Work/ in-Context/ Sign up
Omniform is project management with an AI brain built in. Plan work, track progress, and talk to an assistant that understands every thread, doc, and decision you and your team make. Context stays with you and your work.
Omniform is project management with an AI brain built in. Plan work, track progress, and talk to an assistant that understands every thread, doc, and decision you and your team make. Context stays with you and your work.
Omniform is an AI-native project and task management platform operated by 38one (38one.com), a UK-registered business trading since 2014.
For the purposes of data protection law, 38one (trading as Omniform) is the data controller — meaning we determine how and why your personal data is processed.
We are not required to appoint a Data Protection Officer under Article 37 UK GDPR; however, you may contact us at support@omniform.work for any data protection queries.
When you create an account, we collect:
To keep your account secure, we process:
Our session storage schema includes columns for IP address, user agent, and location-related fields (such as timezone, city, country, and region). Geolocation tracking and automatic IP detection are disabled in our configuration, and these fields are not actively populated. However, we want to be upfront that the underlying authentication framework schema contains these columns. If we ever enable these features, we will update this policy before doing so.
Everything you build in Omniform is stored on our servers:
We do not collect analytics, telemetry, or behavioural tracking data. We do not use Google Analytics, error tracking services (such as Sentry), or any advertising or marketing trackers.
We store a small amount of data locally in your browser:
We use no analytics cookies, no tracking cookies, and no advertising cookies.
We process your personal data only where we have a lawful basis to do so under GDPR. Here is how each category maps to a purpose and legal basis:
| Data | Purpose | Lawful Basis |
|---|---|---|
| Account data (name, email, password) | To create and maintain your account and provide the service | Contractual necessity (Art. 6(1)(b)) |
| Content data (tasks, notes, files, etc.) | To provide the service you signed up for | Contractual necessity (Art. 6(1)(b)) |
| Authentication data (sessions, OAuth, 2FA) | To secure your account and prevent unauthorised access | Contractual necessity (Art. 6(1)(b)) + Legitimate interest in security (Art. 6(1)(f)) |
| AI features (chat, voice, search, context memory) | To provide AI-assisted functionality as a core part of the service | Contractual necessity (Art. 6(1)(b)) |
| Email communications (verification, password resets, invitations) | To operate essential account functions | Contractual necessity (Art. 6(1)(b)) + Legitimate interest (Art. 6(1)(f)) |
| Timezone | To schedule reminders at your correct local time | Legitimate interest (Art. 6(1)(f)) |
| GitHub integration data | To provide developer workflow features you have opted into | Contractual necessity (Art. 6(1)(b)) |
We may also process your data where required by law or regulation (Art. 6(1)(c)).
We do not process your data for marketing, advertising, profiling, or automated decision-making.
We have conducted legitimate interest assessments for the processing described above. These are available on request.
AI is a core part of Omniform. We want to be completely transparent about what data flows where when you use these features.
When you use AI chat within Omniform, we send the following to Anthropic's API:
Searchlight (automatic context resolution): When your project content is too large to fit within the AI's context window, Omniform may run an additional pipeline that sends project catalog data — including task names, note excerpts, and chat summaries — to Anthropic's API using a separate, dedicated API key. This pipeline helps the AI find the most relevant content from across your project. It only activates when needed and can be configured in your AI settings.
We do not send to Anthropic:
AI responses are stored in our database as part of your conversation history. Anthropic does not use data submitted via their API for model training, in accordance with their data usage policy. Anthropic processes data in the United States.
If you use the voice input feature:
When the AI performs a web search on your behalf:
If you enable the GitHub integration and use the AI developer workflow:
Your third-party API keys (for Anthropic, OpenAI, Tavily, GitHub, Searchlight, MCP, and other integrated services) are encrypted at rest using AES-256-GCM encryption before being stored in our database. Keys are never logged or exposed in plain text.
We do not sell, rent, or trade your personal data. We do not use your data for advertising. We do not share your data with any parties beyond those listed below.
The following third parties process data as part of delivering the Omniform service:
We will notify you of material changes to our subprocessors by updating this policy.
Some of the third parties we work with are based outside the UK and EEA:
For international transfers, we rely on Data Processing Agreements incorporating Standard Contractual Clauses (SCCs) with our subprocessors. For transfers from the UK specifically, we use the UK International Data Transfer Addendum (UK IDTA) to the EU Standard Contractual Clauses, as required by the ICO.
We are in the process of ensuring all relevant DPAs are fully executed and will update this policy as that work completes.
Where possible, we select providers that offer GDPR-compliant data processing agreements and appropriate safeguards for cross-border data transfers.
We do not currently have fully automated data cleanup processes for all expired records. This is planned and in development. In the meantime, expired data may persist in storage until cleanup routines are implemented.
