
Privacy Policy

Last updated: April 2026

1. Controller

The controller within the meaning of the GDPR is:

Osos AI GmbH

Cosimastraße 121, 81925 Munich, Germany

Email: info@ososomega.com

Represented by: Dr. Hải Vân Lê Jorks


2. Scope and User Group

(1) This Privacy Policy applies to the use of the web-based ALM software OSOS/Omega (hereinafter "the App").

(2) The App is intended exclusively for entrepreneurs within the meaning of § 14 BGB (German Civil Code) and for legal entities under public law or special funds under public law with their registered office in a member state of the European Union. Use by consumers (§ 13 BGB) or from non-EU countries is not intended.


3. Purpose of Data Processing

We process personal data for the following purposes:

  • Provision and operation of the ALM software (incl. authentication and role-based permissions)
  • Storage and processing of requirements, test cases, and related project artifacts
  • Provision of AI-powered features (generation of requirements, tests, and traceability suggestions)
  • Billing and contract administration (subscription and boost purchases)
  • Ensuring technical operation, including monitoring and error diagnosis
  • Further development of the product (based on aggregated, non-personal metrics)
  • Fulfillment of statutory obligations (e.g., commercial and tax law retention)

4. Categories of Data Processed

4.1 When visiting the website without login

  • IP address, timestamp
  • HTTP headers, technical access data (log files)

4.2 For registered users (Free Trial and paying Companies)

  • Email address, name, role within the Company
  • Authentication data (tokens, hashed passwords)
  • Usage data within the App (access events, actions)
  • Content data: requirements, specifications, test cases, comments, and attachments entered or uploaded by the user
  • AI requests and AI-generated responses (prompts and responses)
  • AI consumption metrics (tokens, models, costs)

4.3 For paying customers, additionally

  • Billing address, VAT-ID (if provided)
  • Stripe Customer ID
  • Payment method tokens (managed by Stripe; not stored in plaintext at our end)

5. Storage Duration

| Data type | Retention |
|---|---|
| Account master data | until account deletion by the Company Admin or by us after contract end |
| Usage and audit logs | until account deletion |
| Content of AI requests (prompts and responses) | 90 days from the request, then automatic deletion of the content; reduced metrics (tokens, costs, model) remain indefinitely |
| Reduced AI consumption metrics (without content) | indefinitely, for pricing calibration and scaling analysis |
| Billing and accounting data | as required by commercial and tax law (typically 10 years) |
| Log files (access data without login) | maximum 30 days |

After contract termination, all account data shall be deleted within 30 days. Anonymized aggregate metrics may continue to be used by us.


6. Hosting and Technical Infrastructure

The App is hosted via:

  • Supabase Inc. as Backend-as-a-Service (database, authentication, file storage)
  • AWS in the eu-central-1 region (Frankfurt am Main)

Data processing therefore takes place within the European Union.

In addition, we use:

  • Upstash Inc. for fast counters and session caches (Redis-based), hosted in the EU.

Data Processing Agreements pursuant to Art. 28 GDPR are in place with all hosting and infrastructure providers.


7. Use of External AI Services

(1) The App uses the API of Mistral AI SAS (registered office: France, EU) for AI-powered features.

(2) When making an AI request, the inputs required for the respective function are transmitted to Mistral. Transmission is encrypted.

(3) Mistral does not process the transmitted content for training its own models. This is contractually guaranteed.

(4) Mistral is based within the EU; no transfer to third countries takes place.

For further information on data processing by Mistral: <https://mistral.ai/terms#privacy-policy>

Legal basis: Art. 6(1)(b) GDPR (performance of contract) or Art. 6(1)(f) GDPR (legitimate interest in AI-powered functionality).


8. Product Improvement

We may use usage and AI consumption metrics in anonymized or pseudonymized form to improve our product and to calibrate pricing.

We do not train our own Large Language Model. Content (prompts, responses) is not used for training purposes.


9. Payment Processing

For billing of subscriptions and boost purchases, we use Stripe Payments Europe Ltd. (registered office: Ireland, EU).

When making a purchase, you will be redirected to the Stripe Checkout page. Payment method data is processed exclusively by Stripe; we receive only confirmations of successful payments and a reference (customer ID).

Stripe is PCI-DSS Level 1 certified. A Data Processing Agreement pursuant to Art. 28 GDPR is in place.

For further information on data processing by Stripe: <https://stripe.com/privacy>

Legal basis: Art. 6(1)(b) GDPR (performance of contract).


10. Legal Basis

Data processing is carried out on the basis of:

  • Art. 6(1)(b) GDPR (performance of contract)
  • Art. 6(1)(f) GDPR (legitimate interest, in particular product quality, security, and fraud prevention)
  • Art. 6(1)(c) GDPR (legal obligation, in particular commercial and tax law retention obligations)

11. Recipients and Disclosure to Third Parties

Disclosure of personal data is made exclusively to the following processors:

| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. (on AWS Frankfurt) | Database, authentication, file storage | EU |
| Mistral AI SAS | LLM API for AI features | France (EU) |
| Stripe Payments Europe Ltd. | Payment processing | Ireland (EU) |
| Upstash Inc. | Cache and counter (Redis) | EU |

No further disclosure to third parties takes place unless required by law.

A complete and up-to-date list of sub-processors is part of the Data Processing Agreement (see /legal/dpa).


12. Data Processing Agreement (DPA)

We conclude a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with paying customers. The standard text is available at /legal/dpa (English) or /legal/avv (German).


13. Rights of Data Subjects

Data subjects have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)

Please send requests to: info@ososomega.com

The right to lodge a complaint with a supervisory authority remains unaffected. The competent supervisory authority for our registered office is:

> Bavarian State Office for Data Protection Supervision (BayLDA)

> Promenade 18, 91522 Ansbach, Germany

> <https://www.lda.bayern.de>


14. Data Security

We employ technical and organizational measures pursuant to Art. 32 GDPR, in particular:

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256)
  • Role-based access control and audit logging
  • Tenant separation at the database level
  • Regular security updates and penetration tests

A complete description of the measures is part of the Data Processing Agreement (Annex 2).

Despite all care, data transmission over the internet may have security gaps. Complete protection against unauthorized access is not possible.


15. Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy in the event of changes to our processing activities. The current version is available on our website. In case of material changes, we will inform registered users by email.