Back to Home

Privacy Policy

Last updated: February 17, 2026

1. Who We Are

This privacy policy explains how Omnitas Consulting ("we", "us", "our") collects, uses, and protects your personal data when you use our platform Omniverse, including our website, OmniLearn learning management system, and any future products such as OmniSales. We are committed to protecting your privacy and being transparent about what data we collect and why. Omnitas Consulting is a Swedish company and operates under the EU General Data Protection Regulation (GDPR). If you have questions at any point, reach us at info@omnitas.com.

2. Data Controller

The data controller responsible for your personal data is Omnitas Consulting. This means we decide how and why your personal data is processed. You can contact us regarding any data protection matters at info@omnitas.com.

3. What Data We Collect

We collect different types of data depending on how you interact with our platform. Here is a breakdown by context:

3.1 Website Visitors

When you browse our website, we collect standard analytics data: page views, browser type, device type, and referring pages. This data is aggregated and does not directly identify you. If you use our contact form, we collect the information you provide: your name, email address, company name, and message content.

3.2 OmniLearn Accounts

When you create an OmniLearn account, we collect: your email address (required for authentication), display name (optional), avatar image (optional), short bio (optional), and locale/language preference. We also store your password in securely hashed form -- we never have access to your actual password.

3.3 OmniLearn Learning Activity

As you use OmniLearn, we track your learning progress to provide the service: course enrollments, lesson completions, course progress percentages, XP points earned, learning streaks, badges earned, and certificates issued. This data is essential to delivering the learning experience and tracking your achievements.

3.4 Organizations and Roles

If you join or are added to an organization on the platform, we store your organization membership and your role within that organization. We also store platform-level role assignments (such as admin, editor, or member) that determine what actions you can perform.

3.5 Invitations

When someone invites a user to the platform or an organization, we temporarily store the invited person's email address and a secure invite token. This data is deleted once the invitation is accepted or expires.

4. Legal Basis for Processing

Under GDPR, we need a legal reason to process your personal data. Here are the legal bases we rely on: (a) Consent -- when you create an account, you explicitly consent to our processing of your data by checking the consent box during registration. You can withdraw this consent at any time by deleting your account. (b) Legitimate interest -- we use aggregated, anonymous analytics data to understand how people use our website and improve the experience. This does not involve personally identifiable information. (c) Contract performance -- when we provide consulting services, we process your data as necessary to fulfill our contractual obligations. (d) Legal obligation -- we retain certain data (such as invoicing and financial records) as required by Swedish tax and accounting laws.

5. How We Use Your Data

We use your data for the following purposes: to provide and maintain the Omniverse platform and its services; to authenticate you and keep your account secure; to track and display your learning progress, achievements, and certificates in OmniLearn; to respond to inquiries submitted through our contact form; to send transactional communications (such as password resets and account confirmations); to display leaderboard rankings (only if you have opted in -- this is off by default); to improve our website and services through aggregated analytics; and to fulfill legal obligations such as tax reporting. We do not use your data for email marketing without your explicit consent. We do not use your data for automated decision-making or profiling.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We never share your personal data with third parties for their own purposes. We share data only with the following service providers ("data processors") who help us operate the platform, and only to the extent necessary: (a) Supabase -- provides our database, authentication, and file storage. Your account data, learning progress, and uploaded files are stored in Supabase's EU infrastructure (Stockholm region, eu-north-1). Supabase processes data on our behalf under a Data Processing Agreement. (b) Vercel -- hosts our website frontend. Vercel may process request metadata (IP addresses, request headers) for content delivery and security purposes. (c) monday.com -- used as our internal work management platform. Customer-related data may flow through monday.com as part of our consulting delivery processes. monday.com operates exclusively on EU servers. (d) Make (formerly Integromat) -- used for workflow automation between our internal systems. Data may be routed through Make as part of automated processes. Make operates exclusively on EU servers. (e) MailerLite -- used for newsletters and email communications. If you subscribe to our newsletter, your email address and name are processed by MailerLite. MailerLite is an EU-based company and is fully GDPR compliant. All data processors are contractually bound to protect your data and only process it according to our instructions.