Under UK GDPR, you have the following rights over your personal data. We will respond to all rights requests within 30 days of receiving them. If a request is particularly complex, we may extend this by up to 60 days, and we will let you know.
You can view your data directly within the Omniform application. A full account data export is available at Settings → Data & Privacy → Export All Data. This export includes your tasks, notes, AI conversations and messages (including tool calls and token usage), time sessions, time reports, file metadata, and account information in JSON format. You may also request a copy of your data by contacting us at support@omniform.work.
You can edit your account information (name, email), task content, notes, and AI messages directly within the application.
You can delete individual tasks, notes, AI conversations, and other content within the application.
Full account deletion is available at Settings → Data & Privacy → Delete Account. The deletion process shows you a summary of what will be affected before you confirm. You may also request account deletion by contacting us at support@omniform.work.
When you delete your account:
We aim to process deletion within 30 days. Some data may be retained where we have a legal obligation to do so.
A full account data export is available at Settings → Data & Privacy → Export All Data in JSON format, including tasks, notes, AI conversations and messages, time sessions, time reports, file metadata, and account information. Per-project export is also available in Markdown format.
We recommend exporting your data before deleting your account.
You may request restriction of processing by contacting us at support@omniform.work. Where processing is restricted, we will mark your data and cease processing it except for storage.
You may object to any processing carried out on the basis of legitimate interest by contacting us at support@omniform.work. We will assess your objection and cease processing unless we have compelling legitimate grounds.
Where processing is based on your consent, you may withdraw it at any time. This will not affect the lawfulness of processing carried out before withdrawal.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We take the security of your data seriously and implement the following measures:
No system is 100% secure. While we work hard to protect your data, we cannot guarantee absolute security. If we become aware of a security breach that affects your personal data, we will notify you and the ICO in accordance with our legal obligations.
Omniform is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16.
If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that data promptly.
If you believe a child under 16 has provided us with personal data, please contact us at support@omniform.work.
We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements.
For any privacy-related questions, concerns, or to exercise any of your rights under GDPR, please contact us:
Supervisory Authority: Information Commissioner's Office (ICO) · ico.org.uk · 0303 123 1113
These Terms of Service ("Terms") govern your access to and use of Omniform, a project and task management platform operated by 38one ("we", "us", "our"), a UK-registered business trading as Omniform.
By creating an account, you confirm that you have read, understood, and agree to be bound by these Terms. If you do not agree, please do not use the Service. These Terms form a legally binding agreement between you and us.
These Terms should be read alongside our Privacy Policy and Cookie Policy, which are incorporated by reference and form part of this agreement. For details on how third-party services process your data, including services used to deliver the platform, see our Privacy Policy.
Throughout these Terms, the following definitions apply:
Omniform is a project and task management platform with integrated AI assistance. It includes hierarchical task management, rich text notes, file attachments, time tracking, team collaboration, scheduling, financial tracking, and AI-powered features.
The Service is provided on an "as is" basis. We aim for high availability but do not guarantee specific uptime levels. We do not currently offer a formal service level agreement (SLA).
While we implement reasonable security measures to protect your data, we are not liable for data loss. We encourage you to regularly export your data using the export features available within the Service.
Omniform includes AI-powered features that rely on third-party services. Please read this section carefully.
You retain all ownership and intellectual property rights in the Content you create, upload, or input into Omniform.
By using the Service, you grant us a limited, non-exclusive, worldwide licence to store, process, display, and transmit your Content solely for the purpose of providing and maintaining the Service. This licence includes transmitting Content to third-party AI providers when you use AI Features, and making Content you create in shared Workspaces accessible to other members of that Workspace in accordance with their role and permissions. This licence terminates when you delete your Content or your Account, subject to any legal retention obligations.
Content generated by AI within Omniform is provided to you as part of the Service. Ownership of AI-generated content may be subject to the terms of the underlying AI provider (Anthropic, OpenAI). We make no claim of ownership over AI-generated content.
The legal status of copyright in AI-generated content is evolving and varies by jurisdiction. We make no representation that AI-generated content is protected by copyright.
You are responsible for how you use AI-generated content, including ensuring it does not infringe any third-party rights.
Omniform — including its design, source code, branding, documentation, and all related materials — is owned by 38one. These Terms do not grant you any rights in our intellectual property beyond the limited right to use the Service in accordance with these Terms.
If you provide feedback, suggestions, or ideas about Omniform, you grant us a perpetual, irrevocable, royalty-free licence to use, modify, and incorporate that feedback without obligation or compensation to you.
