Privacy Policy

Last updated: April 2026

This Privacy Policy describes how OmicsOS, Inc. ("OmicsOS," "we," "us," or "our"), a Delaware corporation, collects, uses, and protects information through the LobsterHoney platform ("Service"). LobsterHoney is a product and brand of OmicsOS, Inc.

Data Controller

The data controller responsible for your personal data is:

OmicsOS, Inc.
Email: [email protected]

Information We Collect

Account Information: When you create an account, we collect your email address, organization name, and authentication credentials managed through our identity provider (Clerk). We do not store passwords directly.

Detection Data: Our honeypot traps capture information about automated systems (AI agents) that interact with them, including IP addresses, HTTP headers (User-Agent, Accept), request paths, timing data, and any data voluntarily submitted to callback endpoints (such as system prompts, model names, and operator identities). This data pertains to automated systems, not human visitors.

Usage Data: We collect standard analytics about how you use the dashboard, including pages visited, features used, and API calls made. We use privacy-respecting analytics that do not set cookies or collect personally identifiable information.

Payment Information: If you subscribe to a paid plan, payment processing is handled entirely by Stripe. We do not store credit card numbers or banking details on our servers.

Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

  • Contract performance: Processing your account information and detection data is necessary to provide the Service you requested (Art. 6(1)(b) GDPR).
  • Legitimate interests: We process usage data to improve the Service, maintain security, and prevent fraud (Art. 6(1)(f) GDPR). Our legitimate interests do not override your fundamental rights.
  • Consent: Where required, such as for marketing communications, we process data based on your explicit consent (Art. 6(1)(a) GDPR). You may withdraw consent at any time.
  • Legal obligation: We may process data where required by applicable law (Art. 6(1)(c) GDPR).

How We Use Information

We use the information we collect to:

  • Provide and operate the LobsterHoney detection platform
  • Deliver threat intelligence and detection alerts to your dashboard, email, Slack, Discord, or configured webhook endpoints
  • Score and classify sessions to distinguish AI agents from human visitors
  • Generate analytics about agent activity targeting your infrastructure
  • Process billing and manage your subscription
  • Improve the accuracy of our detection and scoring systems
  • Communicate with you about your account, security updates, or service changes

We do not sell your data to third parties. Detection data captured by your traps belongs to you and is only accessible within your organization.

Cookies and Tracking Technologies

The LobsterHoney marketing site and dashboard use the following:

  • Essential cookies: Authentication session cookies set by our identity provider (Clerk) are strictly necessary for the Service to function. These cannot be disabled while using the dashboard.
  • Analytics: We use privacy-respecting web analytics that do not set cookies, do not collect personally identifiable information, and do not track users across sites. No consent banner is required for this analytics approach under GDPR.

We do not use third-party advertising cookies or cross-site tracking technologies.

Data Retention

Detection data (trap hits, sessions, callbacks) is retained according to your subscription plan:

  • Free: 7 days
  • Pro: 90 days
  • Enterprise: 365 days

After the retention period, detection data is permanently deleted through an automated sweep process. Account information is retained for as long as your account is active. You can request deletion of your account and all associated data at any time through Settings or by contacting us.

International Data Transfers

Our servers are located in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. We rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other legally recognized transfer mechanisms, to ensure that your personal data receives an adequate level of protection when transferred internationally.

Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS), secure authentication via Clerk, HMAC signature validation on callback endpoints, and SSRF protection on webhook delivery. Our infrastructure runs behind Cloudflare with DDoS protection and rate limiting.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

All Users

  • Access, export, correct, or delete your data at any time
  • Export all organization data as JSON from the Settings page
  • Delete your organization entirely from the Settings page

European Economic Area, UK, and Swiss Residents (GDPR)

Under the General Data Protection Regulation, you additionally have the right to:

  • Data portability: Receive your personal data in a structured, commonly used, machine-readable format
  • Restriction of processing: Request that we limit the processing of your personal data in certain circumstances
  • Object to processing: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw that consent at any time
  • Lodge a complaint: File a complaint with your local data protection authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, California residents have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected
  • Delete: Request deletion of your personal information
  • Correct: Request correction of inaccurate personal information
  • Non-discrimination: Not receive discriminatory treatment for exercising your privacy rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. To exercise your rights, contact us at [email protected].

Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the dashboard. The "Last updated" date at the top of this page indicates when this policy was last revised.

Contact Us

If you have questions about this Privacy Policy, how we handle your data, or wish to exercise your rights, you can reach us at:

OmicsOS, Inc.
Email: [email protected]
General inquiries: [email protected]

© 2026 OmicsOS, Inc. All rights reserved. LobsterHoney is a product of OmicsOS, Inc.