Privacy Policy — Omniscia

1. Data Controller

Omniscia is operated by Omniscia Ltd, a company registered in England and Wales. For data protection enquiries, contact us at legal@omniscia.ai.

2. What We Collect

Account information — email address, name, and password (via Firebase Authentication)
Uploaded content — video ad creatives you upload for analysis. Encrypted at rest (AES-256-GCM)
Analysis results — scores, recommendations, transcripts, and frame-level data generated by our AI pipeline
Platform connections — OAuth tokens and read-only performance metrics from Meta, Google Ads, and TikTok (when you choose to connect). For Meta (paid plans), video creatives are also automatically downloaded and analysed through Lens
Usage data — page views and feature interactions via Firebase Analytics, only with your consent
Payment information — processed entirely by Paddle. We never see, store, or have access to your card details
Credit transactions — records of credit usage, top-ups, and bonuses within the platform

3. Lawful Basis for Processing

Under UK GDPR Article 6, we process your data on the following bases:

Contract performance — providing the service you signed up for: video analysis, creative scoring, ad publishing, Scia AI chat, Forge briefs, and all platform features
Legitimate interest — anonymised Cortex ML training (sharpening the model for all users), platform security, fraud prevention, and service reliability
Consent — Firebase Analytics cookies (you choose via the cookie banner) and optional marketing emails (you can unsubscribe at any time)

4. How We Use Your Data

Analysis pipeline — your videos are processed through frame extraction, AI vision analysis, audio transcription, and similarity scoring to generate creative quality reports
Cortex ML engine — when you link ad performance data to an analysis, Omniscia generates its own anonymised analytical outputs: creative classifications (e.g. "visual style: UGC") and aggregated performance metrics (e.g. average ROAS). These derived outputs are Omniscia's intelligence — not your personal data. They contain no video frames, audio, images, transcripts, filenames, or personal information and cannot be traced to any individual. As fully anonymised data under UK GDPR Recital 26, they fall outside the scope of personal data regulation and persist independently to maintain model accuracy for all users. Cortex training is integral to the platform's network-effect intelligence — every analysis contributes to a sharper model for all users
Meta auto-analyse — when you connect Meta (paid plans), we automatically download your video ad creatives via Meta's Graph API, analyse them through Lens, and link the results to your ad performance data. This trains your personal Cortex engine. Contributing to the cross-user Cortex pool is on by default so every user's data makes the engine smarter for everyone; you can turn it off any time in Profile > Settings
Platform sync — when you connect Meta, Google Ads, or TikTok, we read performance metrics (spend, CTR, ROAS) to correlate with your creative scores. We never modify your campaigns without explicit action
Email notifications — platform alerts, fatigue warnings, and monthly digests. You can opt out in Profile > Settings
Analytics — with your consent, we use Firebase Analytics to understand which features are used and improve the platform

5. Your Rights

Under UK GDPR, you have the following rights over your personal data:

Right of access (Art. 15) — download all your data in JSON format from Profile > Settings > Download My Data
Right to rectification (Art. 16) — update your name, email, and preferences in Profile > Settings
Right to erasure (Art. 17) — permanently delete your account and all associated personal data from Profile > Settings > Delete Account. Deletion is immediate and irreversible. Anonymised Cortex analytical outputs (which contain no personal information and cannot identify you) are retained as they constitute Omniscia's derived intelligence, not personal data under UK GDPR Recital 26
Right to data portability (Art. 20) — export your data in a structured, machine-readable JSON format via Download My Data
Right to restrict processing (Art. 18) — contact legal@omniscia.ai to request restricted processing
Right to object (Art. 21) — unsubscribe from marketing emails via the one-click link in any email. Decline analytics cookies via the cookie banner or your browser settings
Rights related to automated decision-making (Art. 22) — Cortex scoring and creative recommendations are advisory tools to inform your decisions. They are not used to make automated decisions with legal or similarly significant effects on you

To exercise any of these rights, email legal@omniscia.ai. We will respond within 30 days.

