1. Who We Are

OmertaBrowser is developed and distributed by OmertaLabs, operating under the same principles as OmertaVPN. We are incorporated in a jurisdiction with no mandatory data retention laws. Our registered address is available upon written request.

2. The Core Principle

OmertaBrowser is a local application that runs on your device. The vast majority of its functionality — profile management, fingerprint spoofing, script execution, and session isolation — operates entirely locally, on your hardware. We cannot see what sites you visit, what profiles you use, or what scripts you run.

3. What We Collect

We collect the absolute minimum required to provide the service. The following data may be processed:

Account Information

• Email address — used for account authentication and license delivery only.
• Password — stored as a salted bcrypt hash. We never see your plaintext password.
• Subscription tier — used to enforce feature access. Not linked to usage data.

License Verification

• A cryptographic license token is verified against our server at application launch.
• This check transmits only: license token, application version, and OS platform (e.g. win11).
• No profile data, browsing data, fingerprint configuration, or script content is transmitted.

Crash Reports (Optional)

• If you opt in to crash reporting, anonymized stack traces may be transmitted when the application crashes.
• These reports contain no URLs, profile names, script content, or personally identifying information.
• Crash reporting is disabled by default. You can toggle it in Settings → Privacy → Crash Reports.

AI Assistant Usage (Capo / Consigliere)

• When using the built-in AI assistant, your messages are sent to our AI inference endpoint over a TLS-encrypted connection.
• Messages are processed to generate a response and are not retained beyond the duration of the API call.
• If you configure an external AI model (GPT-4, Claude, Gemini, etc.), your messages are transmitted directly to that provider under their respective privacy policies.

4. What We Never Collect

• Browsing history, URLs visited, or page content from any profile.
• Profile configurations, fingerprint settings, or proxy assignments.
• Script content, automation logs, or AI agent activity.
• Cookie data, session tokens, or saved credentials within profiles.
• IP addresses used by your profiles or proxy connections.
• The identity or number of sites you access.
• Payment details beyond what our payment processor requires for transaction completion.

5. Cloud Sync (Capo / Consigliere)

If you enable Cloud Profile Sync, your profile configurations are encrypted on your device using AES-256 before transmission. We store only the encrypted ciphertext. We do not hold the decryption key — you do. Even in the event of a server compromise, your profile data remains inaccessible.

Cloud sync is opt-in. Profiles remain local by default.

6. Data Sharing

We do not sell, rent, or trade your personal data to any third party. We do not serve advertising. We have no advertising partners.

The only circumstances under which data may be shared with third parties:

• Payment processing — transactions are handled by our payment processor. We share only what is necessary to complete the transaction.
• Legal compulsion — in the event of a legally binding court order from a jurisdiction with authority over us, we would disclose only account registration data (email and subscription tier). We structurally cannot provide browsing or session data because we do not possess it.

7. Government & Law Enforcement Requests

We treat government and law enforcement data requests with the following standing policy, inspired by the Omertà tradition:

• We challenge all requests to the fullest extent permitted by law in our jurisdiction.
• We notify affected users of any requests unless legally prohibited from doing so.
• We publish an annual Transparency Report disclosing the number of requests received and fulfilled.
• We have architecturally ensured that the data most sought by authorities — browsing history, session data, fingerprint configurations — does not exist on our systems and therefore cannot be provided.

8. Data Retention

Account data (email, hashed password, subscription status) is retained for the duration of your account. Upon account deletion, all records are permanently purged within 30 days.

License verification logs (containing no personal data) are retained for 7 days for fraud detection purposes, then automatically deleted.

AI assistant conversation logs: none retained. Each request is stateless.

9. Your Rights

Depending on your jurisdiction, you may have rights including access, correction, deletion, portability, and objection to processing. To exercise any of these rights, contact us at the address below. We respond to all requests within 30 days.

10. Security

All data in transit is encrypted using TLS 1.3. Cloud-synced profile data is encrypted client-side using AES-256-GCM before leaving your device. Our infrastructure undergoes annual penetration testing by an independent security firm. We operate a responsible disclosure program — see our security page for details.

11. Children

OmertaBrowser is not intended for use by persons under the age of 18. We do not knowingly collect data from minors.

12. Changes to This Policy

Material changes to this privacy policy will be communicated by email to registered users at least 14 days before taking effect. The current version is always available at browser.omertavpn.com/privacy. We maintain a full version history.

13. Contact

For privacy-related inquiries, data requests, or security reports: