Privacy Policy

Last updated: 2026-05-12. Operator: Oddly Even Group Pte. Ltd., Singapore. Aligned with the Singapore Personal Data Protection Act 2012 (PDPA), the EU General Data Protection Regulation (GDPR), and the Google API Services User Data Policy (including the Limited Use requirements). Document reference: OEG-PRIV-2026-001 v1.1.

Scope

This Privacy Policy describes how Oddly Even Group Pte. Ltd. ("oddly", "we", "us") collects, uses, discloses, and protects information when you use the platform at myoddly.com or any subdomain we operate (the "Service"). It covers personal data within the meaning of the Singapore Personal Data Protection Act 2012 (PDPA) and personal data within the meaning of the EU General Data Protection Regulation (GDPR) where applicable.

By creating an account or connecting any data source, you confirm that you have read this policy and consent to the processing it describes.

Who we are

The Service is operated by Oddly Even Group Pte. Ltd., a private limited company incorporated in Singapore. We are the controller of personal data that you provide directly to us and the processor of personal data that flows in from connected platforms (Shopify, Google Ads, Google Analytics, Google Search Console, Meta Ads).

Data we collect

We collect only what we need to operate the Service.

• Account data. Email address, brand name, billing currency, time zone, plan tier (Watch, Nudge, or Steer), and authentication tokens for the Service itself.
• Billing data. Payment-processor customer identifier and the metadata returned to us (subscription status, trial end date, last invoice). Card numbers, expiry dates, and CVV are entered directly into the payment processor and never reach our servers.
• Connected source data. What you authorise via OAuth from Shopify, Google Ads, Google Analytics, Google Search Console, and Meta Ads. See section 4 for the per-source breakdown.
• Operational data. Action queue items the platform proposes, your approve or dismiss decisions, audit log entries that record which actions ran and why, and the dashboard tokens that authenticate you to the merchant portal.
• Optional contact data. WhatsApp number (used only on the Steer tier to deliver money-at-risk pings), and any messages you send to hello@myoddly.com.

Connected sources

Each connected platform requires explicit OAuth consent. We request the minimum scopes necessary to operate the Service. You can revoke access at any time from the source platform's connected-apps panel; we'll detect the revocation and notify you.

Shopify

We read orders, inventory levels, products, product images, alt text, and store metadata via Shopify's Admin API. We do not read customer phone numbers, customer addresses, customer payment details, or customer notes beyond what is required to compute aggregated store metrics. We do not read draft orders, abandoned checkouts, or PII associated with individual customers.

Google Ads

We read campaign, ad group, keyword, and search-term performance, plus account-level recommendations from Google's Ads API. On the Nudge and Steer tiers we may write changes that you have explicitly approved (negative keywords, low-quality keyword pauses, recommendation dismissals, ad pauses for out-of-stock products). We never change campaign budgets without your approval, and we never move money between accounts.

Google Search Console

We read search performance data (queries, impressions, clicks, position) for properties you authorise. We do not write to Search Console.

Google Analytics 4

If you connect Google Analytics 4, we read aggregated session, conversion, and traffic-source metrics for the property you authorise. We do not read individual user-level identifiers, do not associate GA4 data with individuals, and do not export GA4 data outside the Service.

Meta Ads

We read campaign-level performance, ad-set-level performance, and creative metadata via Meta's Marketing API. We do not read messaging, comments, or audience PII. Meta integration is a Steer-tier feature and is optional; cross-channel digest sections only appear when both Google and Meta are connected.

How we use data

• To operate the Service: surface money-at-risk alerts, build the weekly digest, populate your dashboard, and run the actions you approve or have explicitly delegated.
• To meet our contractual obligations to you (deliver the plan tier you've paid for, dispatch alerts, retain audit history).
• To diagnose and fix problems: error logs, action failures, integration health checks.
• To comply with legal obligations: tax reporting, billing records, anti-fraud checks.

We do not sell personal data. We do not use connected-source data to train models that are exposed to other customers. We do not use connected-source data to build advertising audiences or enrich profiles outside your account.

Separately, we offer an optional anonymized benchmark contribution feature that is off by default. Details and opt-in mechanics are described in the next section.

Anonymized benchmark contribution (opt-in, default OFF)

This section describes a feature that is OFF by default. You must explicitly opt in for it to apply to your account.

What it is

oddly offers an optional feature where merchants contribute anonymized, aggregated metrics to a cross-merchant benchmark dataset. In exchange, contributing merchants see how their store compares to similar stores (for example, "merchants in your category with similar ad spend average X percent wasted spend on out-of-stock items").

How we anonymize

Contributed metrics are:

• Aggregated: we never share individual orders, individual customers, individual products, or individual campaigns.
• De-identified: all merchant identifiers, store names, customer IDs, product names, and SKUs are removed before contribution.
• Bucketed: metrics are grouped into ranges (for example, monthly ad spend is bucketed as $1k to $5k, $5k to $10k) so that no single merchant can be re-identified by spend alone.
• Minimum cohort size: benchmark calculations require a minimum of 5 contributing merchants per category and spend tier before any benchmark is computed or displayed.

