How OMG Center Limited handles personal data
This policy explains how OMG Center Limited collects, uses, and protects personal data in connection with the Orca service.
It is important to understand what this policy covers, and what it does not.
This policy covers the limited personal data that OMG Center Limited handles directly as part of the commercial relationship with Orca clients. This includes data provided when booking a discovery call, entering into a service agreement, or communicating with us about the service.
This policy does not govern the data that Orca processes on your behalf when performing its function as your AI executive assistant: your emails, calendar events, meeting transcripts, contact records, tasks, or any other operational content.
That data is yours. It is processed within your own systems, using your own credentials and your own infrastructure. OMG Center Limited has no access to it, does not store it, and is not a data controller or processor in relation to it. The relevant data protection responsibilities for that data rest entirely with you as the client.
Orca is installed on your device and connects to your own systems using your own credentials. Your operational data, including emails, calendar events, meeting transcripts, and contact records, never passes through OMG Center's systems. We do not have access to it.
The data controller for the personal data described in this policy is:
OMG Center Limited builds, configures, and maintains the Orca software for each client. Our role is that of a software services provider. We are not an AI platform, a cloud data provider, or a managed service that handles your business data.
We collect only the personal data necessary to manage the commercial relationship with Orca clients and prospective clients. This comprises:
| Category | Data collected | Source |
|---|---|---|
| Contact details | Name, email address, job title | Provided by you via booking form or direct communication |
| Organisation details | Company name, approximate size or sector | Provided by you during onboarding or discovery |
| Billing information | Name, billing email, company name for invoicing | Provided by you; payment processing handled by a third-party provider |
| Communication records | Emails, call notes relating to the service relationship | Generated through our correspondence |
We do not collect special category data. We do not collect data from third parties. We do not use any automated profiling or tracking technologies beyond standard website analytics.
We use the personal data described above for the following purposes:
We do not sell personal data. We do not use personal data for marketing purposes beyond communications directly related to the Orca service and offerings from OMG Center Limited that are directly relevant to your existing engagement with us.
Our processing of personal data is based on the following lawful grounds under UK GDPR:
The primary basis for processing is the performance of the contract between OMG Center Limited and the client. This covers the use of contact and company details to deliver, configure, and support the Orca service.
We retain financial and billing records as required under UK company and tax law.
Where we retain communication records or conduct standard website analytics, we do so on the basis of legitimate interests: specifically, the interest in understanding the effectiveness of our communications and in maintaining accurate records of the service relationship. We have assessed that these interests are not overridden by client rights and freedoms.
Orca is designed around a clear principle: your operational data belongs to you and remains within your own systems at all times.
When Orca connects to your Microsoft 365 or Google Workspace account, it authenticates using OAuth tokens issued directly to your account. Those tokens are stored in your own operating system's secure credential store, not on any OMG Center server. Your emails, calendar events, and contact data are retrieved directly by the Orca application running on your device, processed locally or within your own Supabase database instance, and never transmitted to OMG Center.
The architecture means that:
If you use AI model APIs (such as OpenAI or Anthropic) within your Orca instance, those connections are made using your own API keys. Any data sent to those services is governed by your agreement with the relevant AI provider, not by this policy.
The following services may be connected to your Orca installation. In each case, these are connections made by your Orca application using your own credentials and accounts. OMG Center Limited is not a party to the data flows between Orca and these services.
| Service | Purpose | Your relationship |
|---|---|---|
| Microsoft 365 | Email, calendar, contacts, Teams meetings | Your Microsoft tenant; governed by your Microsoft agreement |
| Google Workspace | Email, calendar, contacts (alternative to M365) | Your Google Workspace account; governed by your Google agreement |
| Supabase | Your Orca database, storing contacts, meeting records, tasks | Your own Supabase project instance; you own the database |
| OpenAI / Anthropic | AI model access for Orca's assistant capabilities | Your own API keys; governed by your agreement with the provider |
| Recall.ai (if configured) | Meeting transcription | Your own Recall.ai account; governed by your agreement with Recall.ai |
OMG Center Limited uses Calendly to manage discovery call bookings. Calendly's data handling is governed by their own privacy policy. The personal data shared with Calendly (name, email, any information provided in booking notes) is handled by Calendly as data processor, with OMG Center as data controller for that data.
We retain personal data for the following periods:
| Data type | Retention period | Basis |
|---|---|---|
| Client contact and company details | Duration of licence + 2 years | Service relationship management |
| Billing and financial records | 7 years from transaction date | UK legal requirement (Companies Act, HMRC) |
| Pre-contract enquiries (no contract entered) | 12 months from last contact | Legitimate interests |
| Service correspondence | Duration of licence + 2 years | Service relationship management |
Once the relevant retention period has passed, personal data is securely deleted or anonymised.
As a data subject, you have the following rights in relation to the personal data described in this policy:
To exercise any of these rights, contact us at chris@omgcenter.org. We will respond within one calendar month. There is no charge for a request unless it is manifestly unfounded or excessive.
If you are not satisfied with how we have handled your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Our own data handling operations are based in the UK. The personal data described in this policy is primarily stored and processed within the UK or the European Economic Area.
Where we use third-party tools such as Calendly, data may be transferred to and processed in the United States. In those cases, we rely on the service provider's own transfer mechanisms (such as Standard Contractual Clauses or equivalent frameworks) and their compliance with applicable data protection law.
The third-party services connected to your Orca instance (Microsoft 365, Google Workspace, Supabase, AI providers) are governed by your own agreements with those providers. Any international transfers arising from those connections are your responsibility and are governed accordingly.
We may update this policy from time to time. When we make material changes, we will notify active clients by email and update the version number and date at the top of this document. Continued use of the Orca service after notification constitutes acceptance of the revised policy.
The current version is always available at simmance.ai/legal/data-protection-policy.
For any queries about this policy, to exercise your rights, or to raise a concern about how your personal data is handled, contact:
We aim to respond to all data protection queries within five working days and to formal rights requests within one calendar month.