Privacy Policy
Omnisio is NOT a medical device, NOT a doctor, NOT a hospital, and NOT a pharmacy. It is a wellness and longevity coaching application. Data, scores, and AI suggestions are NOT intended to diagnose, treat, cure, or prevent any disease. Always consult a qualified healthcare professional before acting on any insight from the app.
1. Who We Are
This Privacy Policy describes how Oney Finansal Danismanlik Turizm ve Dis Ticaret A.S. ("Omnisio", "we", "us") collects, uses, and shares your personal data when you use the Omnisio mobile application (iOS) and related services.
- Legal entity: Oney Finansal Danismanlik Turizm ve Dis Ticaret A.S.
- Registered in: Turkiye
- Tax ID: 6430768526
- Trade Registry: 386006-5
- VERBIS Registration No: 74691528
- Data controller contact: privacy@omnisio.app
- DPO inquiries: dpo@omnisio.app
2. Important Disclaimer
Omnisio is a wellness coach — it will NEVER prescribe medication, recommend specific supplement dosages, or replace your physician's judgement. If a wellness reference range looks off, please discuss the result with your physician.
3. Data We Collect
3.1 Account & Profile
- Name (full name, optional display name)
- Email address
- Date of birth
- Biological sex (for wellness calculations)
- Country / locale
- Avatar image (optional, uploaded by you)
- Sign-in provider (Apple ID, Google, or email/password)
3.2 Wellness & Wearable Data
- Heart rate (resting, continuous)
- Heart rate variability (HRV)
- Sleep duration and stages (light, deep, REM)
- Activity (steps, active minutes)
- Skin temperature (where supported by the wearable)
- Self-reported logs (mood, and menstrual cycle if you opt in)
3.3 Device & Usage Data
- Device model, iOS version, app version
- IP address (at the time of API request, for security)
- Crash logs and diagnostic events (anonymized)
- Push notification token (when you enable notifications)
3.4 Payment Data
We do NOT store credit card numbers. Subscription purchases are processed by Apple App Store and RevenueCat (our subscription management provider).
4. How We Use Your Data
| Purpose | Legal basis |
|---|---|
| Provide the Omnisio app and core features | Contract (service delivery) |
| Wellness insight calculation (recovery, HRV, sleep) | Contract |
| Optional AI personalization (Today's Insight, Food Scanner) | Explicit consent (you can revoke anytime) |
| Subscription management and billing | Contract |
| Account security and fraud prevention | Legitimate interest |
| Diagnostic and crash analytics | Legitimate interest |
| Service communications (account, billing, security) | Contract |
| Marketing emails (opt-in only) | Consent |
5. Apple Health (HealthKit) Integration
Omnisio can read health data from Apple Health if you grant permission in iOS Settings. We read:
- Heart rate, HRV, resting heart rate
- Active energy burned, steps, exercise minutes
- Sleep analysis (sleep stages where available)
- Body temperature, oxygen saturation (where available)
Apple Health data is processed on-device and sent to our servers only if you have an active Omnisio session and have not disabled cloud sync.
Per Apple HealthKit terms: We do NOT use HealthKit data for advertising or marketing. We do NOT share HealthKit data with third parties for their own purposes.
6. Wearable Device
Omnisio pairs with a consumer-grade wellness wearable via Bluetooth Low Energy. The wearable is CE-marked for general consumer wellness use and is NOT a medical device. It does not hold FDA, CE-MDR, or TITCK medical clearance.
Wearable data is read on-device, then uploaded to our servers when the app is open and you are signed in.
7. AI Service Data Sharing
7.1 What We Send
When you opt in to AI-powered features (Today's Insight, Food Scanner), Omnisio sends the following data to Google Gemini 2.5 Flash via the fal.ai infrastructure:
- Today's Insight: Anonymized recovery score, HRV summary, sleep score, age range, biological sex
- Food Scanner: The food photo you capture
- All requests: Locale (e.g. "tr-TR") and a session identifier
7.2 What We Do NOT Send
- Your name, email, phone number
- Your location or IP address (requests are made server-side from the Omnisio backend; Gemini sees only Omnisio's IP)
- Medical history, medications, government identifiers
- Other users' data
7.3 Recipient & Retention
- Recipient: Google LLC ("Google Gemini API") — see Google's privacy policy
- Sub-processor: fal.ai (model routing infrastructure) — see fal.ai privacy policy
- Retention by Google: Per Gemini API terms — standard processing only, NOT used for model training when accessed via the paid API tier we subscribe to
- Retention by fal.ai: Standard logging for service reliability; no model training use
- Retention by Omnisio: AI responses are cached for up to 24 hours to reduce duplicate cost; no personal data is included in cached payloads
7.4 Your Consent
Before any AI feature is used, Omnisio shows the AI Consent Screen describing the above. You may:
- Accept — AI features are enabled
- Decline — AI features remain disabled; the app functions fully without them
- Revoke — at any time in Settings → Privacy → AI Personalization. Future AI requests stop immediately. Past requests cannot be recalled, but no further data will be sent.
