Privacy Policy

OmniRun provides isolated virtual machine sandboxes for AI agent workloads. We are committed to protecting your privacy and being transparent about the data we collect. This policy explains what data we gather, how we use it, and how we protect it.

Account information. When you sign up, we collect your email address. We use a passwordless one-time password (OTP) flow sent to your email for authentication -- we do not store passwords.

Usage data. We track sandbox usage (creation, duration, resource consumption) to enforce plan limits and for billing purposes.

API tokens. We store hashed API tokens you generate through the dashboard. The full token value is shown once at creation and is not stored in plain text.

Vault credentials. If you use our Vault feature, credentials are encrypted at rest and only injected into your sandboxes at runtime. OmniRun staff cannot read vault contents.

We use Umami, a privacy-focused analytics platform. Umami does not use cookies, does not track users across websites, and does not collect personal information. All data is anonymized and aggregated. We use it to understand page views, feature usage, and general traffic patterns.

We use a single httpOnly session cookie (omnirun_token) to maintain your authenticated session. This cookie is strictly necessary for the service to function and is not used for tracking. We do not use any third-party tracking cookies.

Every sandbox runs in its own microVM with a dedicated Linux kernel. Sandboxes are fully isolated from each other and from our infrastructure. When a sandbox is destroyed, all data within it is permanently deleted -- there is no shared state between sessions.

Code you execute in sandboxes is not logged, stored, or inspected by OmniRun. Sandbox execution results may be temporarily cached in memory to improve performance for identical requests, but are never persisted to disk.

We use the following third-party services:

• Email delivery -- for sending OTP authentication codes to your email address.
• Umami analytics -- privacy-focused, cookieless web analytics (self-hosted).

We do not sell, share, or provide your data to advertisers or data brokers.

Account data is retained for as long as your account is active. Usage logs are retained for billing purposes for up to 90 days. You can request deletion of your account and all associated data at any time.

You have the right to access, correct, or delete your personal data. You can delete your API tokens through the dashboard at any time. For account deletion or data export requests, contact us at the address below.

For privacy-related questions or requests, email us at privacy@omnirun.io.