Privacy Policy

Last updated: March 10, 2026

This Privacy Policy applies to the website omnicreate.ai and all its subdomains (the "Sites"), together with the OmniCreate web applications and services (the "Services"), owned and operated by Florian Woelki (Sole Proprietor Business, collectively, "Florian Woelki", "we", "us", or "our"). This Privacy Policy describes how we collect, use, share, and secure the personal information you provide to us. It also describes your choices regarding use, access, correction, and deletion of your personal information. This Policy applies to all users worldwide. The rights and legal framework described herein are based on EU and German law because we are established in Germany.

For the purposes of the EU General Data Protection Regulation (GDPR), OmniCreate (Florian Woelki) acts as the data controller for personal data processed through the Sites and Services. Third-party service providers listed in this policy act as our data processors or sub-processors on our behalf.

1. Definitions

Personal information is any information about you which can be used to identify you. This includes information about you as a person (such as name, address, and date of birth), your devices, payment details, and even information about how you use a website or online service. When we refer to "personal information" in this policy, we use the term interchangeably with "personal data" as defined in Article 4(1) GDPR.

The marketing site refers to all public-facing informational pages on our website. This includes content such as homepage, about us, contact information, product descriptions, blog posts, and support resources. Essentially, it's any part of the site accessed from the main omnicreate.ai domain that provides information about our products and services but does not require user login or interaction with the core functionalities of the web application.

The web application refers to the authenticated, functional portions of the OmniCreate service. At the current pre-launch stage, no authenticated web application is available to users. The site currently provides a public landing page, a desktop application download, and payment processing. The definition of the web application will be updated when the service launches.

2. What Data We Collect

During the Waitlist (Pre-Launch Phase)

While OmniCreate has not yet launched, we collect email addresses from interested individuals who sign up for early access. All collection is based on your explicit consent given during signup.

When you join our waitlist, we collect:

• Email address
• Automatically generated signup token
• Timestamp of signup
• Terms of Use & Privacy Policy consent (terms_consent): a boolean record of your agreement, captured when you complete email verification
• Marketing email consent (marketing_consent): a boolean record of your optional opt-in to marketing emails, captured at email verification

Confirmation Email (Double Opt-In): After you submit your email, we send you a confirmation email with a verification link. When you open this link, you are presented with two consent checkboxes: (1) a required agreement to our Terms of Use and Privacy Policy, and (2) an optional opt-in to marketing emails. Your choices are stored as terms_consent and marketing_consent in our database. You must accept the Terms of Use and Privacy Policy to complete verification. This double opt-in process verifies your email address and records your explicit consents.

Legal basis for processing: Your explicit consent via the verification checkboxes (GDPR Art. 6(1)(a)). You may withdraw consent and delete your waitlist data at any time — see Section 5 (Data Retention) for details.

Note: Providing your email address is required to join the waitlist. Without it, you cannot receive early-access notifications or service updates.

After Account Creation (Full Application)

Once OmniCreate launches and you create an account, we additionally store the personal information necessary for authentication and account management. Email addresses collected during the waitlist phase will be used for passwordless authentication via one-time passcode (OTP) (a 6-digit code sent to your email that you enter to log in).

What we do store: Your email address, authentication tokens, account creation timestamps, and consent records. This data is stored in our Supabase database (EU region, Frankfurt, Germany) and is retained for as long as your account is active. When you delete your account, all associated personal data is permanently deleted from our databases within 30 days.

We do not save or store your notes or note metadata on our servers. Your notes remain entirely under your control and are stored locally on your device as Markdown files in your filesystem. These files are never transmitted to or accessible by OmniCreate servers except when you explicitly use AI-powered features (as described below).

If you use our AI-powered features, note content, user inputs, or metadata is transmitted through our server to our AI provider, Groq (US-based), for processing. Our server acts only as a routing intermediary and does not cache, log, or store any note content during this transmission. The note content is combined with processing instructions (prompts) and immediately forwarded to Groq. Groq acts as our data processor under a Data Processing Agreement. This information is used solely to provide you with the requested AI functionality (such as summarization or analysis).