6. Third-Party Sub-Processors

We use the following sub-processors to deliver the service. Where data is transferred outside the UK, we rely on UK adequacy decisions and Standard Contractual Clauses.

Provider	Purpose	Data Sent	Location	Retention
Anthropic	Claude Vision analysis	Video frames (base64 images only)	US	Zero — not stored or trained on
OpenAI	Whisper transcription	Audio files	US	Zero — not stored or trained on
Google (Gemini)	Summarisation, classification	Text content	US	Zero — not stored
Firebase (Google)	Authentication, analytics	Email, UID, events (with consent)	US	Account lifetime
Paddle	Payment processing	Billing details (we never see these)	UK/EU	Per Paddle's policy
Railway	Backend hosting	All platform data (encrypted in transit)	US	Active subscription
Vercel	Frontend hosting	Static assets only (no personal data)	Global CDN	N/A
Meta / Google Ads / TikTok	Ad platform sync	OAuth tokens, performance metrics	US	Revocable by you
Brave Search	Web search for Scia AI	Search queries (no personal data)	US	Per Brave's policy

AI providers (Anthropic, OpenAI, Google Gemini) operate on zero-retention APIs. Your content is processed and immediately discarded on their end — it is never stored, logged, or used to train their models.

7. International Data Transfers

Some of our sub-processors are based in the United States. For these transfers, we rely on the UK Government's adequacy regulations and, where applicable, Standard Contractual Clauses (SCCs) as approved by the ICO.

Critically, the AI providers we use (Anthropic, OpenAI, Google Gemini) operate zero-retention APIs — your content is processed in memory and never persisted. No personal data is stored in the US by these providers.

8. Data Retention

Account data — retained while your account is active. Deleted immediately and permanently when you delete your account
Analysis data — retained while your account is active. Deleted with your account
Uploaded videos — encrypted at rest (AES-256-GCM). Deleted with your account
Anonymised Cortex analytical outputs — these are Omniscia's derived intelligence: creative classifications and aggregated performance metrics generated by our AI pipeline. They contain no video frames, audio, images, transcripts, filenames, or personal information and cannot be traced to any individual. As fully anonymised, non-personal data (UK GDPR Recital 26), they persist after account deletion to maintain model accuracy for all platform users
Read notifications — automatically deleted after 90 days
Resolved platform errors — automatically deleted after 30 days
Signal intelligence articles — automatically deleted after 6 months
Payment records — retained by Paddle per their retention policy. We do not store payment details

9. Cookies and Tracking

Essential cookies — Firebase Authentication session token. Required for login. Cannot be disabled while using the service
Analytics cookies — Firebase Analytics. Tracks page views and feature usage to improve the platform. Only activated with your explicit consent via the cookie banner. You can change your preference at any time by clearing your browser data

We do not use any third-party advertising cookies, retargeting pixels, or tracking scripts. We do not sell or share analytics data with advertisers.

10. Data Security

All data in transit is encrypted via TLS 1.3
Uploaded videos are encrypted at rest using AES-256-GCM with per-user encryption keys
OAuth tokens for connected platforms (Meta, Google Ads, TikTok) are encrypted at rest using AES-256-GCM with a master key stored separately from the database
API rate limiting and DDoS protection (3-layer: IP rate limiting, request size limits, per-key limits)
No Omniscia staff can view your uploaded videos or analysis reports

For more details on our security architecture, see our Trust & Security page.

11. Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users via email within 72 hours of confirming the breach, as required by UK GDPR Article 33.

Where required, we will also report the breach to the Information Commissioner's Office (ICO) within the same timeframe.

12. Children's Data

Omniscia is a business tool for advertising professionals. Our service is not directed at anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact legal@omniscia.ai and we will delete it immediately.

13. Supervisory Authority

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email and an in-app notification before they take effect. The “last updated” date at the top of this page will always reflect the most recent version.

15. Contact

For any questions about this privacy policy, your data, or to exercise your rights, contact us at legal@omniscia.ai.