7.5 Equal Protection
Both Google and fal.ai contractually provide protection equivalent to or stronger than this Privacy Policy. We have reviewed their data processing agreements (DPAs) and are satisfied they meet GDPR Article 28 and KVKK Article 12 requirements.
8. Subscription & Payment
Subscriptions are sold and processed by Apple App Store. We use RevenueCat as our subscription receipt aggregator. RevenueCat receives:
- Your anonymous Apple User ID (a long opaque string, not your email)
- Receipt verification token from Apple
- Subscription product ID and renewal status
- Country code (for tax compliance)
RevenueCat does NOT receive your name or email. See RevenueCat privacy policy.
9. Other Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Firebase Authentication (Google) | Sign-in (Apple, Google, email) | Email, sign-in token |
| Apple App Store | Subscription purchases | Apple User ID, receipt |
| RevenueCat | Subscription receipt management | Anonymous user ID, receipt |
| Google Gemini API (via fal.ai) | Optional AI features (consent required) | See §7 |
| Sentry / crash reporting | Crash diagnostics | Crash stack trace (no PII) |
| Apple Push Notifications | Notifications | Device push token |
10. Data Storage & Transfers
- Primary data centers: Turkiye and European Union (AWS Frankfurt eu-central-1)
- Cross-border transfers: Apple, Google, and RevenueCat are based in the United States. Transfers from the EU are covered by Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework. Transfers from Turkiye use the KVKK Article 9 (commitment letter) framework.
11. Your Rights (KVKK / GDPR / CCPA)
You have the right to:
- Access your data and receive a copy (in-app: Settings → Data & Privacy → Export)
- Rectify inaccurate data
- Delete your account and data (Settings → Data & Privacy → Delete)
- Restrict processing
- Object to processing based on legitimate interests
- Portability — receive your data in machine-readable format
- Withdraw consent for AI features (Settings → Privacy → AI Personalization)
- Lodge a complaint with KVKK (Turkiye), your EU supervisory authority, or your local data protection authority
To exercise these rights, contact privacy@omnisio.app. We respond within 30 days (KVKK Article 13).
12. Data Retention
| Data type | Retention period |
|---|---|
| Account profile | Until you delete your account |
| Wellness / wearable data | Until you delete your account (or 36 months of inactivity) |
| AI feature requests (cached) | Up to 24 hours |
| AI feature audit log (who consented, when) | Until you delete your account |
| Crash diagnostics | 90 days |
| Subscription receipts | 7 years (tax / accounting requirement) |
| Marketing email opt-in records | Until you unsubscribe |
13. Children
Omnisio is NOT intended for users under 16 years of age. We do not knowingly collect data from users under 16. If you believe we have collected such data, contact privacy@omnisio.app and we will delete it.
14. Security
We use:
- HTTPS / TLS 1.3 for all network communication
- Encryption at rest (AES-256-GCM) for sensitive fields
- Bcrypt hashing for password storage (where applicable)
- Multi-factor authentication available for accounts
- Audit logging for all administrative actions
- Annual third-party penetration testing (target: Q4 2026)
No system is 100% secure. If you suspect a breach, contact security@omnisio.app.
15. Changes to This Policy
We will notify you of material changes via:
- In-app banner on next launch
- Email to your registered address (if material)
- Updated "Effective Date" at the top of this page
Continued use after notification constitutes acceptance.
16. Contact
- General privacy: privacy@omnisio.app
- DPO inquiries: dpo@omnisio.app
- Security disclosures: security@omnisio.app
- KVKK requests: kvkk@omnisio.app
- Phone: +90 532 666 00 77
- Postal: Oney Finansal Danismanlik Turizm ve Dis Ticaret A.S., Esentepe mah, Kore Sehitleri cad, Yonca Apt A blok No:1-3, Kat:1, Daire:6, 34394 Sisli/Istanbul/Turkiye