How do you define 'tested users'?

A tested user is any visitor included in any experiment (A/B Testing, Personalization, or Survey) and visible in the reporting area. For example, if 500 users see the control page and 500 see the variation page in an A/B test, you consume 1,000 tested users.

Can the Omniconvert code be installed using Google Tag Manager?

Yes, you can install our code using GTM. However, this may slow down code deployment, causing issues like screen flickering during A/B tests or delayed triggering for popups.

Can Omniconvert be used for any type of website?

Omniconvert works for most self-hosted websites, including custom-coded sites, CMS platforms (e.g., WordPress, Joomla, Drupal), and eCommerce platforms (e.g., Shopify, Magento, BigCommerce). The main requirement is access to the source code to paste in Omniconvert's code.

Nexus Insights — Product Privacy Notice

Effective Date: February 25, 2026
Version: 1.0
Data Controller: Omniconvert SRL, 14 Vasile Stroescu Street, Bucharest 021374, Romania
Contact: privacy@omniconvert.com

This notice supplements the main Omniconvert Privacy Policy. It describes how Nexus Insights ("Nexus", "the Service") specifically processes data from your connected analytics integrations. Where this notice is silent, the main Omniconvert Privacy Policy applies.

1. What Is Nexus Insights?

Nexus Insights is an AI-powered analytics intelligence product that connects to your existing analytics platforms (e.g., Google Analytics 4, Omniconvert Reveal, ad platforms), detects anomalies and patterns across those sources, and generates actionable insights and A/B test hypotheses.

Nexus is a business-to-business (B2B) service. We process data on behalf of businesses (agencies, e-commerce brands) and do not directly collect data from their end customers. All data described in this notice belongs to you, the subscribing business.

2. Data We Access from Your Integrations

When you connect an integration to Nexus, we access only the data necessary to detect anomalies and generate insights. We never use your data to train our AI models or share it with third parties for their own purposes.

2.1 Google Analytics 4 (GA4)

Data accessed (legal basis: contract performance):

Traffic metrics — sessions, users, pageviews, bounce rate, engagement rate
Conversion data — conversion rates, funnel steps, goal completions, eCommerce transactions
Revenue data — revenue, average order value, transaction volume
Audience data — device type, channel, geographic region (country/region level only), new vs. returning
Product performance — product views, add-to-cart rate, product revenue
Site speed — Core Web Vitals, LCP, CLS, FID

We do NOT access: Individual user identifiers, IP addresses, precise geographic coordinates, or personally identifiable visitor data.

Google API Services Disclosure: Nexus uses Google Analytics Data API to access your GA4 property data. Your use of this integration is subject to Google's Terms of Service. Nexus's use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We use GA4 data only to operate Nexus (anomaly detection, insight generation, correlation analysis).
We do not sell or use GA4 data for advertising.
We do not allow humans to read your GA4 data unless you explicitly request support or it is required for security/legal obligations, and only after obtaining your consent.
You can revoke Nexus's access to your GA4 property at any time via your Google Account permissions page.

Retention: GA4 query results used for analysis are not stored raw. Only derived insights (anomaly descriptions, scores, recommendations) are stored in Nexus. When you disconnect your GA4 integration, no further data is queried. Historical insights remain available until you delete them.

2.2 Omniconvert Reveal

Data accessed (legal basis: contract performance):

Customer segments — RFM segment distribution (Champions, Loyal, At Risk, etc.) — aggregate counts only
Lifetime value — average CLV per segment, CLV trends
Purchase behavior — purchase frequency, recency distributions, repeat purchase rates (aggregated)
Retention metrics — churn indicators, segment migration rates
NPS data — NPS score, promoter/detractor ratios (aggregate)

We do NOT access: Individual customer email addresses, names, order histories, or any data that identifies specific end-customers.

Retention: Aggregated segment metrics used in analysis are not stored raw. Only derived insights are retained. On integration disconnect, no further data is queried.

2.3 CROBenchmark

Data accessed (legal basis: contract performance):

Audit scores — overall CRO score, category scores
Criteria status — pass/fail/partial status per audit criterion
Industry benchmarks — anonymous industry median metrics for comparison

Retention: Audit scores are stored to enable trend analysis and recurring opportunity detection. Data is deleted within 30 days of integration disconnect.

