Privacy Policy

Effective date: June 2, 2026 Version: 2026.06 Applies to: omb.cloud and the OMB Cloud AES platform

OMB Cloud AES (“OMB Cloud,” “we,” “us” or “our”) is a multi-tenant SaaS platform that enables business customers to manage sales, marketing, content publishing and customer operations from a unified dashboard. This Privacy Policy explains how we collect, use, share, retain and protect personal data — including data we obtain through the Meta Platforms (Facebook and Instagram) APIs and the Google APIs (Gmail, Calendar, Drive) when our customers connect their own business accounts.

If you connected a Facebook Page or Instagram Business account to OMB Cloud: we only access the Pages and accounts you explicitly authorize, and we use that access only to perform the actions you request from inside our product (for example, publishing a post you composed). We do not sell or rent your data, and we do not use it for advertising targeting outside of the actions you initiate.

1. Who we are (Data Controller)

The data controller of personal data processed through omb.cloud and the OMB Cloud AES platform is the OMB® (Online Media Builders®) operating entity for your jurisdiction. Each user’s personal data is controlled by the OMB entity that signs the commercial relationship in that market:

Mexico and Latin America: the Mexican operating entity within the OMB network. Specific legal name and RFC are provided upon contractual engagement and upon any data-subject access request.
United States and Canada: the U.S. operating entity within the OMB network. Specific legal name and EIN are provided upon contractual engagement and upon any data-subject access request.
Spain and the European Economic Area: the Spanish operating entity within the OMB network. Specific legal name and CIF are provided upon contractual engagement and upon any data-subject access request.

We are currently consolidating cross-border entity registrations. Until that consolidation is complete, you may direct any data-protection inquiry, exercise of rights or legal request to privacy@omb.cloud and we commit to identifying the responsible legal entity for your jurisdiction and responding within five (5) business days. Meta Platform Data deletion requests, Google user data requests and other regulator-driven inquiries are handled through the same channel and timeline.

Privacy / data requests: privacy@omb.cloud
Legal service of process: legal@omb.cloud
General contact: hello@omb.cloud
Postal address: available upon request to legal@omb.cloud.

2. Scope

This Policy covers personal data processed when you:

Visit our marketing site at omb.cloud (and its localized versions).
Register for, or use, the OMB Cloud AES product as an account owner, administrator or end user (a “User”).
Communicate with us by email, chat or web form.
Connect third-party services to OMB Cloud — including Meta Platforms (Facebook and Instagram), Google services and other integrations you enable.

OMB Cloud customers (each a “Tenant”) act as data controllers of the personal data they upload to or collect through the platform. In that scenario OMB Cloud acts as a data processor or service provider on the Tenant’s behalf and processes data only according to their instructions.

3. Information we collect

3.1 Information you provide directly

Account & identity: name, work email, phone number, password (hashed), profile picture, role within your organization.
Tenant & business data: company name, fiscal identifiers (e.g. RFC, EIN, VAT number), invoicing address, currency, country.
Content you create: contacts, leads, deals, quotations, invoices, files, marketing copy, social-media drafts and any other content you store in the platform.
Payment data: processed by our payment provider; we store the last four digits and billing metadata only.
Communications: messages you send to us through email, chat or support tickets.

3.2 Information from connected platforms (third-party integrations)

When you authorize a connection between OMB Cloud and a third-party service, we receive data from that service through its official APIs. The specific data depends on the integration and the scopes you grant:

Meta Platforms (Facebook & Instagram): see Section 5 below for full disclosure.
Google services (Gmail, Calendar, Drive): only the scopes you authorize. We follow the Google API Services User Data Policy, including the Limited Use requirements.
Other integrations you may enable from inside the product, with the scopes you grant.

3.3 Information collected automatically

Usage and device data: IP address, user agent, language, device type, pages viewed, actions taken, timestamps.
Cookies and similar technologies: session cookies (mandatory for authentication), preference cookies, first-party analytics. A separate Cookies Policy will be published; until then, the relevant detail is in this Privacy Policy.
Logs: security and audit logs (for example, sign-ins, configuration changes, content publishing events).

