Privacy Policy

oddli ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Norwegian privacy law.

By using oddli you confirm you have read and understood this policy. If you do not agree, you must not use the Service.

1. Who We Are

oddli is operated as a sole trader based in Norway. We are the data controller for all personal data processed through the Service. You can contact us at legal@oddli.co with any privacy-related questions.

2. Data We Collect

We collect the following categories of personal data:

• Account data: Email address, username (if provided), and Clerk user ID — collected when you sign up via Clerk.
• Subscription data: Subscription status, Stripe customer ID, subscription period dates — collected when you start a trial or paid subscription.
• Payment data: Payment is processed entirely by Stripe. We never receive or store your card number, CVV, or bank details. We only receive a Stripe customer ID and subscription status.
• Notification preferences: Whether you have opted in to email or SMS notifications, and your phone number if provided.
• Usage data: Bankroll amount and currency (stored locally in your browser via Zustand; not sent to our servers unless you explicitly save it).
• Server logs: Standard server logs may include IP addresses, browser user-agent strings, and request timestamps for security and debugging purposes. These are not linked to your identity.

We do not collect: precise location data, biometric data, health data, or any special category data under GDPR Article 9.

3. Legal Basis for Processing

We process your personal data on the following legal bases:

• Contract performance (Article 6(1)(b)): Processing your email, subscription status, and payment data is necessary to provide the Service you signed up for.
• Legitimate interests (Article 6(1)(f)): Server logs and security monitoring are necessary for our legitimate interest in keeping the Service secure and reliable.
• Consent (Article 6(1)(a)): Email and SMS notifications are sent only where you have opted in. You can withdraw consent at any time in Settings.

4. How We Use Your Data

• To create and manage your account
• To process your subscription and manage billing via Stripe
• To send you daily pick notifications if you have opted in
• To respond to your support requests
• To detect and prevent fraud, abuse, or security incidents
• To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising profiling.

5. Third-Party Processors

We share data with the following processors, each bound by a Data Processing Agreement:

• Clerk (clerk.com): Authentication and user identity management. Stores your email and session data. Hosted in the US with EU Standard Contractual Clauses in place.
• Stripe (stripe.com): Payment processing and subscription management. PCI DSS Level 1 certified. Processes payment data under their own privacy policy.
• Neon (neon.tech): Serverless PostgreSQL database. Stores account and subscription records. EU region (Frankfurt).
• Cloudflare (cloudflare.com): Application hosting and edge delivery. May process request metadata (IP, headers) at edge nodes globally.
• Resend (resend.com): Email notification delivery. Receives your email address only when you have opted in to email notifications.
• Twilio (twilio.com): SMS notification delivery. Receives your phone number only when you have opted in to SMS notifications.
• Anthropic (anthropic.com): AI model provider. The Claude API receives match data and sports statistics only — no personal data is included in AI model prompts.

6. Data Retention

• Account data: Retained for the duration of your subscription and for 2 years after cancellation, then deleted.
• Pick and settlement data: Retained indefinitely as anonymised aggregate performance records.
• Payment records: Retained for 5 years to comply with Norwegian accounting law (Bokføringsloven).
• Server logs: Retained for 90 days.

7. Your Rights Under GDPR

As a data subject you have the following rights. To exercise any of them, contact us at legal@oddli.co. We will respond within 30 days.

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Ask us to correct inaccurate data.
• Right to erasure (Art. 17): Request deletion of your account and personal data. We will delete your data within 30 days except where retention is required by law.
• Right to restrict processing (Art. 18): Ask us to restrict how we process your data in certain circumstances.
• Right to data portability (Art. 20): Request your data in a machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent: You can withdraw notification consent at any time in Settings. This does not affect the lawfulness of processing before withdrawal.

You also have the right to lodge a complaint with the Norwegian data protection authority: Datatilsynet — datatilsynet.no.

8. Cookies & Tracking

We use session cookies set by Clerk for authentication only. We do not use advertising cookies, tracking pixels, or third-party analytics tools (e.g. Google Analytics). No data is shared with advertising networks.

9. International Transfers

Some of our processors (Clerk, Stripe, Cloudflare, Resend, Twilio) may process data outside the European Economic Area. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted connections (TLS), access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email or in-app notice. The "Last updated" date at the top of this page always reflects the most recent version.

12. Contact

For any privacy-related questions, data subject requests, or complaints:

• Email: legal@oddli.co