Privacy Policy
Last updated: 20 April 2026
1. Data we collect
- Account data — the name, email, and password hash you provide at signup. The password is stored as a bcrypt hash (cost 12); we cannot see the plaintext.
- Business data — the products, warehouses, orders, customers, suppliers, payments, and any CSVs you upload. This is your tenant’s data and belongs to you.
- Operational telemetry — request logs (IP, timestamp, route, status code) retained for 30 days for security and debugging. Error reports via Sentry with PII scrubbing applied.
2. Where your data lives
All customer data is stored in Supabase Postgres in the Asia Pacific (Mumbai) region. Backups are retained for 7 days in the same region. Transient email content passes through Resend (EU/US regional routing) only when transactional emails are sent (signup verification, password reset, dispatch alerts).
3. How we use data
We use your data only to:
- operate the features you interact with;
- respond to your support requests (our team accesses your workspace only with your consent on a specific ticket, and the access is audit-logged);
- detect and prevent abuse (aggregate rate-limit counters);
- send transactional notifications you opted into (order dispatched, invoice overdue, stock count completed).
We do not sell, rent, or share your data with advertisers. We do not embed ad-network scripts or third-party trackers on authenticated pages.
4. Cookies
We set one first-party session cookie (authjs.session-token) to keep you signed in and a CSRF cookie for form posts. No third-party marketing cookies are set on authenticated pages. The marketing site uses privacy-friendly analytics (PostHog, EU-hosted, no cross-site tracking).
5. Tenant isolation
OmniStock is multi-tenant. Every row in the database carries an organizationId column that scopes it to your workspace. Both the application layer and the database (PostgreSQL Row-Level Security policies) enforce that no user can read or write data belonging to another organization.
6. Your rights
You can export your data at any time via the CSV exports inside each module or via the API. Deletion on request: email privacy@aimanger.tech and we remove your tenant within 30 days (longer retention applies to audit logs required by tax law).
7. Data breach response
If we detect a security incident affecting your data, we notify affected admins within 72 hours with scope, timeline, and mitigation steps, and we file the required notifications with regulators where applicable.
8. Grievance Officer (India / DPDP Act 2023)
In accordance with § 5(7) and § 13 of India’s Digital Personal Data Protection Act, 2023, the Data Fiduciary has designated the following Grievance Officer to address concerns regarding the processing of personal data:
- Name: [TO BE FILLED — counsel review pending]
- Role: Grievance Officer
- Email: grievance@aimanger.tech
- Response SLA: Acknowledged within 7 business days; resolved within 30 days of receipt.
A Data Principal whose rights under § 11 (access), § 12 (correction / erasure), or § 13 (grievance) of the Act remain unaddressed after the SLA window may approach the Data Protection Board of India.
9. International transfers (GDPR Art. 28)
For customers in the European Economic Area, OmniStock acts as a Data Processor under GDPR. Customer Data is stored in Supabase Mumbai (ap-south-1); transactional email passes through Resend with EU regional routing. Standard Contractual Clauses are available on request from dpo@aimanger.tech.
10. Contact
Privacy questions: privacy@aimanger.tech
Security: security@aimanger.tech
Grievance Officer (DPDP): grievance@aimanger.tech
Data Protection Officer (GDPR): dpo@aimanger.tech