Privacy Policy

Effective date: February 19, 2026

eomer AI (“eomer AI”, “we”, “our”, or “us”) is incorporated in Singapore and acts as the data controller for personal data processed through this website (eomer.ai). This Privacy Policy explains what data we collect, why we collect it, how we use and protect it, and your rights regarding that data.

If you have questions, contact us at contact@eomer.ai.

1. Data We Collect

We collect only the data necessary to operate and secure the service.

Account data

  • Name and email address (required for registration)
  • Company name (optional, provided at registration)
  • Password - stored as a bcrypt hash only; the plaintext password is never retained
  • A normalised (lowercased) email hash used internally for lookups
  • Privacy consent timestamp - the date and time you accepted this policy at registration

Session data

  • Session ID, creation time, last-seen time, and expiry (7-day TTL)
  • A hashed representation of your IP address and browser user-agent at session creation - used for anomaly detection only

Authentication audit log

  • Event type (e.g. login, logout, password reset), timestamp, success flag
  • Hashed email and hashed IP - no plaintext PII is stored in audit records
  • Browser user-agent string

Lead and demo-request data

  • Name, email, company, and an optional message submitted through our contact or demo-request forms

Technical data

  • IP address - used transiently for rate limiting; hashed before any persistent storage
  • Browser and device information via HTTP user-agent header

2. How We Use Your Data

  • Account management - to create, authenticate, and maintain your account
  • Email communications - to send email verification links, password-reset emails, and, where you have consented, product updates
  • Security and fraud prevention - rate limiting abusive requests, detecting anomalous session activity, and maintaining an audit trail
  • Product improvement - understanding aggregate usage patterns (no individual profiling)
  • Legal compliance - meeting obligations under applicable law

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Consent - you provide explicit consent at registration (recorded as privacyConsentAt)
  • Contract performance - processing necessary to provide your account and the services you request
  • Legitimate interests - security monitoring, fraud prevention, and rate limiting, where our interests do not override your fundamental rights

For users in the EU/EEA, these bases correspond to GDPR Article 6(1)(a), (b), and (f) respectively. For users in Singapore, processing is conducted in accordance with the Personal Data Protection Act 2012 (PDPA).

4. Third-Party Processors

We share data with the following sub-processors solely to operate the service:

  • Vercel - application hosting and global CDN; receives all server-side request data including IP addresses
  • Neon - managed PostgreSQL database; stores all account, session, audit, and lead records
  • Resend - transactional email delivery; receives recipient email addresses and message content for verification and password-reset emails
  • Upstash - Redis-based distributed rate limiting; receives only hashed IP+email keys - no plaintext PII is transmitted
  • Cloudflare Turnstile (optional) - bot-protection challenge on sign-up and password-reset forms; processes browser signals to distinguish humans from automated requests
  • Have I Been Pwned (Pwned Passwords) (optional) - password breach screening; only the first 5 characters of a SHA-1 hash of your password are transmitted using the k-anonymity protocol; your email address and account identity are never sent

We do not sell personal data to any third party.

5. Data Retention

  • Sessions - expire automatically after 7 days; you may revoke sessions at any time via account settings
  • Authentication audit logs - retained for 12 months from the date of each event, then deleted
  • Account data - retained until you request deletion (see Your Rights below)
  • Lead/demo-request data - retained for as long as necessary for legitimate business purposes; you may request deletion at any time by contacting us
  • Password reset tokens - expire after 1 hour and are single-use; the plaintext token is never stored (only a SHA-256 hash)

6. Your Rights

You have the following rights regarding your personal data:

  • Access - request a copy of all data we hold about you via GET /api/privacy/export (requires authentication)
  • Deletion - request deletion of your account and associated data via POST /api/privacy/delete (requires authentication); this performs a soft-delete and revokes all active sessions
  • Correction - contact us to correct inaccurate data
  • Portability - the export endpoint returns data in machine-readable JSON format

Users in the EU/EEA additionally have rights under GDPR Articles 15–22, including the right to object to processing and to lodge a complaint with a supervisory authority.

To exercise any right, contact us at contact@eomer.ai. We will respond within 30 days.

7. Security

We implement industry-standard security controls, including:

  • Passwords hashed with bcrypt (never stored in plaintext)
  • Sessions managed via HS256-signed JWTs stored in HTTP-only, Secure, SameSite=Strict cookies
  • HTTPS enforced with HTTP Strict Transport Security (HSTS)
  • Nonce-based Content Security Policy (CSP) to mitigate XSS attacks
  • Distributed rate limiting on all authentication endpoints
  • No plaintext PII in audit logs (hashed values only)

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Cookies

We use a single strictly necessary session cookie. For full details, see our Cookie Policy.

9. Children

Our service is not directed to individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us immediately and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the effective date at the top of this page and, for material changes, notify registered users by email.

11. Contact

For privacy-related enquiries, to exercise your rights, or to report a concern:

eomer AI
Singapore
contact@eomer.ai