This Privacy Policy explains how AppOn Software Private Limited (“AppOn”, “we”, “us”) collects, uses, stores and protects information in connection with the OminiSight application (the “Service”) available at https://ominisight.net. OminiSight is an invite-only internal workspace used by AppOn personnel and authorised partner studios.
1. Who this policy applies to
This policy applies to every person who signs into OminiSight, every Google account that has been connected by an authorised administrator, and every visitor to the public-facing pages on ominisight.net. It does not apply to third-party services we link out to (such as Google’s own products), which have their own privacy policies.
2. Information we collect
2.1 Account information you give us directly
- Your full name and corporate email address.
- An encrypted password (bcrypt, work factor 12).
- The role and permissions assigned to you by an administrator.
- Optional preferences (theme, notification settings).
2.2 Information we collect when you use the Service
- Session identifiers stored in an HttpOnly, SameSite=Strict cookie named OMNISIGHT_SESSID.
- A hashed session fingerprint derived from your IP address and User-Agent, used to detect session hijacking.
- Sign-in timestamps and audit-log entries for sensitive actions (administrative changes, permission edits, OAuth connect / disconnect events).
2.3 Information we receive from Google APIs
When an authorised administrator connects a Google account to OminiSight, we receive only the data covered by the OAuth scopes shown on Google’s consent screen. We do not request additional scopes silently. The exact scopes and what they let us read are listed below.
| Google API | OAuth scope(s) requested | What we read |
|---|---|---|
| Google Ads API | https://www.googleapis.com/auth/adwords | Read: campaign, ad-group, ad and conversion performance, and account-level spend for accounts the signed-in user has access to. Write (user-driven, inside OminiSight only): campaign-level daily budget changes, target ROAS adjustments, ad-group CPC bid changes, and campaign targeting criteria updates (locations and demographics). Planned (future): programmatic campaign creation. Every write is initiated by an explicit user action inside the dashboard and is restricted to Google Ads accounts the signed-in user has direct access to. OminiSight never performs autonomous or bulk mutations. |
| AdMob API | admob.readonly, admob.report | Read AdMob mediation and revenue reports for the signed-in publisher’s account. |
| Google Play Developer API | androidpublisher, devstorage.read_only | Read sales reports, earnings and statistics for apps the signed-in user owns in Play Console. |
| Google Drive API | drive.file | Open, read or write only the specific files the user explicitly selects using the Google Picker or that OminiSight itself creates on the user’s behalf. We never enumerate or browse the rest of the user’s Drive. |
| OpenID Connect | openid, email, profile | Identify the connecting Google account by display name, email and account ID. |
| Firebase / GA4 Data API (service account) | Analytics Viewer IAM role | Query GA4 properties belonging to your Google Cloud project. The service-account JSON is uploaded by an administrator; no end-user OAuth is involved. |
| BigQuery (service account) | BigQuery Data Viewer IAM role | Read raw GA4 export tables and any dataset you grant the service account access to. |
2.4 What we do not collect
- We do not read your Gmail, Calendar, Contacts or any other Google product not listed above.
- We do not access files in your Drive other than those you explicitly pick or that we create.
- We do not collect biometric, financial-account or government-ID information.
- We do not run third-party analytics, advertising or behaviour-tracking scripts on OminiSight.
3. How we use information
We use the information described above strictly to provide the Service:
- Authenticate you and keep your session active.
- Display unified revenue, analytics and operations dashboards.
- Generate the advisory marketing-intelligence insights you request.
- Send the notifications you (or your administrator) configure.
- Maintain an audit log for security and compliance.
- Investigate and respond to security incidents and abuse.
We do not use information received from Google APIs to serve advertising, to build profiles for advertising, to train generalised AI/ML models, or to determine credit-worthiness. We do not sell or rent any personal information.
4. How we store and protect information
- OminiSight runs on infrastructure controlled by AppOn Software Private Limited. Data is stored in MongoDB.
- OAuth refresh tokens, service-account keys and OAuth client secrets are encrypted at rest using AES-256-GCM with keys derived from a server-side master secret.
- All connections to the Service are protected with TLS (HTTPS). HSTS is enabled.
- Session cookies are HttpOnly, SameSite=Strict and Secure.
- A strict Content Security Policy, X-Frame-Options DENY and other defensive headers are applied to every response.
- Access to administrative pages is gated by a granular permission model; only administrators can connect Google accounts or change OAuth credentials.
5. How long we keep information
- Account records — retained while your account is active. Deleted within 30 days of an administrator removing the account, unless retention is required by law.
- OAuth refresh tokens — retained until you (or an administrator) disconnect the Google account from OminiSight, or until Google revokes the token.
- Cached analytics data — Firebase event caches expire automatically (typically within 1–24 hours).
- Audit log — retained for up to 24 months for security review.
- Session records — expire automatically per the configured session lifetime.
6. Sharing of information
We do not sell, rent or trade personal information. We share information only in the following limited circumstances:
- With Google. When OminiSight makes an API request to a Google service on your behalf, your request is sent to Google. This is intrinsic to using a Google API.
- With other OminiSight users in your organisation. Dashboards, timelines and notifications you contribute to are visible to teammates whose permissions allow it.
- With service providers strictly needed to run the Service. For example, the cloud or hosting provider that runs our servers, under contractual confidentiality.
- When required by law. We may disclose information if required by a valid legal process in India or another applicable jurisdiction.
We never share Google user data with any third party for advertising, profiling or model training.
7. Your choices and rights
- Revoke OAuth access at any time from inside OminiSight (Settings → Connections → Disconnect) or from your Google account at myaccount.google.com/permissions. Revocation immediately stops further API access; we will delete the corresponding refresh token from our store.
- Request a copy of the personal information we hold about you.
- Request correction of information you believe is inaccurate.
- Request deletion of your account, subject to legal retention requirements.
- Object to processing or withdraw any consent you have given.
To exercise any of these rights, contact swaroop@appon.co.in. We respond within 30 days.
8. International transfers
AppOn Software Private Limited is based in India. By using the Service you understand that your information may be processed in India and other locations where our infrastructure providers operate. We use contractual and technical safeguards to keep your data protected wherever it is processed.
9. Children
OminiSight is an internal tool intended only for employees and authorised partner staff aged 18 or above. It is not directed at children and we do not knowingly collect information from anyone under 18.
10. Security incidents
If we become aware of a security incident that affects your information, we will notify the affected administrators and users without undue delay, and within any timeframe required by applicable law.
11. Changes to this policy
We may update this policy from time to time. We will post the updated version on this page and change the “Last updated” date. If the changes are material we will also notify administrators via email or in-app message before the changes take effect.
12. Contact us
AppOn Software Private Limited
Data Protection contact: swaroop@appon.co.in
Product: OminiSight — https://ominisight.net