2.4 BrandFeel.ai

Data accessed (legal basis: contract performance):

Sentiment scores — overall sentiment score, sentiment trends
Topic analysis — aggregated review topics and theme distributions
Issue tracking — reported issue types and frequencies

We do NOT access: Individual review text, reviewer names, or any data that identifies specific reviewers.

Retention: Aggregated sentiment metrics are not stored raw. Only derived insights are retained.

2.5 Meta Ads (Ad Intelligence Module)

Own advertising data via Meta Marketing API (legal basis: contract performance):

Ad performance — CTR, CPA, ROAS, impressions, spend, conversions
Creative data — your own ad creative (images, video, copy) for performance correlation
Campaign structure — campaign names, ad set configurations

Competitor ad data via Meta Ad Library — public data (legal basis: legitimate interests):

Public competitor ads — ad creative, messaging, duration active, impression range (publicly disclosed by Meta)

This data is publicly available in Meta's Ad Library and is accessed programmatically to inform your ad intelligence briefs. We only collect ads for competitors you explicitly specify.

2.6 Google Ads (Ad Intelligence Module)

Own advertising data via Google Ads API (legal basis: contract performance):

Ad performance — CTR, CPA, ROAS, quality score, spend, conversions
Creative data — your own ad copy, extensions, responsive search ad assets

Competitor ad data via DataForSEO API — public data (legal basis: legitimate interests):

Public competitor search ads — visible ad copy from public search results

2.7 TikTok Ads (Ad Intelligence Module)

Own advertising data via TikTok Marketing API (legal basis: contract performance):

Ad performance — CTR, CPA, ROAS, video play rate, spend, conversions
Creative data — your own video ad thumbnails and copy

Competitor/trending ad data via TikTok Creative Center — public data (legal basis: legitimate interests):

Public trending ads — top-performing ad patterns publicly featured by TikTok

2.8 Gorgias (Ad Intelligence Module)

Data accessed (legal basis: contract performance):

Support ticket themes — categories of customer issues, topic frequencies (extracted by AI — see §3)
CSAT scores — customer satisfaction scores (aggregate)

PII in Support Tickets: Gorgias tickets may contain customer names, email addresses, and order details. Before any ticket content is processed by our AI or stored, it is automatically anonymized: customer names, email addresses, order numbers, phone numbers, and other direct identifiers are replaced with generic placeholders using pattern detection. Only anonymized, thematic content is processed and stored.

Retention: Anonymized extracted themes are retained for up to 90 days to enable trend analysis. Raw ticket content is never stored by Nexus.

3. How Artificial Intelligence Processes Your Data

Nexus uses a multi-agent AI system (built on LangGraph) to analyze your connected data and generate insights. Here is exactly how AI is used:

3.1 What AI Does

Detects statistically significant anomalies in your metrics
Correlates patterns across multiple data sources
Generates natural-language descriptions of insights (headlines, summaries, root cause analyses)
Creates A/B test hypotheses and recommendations
Decomposes ad creatives into structured components (hook, body, offer, CTA) for the Ad Intelligence module
Synthesizes competitive intelligence from your ad data and competitor public ads

3.2 Anonymization Before AI Processing

Before any data is sent to an external AI model, it is anonymized. Specifically:

Customer names, email addresses, phone numbers, and order IDs are removed from support ticket data
Individual user identifiers are not included in AI prompts
Prompts contain only aggregated metrics, percentages, and anonymized thematic content

External AI providers used to process your anonymized data:

Anthropic (Claude) — text insight generation, ad copy analysis, brief creation; receives anonymized metrics, ad copy text, thematic summaries
Google (Gemini) — video ad analysis; receives anonymized video content for structural analysis
OpenAI — ad image generation, ad copy generation; receives brief specifications and style directives (no customer data)
fal.ai (Flux, Kling) — image and video generation; receives creative briefs (no customer data)
Runway ML — video generation; receives creative briefs (no customer data)

3.3 No AI Training on Your Data

Your data is never used to train AI models — neither by Omniconvert nor by our AI sub-processors. All AI sub-processor contracts include explicit prohibitions on using customer data for model training.

3.4 No Automated Decisions with Legal Effects

Nexus does not make automated decisions that produce legal effects or similarly significant impacts on any individual. All AI-generated insights are recommendations for your review and action.

4. Sub-Processors

We use the following sub-processors to deliver the Nexus service. All sub-processors have been assessed for GDPR compliance and have signed Data Processing Agreements with Omniconvert.