3.4 Contacts and recipients you manage

As part of the CRM, marketing, invoicing and collections features, you (the Tenant) upload or generate data about your own contacts, leads, customers and debtors — including names, email addresses, phone numbers, company details, invoices and amounts owed — and OMB Cloud records the communications that you (or the AI agents you configured) send to them. These communication records include emails, phone calls (including AI-assisted voice calls placed through our telephony providers), SMS and WhatsApp messages, together with their delivery status, timestamps and outcomes. For this data the Tenant is the data controller and OMB Cloud acts as data processor (see Sections 2 and 4.1).

4. How we use personal data

We use personal data for the following purposes:

To provide, operate, secure and improve the OMB Cloud AES platform.
To authenticate Users and protect the platform against fraud and abuse.
To execute the actions you request from inside the product, including publishing content to platforms you have connected.
To provide customer support and respond to your requests.
To send service-related notifications (security alerts, billing, updates).
To comply with legal obligations, including tax and anti-money-laundering rules where applicable.
To manage accounts receivable and collections on behalf of a Tenant (or, for OMB Cloud’s own clients, on our own behalf): generating payment reminders, scheduling follow-ups and contacting the relevant recipient until the matter is resolved.
To deliver multi-channel communications you trigger — email, phone calls (including AI voice agents), SMS and WhatsApp — through our communications and telephony providers, and to log their status and outcome for audit purposes.
To send marketing communications about OMB Cloud where permitted by law and where you have not opted out.

Legal bases (GDPR): performance of a contract, legitimate interests (security, service improvement, business-to-business marketing), compliance with legal obligations, and your consent (e.g. for non-essential cookies and certain marketing).

4.1 Collections and multi-channel contact (calls, SMS, WhatsApp)

When the collections and outbound-contact features are used, communications may be delivered by automated and AI-assisted means (including AI voice agents) across email, telephone, SMS and WhatsApp. Where OMB Cloud places these communications on behalf of a Tenant, the Tenant is the data controller and is responsible for having a lawful basis and any notice or consent required toward the recipient under applicable law (for example Mexico’s LFPDPPP, the EU GDPR, or U.S. TCPA and state law). OMB Cloud acts as processor and only contacts the recipients and uses the channels that the Tenant has enabled. Communications are conducted within applicable debt-collection rules: OMB Cloud does not threaten, harass, contact third parties to apply pressure, impersonate authorities, or misrepresent the sender. Call metadata and message records are retained with the related CRM record for audit; where a call recording or transcript is produced, it is processed only on the Tenant’s instructions. Recipients may exercise their rights (including ARCO rights in Mexico) with the responsible Tenant, and OMB Cloud will support such requests in its role as processor.

5. Meta Platform Data — Facebook and Instagram

OMB Cloud integrates with Meta Platforms (Facebook and Instagram) through Meta’s official Graph API. We only access Meta Platform Data with your explicit authorization, and only to perform the actions you initiate inside OMB Cloud. This section is provided to satisfy Meta’s Platform Terms and Developer Policies.

5.1 Permissions we request and why

Permission	Why we need it
`pages_show_list`	To display the list of Facebook Pages you administer so you can choose which Page to connect to OMB Cloud.
`pages_manage_posts`	To create, schedule, edit and delete posts on the Facebook Pages you have connected, only when you trigger that action from OMB Cloud.
`instagram_basic`	To read the public profile and recent media of the Instagram Business account linked to your connected Facebook Page (display name, profile picture, posts) so you can preview and manage content from our dashboard.
`instagram_content_publish`	To publish images, videos, carousels and Reels you compose inside OMB Cloud to the Instagram Business account you have connected, only when you trigger publication.

5.2 What we receive from Meta

The list of Facebook Pages you administer (name, ID, category, page access token).
Basic information about the Instagram Business account associated with each Page (username, ID, profile picture, follower count where available).
The content you create or publish through OMB Cloud, plus engagement metrics (likes, comments, reach) for that content.
OAuth access tokens issued to OMB Cloud for the User and the Pages you authorize.

