Privacy Policy

Omfang AB — omfang.io

Effective date: 1 June 2026

1. Introduction

Omfang AB ("Omfang", "we", "us") is the data controller for personal data processed through the Omfang platform. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and your rights under the General Data Protection Regulation (GDPR).

This policy applies to all users of the Omfang platform. If you have questions, contact us at max@omfang.io.

2. Data Controller

Omfang AB

Organisation number: 559958-2819

Email: max@omfang.io

Website: omfang.io

3. Personal Data We Collect

3.1 Account and Identity Data

When you create an account, we collect your first name, surname, and work email address. This data is used to identify you, authenticate your login, and communicate with you about your account. Legal basis: performance of contract.

3.2 Team and Invitation Data

When you invite colleagues to your workspace, we collect their email addresses. Invitation records are automatically deleted 30 days after the invitation expires. Legal basis: legitimate interests (enabling team collaboration).

3.3 Authentication Credentials

Passwords are stored as one-way bcrypt hashes. We never store or have access to your plaintext password.

3.4 Connected Platform Credentials

When you connect a third-party platform (LinkedIn, Meta, Google Analytics, Google Tag Manager, WordPress, Shopify), we store the OAuth tokens or credentials required to operate the Service on your behalf:

  • OAuth access tokens and refresh tokens for social media and Google services.

  • WordPress application passwords and Shopify access tokens for CMS integration.

  • FTP credentials for direct file publishing, encrypted at rest using industry-standard symmetric encryption.

These credentials are used solely to carry out actions you authorise through the platform. When you disconnect a service, the access token is immediately deleted from our systems. Connection metadata (your page name, preferences) is retained so you can reconnect easily. Legal basis: performance of contract.

3.5 AI Feature Usage Logs

We log which AI features you use, the AI model invoked, token counts, and estimated cost. This data is used for billing, usage cap enforcement, and internal cost analysis. It is linked to your user ID and account. Records are automatically deleted after 365 days. Legal basis: legitimate interests (billing and service integrity).

3.6 AI-Generated Content and Assets

Content produced by the platform (text, images, video) is stored in your workspace and retained for the life of your account. Your approval and rejection actions on content are recorded and attributed to your user ID. Legal basis: performance of contract.

3.7 Knowledge Base Data

The knowledge agent extracts and stores information about your company — brand identity, personas, products, tonality. Personas are AI-generated archetypes; they are not profiles of real individuals. Feedback you provide on knowledge agent outputs is retained to improve accuracy within your workspace. Legal basis: performance of contract.

3.8 Website Crawl Data

The SEO agent crawls pages on your connected website to identify issues. Raw HTML snapshots taken during SEO fix operations are automatically deleted after 30 days. Crawl metadata (page URLs, technical SEO signals) is retained for the life of your account. Legal basis: performance of contract.

3.9 Website Cookies and Analytics

The Omfang marketing website (omfang.io) uses Google Analytics to measure traffic. Analytics cookies are only set with your consent via the cookie banner. You can withdraw consent at any time.

4. Sub-Processors

We share data with the following third-party processors to operate the Service. Each processor has signed a Data Processing Agreement and is subject to adequate data protection safeguards.

  • Anthropic (United States) — AI language model processing. Standard Contractual Clauses apply.

  • OpenAI (United States) — AI image generation (GPT Image 2). Standard Contractual Clauses apply.

  • Runway AI (United States) — AI video generation. Standard Contractual Clauses apply.

  • Stripe (United States/Ireland) — Payment processing and subscription billing. Adequacy decision / SCCs apply.

  • Railway (United States) — Backend hosting and database. Standard Contractual Clauses apply.

  • Vercel (United States) — Frontend hosting. Standard Contractual Clauses apply.

  • Google (United States/Ireland) — Analytics, Tag Manager, and OAuth. Adequacy decision / SCCs apply.

5. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy. Key retention periods:

  • Account data (name, email): retained for the life of your account, deleted within 30 days of account closure.

  • Invite email addresses: deleted 30 days after the invitation expires.

  • Connected platform credentials: deleted immediately on disconnection.

  • AI feature usage logs: deleted automatically after 365 days.

  • SEO HTML snapshots: deleted automatically after 30 days.

  • All other account data: deleted within 30 days of account closure.

6. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access — you may request a copy of the personal data we hold about you.

  • Right to rectification — you may request correction of inaccurate data.

  • Right to erasure — you may request deletion of your personal data, subject to our legal obligations.

  • Right to restriction — you may request that we restrict processing of your data in certain circumstances.

  • Right to data portability — you may request your data in a machine-readable format.

  • Right to object — you may object to processing based on legitimate interests.

To exercise any of these rights, contact us at max@omfang.io. We will respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, www.imy.se).

7. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include:

  • Passwords stored as one-way bcrypt hashes.

  • CMS and FTP credentials encrypted at rest using symmetric encryption.

  • OAuth tokens zeroed immediately on disconnection.

  • Access to production systems restricted to authorised personnel only.

  • Automated data deletion jobs for time-limited retention categories.

8. International Transfers

Several of our sub-processors are based in the United States. Where personal data is transferred outside the European Economic Area, we ensure adequate protection through Standard Contractual Clauses approved by the European Commission, or rely on an adequacy decision where applicable.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email or via the platform when material changes are made. The current version is always available at omfang.io/privacy.

10. Contact

For any questions about this Privacy Policy or how we handle your data:

Omfang AB

Email: max@omfang.io

Website: omfang.io

Address: Östra Farmvägen 19BA, 21216, Malmö, Sweden