Odoo In-App Purchase Privacy Policy


This policy is an extension of the Odoo Privacy Policy to explain what information is collected, why, and how we use it for our IAP services.

Last updated: March 12, 2024 -  Archived versions

SMS Partner Autocomplete Reveal Social Media Connector Snailmail Documents Digitization Amazon Connector Germany - Certification for PoS (Fiskaly) itsme® identification Website Content Generation Chat with AI

SMS

Information we collect:  The information we collect is directly provided by our users when they use the service. This information includes the identifier of the Odoo IAP account making the request, as well as the destination mobile phone number and the text of the SMS to send.

How we use this information:  This SMS text and the destination mobile phone number is transferred to our service provider in order to execute the request. The contents and destination of the SMS are stored on the Odoo IAP server for moderation purpose, and our server logs keep a temporary record of the IAP account and the destination mobile number for security and abuse prevention purposes.

Accessing, Updating or Deleting Your Personal Information:  You have the right to access and update personal data you have previously provided to us. You can do so at any time by connecting to your personal account on iap.odoo.com. If you wish to permanently delete your account or personal information for a legitimate purpose, please contact our  Helpdesk  to request so. We will take all reasonable steps to permanently delete your personal information on our servers and on the third-party service providers you have used, except when we are required to keep it for legal reasons (typically, for administration, billing and tax reporting reasons).

Third Party Service Providers:

Service Provider Purpose Shared Data
MessageBird
Legal Page
Privacy & Security		 SMS processing through IAP services Shared with MessageBird: Text of the message and destination mobile phone number.
SMS Factor
Legal Page
Privacy & Security
 SMS processing through IAP services
 Shared with SMS Factor: Text of the message and destination mobile phone number.


Data Retention:  The Odoo IAP server logs contain a one-way hash of the IAP account, the content and the destination mobile phone number, and are kept on our servers for security and abuse prevention purposes, for up to 12 months.

Transfer of Data:  The Odoo IAP servers are located in  Belgium  and  France . For service providers, please see the relevant entry in the table above.

Partner Autocomplete

Information we collect:  When Odoo users enter customer or supplier data in their database, an auto-completion request is sent to our service with the company name or VAT number that have been entered. This data is processed anonymously - we do not store any information to identify the origin of the requests.
 No auto-completion request is made for individuals, only for contacts of type "Company", as we cannot and do not retrieve information for individuals. As a result, the processed data should generally not include any personal data.

How we use this information:  The requested company name or VAT number is transferred to our third-party service provided listed below, in order to retrieve company information such as the company address, email, logo and website.
The company info retrieved in this fashion is stored temporarily on our servers in order to speed up retrieval of frequently accessed data, and we take every step to make sure we only store business data, and no personally identifiable information.

Accessing, Updating or Deleting Your Personal Information:  Access to user requests cannot be requested as the data is anonymized.

Third Party Service Providers:

Service Provider Purpose Shared Data
Clearbit
Legal Page
Privacy & Security		 Auto complete partner information through IAP services Shared with Clearbit: We send the company name entered by the user to get more info and autocomplete. Only name entered for partner of type 'Company' are sent to Clearbit, not for individuals.
VIES
Privacy & Security		 Auto complete partner information through IAP services Shared with VIES: We provide the VAT number to get the address that will autocomplete.


Data Retention:  We only store aggregated metrics on anonymized requests of information on company domains on our server. We keep this indefinitely.

Transfer of Data:  Data is hosted on our servers which are located in  Belgium  and  France . See above for data shared with the service provider.

Reveal

Information we collect:  We collect the IP addresses submitted to our service for contact information. This data is anonymized, meaning that we do not store who submitted which IP address.

How we use this information:  IP addresses submissions are aggregated, made anonymous, and kept to improve our service. This information can no longer be associated with a specific person.

Accessing, Updating or Deleting Your Personal Information:  Access to submitted IP addresses cannot be requested as the data is anonymized.

Third Party Service Providers:  Whenever the user submits an IP address to identify its company domain, this request is sent to our server and to our service provider, Clearbit. We make sure that Clearbit uses this information in compliance with Data Protection legislation, and that the processing they carry out for us is limited to our specific purpose and covered by a specific data processing contract. More information can be found on Clearbit's  GDPR Compliance  and  Privacy Policy .

