Privacy Policy

How Omni Flash collects, uses, and shares personal data — including data handed off to Stripe for payment processing and to third-party AI model providers.

2026/05/20

Last updated: 20 May 2026.

1. Who we are

Omni Flash ("we", "us", "the service") operates the AI video creation platform at omniflash-ai.com. We are an independent service and are not affiliated with Google. Gemini, Gemini Omni, Omni Flash, Veo, YouTube Shorts, and related names are trademarks of their respective owners.

For privacy questions or to exercise your rights under this policy, contact us at support@omniflash-ai.com.

2. Information we collect

We collect only what is needed to operate the service.

CategoryExamples
Account dataEmail, hashed password or third-party authentication identifier (e.g. Google), display name
Usage dataPrompts you submit, workflow choices, generated outputs, credit balances, activity timestamps
Device & connection dataIP address, user agent, OS, approximate region — used for security, abuse prevention, and aggregate analytics
CommunicationsMessages you send to support or via the contact form
Billing & subscription dataPlan, status, billing email, last 4 digits of card, country, ZIP/postal code. We do not see or store full card numbers, CVCs, or expiry dates — those go directly to Stripe

We do not collect special-category data (race, religion, biometric data, etc.) and do not knowingly collect data from children under 13.

3. How we use information

  • To operate the service: run generations, allocate credits, fix bugs, maintain security.
  • To authenticate you and protect accounts from abuse.
  • To bill subscriptions and process credit purchases through Stripe.
  • To send transactional emails (sign-in links, billing receipts, account notifications). Marketing email requires a separate opt-in.
  • To meet legal obligations, respond to lawful requests, and enforce our Terms of Service.

We do not sell your personal data, and we do not use prompts or generated outputs to train AI models.

4. Payment processing (Stripe)

When you subscribe to a paid plan or buy credits, payment is handled by Stripe, Inc. (https://stripe.com), a PCI-DSS Level 1 certified payment processor.

  • Card details are entered directly into Stripe's secure form and never reach our servers.
  • Stripe stores, processes, and protects card data under its own privacy policy: stripe.com/privacy.
  • We receive only billing metadata: plan, subscription status, last 4 digits of card, ZIP/postal code, and a Stripe customer ID used to issue refunds and manage subscriptions.
  • Stripe may use device fingerprinting and other signals for fraud prevention, governed by its own policies.
  • Stripe processes payment data on our behalf as a "service provider" under California law and as a "processor" under EU/UK law, under appropriate Data Processing Agreements.

If you initiate a chargeback through your bank, Stripe and your bank will receive transaction information necessary to handle the dispute. See Section 9 of the Terms of Service for our refund and chargeback policy.

5. Third-party AI model providers

Omni Flash is designed to work with available AI video generation backends. When you submit a prompt or upload reference media:

  • Your prompt and any uploaded media are transmitted to the selected model provider (for example, providers exposing Veo 3 / Veo 3.1).
  • The provider processes the input under its own terms and privacy policy.
  • Generated outputs are returned to Omni Flash and stored in association with your account.
  • We do not sell prompts or generated outputs to third parties, and we do not allow providers to train their general-purpose models on your inputs unless their terms explicitly permit and you have agreed.

Provider terms and capabilities may evolve. By using the service you acknowledge that prompts and uploads are shared with the selected model provider as needed to generate the requested output.

6. Other service providers (sub-processors)

We rely on a small set of vetted service providers to run the service. Each is bound by contract and processes data only as instructed by us.

ProviderPurposeRegion
Cloudflare, Inc.Hosting, CDN, edge runtime, D1 (database), R2 (object storage)Global edge
Stripe, Inc.Payment processing, subscription billingUS, with PCI-compliant global coverage
Google LLC (Sign-in with Google)Optional OAuth sign-inUS
Resend, Inc. / Cloudflare EmailTransactional email delivery (configurable)US / EU
AI model providersGenerative video and prompt enhancement (see §5)Provider-dependent

The current list may evolve; we will update this page when new sub-processors are added.

7. Cookies and similar technologies

We use cookies and similar technologies for: sign-in sessions, CSRF protection, UI preferences (theme), aggregate analytics, and Stripe's checkout/fraud-detection flow. See the Cookie Policy for details and your choices.

8. Data retention

  • Account data is retained while your account is active and for up to 90 days after deletion for security, dispute resolution, and legal compliance.
  • Prompts and generations are retained for the lifetime of your account, unless you delete them through the product or request deletion.
  • Billing records are retained for at least 7 years to meet tax and accounting obligations.
  • Server logs are retained for 30–90 days.

9. International data transfers

The service runs on global edge infrastructure (Cloudflare) and your data may be processed in regions other than where you reside, including the United States. Where required, we rely on appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses for transfers from the European Economic Area and the United Kingdom, and equivalent mechanisms for other regions.

10. Your rights

Depending on your jurisdiction, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data ("right to erasure").
  • Restrict or object to certain processing.
  • Port your data in a structured, machine-readable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

To exercise any of these, email support@omniflash-ai.com. We respond within 30 days.

California residents (CCPA / CPRA)

We do not sell personal information and do not share it for cross-context behavioral advertising. California residents may request access to or deletion of personal information, and may designate an authorized agent to make those requests. We do not discriminate against users who exercise their rights.

EEA / UK / Swiss residents (GDPR / UK GDPR / FADP)

Our legal bases for processing are: contract (to operate the service you signed up for), legitimate interests (security, fraud prevention, product improvement), legal obligation (tax, accounting), and consent (marketing email, where applicable).

11. Children

The service is not intended for children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us and we will delete it.

12. Voice, likeness, and AI-avatar workflows

AI avatar and voice-related workflows must only be used with proper consent and rights to the underlying voice and likeness. We do not permit impersonation, unauthorized voice cloning, deepfakes of real people without consent, or other deceptive identity misuse. Accounts that violate this are suspended and may be reported to law enforcement where appropriate. See the Acceptable Use section of our Terms.

13. Security

We use industry-standard practices, including:

  • Encrypted connections (HTTPS / TLS 1.2+) everywhere.
  • Hashing of passwords (where stored locally) using modern KDFs.
  • Isolated cloud infrastructure with least-privilege access.
  • Payment data handled exclusively by Stripe under PCI-DSS Level 1 certification.

No system is perfectly secure. You are responsible for safeguarding your account credentials and for using a unique password.

14. Changes to this policy

We may update this policy from time to time. Material changes will be announced via the service or by email at least 7 days before they take effect. Continued use after the effective date constitutes acceptance.

15. Contact

For privacy questions, data subject requests, or to designate an authorized agent, email support@omniflash-ai.com.