Data Protection Policy
How OMG Center Limited handles personal data
1. Overview
This policy explains how OMG Center Limited collects, uses, and protects personal data in connection with the Orca service.
It is important to understand what this policy covers, and what it does not.
What this policy covers
This policy covers the limited personal data that OMG Center Limited handles directly as part of the commercial relationship with Orca clients. This includes data provided when booking a discovery call, entering into a service agreement, or communicating with us about the service.
What this policy does not cover
This policy does not govern the data that Orca processes on your behalf when performing its function as your AI executive assistant: your emails, calendar events, meeting transcripts, contact records, tasks, or any other operational content.
That data is yours. It is processed within your own systems, using your own credentials and your own infrastructure. OMG Center Limited has no access to it, does not store it, and is not a data controller or processor in relation to it. The relevant data protection responsibilities for that data rest entirely with you as the client.
Orca is installed on your device and connects to your own systems using your own credentials. Your operational data, including emails, calendar events, meeting transcripts, and contact records, never passes through OMG Center's systems. We do not have access to it.
2. Who we are
The data controller for the personal data described in this policy is:
- Company name: OMG Center Limited
- Company number: 14169551
- Registered in: England and Wales
- ICO registration: Registered (number to be completed)
- Contact: chris@simmance.ai
- Website: simmance.ai
OMG Center Limited builds, configures, and maintains the Orca software for each client. Our role is that of a software services provider. We are not an AI platform, a cloud data provider, or a managed service that handles your business data.
3. What personal data we collect
We collect only the personal data necessary to manage the commercial relationship with Orca clients and prospective clients. This comprises:
| Category | Data collected | Source |
|---|---|---|
| Contact details | Name, email address, job title | Provided by you via booking form or direct communication |
| Organisation details | Company name, approximate size or sector | Provided by you during onboarding or discovery |
| Billing information | Name, billing email, company name for invoicing | Provided by you; payment processing handled by a third-party provider |
| Communication records | Emails, call notes relating to the service relationship | Generated through our correspondence |
We do not collect special category data. We do not collect data from third parties. We do not use any automated profiling or tracking technologies beyond standard website analytics.
4. How we use your data
We use the personal data described above for the following purposes:
- Responding to enquiries and conducting discovery conversations about the Orca service
- Setting up and managing your Orca licence and configuration
- Communicating with you about the service, including updates, maintenance notices, and support
- Processing billing and maintaining financial records
- Complying with legal and regulatory obligations
We do not sell personal data. We do not use personal data for marketing purposes beyond communications directly related to the Orca service and offerings from OMG Center Limited that are directly relevant to your existing engagement with us.
5. Lawful basis for processing
Our processing of personal data is based on the following lawful grounds under UK GDPR:
Contract performance (Article 6(1)(b))
The primary basis for processing is the performance of the contract between OMG Center Limited and the client. This covers the use of contact and company details to deliver, configure, and support the Orca service.
Legal obligation (Article 6(1)(c))
We retain financial and billing records as required under UK company and tax law.
Legitimate interests (Article 6(1)(f))
Where we retain communication records or conduct standard website analytics, we do so on the basis of legitimate interests: specifically, the interest in understanding the effectiveness of our communications and in maintaining accurate records of the service relationship. We have assessed that these interests are not overridden by client rights and freedoms.
6. Your operational data
Orca is designed around a clear principle: your operational data belongs to you and remains within your own systems at all times.
When Orca connects to your Microsoft 365 or Google Workspace account, it authenticates using OAuth tokens issued directly to your account. Those tokens are stored in your own operating system's secure credential store, not on any OMG Center server. Your emails, calendar events, and contact data are retrieved directly by the Orca application running on your device, processed locally or within your own Supabase database instance, and never transmitted to OMG Center.