Data Retention & Zero Data Retention (ZDR): We have enabled Groq's Zero Data Retention (ZDR) setting, which means your inputs and outputs are not retained by Groq after processing is complete and are not used for model training or model improvement. With ZDR enabled, limited non-identifiable usage metadata (e.g., API call counts, system performance metrics) may be retained by Groq for up to 30 days for system reliability and abuse monitoring, but this metadata does not contain your note content or personal identifiers. Processing occurs in Groq's US-based infrastructure (Google Cloud Platform), and data is encrypted in transit and at rest. For full details on how your data is handled, see Groq's data handling documentation and Privacy Policy.

Important: Outside of AI feature usage, our servers never receive your notes, note metadata, or any analytics about your note-taking activities. All note creation, editing, and storage occurs entirely on your device.

Our Legal Bases for Processing

We collect both information you knowingly and actively provide us when using or participating in any of our services and promotions, and any information automatically sent by your devices in the course of accessing our products and services.

We only collect and use your personal information when we have a legitimate reason for doing so. In each instance, we rely on one of the following legal bases as required by the General Data Protection Regulation (GDPR):

• Consent: For example, when you check the verification checkboxes during waitlist signup, or when you agree to the use of cookies or optional features.
• Contractual necessity: When processing is required to provide our services to you, such as account creation and authentication.
• Legal obligation: When we are required by law to process certain data. We do not currently rely on this basis for any active processing activity, but it may apply in the future, for example in the event of a data breach record-keeping obligation or a legally mandated data disclosure.
• Legitimate interests: For purposes such as improving our services and ensuring security, provided these interests are not overridden by your rights and interests.

We do not sell your personal information or any data you enter into our Services in any way.

Legal Basis for Each Processing Activity

Legitimate Interests Assessment

Where we rely on legitimate interests (specifically for security logging, error tracking, website delivery via Cloudflare, and desktop app software update checks), our interests are: maintaining site security and integrity, preventing fraud and unauthorized access, diagnosing technical issues, and ensuring reliable website delivery. We have assessed that these interests are not overridden by your rights and freedoms, as the data collected is minimal, stored securely, and retained only as long as necessary.

Third-party Services and Sub-processors

We share certain information with companies that may be considered our "sub-processors" under GDPR. We have Data Processing Agreements (DPAs) in place with all service providers listed below, either through explicit agreements or automatically via their standard Terms of Service. Please note that some providers — such as Cloudflare and Simple Analytics — may also act as independent controllers for certain limited purposes of their own (e.g. ensuring network security or providing their own anonymised analytics). In those cases, they process data in accordance with their own privacy policies, in addition to acting on our instructions where applicable. This information is limited to the following:

Required for the Marketing Site

The following services are required for the operation of the OmniCreate marketing site:

• Cloudflare: We use Cloudflare as a DNS server, load balancer, and to host our static assets and client-side code. Cloudflare's DPA is automatically incorporated into their Self-Serve Subscription Agreement. Privacy Policy for Cloudflare.
• Simple Analytics: We use Simple Analytics for privacy-friendly, cookieless website analytics on our marketing site only. Simple Analytics does not collect IP addresses, does not use cookies, and anonymizes all visitor data. Privacy Policy for Simple Analytics.

Required for the Waitlist, Web Application, and Desktop Application

The following services, in addition to the services required for the marketing site, are necessary for the OmniCreate waitlist, web application, and desktop application:

• Supabase: We use Supabase to store waitlist data (email addresses, signup tokens, timestamps, and consent records) and, after launch, user authentication information. We also use Supabase to host serverless edge functions. We have a GDPR-compliant Data Processing Agreement in place with Supabase. No note content or metadata is stored in Supabase. Privacy Policy for Supabase.
• Brevo: We use Brevo to send transactional emails (such as login OTP codes and account security notifications) and marketing communications. Brevo's DPA is automatically incorporated into their General Terms and Conditions, which we have accepted. For transactional emails, Brevo records only anonymized, aggregated delivery statistics (e.g. overall bounce rate) that do not identify individual recipients. For marketing emails, we have disabled individual recipient tracking in Brevo's campaign settings: no per-recipient tracking pixel is embedded and no individually tracked redirect links are used. Campaign-level statistics (total opens, total clicks) are aggregated by Brevo before we access them and cannot be traced back to any individual recipient. Privacy Policy for Brevo. Legal basis for transactional emails: Contractual necessity (GDPR Art. 6(1)(b)) for email delivery. We have configured Brevo so that we only receive anonymised, aggregated campaign statistics (e.g. total open or click rate) that do not allow us to identify individual recipients; we therefore do not process personal data for this specific analytics purpose and no separate legal basis is required on our part. Any personal data processed by Brevo as our service provider is governed by our Data Processing Agreement. Retention at Brevo: Your email address is retained in Brevo for as long as you remain a waitlist subscriber or registered user. Upon unsubscribe or deletion request, your email is removed from Brevo contact lists within 30 days. Anonymized campaign statistics (containing no personal data) may be retained by Brevo indefinitely for reporting purposes.
• Groq: We use Groq as our AI provider for natural language processing features. See Section 2 for full details on data handling. Data transfers to the US are protected by Standard Contractual Clauses. Privacy Policy for Groq.

