, edge compute (Workers), database (D1), storage (R2), DNS, DDoS protection | All data processed in the course of operating OmniVocal transits or is stored on Cloudflare infrastructure | USA (EU-US Data Privacy Framework participant) |
| Supabase, Inc. | Data processor — user authentication and identity management | Account registration data, OAuth identity tokens, session data | USA / EU region (EU-US Data Privacy Framework participant; EU region selected where available) |
| Paddle.com Market Ltd | Merchant of Record and independent data controller — Paddle independently determines the purposes and means of processing payment card data and related billing information. Paddle is not our data processor; it acts as an independent controller for payment processing. We receive only the data described in the "Data shared" column. | Account email, billing country, subscription status, and Paddle customer ID. Paddle independently collects and processes full payment card data, which we never receive or store. | United Kingdom |
| Brevo (Sendinblue SAS) | Data processor — transactional email delivery (account confirmations, billing receipts, product notifications) | Account email address and the content of each transactional message. Tracking pixels and open-tracking are suppressed at the API call level. | France / EU (EU-incorporated; no adequacy decision required for EEA transfers) |
| Telegram Messenger Inc. | Data processor — delivery of publishing approval notifications via Telegram bot | Your Telegram chat ID and notification message content. Only processed if you explicitly enable Telegram approval notifications in your OmniVocal settings. You can disable this at any time in Settings → Notifications, which permanently ceases data transfer to Telegram. | UAE / international infrastructure (transfers under Standard Contractual Clauses) |
| GitHub, Inc. (Microsoft) | Data processor — content deployment via GitHub integration (only if you connect a GitHub account) | Content committed to repositories you connect; no account personal data unless you link a GitHub OAuth account | USA (EU-US Data Privacy Framework participant) |
We may also disclose personal data to competent authorities, courts, or regulators where required by applicable law, or to protect the rights, safety, or property of Zero Ops Oy, our users, or third parties.
5. International Transfers
Zero Ops Oy is incorporated in Finland and operates within the EEA. Several of our data processors are located in the United States or other third countries.
Transfers to the United States are made on the basis of:
- The EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) for recipients certified thereunder (Cloudflare, Supabase, GitHub/Microsoft); and
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where DPF certification is not applicable.
Transfers to Paddle.com Market Ltd in the United Kingdom are made on the basis of: (i) the EU Commission's adequacy decision for the UK (Commission Implementing Decision (EU) 2021/1772), to the extent it remains in force; and (ii) Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a supplementary safeguard. We will update this section promptly if the UK adequacy status changes.
Transfers to Telegram Messenger Inc. are made under Standard Contractual Clauses and are optional — you can disable Telegram notifications at any time in Settings.
6. Cookies and Tracking Technologies
We use a minimal set of cookies. We do not use advertising cookies, tracking pixels, or cross-site behavioural tracking of any kind.
| Cookie | Purpose | Duration | Required? |
|---|---|---|---|
| Session authentication cookie (HttpOnly, Secure) | Maintains your authenticated session in the OmniVocal dashboard. Set by Supabase Auth. | Session / 7 days (persistent login) | Yes — functional; no consent required |
| CSRF token cookie | Protects authenticated requests against cross-site request forgery. | Session | Yes — functional; no consent required |
| Cloudflare cookies (_cf_bm, cf_clearance) | Bot management and DDoS protection set by Cloudflare at the network layer. | 30 minutes / 24 hours | Yes — functional; no consent required |
The OmniVocal marketing pages (omnivocal.io) do not set any cookies unless you initiate an authenticated session.
7. Data Retention
| Data category | Retention period | Basis |
|---|---|---|
| Account data (email, name, hashed password) | Duration of your account, plus 30 days after account deletion to allow recovery requests | Performance of contract |
| Content submitted for publishing | Retained only for the duration necessary to deliver the requested result; drafts are retained as long as you save them. Deleted immediately upon account deletion. | Performance of contract |
| API usage logs (endpoint, timestamp, API key ID) | 90 days (rolling), then automatically deleted | Legitimate interests (abuse prevention, billing verification) |
| Billing records and invoices | 7 years from the date of the transaction | Legal obligation — Finnish Accounting Act (Kirjanpitolaki, 1336/1997), Ch. 2 § 10 |
| Security and access logs (IP address, HTTP status, timestamp) | 30 days, after which IPs are truncated and logs are retained in anonymised form for a further 60 days | Legitimate interests (security) |
| Support correspondence | 3 years from last communication, unless a legal claim is pending | Legitimate interests (service quality, legal defence) |
8. Your Rights
8.1 Rights Under GDPR (EEA and UK Users)
If you are located in the EEA or the United Kingdom, you have the following rights under the GDPR and UK GDPR:
- Access (Art. 15): request a copy of the personal data we hold about you.
- Rectification (Art. 16): request correction of inaccurate or incomplete personal data.
- Erasure (Art. 17): request deletion of your personal data, subject to our legal retention obligations.
- Restriction (Art. 18): request that we restrict processing of your personal data in certain circumstances.
- Portability (Art. 20): receive your personal data in a structured, machine-readable format and transfer it to another controller, where processing is based on contract or consent.
- Objection (Art. 21): object to processing based on legitimate interests. You have an unconditional right to object at any time to processing of your personal data for direct marketing purposes (Art. 21(2)); upon such objection we will cease all such processing immediately without requiring a balancing assessment.
- Withdraw consent (Art. 7(3)): where processing is based on consent (e.g., optional AI training contribution), withdraw consent at any time without affecting prior lawful processing.
To exercise any of these rights, email [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.
8.2 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), PO Box 800, 00521 Helsinki, Finland, tietosuoja.fi.
9. Children's Privacy
OmniVocal is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy at any time. We will notify you of material changes by email or via a prominent notice on OmniVocal at least 30 days before the change takes effect. The "Effective date" at the top of this page will always reflect the current version.
11. Contact
For any privacy-related questions or to exercise your rights, contact:
Zero Ops Oy (Zero Ops Ltd)
Business ID (Y-tunnus): 3606514-8
Incorporated in Finland (European Union)
Privacy enquiries: [email protected]