Anthropic, PBC (USA) — LLM inference (insight generation, ad analysis) — Privacy Policy
Google LLC (USA) — Gemini LLM inference (video analysis) — Google DPA
OpenAI, LLC (USA) — GPT image generation, ad copy generation — Privacy Policy
fal.ai (USA) — Flux image generation, Kling video generation — fal.ai DPA
Runway AI, Inc. (USA) — Runway ML video generation — Privacy Policy
DigitalOcean, LLC (EU) — cloud infrastructure, database hosting (PostgreSQL) — DigitalOcean DPA
Amazon Web Services (EU) — S3 object storage for generated ad creative assets — AWS DPA

International Transfers: AI sub-processors are based in the USA. Data transfers to these processors are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, which provide equivalent protection to EU data protection law.

Sub-Processor Changes: We will notify you at least 30 days before adding or replacing any sub-processor that processes your data. You may object within this period; if the objection cannot be resolved, you may terminate your Nexus subscription.

5. Agency Multi-Property Model

If you use Nexus as an agency managing multiple client properties:

Data isolation: Each client property's data is strictly isolated. Users assigned to Property A cannot access data from Property B, even within the same agency account.
Access control: You control which team members can access each property.
Client responsibility: As an agency, you are responsible for having a lawful basis to connect your clients' analytics accounts to Nexus and for informing your clients about this processing.
Property deletion: When you remove a property from Nexus, all derived insights for that property are deleted within 30 days. No further data from that property is queried.

6. Data Retention

AI-generated insights and recommendations — until you delete them, or 12 months after last activity on the property
Analysis run metadata (no raw data) — 90 days
Ad intelligence briefs — until you delete them, or 12 months after generation
Gorgias anonymized ticket themes — 90 days
HITL review queue entries — 30 days after resolution
Insight feedback (your own feedback) — 24 months
Integration credentials (encrypted) — until you disconnect the integration

On Account Termination: All data associated with your Nexus account is deleted within 30 days of account closure, except where retention is required by law.

7. Security

Encryption at rest — all stored data is encrypted using AES-256
Encryption in transit — all API communication uses TLS 1.2 or higher
Credential security — integration API keys and OAuth tokens are stored encrypted using pgcrypto; keys are never logged
Access control — role-based access with property-level isolation
Anonymization — PII in support ticket data is automatically stripped before AI processing and storage
ISO 27001 — Omniconvert is ISO 27001 certified
Audit logging — all access to integration credentials and data is logged

8. Your Rights

As a subscriber (data controller for your own analytics data), you have the following rights regarding the data Nexus processes on your behalf:

Access — view all insights and data in your Nexus dashboard at any time
Deletion — delete individual insights via the dashboard, or request full account deletion by emailing privacy@omniconvert.com
Portability — export your insights as CSV or PDF from the dashboard
Disconnection — disconnect any integration at any time from Settings → Integrations
Correction — update your account information via Settings
Objection — if you object to a processing activity, contact privacy@omniconvert.com; we will assess and respond within 30 days

9. Contact

Data Controller: Omniconvert SRL 14 Vasile Stroescu Street Bucharest 021374, Romania Email: privacy@omniconvert.com General: contact@omniconvert.com

For data protection inquiries related to Nexus: privacy@omniconvert.com

10. Changes to This Notice

We will notify you via email and in-app notification at least 14 days before making material changes to this privacy notice. The current version is always available at https://www.omniconvert.com/privacy-policy-nexus/.

———

Google User Data

Nexus Insights ("Nexus", "we", "our") integrates with Google APIs to provide eCommerce performance intelligence on behalf of merchants who explicitly authorize the connection through Google's OAuth consent screen. This section describes how Nexus accesses, uses, stores, shares, retains, and deletes Google user data, and supplements the rest of this Privacy Policy. Nexus's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data Accessed

When a merchant connects a Google account to Nexus, we request only the OAuth scopes strictly required to deliver the connected feature. The data we access is limited to:

Google account identity (sign-in only) — openid, email, profile. We use this solely to identify the authenticating user, link the connection to the correct Nexus workspace, and display the user's name and email in the Nexus UI.
Google Analytics 4 (read-only) — https://www.googleapis.com/auth/analytics.readonly. We read aggregated GA4 reporting data (sessions, users, conversions, revenue, traffic source dimensions, e-commerce events, and related metrics) for the GA4 properties the merchant explicitly selects during onboarding. We do not access GA4 admin settings, edit GA4 configuration, or read user-level identifiers from GA4.
Google Ads (read-only, where enabled) — https://www.googleapis.com/auth/adwords (read-only usage). We read campaign, ad group, ad, keyword, and performance metrics (impressions, clicks, cost, conversions, ROAS) for the ad accounts the merchant links. We do not create, edit, pause, or delete campaigns unless the merchant explicitly opts into a managed-optimization feature and re-consents to write scopes at that time.