5.3 What we do with Meta Platform Data

Display the connected Pages and Instagram Business accounts in your OMB Cloud dashboard.
Publish, schedule, edit or delete content only when you (or another authorized User of the same Tenant) instructs us to do so.
Show you basic engagement metrics for content you published through OMB Cloud.
Maintain audit logs of publication actions for security and accountability.

5.4 What we do NOT do with Meta Platform Data

We do not sell, rent or trade Meta Platform Data.
We do not use Meta Platform Data for advertising targeting, ad networks, data brokerage or to build advertising profiles.
We do not use Meta Platform Data to develop, train or fine-tune machine-learning models that operate independently of the User who provided the data.
We do not access Pages, accounts or content that you have not explicitly connected to OMB Cloud.

5.5 Storage, retention and deletion of Meta Platform Data

We will only use Meta Platform Data for the limited purposes described in this Privacy Policy, will not retain it longer than necessary for those purposes, and will delete it when no longer needed (or sooner if you revoke our access or close your account).
OAuth tokens are stored encrypted at rest and used only to call Meta’s APIs on your behalf.
Content you publish through OMB Cloud and its associated metadata are retained while your account is active and for up to 90 days after disconnection or account closure, after which they are deleted or anonymized, except where longer retention is required by law.
You can revoke OMB Cloud’s access at any time from your Facebook account’s “Business Integrations” settings or from inside OMB Cloud (Settings → Connected Accounts → Disconnect). Revoking access stops further access to your Meta Platform Data.
To request deletion of your Meta Platform Data, email privacy@omb.cloud with the subject line “Meta data deletion” and the connected Page or Instagram username. We will confirm deletion within 30 days.

6. Google API Data — Gmail, Drive, Calendar, Search Console, Analytics, Ads and Business Profile

OMB Cloud integrates with Google services through Google’s official APIs across several product modules: the inbox and document workflows in our CRM (Gmail, Drive, Calendar) and our marketing modules (Search Console for SEO, Google Analytics for traffic insights, Google Ads for paid-media management and keyword research, and Google Business Profile for local presence management). We only access Google API Data with your explicit OAuth authorization, and only to perform the actions you initiate inside OMB Cloud. This section is provided to satisfy the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use disclosure (verbatim): OMB Cloud’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

6.1 Scopes we request and why

Scope	Why we need it
`userinfo.email` `userinfo.profile`	To identify the Google account being connected and display its email address, name and avatar inside OMB Cloud so you know which inbox is linked.
`gmail.readonly`	To display incoming and existing messages from your Gmail inside the OMB Cloud inbox view, so you can triage customer leads, quotations and collections without leaving the CRM.
`gmail.send`	To send messages from your own Gmail address when you (or an AI agent you configured) compose a reply, quotation, invoice or follow-up inside OMB Cloud.
`drive.file`	To create and read only the specific files that OMB Cloud generates on your Drive (PDF quotations, invoices, exported reports, web-form attachments). This scope does not grant access to any other files in your Drive.
`calendar` (where applicable)	To create, update and read calendar events related to follow-ups, meetings and reminders that you schedule from OMB Cloud.
`webmasters.readonly` (`webmasters` when needed)	Google Search Console — to read indexing status, search analytics, sitemaps and verified-site lists for the properties you authorize, and to display them in the OMB Cloud SEO module. Write access is requested only when you explicitly use OMB Cloud to submit a sitemap or request reindexing.
`analytics.readonly`	Google Analytics 4 — to read property metadata, dimensions and metrics for the GA4 properties you authorize, and to display reports inside OMB Cloud’s analytics dashboards.
`adwords`	Google Ads — to read campaign performance, manage campaigns, ad groups, ads, budgets and bidding, and to query the Keyword Planner for the Google Ads accounts you authorize. All actions are triggered explicitly from inside OMB Cloud.
`business.manage`	Google Business Profile — to read and update business listings (info, hours, photos, posts, services), respond to reviews and view insights for the locations you authorize.

Some Google APIs (notably Google Ads and Google Business Profile) require additional product-level approvals beyond OAuth scope authorization. We will only invoke those APIs after we have obtained the corresponding access from Google and you have explicitly authorized the connection inside OMB Cloud.

