Privacy Policy

Last updated: 2026-04-28. Operator: Oddly Even Group Pte. Ltd., Singapore. Aligned with the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), and the Google API Services User Data Policy (including the Limited Use requirements).

1. Scope

This Privacy Policy describes how Oddly Even Group Pte. Ltd. ("oddly", "we", "us") collects, uses, discloses, and protects information when you use the platform at myoddly.com or any subdomain we operate (the "Service"). It covers personal data within the meaning of the Singapore Personal Data Protection Act 2012 (PDPA) and personal data within the meaning of the EU General Data Protection Regulation (GDPR) where applicable.

By creating an account or connecting any data source, you confirm that you have read this policy and consent to the processing it describes.

2. Who we are

The Service is operated by Oddly Even Group Pte. Ltd., a private limited company incorporated in Singapore. We are the controller of personal data that you provide directly to us and the processor of personal data that flows in from connected platforms (Shopify, Google Ads, Google Analytics, Google Search Console, Meta Ads).

3. Data we collect

We collect only what we need to operate the Service.

• Account data. Email address, brand name, billing currency, time zone, plan tier (Watch, Nudge, or Steer), and authentication tokens for the Service itself.
• Billing data. Stripe customer identifier and the metadata Stripe returns to us (subscription status, trial end date, last invoice). Card numbers, expiry dates, and CVV are entered directly into Stripe and never reach our servers.
• Connected source data. What you authorise via OAuth from Shopify, Google Ads, Google Analytics, Google Search Console, and Meta Ads. See section 4 for the per-source breakdown.
• Operational data. Action queue items the platform proposes, your approve/dismiss decisions, audit log entries that record which actions ran and why, and the dashboard tokens that authenticate you to the merchant portal.
• Optional contact data. WhatsApp number (used only on the Steer tier to deliver money-at-risk pings), and any messages you send to [email protected].

4. Connected sources

Each connected platform requires explicit OAuth consent. We request the minimum scopes necessary to operate the Service. You can revoke access at any time from the source platform's connected-apps panel; we'll detect the revocation and notify you.

Shopify

We read orders, inventory levels, products, product images, alt text, and store metadata via Shopify's Admin API. We do not read customer phone numbers, customer addresses, customer payment details, or customer notes beyond what is required to compute aggregated store metrics. We do not read draft orders, abandoned checkouts, or PII associated with individual customers.

Google Ads

We read campaign, ad group, keyword, and search-term performance, plus account-level recommendations from Google's Ads API. On the Nudge and Steer tiers we may write changes that you have explicitly approved (negative keywords, low-quality keyword pauses, recommendation dismissals, ad pauses for out-of-stock products). We never change campaign budgets without your approval, and we never move money between accounts.

Google Search Console

We read search performance data (queries, impressions, clicks, position) for properties you authorise. We do not write to Search Console.

Google Analytics 4

If you connect Google Analytics 4, we read aggregated session, conversion, and traffic-source metrics for the property you authorise. We do not read individual user-level identifiers, do not associate GA4 data with individuals, and do not export GA4 data outside the Service.

Meta Ads

We read campaign-level performance, ad-set-level performance, and creative metadata via Meta's Marketing API. We do not read messaging, comments, or audience PII. Meta integration is optional; cross-channel digest sections only appear when both Google and Meta are connected.

5. How we use data

• To operate the Service: surface money-at-risk alerts, build the weekly digest, populate your dashboard, and run the actions you approve or have explicitly delegated.
• To meet our contractual obligations to you (deliver the plan tier you've paid for, dispatch alerts, retain audit history).
• To diagnose and fix problems: error logs, action failures, integration health checks.
• To comply with legal obligations: tax reporting, Stripe billing records, anti-fraud checks.

We do not sell personal data. We do not use connected-source data to train AI or machine-learning models that are exposed to other customers. We do not use connected-source data to build advertising audiences or enrich profiles outside your account.