Service Provider Purpose Shared Data
Clearbit
Legal Page
Privacy & Security		 Retrieval of business info for prospection through IAP services Shared with Clearbit: We send the website visitors IP address entered by the user to get more info and autocomplete. Only name entered for partner of type 'Company' are sent to clearbit, not for individuals.
Retrieved from Clearbit for visitors coming from EU companies: name, sector, est. size, est. revenue, website, social media and general contact info
Retrieved from Clearbit for visitors coming from non-EU companies: same as for EU companies, plus contact info for company executives, if known


Data Retention:  We only store aggregated metrics on anonymized submissions of IP addresses on our server. We keep this indefinitely.

Transfer of Data:  Data is processed on our servers which are located in  Belgium  and  France . See above for data shared with the service provider.

Social Media Connector

This IAP service provides the link between the Odoo Social Marketing Application and the various social media providers listed here under.

Information we collect: We receive the complete API calls sent from the Odoo Social Marketing Application with their parameters, and the responses to these requests coming from the social media providers APIs. We also receive the database identifier and IP address of the Odoo database where the Social Media Application is installed.

How we use this information: We only use the information contained in the social media provider API requests and responses in order to transmit them securely to your Odoo Social Application.
The contents of the requests and responses are not stored, we only record minimal metadata for security and auditing purposes: meaning your database identifier and the time of your request.

Accessing, Updating or Deleting Your Personal Information: The minimal information stored on our server does not carry any significant privacy risk, and is considered necessary for the security of our services, so it can't be deleted. We can however give access to this information upon request.
Any private and/or sensitive data, such as the content of your social media post, is only stored on your Odoo database and can be accessed and deleted at will.

Third Party Service Providers: The Social Media Application requests are transmitted to the social media providers endpoint, the list of those providers are listed here under.

Service Provider Purpose Shared Data
Facebook Graph API
Facebook Privacy Policy
 Facebook Access Shared with Facebook: contents of the Facebook Graph API requests.
Facebook Instagram Graph API
Facebook Privacy Policy		 Facebook Instagram Access Shared with Facebook: contents of the Facebook Instagram Graph API requests.
Twitter API
Twitter Privacy Policy		 Twitter Access Shared with Twitter: contents of the Twitter API requests.
LinkedIn API
LinkedIn Privacy Policy		 LinkedIn Access Shared with LinkedIn: contents of the LinkedIn API requests.
YouTube
Google Privacy Policy Google Security Settings YouTube Terms of Service		 YouTube Access Shared with YouTube: contents of the YouTube API requests.


Data Retention: The requests and response contents are not stored on our servers.

Transfer of Data: The data is processed on our servers which are located in Belgium and France, and then transmitted to the selected social media endpoint (see above).

Snailmail

Information we collect:  The information we collect is directly provided by our users when they use the service. This information consists in the PDF document the user is sending by post, along with the address to which it is being shipped.

How we use this information:  This information is sent to our server then transfered to our service provider in order to deliver the submitted document to the shipping address provided. This information is not stored on our server.

Accessing, Updating or Deleting Your Personal Information:  This information is not stored on our server. Upon user request, we can provide access/control to the data stored on our service provider's servers.

Third Party Service Providers:  Whenever we share this information with our service provider, Pingen, we make sure it is used in compliance with Data Protection legislation, and that the processing they carry out for us is limited to our specific purpose and covered by a specific data processing contract. More information can be found in  Pingen's Privacy Policy .

Service Provider Purpose Shared Data
Pingen
Privacy & Security		 Mail processing through IAP services Shared with Pingen: PDF Document to send by post, they are kept by Pingen during 1 month for debugging purpose.


Data Retention:  Document and destinator's shipping address are not stored on our servers.

Transfer of Data:  Data is processed on our servers which are located in  Belgium  and  France . See above for data shared with the service provider.

Documents Digitization

Information we collect:  The information we collect is directly provided by our users when they use the service. This information consists in the document that the user is sending to the service and some information to help to discern the user in the document: the company name, the company VAT number, the language of the user and his email.

