OmegaPLC

Privacy policy

Last updated: 2026-05. This document is a working draft and should be reviewed by qualified counsel before public launch.

1. Controller

OmegaPLC (the "Service") is operated by the OmegaPLC project owner. For questions about this policy contact the operator at the address listed in the application footer.

2. Data we collect

  • Account data — email and display name (provided by Clerk on sign-up). Email is stored encrypted at rest using libsodium XChaCha20-Poly1305 envelope encryption; a deterministic SHA-256 hash is also stored to enable duplicate detection.
  • Workspace data — workspace name, slug, member list, and member roles.
  • Audit content — L5X / XG5000 files you upload, the resulting findings, and any AI explanations produced by your own Gemini API key. Source bytes are deleted from the processing store after the audit completes.
  • Provider keys — Gemini API keys you register (BYOK). Keys are encrypted at rest with the same KMS envelope. We never log or transmit your plaintext key outside the audit pipeline.
  • Operational logs — request method, URL, truncated IP hash, user-agent hash, audit event metadata (no payload bodies). Retained 90 days.

3. Third-party processors

  • Clerk — authentication. Receives your email, name, and authentication factors.
  • Neon (Postgres) — primary database.
  • Upstash (Redis) — audit job queue.
  • Vercel — web frontend hosting.
  • Fly.io — API and worker process hosting.
  • Google Cloud (Gemini API) — receives the finding text plus minimal project context (controller name, tag and module counts) using your BYOK key. We do not send full L5X source content to Gemini.
  • Sentry — error monitoring (optional, may be disabled by the operator).

4. Legal basis (GDPR)

We process personal data on the basis of (a) the contract you enter into by signing up, (b) our legitimate interest in operating and securing the Service, and (c) your consent for optional analytics cookies where applicable.

5. Your rights

Under GDPR and Korean PIPA you may request access, rectification, erasure, portability, or restriction of your personal data, and object to processing. To exercise these rights, contact the operator. We respond within 30 days.

6. Data retention

Account and workspace data are retained while your account is active. Audit reports and findings are retained until you delete them or close your account. Operational logs are retained 90 days. Backups are retained 30 days after which they are securely destroyed.

7. International transfers

Production infrastructure is hosted in Tokyo (Fly.io nrt, Neon and Upstash equivalent). Gemini API requests may be processed in any region where your Google Cloud project routes them. We rely on standard contractual clauses where applicable.

8. Changes

We will post material changes to this policy on this page and update the "Last updated" date. Significant changes will also be sent to your registered email.