Ombai
ESLog in

Privacy policy

Last updated: April 14, 2026

1. Data controller

The data controller for your personal data is Ombai, based in Madrid, Spain. You can contact us at hola@ombai.io.

2. Data we collect

We collect the following types of data:

  • Account data: name, email, profile image (provided by Google OAuth or entered manually).
  • Billing data: managed by Stripe. We do not store card numbers on our servers.
  • Google Maps data: public business information (reviews, photos, address, hours, category) obtained through authorized APIs.
  • Uploaded files: documents that you voluntarily upload (menus, logos, price lists).
  • Usage data: pages visited, actions performed, IP address, browser type and device.

3. Purpose of processing

  • Service provision: generating and hosting your website.
  • Account management: authentication, billing and support.
  • Service improvement: aggregate usage analysis to improve the platform.
  • Communications: transactional emails (confirmations, plan changes) and, with your consent, newsletters.

4. Legal basis for processing

  • Contract performance: processing is necessary to provide the contracted service.
  • Legitimate interest: aggregate usage analysis to improve the service.
  • Consent: for marketing communications and non-essential cookies.

5. Data sharing

We do not sell your personal data. We share data only with:

  • Stripe: payment processing.
  • AI providers (Anthropic, OpenAI, Google): content processing to generate websites. Data sent is limited to public business information.
  • Hosting providers: Vercel and Cloudflare for hosting and CDN.
  • Resend: transactional email delivery.

6. Data security

We implement technical and organizational measures to protect your data, including encryption in transit (TLS) and at rest (AES-256 for sensitive credentials), role-based access control, and administrative action auditing.

7. Data retention

We retain your data for as long as you maintain an active account. If you cancel your account, we will delete your personal data within a maximum of 30 days, unless there is a legal obligation to retain it (for example, billing data for 5 years).

8. Your rights

Under the GDPR, you have the right to:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request the deletion of your data.
  • Portability: receive your data in a structured format.
  • Objection: object to processing based on legitimate interest.
  • Restriction: request the restriction of processing.

To exercise these rights, contact us at hola@ombai.io. We will respond within a maximum of 30 days.

9. International transfers

Some of our providers (Stripe, Vercel, AI providers) are based in the United States. Transfers are carried out under appropriate protection mechanisms, such as standard contractual clauses approved by the European Commission.

10. Contact

For any privacy queries, contact us at hola@ombai.io.

. You can also file a complaint with the Spanish Data Protection Agency (AEPD).

Privacy policy — Ombai | Ombai