We do not request access to Gmail, Google Drive, Google Calendar, Google Contacts, YouTube content, Google Photos, or any other Google service outside the scopes listed above.

Data Usage

Nexus uses Google user data exclusively to provide and improve the user-facing features the merchant signed up for. Specifically, we use Google data to:

Authenticate the user and maintain their session in Nexus.
Detect anomalies in eCommerce performance (traffic, conversions, revenue, paid media efficiency) using deterministic statistical methods (z-score, percentage thresholds, trend analysis).
Correlate signals across GA4, Google Ads, Shopify, and other sources the merchant has connected, to surface likely root causes of performance changes.
Generate written narratives, recommendations, and A/B test hypotheses for the merchant. When generative AI (large language models) is used to produce these narratives, the prompt is constructed from aggregated, de-identified metrics only; we do not send raw user-level data, individual session data, or personally identifying information from Google to any LLM provider.
Display dashboards, reports, and insight cards inside the Nexus app to the merchant who connected the account.

Nexus's use of Google user data complies with the Google API Services User Data Policy's Limited Use requirements:

We do not use Google user data to serve advertisements.
We do not sell Google user data.
We do not allow humans to read Google user data, except (a) with the merchant's explicit consent for a specific support request, (b) where required for security investigations or to comply with applicable law, or (c) where the data has been aggregated and anonymized and is used for internal operations in line with Google's policy.
We do not use Google user data to train, fine-tune, or improve generalized or non-personalized AI/ML models.

Data Sharing

Nexus does not sell, rent, or trade Google user data. We share Google user data only in the following limited circumstances:

With the merchant who authorized the connection — Authorized users within the merchant's Nexus workspace can view dashboards and reports derived from the connected Google data.
With trusted sub-processors that operate the Nexus service — strictly for the purpose of running our infrastructure under written data protection agreements:
- Cloud hosting and managed databases (e.g., AWS / Google Cloud / DigitalOcean — whichever provider hosts Nexus production infrastructure).
- Application monitoring, logging, and error tracking providers.
- LLM providers used for narrative generation. Only aggregated, anonymized metrics are sent; raw Google user data, identifiers, or PII are never transmitted to LLM providers.
For legal reasons — when we have a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Omniconvert, our users, or the public.
In a corporate transaction — in the event of a merger, acquisition, reorganization, or sale of assets, in which case the acquiring entity will be bound by this Privacy Policy or will notify users of any material change.

We do not share Google user data with advertising networks, data brokers, or analytics providers for cross-site tracking purposes.

Data Storage & Protection

We take the following measures to protect Google user data:

Encryption in transit — All communication between the merchant's browser, Nexus servers, and Google APIs is encrypted using TLS 1.2 or higher.
Encryption at rest — OAuth refresh tokens, access tokens, and any cached Google data are encrypted at rest using industry-standard symmetric encryption (AES-256) with keys managed by our cloud provider's key management service.
Tenant isolation — Google data is logically partitioned per merchant workspace; queries are scoped by workspace identifier at the application layer, and no cross-tenant data access is permitted.
Access controls — Production access to systems holding Google user data is restricted to a small number of authorized engineers, requires multi-factor authentication, and is audited.
Network controls — Production databases are not publicly accessible; access is limited to the application's private network.
Secrets management — Google client secrets and signing keys are stored in a dedicated secrets manager and are not committed to source control.
Vendor due diligence — Sub-processors that may handle Google user data are reviewed for security posture and bound by data protection agreements.
Incident response — We maintain an incident response process. In the event of a confirmed data breach affecting Google user data, we will notify affected merchants and the relevant authorities in accordance with applicable law.

No system is perfectly secure. While we use commercially reasonable safeguards, we cannot guarantee absolute security.