What we contribute

Aggregated metrics include category-level wasted ad spend percentage, return on ad spend ranges, repeat purchase rate ranges, click-through and conversion rate ranges, and channel mix percentages. We do not contribute customer email addresses, customer names, individual order data, individual product names, individual campaign names, or any data that could identify a specific merchant or end customer.

Your control

Opt-in is presented as an unchecked checkbox during onboarding and on your Settings page. You may revoke your opt-in at any time. Once revoked, we stop including your store's data in future benchmark computations within 24 hours. Revocation does not retroactively remove your historical anonymized contribution from past benchmark calculations, because those contributions cannot be re-identified to your store.

Google API Services User Data Policy + Limited Use

Specifically:

• We use Google user data only to provide and improve user-facing features that are prominent in the Service (campaign monitoring, search-term cleanup, content gap detection, ad-pause recommendations for out-of-stock products, weekly digests, search performance reporting).
• We do not transfer Google user data to third parties except as necessary to provide or improve those user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• We do not use Google user data to serve advertisements, including retargeting, personalised, or interest-based advertising.
• We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or our use is for internal operations and the data has been aggregated and anonymised.

Sub-processors

We use the following sub-processors to deliver the Service. We require each sub-processor to maintain confidentiality and security obligations consistent with this Policy.

Source platforms (Google for Ads, Search Console, and Analytics; Meta for Marketing API) act as upstream data sources; data flows only when you authorise OAuth and is not considered a sub-processor for purposes of this section.

How recommendations are generated

oddly's intelligence is deterministic by default. The signals (wasted-spend alerts, visibility scores, trend detection) are computed from your data on our infrastructure. To make the resulting recommendations more specific to your situation, we send a structured slice of the relevant signal (counts, scores, top page paths, tracked keywords) to a third-party model-inference provider at request time. We do not send full content, raw user records, or anything sensitive. The provider does not retain inputs after the response and does not use them to train any model. If this processing is unavailable, you receive the deterministic templated recommendation; nothing breaks.

Retention + deletion

• Account, brand, and operational data are deleted within 30 days of account cancellation, except where retention is required by law (financial records, billing invoices, tax records).
• Audit log entries are retained for up to 12 months from creation. After that they are deleted or aggregated into anonymised statistics that cannot be tied back to a brand.
• Billing records are retained for the period required by Singapore tax law (currently five years from the end of the relevant accounting year).
• OAuth refresh tokens are deleted immediately on cancellation or revocation.
• We may retain aggregated, anonymised metrics indefinitely. Anonymised means no value can be associated with you, your brand, or any individual.
• You can request immediate deletion at any time; see section 11.

Security

• All traffic between you and the Service is encrypted with TLS 1.2 or higher.
• OAuth tokens, API keys, and webhook signing secrets are stored in a managed key-management system, never in source code, never in logs, and never exposed to client-side JavaScript.
• The database is encrypted at rest. Backups inherit the same encryption.
• Authentication to the dashboard is token-based; tokens are rotated on cancellation or on request.
• Webhooks are verified with HMAC signatures before any action is taken on the payload.
• Application logs are scrubbed of credentials, OAuth tokens, and webhook secrets before write.
• Read more on the security page.

International transfers

The Service is operated from Singapore on globally distributed edge infrastructure. The edge network may process data in any region where the underlying infrastructure operates. Payments, email, messaging, and source platforms may process data in jurisdictions outside Singapore and the EU. Where transfers are made out of the EEA, we rely on Standard Contractual Clauses or other transfer mechanisms recognised under GDPR.

Your rights (PDPA + GDPR)

You may at any time:

• Request access to the personal data we hold about you.
• Request correction of inaccurate or incomplete personal data.
• Withdraw consent for any processing that relies on consent. Withdrawing OAuth scopes is the operational form of this for connected platforms.
• Request deletion of your personal data, subject to retention required by law.
• Request a portable export of the operational data associated with your account.
• Lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC) or, if you reside in the EEA, with your local supervisory authority.

To exercise any of these rights, email k.peh@myoddlyeven.com with the subject "Data Request". We respond within 30 days.

Shopify GDPR compliance webhooks

In compliance with Shopify Partner Program requirements and GDPR Article 17, oddly implements three mandatory webhooks for merchants who install the oddly app via Shopify:

All three webhooks are HMAC-SHA256 verified to prevent unauthorized requests. Receipt and completion of each webhook event is logged in our audit trail. Merchants and end customers receive notifications via our internal operations channel for each compliance event.

Cookies + analytics

We use a single first-party cookie to keep your dashboard session alive. We do not use advertising cookies, third-party tracking pixels, or fingerprinting. We do not run third-party analytics on this domain. Server-side request logs are retained for 30 days for diagnostics and then deleted.

Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify you by email at least 30 days before the change takes effect, or sooner where required by law. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Contact

Questions, requests, and disclosures: hello@myoddly.com.

Data protection officer: k.peh@myoddlyeven.com.

Postal: Oddly Even Group Pte. Ltd., Singapore. Mailing address available on request to verified data subjects.