LEGAL_PROTOCOL_V1.0

Privacy & Data Sovereignty Policy

OMEGA is not a service. It is a tool. We provide the code; you provide the infrastructure. This architecture ensures that we cannot see, store, or sell your data because we never touch it.

Data Sovereignty Manifesto

Privacy is not a setting; it is the architecture. OMEGA operates on a Zero-Knowledge basis regarding your financial life.

// THE CORE PRINCIPLE

"Your data never touches our servers because OMEGA does not operate servers for your financial data."

User-Managed Data Processing

All data processing occurs within your personal infrastructure. You are the Data Controller and the Data Processor.

OMEGA-CORE (Docker)

  • API Keys (Binance, OpenAI, etc.)
  • Raw Financial Balances
  • Asset Tickers & Allocations

Resides on your hardware (Raspberry Pi, VPS, Localhost).

OMEGA-CLOUD (Supabase)

  • Historical Snapshots
  • User Authentication (Auth)
  • Row Level Security (RLS) Policies

Hosted in your personal Supabase project.

Third-Party API Integration

OMEGA acts as a bridge between your local environment and external services. These connections are direct and do not pass through OMEGA infrastructure.

Supabase (BaaS)

You contract directly with Supabase. Your database credentials (service_role_key, anon_key) are stored in your local .env file. OMEGA has no access to your instance.

Groq & LLMs

When using AI features, data sent for analysis (e.g., "Summarize this portfolio performance") is transmitted directly from your omega-core container to the provider (Groq, OpenAI). This data is subject to your personal API agreement with those providers.

Exchanges & Market Data

The Engine queries exchanges (Binance, Coinbase) and data providers (Yahoo Finance) directly from your IP address. No proxy servers are used.

Security Responsibility

Shared Responsibility Model: OMEGA provides secure code patterns (RLS, Environment Variable management), but you are responsible for:

  • Securing the hardware running omega-core.
  • Managing access to your Supabase project.
  • Keeping your API keys private and rotating them if compromised.
  • Ensuring your Docker container is not exposed to the public internet without proper safeguards (VPN, Reverse Proxy).

GDPR & Data Rights

Under GDPR, you have the Right to Access, Rectify, and Erase your data. In the OMEGA architecture, these rights are intrinsically fulfilled by your ownership:

Right to Access

You have direct SQL access to your entire database via Supabase.

Right to Rectify

You can modify any record directly in your database tables.

Right to Erasure

Deleting your Supabase project permanently destroys all data.

Changes to this Policy: While our core architecture of "Zero-Knowledge" will not change, we may update this document to reflect new features or legal requirements. Check this page periodically.

Last Updated: January 2026