Privacy Policy

Account Information

When you create an account, we collect your email address, username, and display name. If you sign up via GitHub or Google OAuth, we receive your public profile information (name, email, avatar URL, and GitHub username if applicable) from the OAuth provider.

Extension Publishing Data

When you publish an extension, we store your extension's metadata (name, description, version, permissions, tools), the compiled WASM binary, and your publisher profile information. This data is publicly visible on the marketplace.

Usage Data

We collect anonymized download counts and aggregate analytics (extension popularity, category trends). We do not track individual user behavior, browsing patterns, or search queries. Download tracking uses hashed IP addresses for deduplication — we never store raw IP addresses.

We use the information we collect to: provide, maintain, and improve the Omni Marketplace; authenticate your identity and manage your account; process extension submissions and run security scans; display publisher profiles and extension listings; generate aggregate statistics (download counts, ratings); send important account notifications (scan results, policy changes); and detect and prevent fraud, abuse, or security threats.

When you submit an extension, our automated security pipeline analyzes the WASM binary, manifest, and metadata. This includes pattern matching against known malicious signatures, heuristic analysis of permission requests and behavior, AI-powered code analysis using Anthropic's Claude API, and sandboxed execution testing in an isolated environment.

Scan results (scores, findings, verdicts) are stored and may be publicly visible on the extension's detail page. The AI analysis component sends your extension's manifest and extracted metadata to Anthropic's API for processing. No user data is included in these requests — only the extension's code and metadata.

Your data is stored securely using Supabase (PostgreSQL) with row-level security policies. WASM binaries are stored in Supabase Storage with access controls. API keys are stored as SHA-256 hashes — we never store your raw API key. All data transmission uses HTTPS encryption.

We use essential cookies for authentication session management (Supabase auth tokens). These cookies are necessary for the Service to function and cannot be disabled. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

We use the following third-party services: Supabase (database, authentication, file storage), Vercel (website hosting and deployment), GitHub and Google (OAuth authentication), and Anthropic (AI-powered extension scanning via Claude API). Each third-party service has its own privacy policy. We only share the minimum data necessary for each service to function.

Account data is retained for as long as your account is active. Extension data (metadata, WASM binaries, scan results) is retained for as long as the extension is published. Download statistics are retained in aggregate form indefinitely. When you delete your account, your profile data and API keys are permanently removed. Published extensions are unpublished but may be retained for a grace period of 30 days.

You have the right to: access and request a copy of all personal data we hold about you; correct inaccurate personal data; request deletion of your account and associated data; download your data in a machine-readable format; and object to specific uses of your data. To exercise any of these rights, contact us at privacy@omniapp.org. We will respond within 30 days.

The Omni desktop application runs entirely on your local machine. Conversations, LLM API keys, channel credentials, and extension data are stored locally and never transmitted to our servers. The marketplace website only receives data when you explicitly publish an extension, download an extension, or interact with the website. We do not collect telemetry, usage analytics, or crash reports from the desktop application.

The Service is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will promptly delete that information.

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or through a notice on the Service. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@omniapp.org.