← Omora

Privacy Policy

Effective 24 March 2026

Omora is a personal home-inventory app. We store what you give us, process it to make the app work, and don't sell or share your data with advertisers. This policy explains exactly what we collect, why, and what you can do about it.

1. Who We Are

Omora is operated by Philip Skinner ("we", "us"). Our contact details are at the bottom of this page. Our backend infrastructure runs on Supabase (hosted in the EU).

2. What We Collect

Data	Purpose	Linked to You
Email address	Account creation, sign-in, verification	Yes
Name, phone, address	Account profile, coverage personalisation	Yes
Product records	Inventory tracking, warranty reminders	Yes
Receipts, photos, documents	Proof storage, AI extraction	Yes
Country & currency	Warranty rules, formatting	Yes
Purchase details	Coverage calculation, claims export	Yes
Crash & performance data	Stability monitoring via Sentry	No
Lightweight analytics events	Feature usage (no PII, no third-party SDK)	No

3. What We Don't Collect

• Advertising identifiers (IDFA)
• Location data
• Contacts or calendar data
• Browsing or search history
• Data from other apps on your device

4. How Data Is Processed

On your device

Omora prefers on-device processing wherever possible. Receipt OCR and PDF text extraction happen locally using Apple's Vision framework. Extraction caches, pending uploads, and reminder schedules stay on your device.

Backend services

Your product records, documents, photos, and profile are stored in our Supabase backend (EU region) so they sync across your devices. Row-level security ensures you can only access your own data.

AI processing

After on-device text extraction, Omora may send relevant receipt text or product context to a backend AI service (currently DeepSeek, routed through our Supabase Edge Functions) to structure receipt data, answer inventory questions, or suggest product matches. Only the text needed for the specific feature is sent. The AI is limited to Omora-related tasks and is not a general-purpose chatbot.

AI provider API keys are managed server-side and never stored in the app.

Password security

Passwords are validated locally for strength and checked against known breaches using the Have I Been Pwned k-anonymity API. Only a 5-character hash prefix is sent, never the password itself.

Crash reporting

We use Sentry for crash and performance monitoring. Sentry receives a pseudonymised user identifier, crash data, and app performance metrics. It does not receive your email, name, product data, or documents. Default PII collection is disabled.

5. Legal Basis (GDPR)

• Contract performance (Art. 6(1)(b)) — processing your product records, documents, and profile to deliver the service you signed up for
• Legitimate interest (Art. 6(1)(f)) — crash reporting and lightweight analytics to maintain app stability and improve the product
• Consent (Art. 6(1)(a)) — push notifications (you can revoke any time in iOS Settings)

6. Data Sharing

We do not sell your data. We do not share it with advertisers. Your data is only processed by:

• Supabase (database, auth, storage, edge functions) — EU-hosted
• Sentry (crash reporting) — under a data processing agreement
• AI providers (receipt parsing, assistant) — text only, routed through our backend, no direct client connection
• Apple (App Store, StoreKit for subscriptions, Sign in with Apple)

7. Data Retention

We keep your data for as long as your account is active. When you delete your account:

• All product records, documents, and photos are permanently deleted from our backend
• Your profile and authentication credentials are removed
• Crash logs that may contain your pseudonymised ID are retained by Sentry for up to 90 days per their retention policy

8. Your Rights

Under GDPR and UK GDPR, you have the right to:

• Access your data — use the GDPR Export feature in Settings
• Rectify inaccurate data — edit your profile and products in the app
• Delete your data — use the account deletion flow in Settings > Privacy & Data
• Port your data — export produces a machine-readable JSON file
• Object to processing — contact us at the address below
• Withdraw consent for notifications — via iOS Settings at any time

You may also lodge a complaint with your local data protection authority.

9. Children's Privacy

Omora is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it.

10. Security

We protect your data with:

• HTTPS for all network communication
• Row-level security on all database tables
• On-device file protection (iOS data protection)
• Server-side API key management
• Multi-factor authentication (optional, app-based TOTP)
• Breach-checked passwords at signup

11. International Transfers

Our primary infrastructure is EU-hosted (Supabase). Sentry and AI providers may process data outside the EU/EEA under standard contractual clauses or equivalent safeguards.

12. Changes to This Policy

We may update this policy to reflect changes in the app or legal requirements. Material changes will be communicated through the app. The effective date at the top will always reflect the latest version.

13. Contact