You agree not to:
Violation of this section may result in a warning, temporary suspension, or permanent termination of your Account, depending on the severity and nature of the violation. We reserve the right to take immediate action, including termination without prior warning, for serious violations.
Workspace deletion: A Workspace owner may delete their Workspace at any time. When a Workspace is deleted, all content within that Workspace — including tasks, notes, files, AI conversations, and time sessions created by any member — is permanently deleted. Members will be notified by email when a Workspace they belong to is deleted. Members' own Accounts and any other Workspaces they belong to are not affected.
Account deletion with owned Workspaces: If you delete your Account while you own Workspaces, those Workspaces and all their content will also be permanently deleted, and members will be notified by email. If a Workspace has no other members, the Workspace and all its content will be deleted along with your Account. We strongly recommend transferring Workspace ownership to another member before deleting your Account. The deletion process will show you a summary of affected Workspaces and their member counts before you confirm.
A full account data export is available at Settings → Data & Privacy → Export All Data, including tasks, notes, AI conversations and messages, time sessions, time reports, file metadata, and account information in JSON format. Per-project export is also available in Markdown format within the application.
You can delete your Account at Settings → Data & Privacy → Delete Account. The deletion process shows you a summary of affected data, including any Workspaces you own and their member counts, before you confirm. You may also request account deletion by contacting us at omniform@38one.com.
We recommend exporting any data you wish to keep before confirming deletion — once deletion is complete, your data cannot be recovered.
Upon Account deletion, your personal data, tasks, notes, AI conversations, files, time sessions, financial data, Account information, and all other personal data associated with your Account are permanently deleted. Files you uploaded (stored in Cloudflare R2) are permanently deleted. Content you contributed to other users' Workspaces (such as notes and AI conversations) will have your identity removed, but the content itself may remain accessible to other Workspace members. Comments you made on notes in shared Workspaces are permanently deleted (not de-identified). Your time tracking entries in shared Workspaces are permanently deleted. Some data may be retained where we have a legal obligation to do so.
We aim to process deletion within 30 days.
Please refer to our Privacy Policy for full details on your rights under UK GDPR, including your right to data portability.
Omniform is currently available free of charge.
We reserve the right to introduce paid plans or features in the future. If paid plans are introduced:
To the maximum extent permitted by applicable law:
Nothing in these Terms excludes or limits our liability for:
If you are a consumer, you have legal rights under the Consumer Rights Act 2015 and other UK consumer legislation. These Terms do not affect those rights.
You agree to indemnify, defend, and hold harmless 38one and its officers, employees, and agents from and against any claims, damages, losses, liabilities, and expenses (including reasonable legal fees) arising from:
This indemnification obligation does not apply to the extent that a claim arises from our own negligence or breach of these Terms. To the extent you are a consumer, this section applies only as permitted by applicable consumer protection law, including the Consumer Rights Act 2015.
Upon termination, your right to access and use the Service ceases immediately. The following sections survive termination: Section 5 (User Content and Intellectual Property), Section 12 (Limitation of Liability), Section 13 (Indemnification), Section 15 (Governing Law and Disputes), and any other provisions that by their nature should survive.
These Terms are governed by and construed in accordance with the laws of England and Wales.
Any disputes arising from or in connection with these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Nothing in these Terms affects your statutory rights as a consumer under UK law.
We encourage you to contact us first if you have a concern or dispute. We will attempt to resolve matters informally before either party initiates court proceedings.
We may update these Terms from time to time. When we make material changes, we will notify you at least 30 days in advance via email or in-app notification.
Where required by applicable law, we will seek your explicit consent to material changes. Otherwise, your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Terms. If you do not agree to the updated Terms, you should stop using the Service and may delete your Account as described in Section 10.
If you have any questions about these Terms, please contact us:
Cookies are small text files that a website places on your device (computer, phone, or tablet) when you visit. They allow the website to recognise your browser and remember things like whether you are logged in. Cookies are sent back to our server with each request.
Local storage and session storage are similar technologies built into your browser. They let a web application save data directly on your device — but unlike cookies, this data is never sent to our servers. It stays in your browser. The difference between the two is lifespan: local storage persists until you clear it, while session storage is automatically deleted when you close the browser tab.
We do not use IndexedDB or service workers.
We keep things simple. Omniform only uses strictly necessary cookies — the ones required for authentication and security. That's it.
We do not use:
Because every cookie we set is strictly necessary for the service to function, we are exempt from the consent requirement under UK PECR (the Privacy and Electronic Communications Regulations) and the EU ePrivacy Directive. This means we do not display a cookie consent banner.
We publish this policy anyway because we believe in full transparency about what happens in your browser when you use Omniform.