6. Google API Services User Data Policy + Limited Use

Specifically:

• We use Google user data only to provide and improve user-facing features that are prominent in the Service (campaign monitoring, search-term cleanup, content gap detection, ad-pause recommendations for out-of-stock products, weekly digests, search performance reporting).
• We do not transfer Google user data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• We do not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising.
• We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or our use is for internal operations and the data has been aggregated and anonymised.

7. Subprocessors

We use a small set of subprocessors to run the Service. Each is bound by a data-processing agreement.

• Cloudflare Inc. (Workers, Pages, D1, Workers Secrets, R2). Hosts the platform code, the encrypted database, and edge cache.
• Stripe, Inc. Subscription billing, card capture, hosted checkout, customer portal.
• Resend (or successor email transport). Outbound transactional and digest email.
• Twilio (WhatsApp Business API). Outbound WhatsApp dispatch on the Steer tier only, when you've supplied a number.
• Google LLC (Ads, Search Console, Analytics APIs). Source platforms; data flows only when you authorise OAuth.
• Meta Platforms, Inc. (Marketing API). Source platform; data flows only when you authorise OAuth.

8. Retention + deletion

• Account, brand, and operational data are deleted within 30 days of account cancellation, except where retention is required by law (financial records, billing invoices, tax records).
• Audit log entries are retained for two years from creation. After two years they are either deleted or aggregated into anonymised statistics that cannot be tied back to a brand.
• Stripe billing records are retained for the period required by Singapore tax law (currently five years from the end of the relevant accounting year).
• OAuth refresh tokens are deleted immediately on cancellation or revocation.
• We may retain aggregated, anonymised metrics indefinitely. Anonymised means no value can be associated with you, your brand, or any individual.
• You can request immediate deletion at any time; see section 11.

9. Security

• All traffic between you and the Service is encrypted with TLS 1.2 or higher.
• OAuth tokens, API keys, and webhook signing secrets are stored in Cloudflare Workers Secrets, never in source code, never in logs, and never exposed to client-side JavaScript.
• The database (Cloudflare D1) is encrypted at rest. Backups inherit the same encryption.
• Authentication to the dashboard is token-based; tokens are rotated on cancellation or on request.
• Webhooks are verified with HMAC signatures before any action is taken on the payload.
• Application logs are scrubbed of credentials, OAuth tokens, and webhook secrets before write.
• Read more in the Security overview.

10. International transfers

The Service is operated from Singapore. Cloudflare's edge network may process data in any region in which it operates a point of presence; data at rest in D1 is held in the region of the issuing Cloudflare account. Stripe, Resend, Twilio, Google, and Meta may process data in jurisdictions outside Singapore and the EU. Where transfers are made out of the EEA, we rely on Standard Contractual Clauses or other transfer mechanisms recognised under GDPR.

11. Your rights (PDPA + GDPR)

You may at any time:

• Request access to the personal data we hold about you.
• Request correction of inaccurate or incomplete personal data.
• Withdraw consent for any processing that relies on consent. Withdrawing OAuth scopes is the operational form of this for connected platforms.
• Request deletion of your personal data, subject to retention required by law.
• Request a portable export of the operational data associated with your account.
• Lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC) or, if you reside in the EEA, with your local supervisory authority.

To exercise any of these rights, email [email protected] with the subject "Data Request". We respond within 30 days.

12. Cookies + analytics

We use a single first-party cookie to keep your dashboard session alive. We do not use advertising cookies, third-party tracking pixels, or fingerprinting. We do not run Google Analytics, Meta Pixel, or any other third-party analytics on this domain. Server-side request logs are retained for 30 days for diagnostics and then deleted.

13. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

14. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify you by email at least 30 days before the change takes effect, or sooner where required by law. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact

Questions, requests, and disclosures: [email protected].

Data protection officer: [email protected].

Postal: Oddly Even Group Pte. Ltd., Singapore. Mailing address available on request to verified data subjects.