Privacy policy

1. Who is responsible for your data

The data controller for Omit is laFlow, contactable at [email protected]. This address is reserved for legal and privacy correspondence; for product help, use the support form or the in-extension support function in the Omit side panel.

2. What data Omit handles

Data that stays on your device

The Omit extension stores all of your bookmarks, vault entries, ghost archive, settings, and your AI-provider API key in your browser's local storage (chrome.storage.local). This data does not leave your machine through any system we operate.

• We do not run analytics, telemetry, error reporting, or session recording.
• We do not assign you an account, user ID, or device identifier.
• We do not see what you save, what you read, or what you query.

Data we do receive

We only receive personal data in two narrow cases:

• Purchase email. When you buy Omit Pro, our payment processor passes us the email address you used at checkout, so we can issue your license and your invoice. See Payments.
• Correspondence. If you write to [email protected] or use the support form, we receive whatever you put in your message. Form submissions are routed to our private GitHub issue tracker so we can reply.

3. AI features and your own LLM key

Pro features (Ask AI, Smart Summaries, Reading Identity, link summaries) call a large-language-model provider directly from your browser using an API key that you provide. Omit supports the following providers:

• Google Gemini
• OpenAI
• Anthropic
• DeepSeek
• OpenRouter

When you trigger an AI action, the request goes from your browser to the provider you configured. It does not pass through any server we operate. Whatever the provider does with the request is governed by their privacy policy, not this one. You are responsible for choosing a provider whose terms you are comfortable with.

Some Pro features fetch the readable text of a page through the Jina Reader service (r.jina.ai) before sending it to your AI provider. The page URL and content are passed through Jina; the request originates from your browser.

4. Payments

One-time Pro payments are processed by Stripe. laFlow is the merchant of record. Stripe collects the data needed to take a payment (card details, billing country, email, and — where applicable for EU VAT — your tax status). We never see your full card details.

What we receive from Stripe and store on our payment infrastructure (omit-pay.aydinfer.workers.dev):

• The email address you used at checkout
• The Stripe payment / customer reference
• The amount, currency, and country, for VAT and bookkeeping purposes
• The license token issued to your installation

The legal basis for this processing is the contract between you and us (Art. 6(1)(b) GDPR) and our legal obligation to keep tax records (Art. 6(1)(c) GDPR).

5. Cookies and storage

The marketing site at getomit.pro sets no cookies, runs no analytics, and embeds no third-party tracking scripts or fonts. All assets — including web fonts — are served from our own origin, so no IP address is shared with any third party as a side effect of loading the page. Because no information is read from or written to your device beyond what is strictly necessary to render the site, no consent banner is required under Art. 5(3) of the ePrivacy Directive.

The Omit extension uses your browser's local storage to keep your bookmarks. This is strictly necessary to provide the service you installed and is therefore exempt from a separate consent prompt.

If you submit the support form, the data you enter is sent to a Cloudflare Worker we operate (omit-support.aydinfer.workers.dev) which forwards it to our public-ish issue tracker on GitHub (aydinfer/Omit). Your IP address is processed in transit by Cloudflare for the duration of the request only.

6. Your rights under GDPR / AVG

If you are in the EU/EEA, you have the following rights:

• Access — ask us what personal data we hold about you
• Rectification — ask us to correct it
• Erasure — ask us to delete it
• Portability — ask for a machine-readable copy
• Restriction — ask us to pause processing
• Objection — object to processing based on legitimate interest
• Complaint — lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl) or the regulator in your country of residence.

To exercise any of these, write to [email protected] from the email address tied to your purchase. We respond within 30 days.

Note: most of your data is on your own device and is fully under your control. To delete it, uninstall the extension; to export it, use the export function inside the side panel.

7. How long we keep data

• Payment and invoice records: seven years, as required by Dutch tax law (Art. 52 Algemene wet inzake rijksbelastingen).
• Correspondence and support tickets: kept as long as needed to handle the case, then deleted within 12 months unless they form part of a payment record.
• Local data inside the extension: kept until you delete it or uninstall the extension. We have no copy.

8. International transfers

Stripe processes EU payments through Stripe Payments Europe Ltd. (Ireland); transfers to Stripe entities outside the EEA rely on the European Commission's Standard Contractual Clauses (SCCs).

The AI providers listed in section 3 are based in the United States or other non-EEA jurisdictions. If you choose to use them, your queries and your provided API key travel from your browser to the provider you selected; we do not act as an intermediary. Each provider's transfer mechanism applies (most rely on SCCs and, where available, self-certification under the EU–US Data Privacy Framework). Review your chosen provider's privacy policy before configuring it.

Notion sync, when enabled, transfers the bookmarks you choose to send to Notion Labs Inc. (United States) under SCCs.

9. Changes to this policy

If we change this policy in a way that affects how we handle your data, we update the date at the top and note the change in the changelog. We do not silently revise it.

10. Contact

Privacy questions, GDPR requests, and complaints: [email protected].