6.2 What we receive from Google

Basic profile information of the connected Google account (email address, display name, avatar URL).
Email metadata and content for the Gmail messages displayed in the OMB Cloud inbox view (sender, recipients, subject, body, attachments) for as long as the account is connected.
The content of messages you compose and send through OMB Cloud, plus the corresponding Gmail message IDs and thread IDs.
OAuth access and refresh tokens issued by Google to OMB Cloud for the User and scopes you authorized. Tokens are stored encrypted at rest.
Files that OMB Cloud creates on your Drive on your behalf (e.g. quotation PDFs) and their metadata.
Search Console data for the verified properties you authorize: queries, clicks, impressions, CTR, average position, indexing status, sitemaps and crawl errors.
Google Analytics 4 data for the properties you authorize: dimensions and metrics covering traffic, audience, acquisition, behavior and conversions, plus property metadata.
Google Ads data for the accounts you authorize: campaign, ad group, ad and keyword definitions; performance metrics (impressions, clicks, conversions, cost); audience and bidding configurations; and Keyword Planner query results when you run keyword research inside OMB Cloud.
Google Business Profile data for the locations you authorize: business listing fields, posts, photos, reviews, Q&A and insights.

6.3 What we do with Google API Data

Display your Gmail inbox, threads and messages inside OMB Cloud so you can triage and respond from the same workspace where your CRM, leads and invoices live.
Send emails from your authorized Gmail address only when you (or an AI agent you configured) trigger that action from inside OMB Cloud.
Attach automatically generated documents (PDF quotations, invoices, reports) to the Drive folder created by OMB Cloud, and link them in outbound messages.
Process the content of incoming messages with AI features that you have enabled (classification, summarization, draft replies). See Section 6.4 below.
Show Search Console performance and indexing data for your verified properties inside the OMB Cloud SEO module, and submit sitemaps or reindex requests when you trigger them.
Show Google Analytics traffic, audience and conversion reports inside OMB Cloud’s analytics dashboards, including AI-generated narrative summaries of your performance when AI features are enabled.
Manage Google Ads campaigns, ad groups, ads, keywords, budgets and bidding from the Google Ads management module, including running Keyword Planner queries for keyword research, only when you initiate those actions.
Manage Google Business Profile listings (info, hours, photos, posts, reviews) from the local-presence module, only when you initiate those actions.
Maintain audit logs of send and modify actions for security, abuse prevention and accountability.

6.4 AI processing of Google API Data

OMB Cloud offers optional AI-assisted features (the “AI Workforce”): classification of incoming messages, summarization, drafting of replies, and execution of workflows that you explicitly configure. When these features are enabled by your Tenant administrator:

Email content from your connected Gmail account may be sent to enterprise large-language-model (LLM) providers under written contracts that prohibit training on customer data and enforce zero retention beyond the immediate API call required to produce the requested output.
OMB Cloud does not use Google API Data — including Gmail content, Drive files or Calendar events — to develop, improve or train generalized or third-party artificial-intelligence or machine-learning models.
Outputs produced by AI agents (e.g. drafted replies, summaries) are clearly attributed to the agent inside the product and, when sent as email, are signed with the agent’s name and role on behalf of your Tenant — never impersonating you as the human user.
You can disable AI features at the Tenant or per-user level at any time without losing access to the rest of OMB Cloud.

6.5 What we do NOT do with Google API Data

We do not sell, rent or trade Google API Data.
We do not use Google API Data for advertising, ad targeting, ad networks, data brokerage or to build advertising profiles.
We do not use Google API Data to develop, improve or train generalized or third-party AI/ML models, including foundational models.
We do not allow humans to read your Google API Data, except (a) with your explicit consent (e.g. for a support ticket you opened), (b) for security investigations into specific abuse or fraud, (c) to comply with applicable law or valid legal process, or (d) in aggregated and anonymized form that cannot reasonably be used to identify any individual.
We do not access mailboxes, files or calendar events that you have not explicitly authorized through the OAuth consent screen.