Data Retention & Deletion

OAuth tokens are retained for as long as the merchant's Google connection is active. When a merchant disconnects Google in Nexus, or revokes Nexus's access from their Google Account permissions page, we revoke the token with Google and delete it from our systems within 30 days.
Cached Google reporting data (GA4 metrics, Google Ads performance data) is retained only as long as it is needed to power dashboards and historical comparisons inside Nexus, and in any case no longer than 24 months. Aggregated, de-identified statistics derived from this data may be retained longer for product analytics and benchmarking.
Account closure — When a merchant closes their Nexus workspace, all Google user data associated with that workspace, including OAuth tokens and cached reporting data, is deleted from our production systems within 30 days, and from encrypted backups within 90 days.
User-initiated deletion — A merchant can request immediate deletion of all Google user data we hold about their workspace at any time by:
1. Disconnecting Google inside the Nexus app (Settings → Integrations → Google → Disconnect), which triggers automated deletion, or
2. Emailing privacy@omniconvert.com with the subject "Nexus — Google Data Deletion Request". We will confirm and complete deletion within 30 days.
Revoking access at Google — At any time, a user may revoke Nexus's access to their Google account at https://myaccount.google.com/permissions. Revocation will sever Nexus's ability to read further data; previously cached data will be deleted following the process above.

For any questions about how Nexus handles Google user data, contact us at privacy@omniconvert.com.

———

Meta (Facebook & Instagram) User Data

Nexus Insights integrates with Meta's Marketing API to provide ad performance intelligence and, where the merchant explicitly opts in, automated optimization for Meta Ads campaigns. Our use of data received from Meta complies with Meta's Platform Terms and Developer Policies.

Data Accessed

When a merchant connects their Meta Business account to Nexus, we request only the permissions strictly required for the connected feature set:

email, public_profile — to identify the authenticating user.
business_management — to enumerate the Business Manager accounts the user administers, so the merchant can pick which one to connect.
ads_read — to read campaign structure, creatives, audiences, placements, and performance metrics (impressions, clicks, spend, conversions, ROAS, attribution data) for the ad accounts the merchant selects.
ads_management — required only when the merchant opts into managed-optimization features (e.g., automated budget reallocation, auto pause/start rules). Nexus only writes changes that the merchant has explicitly configured in advance via Nexus's rules engine; we never make ad changes outside the merchant's stated intent.
pages_read_engagement, pages_show_list — where the merchant connects a Facebook Page for ad attribution and creative analysis.
instagram_basic — where the merchant connects an Instagram Business account linked to ads they wish to analyze.

We do not request access to private messages, friend lists, or any user data outside the scopes listed above.

Data Usage

We use Meta data to:

Detect anomalies and trends in paid social performance.
Correlate Meta ad performance with site analytics, revenue, and other connected sources.
Generate written narratives, recommendations, and creative-level insights inside the Nexus app. Only aggregated, de-identified metrics are sent to LLM providers; raw Meta data, user identifiers, or PII are never transmitted to LLMs.
Where the merchant has explicitly opted in, execute pre-configured optimization actions (e.g., pause an ad set when CPA exceeds a threshold the merchant defined).

We do not use Meta data for advertising targeting outside the merchant's own ad accounts, do not sell Meta data, and do not use Meta data to train generalized AI/ML models.

Data Sharing

We share Meta data only with the merchant's authorized workspace users and with the same limited set of sub-processors described in the "Google User Data → Data Sharing" section above (cloud hosting, monitoring, and aggregated-metrics-only LLM providers), all under written data protection agreements. We do not share Meta data with advertising networks or data brokers.

Data Storage & Protection

Meta access tokens, page tokens, and any cached Meta data are encrypted at rest (AES-256), encrypted in transit (TLS 1.2+), logically isolated per merchant workspace, and protected by the access controls, network controls, and incident-response process described in the "Google User Data → Data Storage & Protection" section above.

Data Retention & Deletion

Meta access tokens are retained for as long as the connection is active and deleted within 30 days of disconnection.
Cached Meta reporting data is retained for up to 24 months to power historical comparisons inside Nexus.
A merchant can disconnect Meta from Nexus at any time (Settings → Integrations → Meta → Disconnect), which triggers automated deletion of tokens and cached data.
A user can revoke Nexus's access from their Facebook account at https://www.facebook.com/settings?tab=business_tools.

For any questions about how Nexus handles Meta user data, contact us at privacy@omniconvert.com.