How we use this information:  Documents (PDF/image) are parsed and analyzed to return structured data to the user. Files are stored, along with their structured information, to be used in the continual improvement of our service. Other information like company name, company VAT number, user language and user email are only used to identify vendor and customer in invoice detection.

Accessing, Updating or Deleting Your Personal Information:  Document files stored, along with their structured information, can be accessed and deleted upon user request.

Third Party Service Providers:  Whenever a user submits an document file to this service, it can be sent to Google Vision to be parsed and converted to text. We make sure that Google uses this information in compliance with Data Protection legislation, and that the processing they carry out for us is limited to our specific purpose and covered by a specific data processing contract.
Google Vision deletes the images processed either immediately or within a few hours after processing.
More information can be found on the  Google Vision FAQ Google's Data Processing Amendment  and  Privacy Framework .

Data Retention:  Submitted files, along with their structured data, are stored on our server for a duration of 6 months. After this period, submitted files will be deleted and structured data anonymized.

Transfer of Data:  Data is hosted on our servers which are located in  Belgium  and  France .
Some OCR data may be temporarily stored and processed by Google Vision. In order to make sure all processing is exclusively conducted on European Union territory, we have activated the  EU Regional Restriction  for the Google Vision API.
Images processed by Google Vision are deleted from Google servers within a few hours of processing. Google guarantees the region-restricted processing via Google Vision in their  Service Specific Terms .

Amazon Connector

This IAP service provides the link between the Odoo Amazon Connector (that end-users can install in their Odoo deployments) and the Amazon MWS API.

Information we process: We receive the complete Amazon MWS API calls sent from the Odoo Amazon Connector with their parameters, and the responses to these requests coming from the Amazon MWS API. We also receive the database identifier and IP address of the Odoo database where the connector is operating, as well as the Odoo Enterprise identifier.

How we use this information: We only use the information contained in the Amazon API requests and responses in order to transmit them securely to the two endpoints: requests coming from the Odoo Amazon Connector are signed and transmitted to Amazon, and the responses are then transmitted back to the connector who sent the request.
The contents of the requests and responses are not stored, we only record minimal metadata for security and auditing purposes: name of Amazon API Endpoint being called (e.g. ListOrderItems), date and time of the call, Amazon marketplace code (EU/US/..)., IP address of the caller, and identifier of calling databases.

Accessing, Updating or Deleting Your Personal Information: The minimal information stored on our server does not carry any significant privacy risk, and is considered necessary for the security of our services, so it can't be deleted. We can however give access to this information upon request.

Third Party Service Providers: The Amazon Connector requests are transmitted to the Amazon MWS Endpoints, according to the Amazon Marketplace that the user configured in the Odoo Amazon Connector. More information can be found in Amazon MWS's Enpoint documentation.

Service Provider Purpose Shared Data
Amazon MWS
Data Protection Policy		 MWS Service Access Shared with Amazon: contents of the MWS API requests.


Data Retention: The requests and response contents are not stored on our servers. The metadata recorded for security and audit purposes is kept in our logs for up to 12 months.

Transfer of Data: The data is processed on our servers which are located in Belgium and France, and then transmitted to the selected Amazon MWS endpoint (see above).

Germany - Certification for PoS (Fiskaly)

This IAP service acts as a proxy between the Odoo end-users and Fiskaly GmbH, a Cloud-based Technical Security System (TSS) providing compliant archive services for the German Kassensicherungsverordnung.

Information we process: The IAP service only directly processes the company information for the IAP end-customer, such as company name, address, VAT number, German tax number and Wirtschafts-Identifikationsnummer, as well as the Fiskaly organization ID, for the initial registration.
Once the registration is completed, the Odoo PoS App will directly transfer order information for archival purposes to Fiskaly. This includes order information (products, amounts, quantities, payment methods, and client contact info when present), time of the order and staff member name.

How we use this information: The company information is simply sent to Fiskaly in order to achieve one of the following: company registration at the financial authorities, update of the company information or request for new credentials.
By using the Odoo PoS App in Germany, order information is directly sent to Fiskaly while finalizing the order. For restaurants, they are also sent while creating, updating and deleting orders. This information is sent to the corresponding TSS. Upon closing a session, all the data created and collected during the session will be sent to the DSFinV-K service of Fiskaly.

