Privacy Policy
Contents
1. Scope
This Privacy Policy describes how Oddly Even Group Pte. Ltd. ("oddly", "we", "us") collects, uses, discloses, and protects information when you use the platform at myoddly.com or any subdomain we operate (the "Service"). It covers personal data within the meaning of the Singapore Personal Data Protection Act 2012 (PDPA) and personal data within the meaning of the EU General Data Protection Regulation (GDPR) where applicable.
By creating an account or connecting any data source, you confirm that you have read this policy and consent to the processing it describes.
2. Who we are
The Service is operated by Oddly Even Group Pte. Ltd., a private limited company incorporated in Singapore. We are the controller of personal data that you provide directly to us and the processor of personal data that flows in from connected platforms (Shopify, Google Ads, Google Analytics, Google Search Console, Meta Ads).
3. Data we collect
We collect only what we need to operate the Service.
- Account data. Email address, brand name, billing currency, time zone, plan tier (Watch, Nudge, or Steer), and authentication tokens for the Service itself.
- Billing data. Payment-processor customer identifier and the metadata returned to us (subscription status, trial end date, last invoice). Card numbers, expiry dates, and CVV are entered directly into the payment processor and never reach our servers.
- Connected source data. What you authorise via OAuth from Shopify, Google Ads, Google Analytics, Google Search Console, and Meta Ads. See section 4 for the per-source breakdown.
- Operational data. Action queue items the platform proposes, your approve or dismiss decisions, audit log entries that record which actions ran and why, and the dashboard tokens that authenticate you to the merchant portal.
- Optional contact data. WhatsApp number (used only on the Steer tier to deliver money-at-risk pings), and any messages you send to [email protected].
4. Connected sources
Each connected platform requires explicit OAuth consent. We request the minimum scopes necessary to operate the Service. You can revoke access at any time from the source platform's connected-apps panel; we'll detect the revocation and notify you.
Shopify
We read orders, inventory levels, products, product images, alt text, and store metadata via Shopify's Admin API. We do not read customer phone numbers, customer addresses, customer payment details, or customer notes beyond what is required to compute aggregated store metrics. We do not read draft orders, abandoned checkouts, or PII associated with individual customers.
Google Ads
We read campaign, ad group, keyword, and search-term performance, plus account-level recommendations from Google's Ads API. On the Nudge and Steer tiers we may write changes that you have explicitly approved (negative keywords, low-quality keyword pauses, recommendation dismissals, ad pauses for out-of-stock products). We never change campaign budgets without your approval, and we never move money between accounts.
Google Search Console
We read search performance data (queries, impressions, clicks, position) for properties you authorise. We do not write to Search Console.
Google Analytics 4
If you connect Google Analytics 4, we read aggregated session, conversion, and traffic-source metrics for the property you authorise. We do not read individual user-level identifiers, do not associate GA4 data with individuals, and do not export GA4 data outside the Service.
Meta Ads
We read campaign-level performance, ad-set-level performance, and creative metadata via Meta's Marketing API. We do not read messaging, comments, or audience PII. Meta integration is a Steer-tier feature and is optional; cross-channel digest sections only appear when both Google and Meta are connected.
5. How we use data
- To operate the Service: surface money-at-risk alerts, build the weekly digest, populate your dashboard, and run the actions you approve or have explicitly delegated.
- To meet our contractual obligations to you (deliver the plan tier you've paid for, dispatch alerts, retain audit history).
- To diagnose and fix problems: error logs, action failures, integration health checks.
- To comply with legal obligations: tax reporting, billing records, anti-fraud checks.
We do not sell personal data. We do not use connected-source data to train models that are exposed to other customers. We do not use connected-source data to build advertising audiences or enrich profiles outside your account.
6. Google API Services User Data Policy + Limited Use
Limited Use commitment. oddly's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data only to provide and improve user-facing features that are prominent in the Service (campaign monitoring, search-term cleanup, content gap detection, ad-pause recommendations for out-of-stock products, weekly digests, search performance reporting).
- We do not transfer Google user data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising.
- We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or our use is for internal operations and the data has been aggregated and anonymised.
7. Sub-processors
We use a small set of sub-processors to run the Service. Each is bound by a data-processing agreement.
- Edge infrastructure provider. Compute, database, object storage, and CDN. Hosts the platform code, the encrypted database, and edge cache.
- Payments processor. Subscription billing, card capture, hosted checkout, customer portal.
- Email transport provider. Outbound transactional and digest email.
- Messaging provider. Outbound WhatsApp dispatch on the Steer tier only, when you've supplied a number.
- Source platforms. Google (Ads, Search Console, Analytics) and Meta (Marketing API) act as source platforms; data flows only when you authorise OAuth.
8. Retention + deletion
- Account, brand, and operational data are deleted within 30 days of account cancellation, except where retention is required by law (financial records, billing invoices, tax records).
- Audit log entries are retained for up to 12 months from creation. After that they are deleted or aggregated into anonymised statistics that cannot be tied back to a brand.
- Billing records are retained for the period required by Singapore tax law (currently five years from the end of the relevant accounting year).
- OAuth refresh tokens are deleted immediately on cancellation or revocation.
- We may retain aggregated, anonymised metrics indefinitely. Anonymised means no value can be associated with you, your brand, or any individual.
- You can request immediate deletion at any time; see section 11.
9. Security
- All traffic between you and the Service is encrypted with TLS 1.2 or higher.
- OAuth tokens, API keys, and webhook signing secrets are stored in a managed key-management system, never in source code, never in logs, and never exposed to client-side JavaScript.
- The database is encrypted at rest. Backups inherit the same encryption.
- Authentication to the dashboard is token-based; tokens are rotated on cancellation or on request.
- Webhooks are verified with HMAC signatures before any action is taken on the payload.
- Application logs are scrubbed of credentials, OAuth tokens, and webhook secrets before write.
- Read more on the security page.
10. International transfers
The Service is operated from Singapore on globally distributed edge infrastructure. The edge network may process data in any region where the underlying infrastructure operates. Payments, email, messaging, and source platforms may process data in jurisdictions outside Singapore and the EU. Where transfers are made out of the EEA, we rely on Standard Contractual Clauses or other transfer mechanisms recognised under GDPR.
11. Your rights (PDPA + GDPR)
You may at any time:
- Request access to the personal data we hold about you.
- Request correction of inaccurate or incomplete personal data.
- Withdraw consent for any processing that relies on consent. Withdrawing OAuth scopes is the operational form of this for connected platforms.
- Request deletion of your personal data, subject to retention required by law.
- Request a portable export of the operational data associated with your account.
- Lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC) or, if you reside in the EEA, with your local supervisory authority.
To exercise any of these rights, email [email protected] with the subject "Data Request". We respond within 30 days.
12. Cookies + analytics
We use a single first-party cookie to keep your dashboard session alive. We do not use advertising cookies, third-party tracking pixels, or fingerprinting. We do not run third-party analytics on this domain. Server-side request logs are retained for 30 days for diagnostics and then deleted.
13. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify you by email at least 30 days before the change takes effect, or sooner where required by law. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact
Questions, requests, and disclosures: [email protected].
Data protection officer: [email protected].
Postal: Oddly Even Group Pte. Ltd., Singapore. Mailing address available on request to verified data subjects.