Privacy Policy

Last updated: March 24, 2026

Ombrex AI Inc. ("Ombrex", "we", "us", or "our") operates the platform at ai.ombrex.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. Please read this policy carefully.

1. Information We Collect

1.1 Account Information

When you register, we collect your name, email address, company name, and password (stored as a one-way bcrypt hash). We never store your password in plain text.

1.2 Call Data

When your AI assistants handle calls, we collect: call recordings (stored encrypted on Amazon S3), transcripts, caller phone numbers, call duration, and AI-generated insights (sentiment, summary). Recordings are only accessible via time-limited pre-signed URLs.

1.3 Calendar Integration Data

If you connect Google Calendar or Microsoft Outlook, we store OAuth access and refresh tokens encrypted in our database. We use these tokens solely to check availability and create calendar events on your behalf. We do not read, store, or sell existing calendar event content.

1.4 Billing Information

Payment processing is handled by Stripe, Inc. We do not store full card numbers on our servers. We receive and store billing metadata such as subscription plan, transaction IDs, and purchase history.

1.5 Usage Data

We collect log data including IP addresses, browser type, pages visited, timestamps, and feature usage for the purpose of improving the Service and resolving issues.

2. How We Use Your Information

  • Provide, operate, and maintain the Service
  • Process billing and manage your subscription
  • Send transactional emails (e.g., call summaries, invoices, password resets)
  • Enable AI features including call analysis and calendar booking
  • Detect and prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations
  • Improve and develop new features (using aggregated, anonymized analytics)

We do not sell your personal data or call recordings to third parties. We do not use your customers' phone call content to train AI models.

3. Data Sharing and Third Parties

We share data only with service providers necessary to operate the platform:

ProviderPurposeData Shared
ElevenLabsAI voice generation and call handlingAgent config, call audio
Amazon Web ServicesCloud hosting, storage (S3), email (SES)Recordings, emails
StripePayment processingBilling details
Google / MicrosoftCalendar integration (if connected)OAuth tokens
OpenAICall transcript analysis and insightsAnonymized transcripts

4. Data Retention

  • Call recordings: Retained for 90 days, then permanently deleted from S3 unless you export them.
  • Transcripts and insights: Retained for 12 months from the call date.
  • Account data: Retained for the lifetime of your account. Upon deletion, we purge personal data within 30 days.
  • Calendar tokens: Deleted immediately when you disconnect the integration or delete your account.
  • Billing records: Retained for 7 years to comply with tax and accounting regulations.

5. Security

We implement industry-standard technical and organizational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2+
  • Passwords are hashed using bcrypt with a cost factor of 10
  • OAuth tokens are stored encrypted at rest
  • Call recordings are stored in private S3 buckets, accessible only via time-limited signed URLs
  • Access to production infrastructure is restricted to authorized personnel
  • We use HMAC-signed state parameters to prevent CSRF in OAuth flows

Despite these measures, no system is 100% secure. If you discover a security vulnerability, please report it to security@ombrex.com.

6. Cookies and Tracking

We use essential session cookies to maintain your authenticated session (JWT stored in HttpOnly cookies). We do not use advertising trackers, third-party analytics pixels, or retargeting cookies. We do not use Google Analytics or similar tracking services.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data via your profile settings
  • Delete your account and associated personal data
  • Export your call transcripts and account data
  • Revoke calendar access at any time from your assistant settings
  • Object to processing of your data in certain circumstances

To exercise any of these rights, contact us at privacy@ombrex.com. We will respond within 30 days.

8. Children's Privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us immediately at privacy@ombrex.com.

9. International Transfers

Ombrex AI Inc. is based in Canada. Your data may be processed by our service providers in the United States. By using the Service, you consent to this transfer. We ensure all sub-processors offer adequate data protection under applicable law.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email and update the "Last updated" date at the top. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

11. Contact Us

For privacy-related questions or requests:

Ombrex AI Inc.

2980 Drew Rd, Unit 224

Mississauga, ON, Canada

Email: privacy@ombrex.com