The architecture means that:
- You are the data controller for all operational data processed by Orca
- You are also the data processor, in that the processing takes place within your own infrastructure
- OMG Center Limited does not act as a data processor in relation to your operational data
- OMG Center Limited cannot access, retrieve, or view your operational data
- No data subject access request directed to OMG Center would yield any of your operational data, because we do not hold it
If you use AI model APIs (such as OpenAI or Anthropic) within your Orca instance, those connections are made using your own API keys. Any data sent to those services is governed by your agreement with the relevant AI provider, not by this policy.
7. Third-party services your Orca instance connects to
The following services may be connected to your Orca installation. In each case, these are connections made by your Orca application using your own credentials and accounts. OMG Center Limited is not a party to the data flows between Orca and these services.
| Service | Purpose | Your relationship |
|---|---|---|
| Microsoft 365 | Email, calendar, contacts, Teams meetings | Your Microsoft tenant; governed by your Microsoft agreement |
| Google Workspace | Email, calendar, contacts (alternative to M365) | Your Google Workspace account; governed by your Google agreement |
| Supabase | Your Orca database, storing contacts, meeting records, tasks | Your own Supabase project instance; you own the database |
| OpenAI / Anthropic | AI model access for Orca's assistant capabilities | Your own API keys; governed by your agreement with the provider |
| Recall.ai (if configured) | Meeting transcription | Your own Recall.ai account; governed by your agreement with Recall.ai |
OMG Center Limited uses Calendly to manage discovery call bookings. Calendly's data handling is governed by its own privacy policy. The personal data shared with Calendly (name, email, any information provided in booking notes) is handled by Calendly as data processor, with OMG Center as data controller for that data.
8. Data retention
We retain personal data for the following periods:
| Data type | Retention period | Basis |
|---|---|---|
| Client contact and company details | Duration of licence + 2 years | Service relationship management |
| Billing and financial records | 7 years from transaction date | UK legal requirement (Companies Act, HMRC) |
| Pre-contract enquiries (no contract entered) | 12 months from last contact | Legitimate interests |
| Service correspondence | Duration of licence + 2 years | Service relationship management |
Once the relevant retention period has passed, personal data is securely deleted or anonymised.
9. Your rights under UK GDPR
As a data subject, you have the following rights in relation to the personal data described in this policy:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to rectification: You may request correction of inaccurate or incomplete personal data.
- Right to erasure: You may request deletion of your personal data where there is no lawful basis for continued processing.
- Right to restriction: You may request that we restrict processing in certain circumstances, for example while a rectification request is being assessed.
- Right to data portability: Where processing is based on consent or contract and is carried out by automated means, you may request a machine-readable copy of your data.
- Right to object: You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making: We do not make automated decisions that have legal or similarly significant effects on individuals. This right is not currently applicable.
To exercise any of these rights, contact us at chris@simmance.ai. We will respond within one calendar month. There is no charge for a request unless it is manifestly unfounded or excessive.
If you are not satisfied with how we have handled your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. International transfers
Our own data handling operations are based in the UK. The personal data described in this policy is primarily stored and processed within the UK or the European Economic Area.
Where we use third-party tools such as Calendly, data may be transferred to and processed in the United States. In those cases, we rely on the service provider's own transfer mechanisms (such as Standard Contractual Clauses or equivalent frameworks) and their compliance with applicable data protection law.
The third-party services connected to your Orca instance (Microsoft 365, Google Workspace, Supabase, AI providers) are governed by your own agreements with those providers. Any international transfers arising from those connections are your responsibility and are governed accordingly.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify active clients by email and update the version number and date at the top of this document. Continued use of the Orca service after notification constitutes acceptance of the revised policy.
The current version is always available at simmance.ai/legal/data-protection-policy.
12. Contact
For any queries about this policy, to exercise your rights, or to raise a concern about how your personal data is handled, contact:
- Chris Simmance, OMG Center Limited
- Email: chris@simmance.ai
- Company No. 14169551, registered in England and Wales
We aim to respond to all data protection queries within five working days and to formal rights requests within one calendar month.