If you do not use the AI-powered features, no note content, user inputs, or metadata is sent to Groq.

Timing of Data Transfer:Supabase receives your personal information from two points in time: first when you join the waitlist (email address, signup token, timestamps, and consent records), and again once you create a full user account (authentication tokens and account metadata). Brevo may receive your email address during waitlist signup (if you are a waitlist subscriber) or after account creation, to deliver transactional and service-related emails. Cloudflare receives your IP address on every request to our website.

International Data Transfers

Data Processing Agreements: All service providers acting as data processors have contractual obligations under Data Processing Agreements, either through explicit signed agreements (Supabase, Groq) or automatically via their standard Terms of Service (Cloudflare, Brevo), ensuring GDPR Article 28 compliance.

Additionally, some of our service providers are located outside the European Economic Area (EEA) or may process data in non-EEA countries. When we transfer your personal data internationally, we ensure appropriate safeguards are in place:

• Supabase: Supabase acts as our data processor and processes personal data only on our instructions under our Data Processing Agreement. We use EU-region hosting (Frankfurt, Germany) for data storage. All personal data stored in Supabase (email addresses, signup tokens, timestamps, consent records, authentication tokens, and account metadata) is hosted exclusively within the EU region. Supabase personnel may access data for support purposes under strict confidentiality obligations, and all such access is governed by Standard Contractual Clauses (SCCs) approved by the European Commission.
• Groq (US): Transfers are protected by Standard Contractual Clauses. Data is processed in real-time and not retained after processing.
• Cloudflare: Operates under Standard Contractual Clauses and the EU-US Data Privacy Framework.
• Brevo: EU-based (France). While Brevo is EU-based, Brevo's sub-processors (email delivery, analytics) may be located in the US or other regions. Data transfers are protected by Standard Contractual Clauses.

You may request copies of these safeguards by contacting us at [email protected].

3. How We Collect Information

The full list of data collected is described in Section 2 (What Data We Collect) above, which distinguishes between the waitlist phase and the full application.

Information That You Provide to Us About Yourself

When you sign up for the Services, we request the following information:

• Your email address, used both as your contact information and to authenticate you via a 6-digit one-time passcode (OTP) sent to your email — no passwords are stored or required.

Information Collected Automatically

When you visit our website, our servers automatically log standard data provided by your web browser. This may include your device's Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other details about your visit.

Additionally, if you encounter certain errors while using the site, we may automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about your device, what you were trying to do when the error occurred, and other technical information related to the problem. You may or may not receive notice of such errors, even in the moment they occur, or what the nature of the error is.

Server-side logging: Our security and error logs are maintained server-side within our Supabase infrastructure and are not shared with third-party monitoring services. These logs may contain IP addresses, timestamps, request paths, HTTP status codes, and error messages. Logs are retained for a maximum of 90 days for security and debugging purposes, then automatically deleted.

Desktop App Update Check Data When the desktop application checks for updates, the request IP address, app version, and OS type are logged as part of our standard server-side infrastructure logs and are subject to the same 90-day retention period described above, after which they are automatically deleted.

Please be aware that while this information may not be personally identifying by itself, it may be possible to combine it with other data to personally identify individual persons.