We set a small number of cookies — all first-party, all strictly necessary.
| Name | Purpose | Duration | Type |
|---|---|---|---|
better-auth.session_token | Authenticates your session — this is how we know you are logged in. | 7 days; renewed automatically when you use the app. | HTTP-only, Secure (HTTPS only), SameSite: Lax |
better-auth.csrf | Protects against cross-site request forgery attacks — a standard security measure. | Session only — deleted when you close your browser. | Secure |
| OAuth state/PKCE cookies (temporary) | Preserves your login state during Google or GitHub sign-in. Prevents security attacks during the redirect flow. | Minutes only — automatically removed once sign-in completes. | HTTP-only, Secure, SameSite: None (required for the cross-site OAuth redirect) |
github_oauth_state | Preserves state during the GitHub developer OAuth flow (used when connecting your GitHub account for integrations, distinct from social sign-in). | 10 minutes — automatically removed once the flow completes. | HTTP-only, Secure, SameSite: Lax |
A note on OAuth cookies: The temporary OAuth cookies only exist for a few moments while you sign in with Google or GitHub. If you don't use social sign-in, these cookies are never set.
All cookies are set on .omniform.work, are first-party, and are not accessible to JavaScript (HTTP-only), with the exception of the CSRF token which must be readable by the browser to function correctly.
We use a small number of local storage items to make the application work smoothly. These are stored entirely in your browser — they never leave your device, and we cannot access them from our servers.
Note that data stored in local storage is not encrypted by your browser. Anyone with physical access to your device could potentially view this data.
| Key | Purpose | What's Stored | Duration | Contains Personal Data? |
|---|---|---|---|---|
omniform-react-query-cache | Caches your workspace data so the app loads faster and works during brief connectivity interruptions. | Cached copies of your tasks, notes, and other workspace data. | 7 days (auto-expires). Also clears automatically if your browser storage is full. | Yes — cached copies of your content (task names, note text, etc.), stored only in your browser. |
omniform-chat-draft-{chatId} | Saves your unsent AI chat message so you don't lose your draft if you navigate away or refresh. | The text you typed in the chat input. One entry per conversation where you have an unsent draft. | 7 days (older drafts are automatically cleaned up). | Yes — whatever you typed, stored only in your browser. |
omniform-ui-state | Remembers where you were in the app — which workspace, which task you were viewing, and your navigation preferences. | Internal workspace and task IDs, navigation path, and UI flags (e.g. whether archived items are shown). | Until you clear it. | No — only internal identifiers and UI preferences. |
omniform-timers | Keeps your active work timer running even if you refresh the page or close and reopen the tab. | Timer state per task: running or paused, start time, elapsed time, and last active date. | Until you clear it. | No — only task IDs and timestamps. |
We also use a small number of additional local storage keys for application state (such as current workspace selection and UI section collapse preferences). These store only internal identifiers and UI flags — no personal data.
Omniform does not currently use session storage to store any application data.
We do not set or allow any third-party cookies.
The only external resource Omniform loads is typeface files from Google Fonts (fonts.googleapis.com). This is a font delivery service — Google does not set cookies through the Fonts API. However, loading fonts from Google does mean your browser makes a network request to Google's servers, which transmits your IP address to Google.
We plan to self-host these fonts to eliminate this data transfer entirely. For more detail on how this affects your privacy, please see our Privacy Policy.
Under UK PECR (Regulation 6(4)) and the EU ePrivacy Directive (Article 5(3)), cookies and similar technologies that are strictly necessary for a service to function are exempt from the requirement to obtain consent.
All cookies Omniform sets are strictly necessary:
The local storage items listed in Section 4 are also covered by PECR Regulation 6. We rely on the strictly necessary exemption for these items: they are essential for the application to function correctly — caching data for performance, saving unsent drafts, and maintaining running timers. Without them, core application functionality would be degraded or lost. Our legal basis for setting these items is the strictly necessary exemption, not the location of the data.
Because all cookies and browser storage we use are strictly necessary, we do not display a cookie consent banner. You can still control cookies and storage through your browser settings (see below).
You are in control of cookies and browser storage on your device. Here's what you should know:
Browser cookie settings. All modern browsers let you view, block, and delete cookies through their settings or preferences menu. Consult your browser's help documentation for instructions.
What happens if you block or delete cookies:
better-auth.session_token) will log you out. You will need to sign in again.A reminder: All local storage data lives in your browser. We do not set, read, or delete it remotely — you have full control.
We may update this policy if we change how we use cookies or browser storage. We will update the "Last Updated" date at the top of this page when we do.
If we ever introduce non-essential cookies — for example, analytics or marketing — we will update this policy and implement appropriate consent mechanisms before doing so.
If you have questions about this Cookie Policy, you can reach us at:
For broader questions about how we handle your data, please see our Privacy Policy.