6.6 Storage, retention and deletion of Google API Data

OAuth access tokens and refresh tokens are stored encrypted at rest and used only to call Google’s APIs on your behalf.
Email content is fetched on-demand and cached temporarily to display the inbox view; cached message bodies are purged within 30 days unless explicitly archived by you (e.g. attached to a CRM record).
Sent message metadata (recipients, subject, timestamp, message ID) is retained while the related CRM record is active so you can audit communications history.
Drive files created by OMB Cloud remain in your Drive under your control; we keep references to them in our database, not duplicate copies.
You can revoke OMB Cloud’s access at any time from your Google Account permissions page or from inside OMB Cloud (Settings → Connected Accounts → Disconnect). Revoking access stops further calls to Google APIs and triggers deletion of stored Google API Data within 30 days, except where retention is required by law.
To request deletion of your Google API Data, email privacy@omb.cloud with the subject line “Google data deletion” and the connected Google email address. We will confirm deletion within 30 days.

7. How we share data

We do not sell personal data. We share it only in the following circumstances:

Service providers: we use a small number of vetted vendors for cloud hosting, transactional email, error monitoring and customer support tooling. They act as our processors under written agreements that bind them to confidentiality and our security standards.
Within the same Tenant: data uploaded by your organization is shared with the Users your administrator authorizes.
Legal requirements: when required by law, court order, or to protect our rights, our Users or the public.
Business transfers: in connection with a merger, acquisition or asset sale, with notice to affected Users.

8. Data retention

Active accounts: we retain personal data for as long as your account is active.
Closed accounts: personal data is deleted or anonymized within 90 days of account closure, except where longer retention is required by law (e.g. invoicing records).
Meta Platform Data: see Section 5.5.
Google API Data: see Section 6.6.
Server logs: typically 90 days.
Backups: rolling 35-day window; deletion requests are honored on the next backup rotation.

9. Your rights

Subject to applicable law, you have the right to:

Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Request deletion (right to be forgotten).
Restrict or object to processing.
Receive your data in a portable format.
Withdraw consent at any time, where processing is based on consent.
Lodge a complaint with your local data protection authority.

California residents: under the CCPA/CPRA you also have the right to know what categories of personal information we collect, the right to delete and the right to opt out of any “sale” or “sharing” of personal information — we do not sell or share personal information for cross-context behavioral advertising.

Mexican residents: pursuant to LFPDPPP you may exercise ARCO rights (Access, Rectification, Cancellation, Opposition) and revoke consent. Requests can be sent to privacy@omb.cloud.

Residents of any other jurisdiction: the rights listed above are a baseline we extend to every user, regardless of location. In addition, we honor the rights granted to you by the data-protection law applicable in your country or region of residence — for example the EU/UK GDPR, Brazil’s LGPD, Canada’s PIPEDA, or any other applicable regime — even where that law is not specifically named in this policy. Where local law grants you broader or different rights, those rights prevail for you. To exercise any right, contact privacy@omb.cloud and we will respond as required by the law applicable to you. References to specific laws in this policy are illustrative and not exhaustive.

10. International data transfers

OMB Cloud is operated globally. Personal data may be transferred to and processed in jurisdictions outside your country of residence, including the United States and the European Union. Where required, transfers are protected by appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

11. Security

TLS 1.2+ for all data in transit.
Encryption at rest for OAuth tokens, passwords (hashed with modern KDFs) and sensitive fiscal data.
Role-based access control with least-privilege, plus full audit logging.
Multi-tenant isolation enforced at the application layer.
Periodic security reviews and dependency scanning.

No system is 100% secure. If we learn of a security incident affecting your personal data, we will notify you and the relevant authorities as required by law.

12. Children’s privacy

OMB Cloud is a business product and is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact privacy@omb.cloud and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. The “Effective date” at the top reflects the latest revision. Material changes will be notified to active Users by email or in-product notice.

14. Contact

For any privacy or data-protection question, including requests under GDPR, CCPA/CPRA, LFPDPPP or LGPD, write to privacy@omb.cloud. For Meta Platform Data deletion specifically, use the subject line “Meta data deletion” and identify the Page or Instagram account involved.