Desktop Application Data Practices

The OmniCreate Desktop App is a locally installed native application. The following applies specifically to the desktop application and supplements the general data practices described above:

• No telemetry or usage analytics: The desktop application does not collect usage analytics, session recordings, or behavioral data. No usage information is transmitted to our servers during normal note-taking activity.
• Software update checks: The desktop application may contact our servers to check for available updates. This transmits your IP address (inherent to any network request), current application version, and operating system type. No note content is transmitted. Legal basis: legitimate interests (GDPR Art. 6(1)(f)) to maintain software security and integrity.
• Authentication:Login via 6-digit OTP code requires a one-time internet connection to verify your session with our Supabase backend (EU region, Frankfurt). After authentication, a session token is stored locally on your device only. We do not log desktop app sessions separately from web app sessions.
• AI features: When you use AI-powered features in the desktop app, only the content you explicitly select is transmitted — identical to the web application behavior described in the AI features section above.
• Local file access: The desktop app reads and writes Markdown files in the directory you choose on your device. We have no access to your local filesystem or any files stored on your device.
• Crash reports: The desktop application does not automatically submit crash reports. If you choose to report a bug manually, only the information you explicitly provide is transmitted.

Analytics (Marketing Site Only)

On our marketing site (public-facing informational pages), we use Simple Analytics, a privacy-friendly, cookieless analytics service. Simple Analytics collects anonymized visitor data such as page views, referrer information, browser type, and device type without using cookies or collecting IP addresses. This data cannot be used to identify individual visitors. While this technically does not require consent under GDPR, we have chosen to load Simple Analytics only after you accept the analytics category in your cookie preferences as an additional privacy measure. Simple Analytics does not track users across websites or create user profiles. Privacy Policy for Simple Analytics.

Important: We do not use analytics tools in the web application or desktop application. No usage analytics, session recordings, or behavioral tracking occurs within the authenticated portions of OmniCreate.

Cookies and Similar Technologies

We use cookies and similar technologies to provide and improve our Services. In Germany, the storage of and access to information on your device is additionally governed by § 25 TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz), which requires your prior consent for all non-essential cookies and similar technologies — independently of GDPR. Only strictly necessary technologies are loaded without consent. For a complete overview, please see our Cookie Policy.

Strictly Necessary Cookies & Local Storage: We use the following strictly necessary technologies that do not require your consent under GDPR or § 25 TDDDG, as they are essential for the service to function:

• cc_cookie: Stores your cookie consent preferences. This cookie is essential for the consent mechanism to function and is automatically enabled.
• Authentication tokens stored in local storage (not cookies) to maintain your login session. These are strictly necessary for the functioning of the application and are deleted when you log out or your session expires.

Functional Technologies: With your consent, we use:

• theme (localStorage): Remembers your preferred color theme (light, dark, or system) between visits. Only set when you accept functional cookies.

Analytics & Third-Party Technologies: See the "Analytics (Marketing Site Only)" section above. We do not use advertising cookies, tracking pixels, or other third-party trackers.

Important: No cookies or tracking technologies are used within the authenticated web application or desktop application beyond what is strictly necessary for authentication (local storage tokens).

4. Security

The security of your personal information is important to us. We implement adequate measures to protect the personal information submitted to us, both during transmission and once it is received. All data transmissions use industry-standard encryption (TLS/SSL), and data at rest is encrypted within our hosting infrastructure. As a sole proprietor, access to personal information is restricted to Florian Woelki and any contracted third-party service providers acting under confidentiality obligations. Contracted service providers are bound by their respective Data Processing Agreements and applicable law. If you have any questions about the security of your personal information, you can contact us at the contact information below.

We do not use your personal data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. The AI-powered features process your data solely to provide the requested functionality and do not result in automated decisions about you.

We do not intentionally collect or process special categories of personal data as defined in Art. 9 GDPR (such as health data, biometric data, or data revealing racial or ethnic origin, political opinions, or religious beliefs). If you choose to include such data in content submitted through AI-powered features, it is processed solely to fulfill your request and deleted immediately after processing under Groq's Zero Data Retention policy. We strongly advise against submitting special category data through AI features.

Data Breach Notification

In the event of a personal data breach, we will comply with GDPR notification requirements:

• Notification to supervisory authority (GDPR Article 33): We will notify the Berlin Commissioner for Data Protection and Freedom of Information without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to your rights and freedoms.
• Notification to you (GDPR Article 34): If the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay. The notification will describe the nature of the breach, likely consequences, and measures taken or proposed to address it.

We maintain technical and organizational measures to detect, contain, and respond to data breaches promptly, including server-side security logging and regular security reviews of our infrastructure and sub-processors.

