Scope & who we are
This GDPR Policy explains how Omesta Systems LLC ("Omesta", "we", "us") processes personal data of individuals in the European Union, the European Economic Area, and the United Kingdom, in compliance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the UK GDPR.
Our registered address is 5830 E 2nd St, Ste 7000 #33555, Casper, WY 82609, United States. For GDPR matters you can reach our team at support@omestasystems.com.
Controller vs. Processor
Omesta acts in two capacities depending on the data:
- Data Controller for account data (your name, email, billing information, account settings, telemetry on how you use Omesta itself).
- Data Processor for the end-customer data you bring into the platform (your Stripe customers, Shopify orders, Meta ad audiences, etc.). In this capacity we process data on your documented instructions under a Data Processing Addendum (DPA).
Lawful bases for processing
We rely on the following lawful bases under Article 6 GDPR:
- Contract (Art. 6(1)(b)): processing necessary to provide the Omesta Service under our Terms.
- Legitimate interests (Art. 6(1)(f)): fraud prevention, service security, product improvement, and direct marketing to existing customers. You can object at any time.
- Consent (Art. 6(1)(a)): for cookies that are not strictly necessary, and for marketing emails to prospects in the EU.
- Legal obligation (Art. 6(1)(c)): tax, accounting, and anti-money-laundering record keeping.
Categories of personal data
In our capacity as Controller we process: identity data (name, email), billing data (invoice records, last-4 of card via Stripe), technical data (IP, device, browser), usage data (features used, timestamps, performance metrics), communication data (support tickets, email correspondence), and marketing preferences.
In our capacity as Processor we process the data you connect to Omesta. The full list of fields per integration lives on our Integration Data Disclosure page.
Your rights under the GDPR
You have the following rights in respect of the personal data we hold about you. We respond to verified requests within 30 days (extendable once by 60 days for complex cases).
- Right of access (Art. 15): a copy of the data we hold about you and information about how we use it.
- Right to rectification (Art. 16): correct inaccurate data; most account fields are self-editable in settings.
- Right to erasure / "right to be forgotten" (Art. 17): deletion of your account and associated data, subject to legal retention requirements.
- Right to restriction (Art. 18): require us to pause processing while a dispute is resolved.
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format; we provide JSON and CSV exports.
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: where processing is based on consent, you can withdraw it at any time without affecting past processing.
- Right to lodge a complaint: with your local supervisory authority; contact details for every EEA authority are published by the European Data Protection Board.
To exercise any of these rights, email support@omestasystems.com from the email address associated with your account. For security we may ask for additional verification before acting on an erasure or portability request.
International data transfers
Our production infrastructure is hosted in the United States (AWS us-east-1 and us-west-2) with an EU option available on request. When personal data is transferred out of the EEA or UK, we rely on one of the following safeguards under Chapter V GDPR:
- The European Commission’s Standard Contractual Clauses (module 2 for Controller-to-Processor transfers) signed as part of our DPA.
- The UK International Data Transfer Addendum where transfers originate in the UK.
- Technical and organisational measures (encryption in transit and at rest, access controls, audit logging) described on our Data Security page.
Data retention
We retain personal data only as long as necessary for the purposes described here.
- Account data: for the life of your account, plus 30 days after closure.
- Billing records: 7 years (tax and accounting requirements).
- Customer-provided data: 18 months rolling, or until you disconnect the integration, whichever is shorter.
- Support correspondence: 3 years from last contact.
- Backups: 30 days; deletion requests propagate to backups on a rolling basis.
Automated decision-making
Omesta does not use personal data for solely automated decision-making that produces legal or similarly significant effects on you (within the meaning of Article 22 GDPR). Leak detection and recovery recommendations are generated automatically but always reviewable, overridable, and pausable by a human operator.
Data Processing Addendum (DPA)
If you are a customer processing EU personal data through Omesta, you should execute our Data Processing Addendum. Our standard DPA is available in one click from your account settings or by emailing support@omestasystems.com. It incorporates the EU Standard Contractual Clauses and the UK Addendum by reference.
Sub-processors
Omesta engages vetted sub-processors to deliver the Service. Our current sub-processor list includes:
- Amazon Web Services, Inc.: primary infrastructure hosting (US, EU on request).
- Supabase, Inc.: database and authentication (US).
- Vercel, Inc.: application edge hosting and CDN (global).
- Stripe Payments, Inc.: subscription billing and payment processing.
- Resend, Inc.: transactional email delivery (US).
- Anthropic PBC: AI-powered dunning email generation (US).
We notify DPA customers at least 30 days before adding or replacing a sub-processor. To subscribe to change notices, email support@omestasystems.com.
Data breach notifications
In the event of a personal data breach that is likely to result in a risk to affected individuals’ rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR), and notify affected individuals without undue delay where required (Art. 34 GDPR).
Changes to this policy
We may update this GDPR Policy to reflect changes in our practices, infrastructure, or applicable law. Material changes will be communicated by email to account holders and posted on this page with an updated "Last updated" date at least 30 days before they take effect.
Contact
Email: support@omestasystems.com
Postal: Omesta Systems LLC, 5830 E 2nd St, Ste 7000 #33555, Casper, WY 82609, USA