Privacy Policy

Effective date: March 9, 2026

1. Data Controller

Omika ("we", "us", "our") is the data controller for personal data processed through Lelantos ("the Service"). For data protection inquiries, contact us at privacy@omika.ai.

2. Data We Collect

Account Data

  • Email address — required for account creation and communication
  • Name — display name for the dashboard
  • Password hash — bcrypt-hashed, never stored in plain text
  • OAuth identifiers — provider ID and linked email (GitHub, Google)
  • Avatar URL — from OAuth provider if available

Usage Data

  • Sandbox metadata — template, duration, resource allocation, timestamps
  • API key usage — hashed keys, last-used timestamps
  • Billing records — credit transactions, payment metadata via Stripe

Technical Data

  • IP addresses — for rate limiting and security
  • Session tokens — JWT tokens for authentication

3. Legal Bases for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service (account management, sandbox execution, billing)
  • Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, rate limiting, service improvement
  • Legal obligation (Art. 6(1)(c)) — tax records, accounting requirements
  • Consent (Art. 6(1)(a)) — analytics cookies and session recording (you can accept or decline via the cookie banner, and withdraw consent at any time by clearing your cookies); optional email communications

4. Data Sharing

We share personal data only with the following categories of recipients, and only as necessary:

  • Stripe — payment processing (Stripe acts as an independent controller for payment data; see Stripe's Privacy Policy)
  • OAuth providers (GitHub, Google) — only during authentication flows you initiate
  • Hetzner — infrastructure hosting (data processor, servers located in Germany)
  • PostHog — product analytics and session recording (data processor, EU Cloud instance hosted in Frankfurt, Germany; only activated if you accept analytics cookies; see PostHog's Privacy Policy)

We do not sell personal data. We do not share data with advertisers or data brokers.

5. Data Retention

  • Account data — retained while your account is active, deleted within 30 days of account deletion
  • Sandbox data — ephemeral, destroyed when sandbox expires or is killed
  • Billing records — retained for 7 years as required by EU tax law
  • Server logs — retained for 30 days, then automatically deleted
  • Database backups — retained for 30 days, then automatically deleted

6. Your Rights Under GDPR

As an EU data subject, you have the following rights:

  • Right of access (Art. 15) — request a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate personal data
  • Right to erasure (Art. 17) — request deletion of your personal data
  • Right to restrict processing (Art. 18) — limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting prior processing

To exercise any of these rights, contact us at privacy@omika.ai. We will respond within 30 days as required by GDPR.

You also have the right to lodge a complaint with a supervisory authority. For Denmark, this is the Danish Data Protection Agency (Datatilsynet).

7. International Data Transfers

All primary data processing occurs within the European Union. Our infrastructure is hosted on Hetzner servers located in Germany. We do not transfer personal data outside the EU/EEA except where third-party services (Stripe, GitHub, Google) may process data in accordance with their own GDPR-compliant transfer mechanisms (Standard Contractual Clauses or adequacy decisions).

8. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Passwords hashed with bcrypt
  • API keys stored as SHA-256 hashes
  • TLS encryption for all data in transit
  • Hardware-level sandbox isolation via Firecracker microVMs
  • Rate limiting and SSRF protection
  • Daily encrypted database backups with 30-day retention

9. Cookies

Essential Cookies

These cookies are strictly necessary for the Service to function and do not require consent under the ePrivacy Directive:

  • lelantos_token — session authentication (HttpOnly, 7-day expiry)
  • lelantos_refresh — token refresh (HttpOnly, 7-day expiry)
  • lelantos_user — user display info (7-day expiry)
  • lelantos_consent — records your cookie consent choice (1-year expiry)

Analytics Cookies (Consent Required)

If you accept analytics cookies via the cookie consent banner, we use PostHog (EU Cloud) to collect anonymized usage data and session recordings. PostHog may set cookies and use localStorage to track page views, feature usage, and session replays. All inputs in session recordings are masked. These cookies are only set after you provide explicit consent.

You can withdraw consent at any time by clearing the lelantos_consent cookie from your browser. On your next visit, the consent banner will reappear and no analytics data will be collected until you accept again.

10. Children

The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notification at least 30 days in advance. The effective date at the top of this page indicates when the policy was last revised.

12. Contact

For privacy-related questions or to exercise your data rights, contact us at privacy@omika.ai.