5. Data Retention

Waitlist Email Addresses: We retain your email address for as long as necessary to:

• Notify you when OmniCreate launches or reaches important milestones
• Provide you with product updates relevant to your interests
• Respond to your inquiries

You can permanently delete all your waitlist data at any time by clicking the unsubscribe link in any email we send you. Unsubscribing removes your email address and all associated records from our systems entirely. You can also request deletion directly at [email protected]. Upon your request, we will delete your data from our systems within 30 days.

If we do not receive any communication from you for 24 months, we may automatically remove your email from our active waitlist and delete your personal data, unless you have explicitly asked us to retain it.

Where we are required by law to retain data beyond these periods (e.g. tax or accounting obligations), we will retain only the minimum data required and for no longer than legally mandated.

Account Data Deletion: All personal data stored in our databases (such as your email address, authentication tokens, and account metadata) will be deleted within 30 days of you deleting your account. Any remaining copies in backups will be purged within 3 months after account deletion.

Note Files: Note content is never stored on our servers and therefore is not subject to server-side deletion. You remain in full control of deleting your note files on your own device. If you have used AI features, those requests are not stored by OmniCreate or Groq after processing.

If you wish for your personal data to be completely removed from all third-party services and our platforms, please send us an explicit request via email to[email protected]. Include your user details and a brief description of your request to facilitate the prompt processing of your data deletion.

Special Notice: Your Right to Object

6. Rights with respect to your information

You have the right to access, correct, delete, restrict, or export your personal data, and to withdraw consent or object to processing at any time — all free of charge. You may also unsubscribe from marketing communications at any time using the link in any email we send. The full list of your rights under GDPR, including how to exercise them, is set out below.

If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to lodge a complaint with the Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit) or your local supervisory authority.

How to exercise these rights

To exercise your rights, such as requesting or deleting your data, please contact us through the contact details provided below. Requests can be exercised free of charge and will be addressed by us as early as possible and within one month of receipt. In complex cases, we may extend this period by up to two additional months, and we will inform you of any such extension within one month of receiving your request, along with the reasons for the delay.

When you exercise your rights, we may ask you to verify your identity to protect your personal information from unauthorized access. We may request additional information necessary to confirm your identity, which we will only use for verification purposes.

Your Rights under GDPR

You have the following rights at any time:

• Right of Access (Art. 15 GDPR): Information about your stored data and the right to obtain a copy of your personal data
• Right to Rectification (Art. 16 GDPR): Correction of inaccurate or incomplete data
• Right to Erasure (Art. 17 GDPR): Deletion of your data under certain circumstances
• Right to Restriction (Art. 18 GDPR): Restriction of processing under certain conditions
• Right to Data Portability (Art. 20 GDPR): Where processing is based on your consent (Art. 6(1)(a)) or contractual necessity (Art. 6(1)(b)) and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This applies to your account data (email address, consent records) but not to data processed under legitimate interests (e.g., security logs).
• Right to Object (Art. 21 GDPR): See the Special Notice: Your Right to Object section above, which is presented separately as required by Art. 21(4) GDPR.
• Right to Withdraw Consent (Art. 7(3) GDPR): Withdrawal of your consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal)
• Right to Lodge a Complaint (Art. 77 GDPR): File a complaint with a supervisory authority if you believe your data protection rights have been violated

Contact for Data Protection Inquiries: [email protected]

Competent Supervisory Authority:

Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit)
Alt-Moabit 59-61
10555 Berlin, Germany
Phone: +49 30 13889-0
Email: [email protected]
Website: https://www.datenschutz-berlin.de

7. Children's information

The Services are not directed to children under 16 (or other age as required by local law), and we do not knowingly collect personal information from children. If you learn that your child has provided us with personal information without your consent, you may contact us at [email protected]. If we learn that we have collected a child’s personal information in violation of applicable law, we will promptly take steps to delete such information and terminate the child’s account.

8. Limits of our policy

Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.

9. Changes to this policy

At our discretion, we may change our privacy policy to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we decide to change this privacy policy, we will post the changes here at the same link by which you are accessing this privacy policy.

If the changes are significant, we will notify all waitlist subscribers and registered users via email at least 14 days before the changes take effect (this is a transactional notification sent regardless of your marketing email preference).

Where a change affects processing activities based on your consent (Art. 6(1)(a) GDPR) in a way that materially alters the scope of that consent, we will request fresh consent before proceeding. For all other changes, continued use of the Services after the effective date constitutes acknowledgement of the updated policy.

10. Contact

If you have questions or concerns about this privacy policy, please contact us at [email protected].