6.1 Partner and Client Data

As a consulting company, we may receive client information from our business partners in the course of delivering services. This data is processed strictly for the purpose of fulfilling our consulting engagements. We do not share client information with any third party unless the client has expressed a direct and explicit interest in a specific partner's products or services. We never sell, distribute, or otherwise disclose client data to third parties outside of this limited scope.

7. International Data Transfers

Your data is stored and processed within the European Union. Our primary database is hosted in Stockholm, Sweden (Supabase eu-north-1 region). Our frontend is served by Vercel's edge network, which primarily serves content from EU locations for EU visitors. Our internal tools (monday.com, Make) operate exclusively on EU servers. MailerLite is an EU-based company processing data within the EU. We do not intentionally transfer your personal data outside of the EU/EEA. If any sub-processor processes data outside the EU, appropriate safeguards (such as Standard Contractual Clauses) are in place.

8. Data Retention

We keep your data only as long as necessary for the purposes described in this policy. Here are our retention periods: Active account data (profile, learning progress, achievements) -- retained for as long as your account exists. You can delete your account at any time from your profile page, which will remove all your personal data. Contact form submissions -- retained for up to 12 months after your inquiry is resolved, then deleted. Analytics data -- retained in aggregated, anonymized form. This data cannot identify you. Invitation data -- invite tokens and associated email addresses are deleted once the invitation is accepted or after 30 days, whichever comes first. Financial records (invoices, tax documents) -- retained for 7 years as required by Swedish law (Bokforingslagen). When your data is deleted, it is permanently removed from our active systems. Backups containing deleted data are overwritten within 30 days.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights: Right of access -- you can request a copy of all personal data we hold about you. Right to rectification -- you can ask us to correct inaccurate or incomplete data. Most profile data can be updated directly in your account settings. Right to erasure ("right to be forgotten") -- you can delete all your data by deleting your account from your profile page. You can also contact us to request deletion. Right to data portability -- you can request your data in a structured, machine-readable format. Right to restriction -- you can ask us to temporarily stop processing your data while we resolve a concern. Right to object -- you can object to processing based on legitimate interest. Right to withdraw consent -- you can withdraw your consent at any time. The easiest way is to delete your account. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. We will respond to any rights request within 30 days. All rights requests are free of charge.

10. How to Exercise Your Rights

You have several options: Self-service account deletion -- go to your profile page in OmniLearn and use the account deletion feature. This permanently deletes all your personal data, learning progress, achievements, and organization memberships. This action cannot be undone. Profile updates -- edit your display name, avatar, bio, and preferences directly in your account settings. Leaderboard visibility -- toggle your leaderboard visibility on or off in your profile settings. It is off by default. Contact us -- for any other rights request (access, portability, restriction, objection), email us at info@omnitas.com. Please include enough information for us to verify your identity.

11. Cookies and Tracking

Our website uses the following types of cookies: Essential cookies -- required for the website to function. These include authentication session cookies (secure, HTTP-only) and locale preferences. You cannot opt out of these as they are necessary for the site to work. Analytics cookies -- we may use analytics tools to understand aggregate usage patterns. These do not track you across other websites. You can control analytics cookies through your browser settings. We do not use advertising cookies. We do not engage in cross-site tracking. We do not sell data to advertisers.

12. Children's Privacy

Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has created an account or provided us with personal data, please contact us at info@omnitas.com and we will promptly delete the data.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or best practices. When we make significant changes, we will update the "Last updated" date at the top of this page. For material changes that affect how we process your data, we will notify registered users via email. We encourage you to review this policy periodically.

14. Contact and Complaints

If you have questions about this privacy policy, want to exercise your rights, or have concerns about how we handle your data, contact us at info@omnitas.com. We take every concern seriously and aim to resolve issues quickly. If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish data protection authority: Integritetsskyddsmyndigheten (IMY), Box 8114, 104 20 Stockholm, Sweden. Website: www.imy.se. You also have the right to lodge a complaint with any EU data protection authority in the member state where you live, work, or where the alleged infringement took place.