Accessing, Updating or Deleting Your Personal Information: The archived orders can be accessed through Fiskaly directly. They can be updated as long as they have not been finalized. Once finalized, they are archived for ten years, in compliance with Germany regulations.
Fiskaly organization IDs stored by IAP is only deleted when the service is canceled, as it required for service operation.

Third Party Service Providers:

Service Provider Purpose Shared Data
Fiskaly
Data Protection Policy		 Fiscal data archive service Shared with Fiskaly: Fiskaly Organization credentials for IAP end-customers + order data (directly transfered from PoS to Fiskaly)


Data Retention: Fiskaly organization IDs are stored on the IAP servers for the duration of the service. The metadata recorded for security and audit purposes is kept in our logs for up to 12 months.
Orders data archived on the Fiskaly side are stored for ten years.

Transfer of Data: The IAP data is processed on our servers which are located in Belgium and France, and then transmitted to the Fiskaly services endpoints, located in Germany. Fiskaly archived data are stored in Germany.

itsme® identification

Information we process:  The information we collect is directly provided by the users of the service (Odoo customers as well as other signatories of their documents) when they use the service to identify themselves. This information includes the identifier of the Odoo IAP account making the request, the full name and date of birth of the person providing their identity as given by the itsme® platform.

How we use this information:  The full name and date of birth of the identified person are transferred from the itsme® platform to the database of the Odoo IAP account making the request,  without being stored on the Odoo IAP platform . Information regarding the date and time of the request and a non-reversible hash of the payload are stored on the IAP servers for security and traceability purposes.

Accessing, Updating or Deleting Your Personal Information:  Access to Personal Information coming from the itsme® platform cannot be requested since it is not stored on the Odoo IAP platform. Information coming from the customer Odoo instance (IAP identifier, hash of the payloads and other traceability data) can be obtained or deleted by contacting us through our  Helpdesk .

Third Party Service Providers:

Service Provider Purpose Shared Data
itsme®
Privacy Policy		 Identify a document signatory through IAP Services Retrieved from itsme®: Full name and date of birth of the identified person.


Data Retention:  The Odoo IAP server stores a one-way hash of the name and date of birth of the identified person, which are kept on our servers for traceability of the signed document.

Transfer of Data:  The data is processed on our servers which are located in  Belgium  and  France . For service providers, please see the relevant entry in the table above.

Website Content Generation

Information we process:  The information we collect consists in (odoo generated) default texts of the theme selected for the website creation, the language of the website and the industry for which the website is generated.

How we use this information:  We use OpenAI to generate text of the same size as the generic theme text, modifying it to fit the selected industry and the language of the website. We save this information along with the OpenAI responses to reduce the number of calls to OpenAI should someone perform the exact same request. This data is anonymized and can no longer be associated with a specific person.

Accessing, Updating or Deleting Your Personal Information:  Access to user requests cannot be requested as the data is anonymized.

Third Party Service Providers:

Service Provider Purpose Shared Data
OpenAI
Privacy Policy		 Generate text for the website that fits the requested industry.
 Shared with OpenAIThe texts of the theme selected to make the website, the language of the website and the industry for which the website is generated


Data Retention:  We only store anonymized data which by default are deleted after a period of 30 days. If the same website creation request is made regularly, the period of 30 days is extended.

Transfer of Data:  The data is processed on our servers which are located in  Belgium  and  France . See above for data shared with the service provider.

Chat with AI

Information we process:  The information we collect is directly provided by our users when they use the service. This information consists in the history of the conversation, the requested action and the selected text given by the user. We don't store any data.

How we use this information:  We use Open AI to generate text based on a conversation history or a user query.

Accessing, Updating or Deleting Your Personal Information:  Access to user requests cannot be requested as the data is not stored.

Third Party Service Providers:

Service Provider Purpose Shared Data
OpenAI
Privacy Policy		 Generate text, shorten text, lengthen text, make text more friendly, professional or persuasive
 Shared with OpenAI : Conversation history, user-selected text, user-requested action.


Data Retention: We don't store the data.