Privacy policy
The OmniFlow application processes personal data in accordance with EU Regulation 2016/679 (GDPR) and, where applicable, Czech Act No. 110/2019 Coll.
1. Data controller and service operator
The controller of personal data that the customer enters into the service (users, contacts, documents, etc.) is typically the customer — the business (legal entity or self-employed person) using the service. For data-subject rights in that capacity, contact the customer’s designated contact.
The operator of the OmniFlow cloud service is OmniSys s.r.o., with registered office at Martinů 1342, 250 92 Šestajovice, Czech Republic, ID No. 24937282, VAT ID CZ24937282. In relation to data processed in the service for the customer, OmniSys acts as a processor within the meaning of Article 4(8) GDPR (processing on the controller’s instructions and under the contract). Questions about processing by the operator may be sent to contact@omniflow.cz.
2. What data we process
- Users: name, e-mail, password (hashed), access permissions to companies
- Contacts and customers: name, company ID, VAT ID, address, e-mail, phone – data entered in the system
- Documents: invoices, quotes, deposits, purchase invoices – containing customer and supplier data
- Technical data: IP address on login, records of sent e-mails (for invoices, reminders)
3. Purpose and legal basis
We process data to run the invoicing system: issuing documents, contact records, sending invoices by e-mail, accounting and tax obligations. The legal basis is contract performance, legitimate interest of the controller or legal obligation.
4. Cookies
The application uses these cookies:
- omniflow_session (or another session name): technical cookie for the signed-in session. Required for the app to work. Valid until the browser is closed or after a period of inactivity.
- omniflow_cookie_consent: stores consent to cookies. Valid for 1 year. Set after accepting the cookie banner.
Cookies are set with HttpOnly, SameSite=Lax and, in production, Secure.
5. Retention
Accounting documents and related data are kept in line with applicable law (accounting, VAT – typically 10 years). User and contact data are kept for the duration of the contract and statutory periods after it ends.
Data your organisation enters into the service is not disclosed to third parties, except to the sub-processors listed below, to users authorised within your organisation or company, and to the operator to the extent necessary for operations, support, security and the data-processing agreement. Where erasure is requested for data not subject to longer statutory retention, we erase it in active systems without undue delay. Copies may remain in backups for at most the operator’s normal backup rotation period (typically no longer than 30 days from when erasure is effective in live systems). The same applies to temporary technical records from rejected or unmatched bank-statement e-mails when erasure is requested.
6. Your rights
Under the GDPR you have the right of access, rectification, erasure, restriction, portability and objection. You may lodge a complaint with a supervisory authority (in the Czech Republic, the Office for Personal Data Protection). To exercise your rights, contact the data controller (see section 1).
7. Security and sharing
Data is stored in a secured database. Passwords are stored hashed (bcrypt). Operational data is accessible to users invited and authorised by the customer. Employees and, where applicable, contractors of the operator (OmniSys s.r.o.) may access data only to the extent necessary — in particular customer-requested technical support, security and availability of the service, incident handling and contract performance — and are bound by confidentiality or equivalent duties. We do not share data with third parties for marketing. Data may be disclosed where required by law (court, tax authority) or in connection with sending e-mail (your own SMTP or infrastructure listed under sub-processors).
8. Sub-processors
The operator of the OmniFlow service, OmniSys s.r.o., uses the following sub-processors (processors within the meaning of Article 28 GDPR), bound by appropriate agreements:
- Hetzner Online GmbH (Germany, EU) — server infrastructure (hosting) on which the OmniFlow application and related storage run.
- Seznam.cz, a.s. — transmission and delivery of e-mail sent from the service via the operator’s system (default) SMTP; message content and recipient data may pass through this provider’s infrastructure. If the customer uses their own SMTP server, sending usually does not involve this sub-processor (traffic goes to the customer’s chosen provider).
- WEDOS Internet, a.s. — hosting of the service’s marketing website (e.g. omniflow.cz), not the production application environment.
The list of sub-processors may be updated in the course of operations (e.g. change of provider while maintaining an adequate level of protection). The current version is always published on this page.
9. Changes
This policy may be updated. Material changes will be published on this page with the date of the last update.
The same default policy text is available in the app at https://app.omniflow.cz/privacy?lang=en. The page is available without signing in.