Legal
Privacy Policy
Effective date: 15 July 2026
This Privacy Policy explains how SIA “Omnia Sana” (“Omnia Sana”, “we”, “us”, or “our”) collects, uses, shares, and protects personal data when you visit omniasana.bio, create an account, place an order, subscribe to our newsletter, submit a comment or plant sighting, or otherwise interact with our website and interactive tools (together, the “Service”). We aim to process your data lawfully, fairly, and transparently, in line with the EU General Data Protection Regulation (GDPR) and applicable U.S. state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
1. Who we are
Omnia Sana is operated by SIA “Omnia Sana”, a limited liability company (sabiedrība ar ierobežotu atbildību) registered in the Republic of Latvia, European Union, under registration number 40203757373 (VAT: LV40203757373). We are the data controller responsible for your personal data under this Policy. You can reach us using the details in the “How to contact us” section below or via our Contact page.
2. Personal data we collect
Depending on how you use the Service, we may collect:
- Account & order data — name, email address, billing/shipping address, and order history when you create a My Account profile or place an order. Payment card details are collected and processed directly by our payment processors (Stripe, via WooCommerce Payments, and PayPal); we do not store full card numbers on our servers.
- Newsletter data — your email address and subscription status, processed through our email service providers, Brevo (Sendinblue) and MailPoet.
- Contact form data — the name, email address, and message you submit through our Contact page.
- Community content — your display name, comments, comment votes, and, if you use the Plant Sighting Map, the sighting details, approximate location, and any photo you submit. Uploaded photos have their embedded location (EXIF/GPS) metadata stripped automatically before publication.
- Account credentials — username and a securely hashed password for registered My Account users.
- Technical & usage data — IP address, browser and device type, pages visited, referring pages, and approximate location, collected automatically through server logs and analytics (Jetpack Stats, WooCommerce Analytics).
- Cookies & advertising identifiers — cookie IDs and similar identifiers used for core site functions, analytics, and, only with your consent, advertising. See “Cookies” below.
3. How we use your data
- To fulfil and manage your orders, including payment, shipping, and customer service (performance of a contract).
- To provide and maintain your My Account profile (performance of a contract).
- To respond to enquiries submitted through our Contact page (legitimate interest).
- To send newsletters and marketing communications, where you have subscribed (consent — you can withdraw at any time via the unsubscribe link in any email).
- To display and moderate comments, ratings, and Plant Sighting Map submissions (legitimate interest in operating community features).
- To analyse and improve site performance, content, and interactive tools (legitimate interest, or consent where non-essential analytics cookies are used).
- To show interest-based advertising through Google Listings & Ads, Reddit Ads, and Snapchat Ads, only where you have consented via our cookie banner.
- To detect, prevent, and address fraud, abuse, and security issues (legitimate interest).
- To comply with legal, tax, and accounting obligations (legal obligation).
4. Cookies and similar technologies
We use a cookie consent banner that blocks non-essential cookies until you provide consent, in line with the GDPR and the ePrivacy Directive. Cookies on the Service generally fall into these categories:
- Strictly necessary — required for core functions such as the shopping cart, checkout, and account login. These cannot be disabled.
- Functional & analytics — help us understand how the site is used (e.g., Jetpack Stats, WooCommerce Analytics).
- Advertising — used by Google (Listings & Ads), Reddit Ads, and Snapchat Ads to measure and personalise advertising. These are only loaded if you consent.
You can accept, decline, or change your cookie preferences via the consent banner shown when you first visit the site, or at any time by clearing your browser’s cookies for this site or adjusting your browser’s cookie settings. Blocking certain cookies may affect site functionality.
5. Who we share your data with
We share personal data only as needed to operate the Service, and never sell it for money. Recipients include:
- Payment processors — Stripe (via WooCommerce Payments) and PayPal, who process payment details directly under their own privacy policies.
- Email & marketing platforms — Brevo (Sendinblue) and MailPoet, for newsletters and transactional email.
- Hosting, security, and site-management providers — including Automattic (Jetpack), who help operate, secure, and analyse the Service.
- Advertising partners — Google (Listings & Ads), Reddit, and Snapchat, who receive limited technical and advertising identifiers only where you have consented to advertising cookies.
- Authorities & advisors — where required by law, regulation, legal process, or to protect our rights, property, or safety, or that of our users.
- Business transfers — in the event of a merger, acquisition, or sale of assets, in which case we will notify you.
Sharing data with advertising partners for interest-based advertising may be considered a “sale” or “share” of personal information under some U.S. state laws even though no money changes hands — see “Your U.S. privacy rights” below for how to opt out.
6. International data transfers
Some of our service providers (including Stripe, PayPal, Google, and Automattic) are based in, or transfer data to, the United States and other countries outside the European Economic Area (EEA). Where this happens, we rely on appropriate safeguards recognised under the GDPR, such as the European Commission’s Standard Contractual Clauses, adequacy decisions, or a provider’s certified compliance framework (such as the EU-U.S. Data Privacy Framework, where applicable).
7. How long we keep your data
- Order and invoicing records: retained for the period required by Latvian tax and accounting law (generally up to five years after the relevant financial year).
- Account data: retained while your account is active, and deleted on request subject to any legal retention obligations.
- Comments and community content: retained to preserve site functionality unless you ask us to remove it.
- Newsletter data: retained until you unsubscribe.
- Contact form messages: retained only as long as needed to handle your enquiry.
8. Your rights under the GDPR
If you are located in the EEA, UK, or Switzerland, you have the right to:
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”);
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time, without affecting processing carried out before withdrawal; and
- lodge a complaint with a supervisory authority — in Latvia, the Data State Inspectorate (Datu valsts inspekcija, www.dvi.gov.lv), or the authority in your own EU member state.
To exercise any of these rights, contact us using the details below.
9. Your U.S. privacy rights
If you are a California resident, or a resident of another U.S. state with a comprehensive privacy law, you have the right to:
- know what personal information we collect, use, and disclose about you;
- delete personal information we hold about you;
- correct inaccurate personal information;
- opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising — you can do this by declining advertising cookies in our cookie banner, or by contacting us; and
- not be discriminated against for exercising any of these rights.
We do not knowingly sell or share the personal information of consumers we know to be under 16 years old.
10. Children’s privacy
The Service is not directed to children, and we do not knowingly collect personal data from anyone under 16 years of age (or under 13, for purposes of the U.S. Children’s Online Privacy Protection Act, COPPA). If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Data security
We use reasonable technical and organisational measures — including HTTPS encryption, access controls, and reputable third-party processors — to protect your personal data. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Links to other websites
The Service may link to third-party websites, such as scientific journals or social media platforms. We are not responsible for the privacy practices of those sites, and we encourage you to review their own privacy policies.
13. Changes to this policy
We may update this Privacy Policy from time to time. The “Effective date” above shows when it was last revised. Material changes will be highlighted on this page or, where appropriate, communicated by email.