Odoo In-App Purchase Privacy Policy

Last updated: May 12, 2021

Archived versions

This policy is an extension of the Odoo Privacy Policy to explain what information is collected, why, and how we use it for our IAP services.

SMS

Information we collect: The information we collect is directly provided by our users when they use the service. This information includes the identifier of the Odoo IAP account making the request, as well as the destination mobile phone number and the text of the SMS to send.

How we use this information: This SMS text and the destination mobile phone number is transferred to our service provider in order to execute the request. The contents of the SMS is not stored on the Odoo IAP server, however our server logs keep a temporary record of the IAP account and the destination mobile number for security and abuse prevention purposes.

Accessing, Updating or Deleting Your Personal Information: You have the right to access and update personal data you have previously provided to us. You can do so at any time by connecting to your personal account on iap.odoo.com. If you wish to permanently delete your account or personal information for a legitimate purpose, please contact our Helpdesk to request so. We will take all reasonable steps to permanently delete your personal information on our servers and on the third-party service providers you have used, except when we are required to keep it for legal reasons (typically, for administration, billing and tax reporting reasons).

Third Party Service Providers:
Service ProviderPurposeShared Data
Clicksend
Legal Page
Privacy & Security
SMS processing through IAP servicesShared with Clicksend: Text of the message and destination mobile phone number.
MessageBird
Legal Page
Privacy & Security
SMS processing through IAP servicesShared with MessageBird: Text of the message and destination mobile phone number.
SMS Factor
Legal Page
Privacy & Security
SMS processing through IAP services
Shared with SMS Factor: Text of the message and destination mobile phone number.


Data Retention: The Odoo IAP server logs contain a one-way hash of the IAP account, and the destination mobile phone number, and are kept on our servers for security and abuse prevention purposes, for up to 12 months.

Transfer of Data: The Odoo IAP servers are located in Belgium and France. For service providers, please see the relevant entry in the table above.

Partner Autocomplete

Information we collect: When Odoo users enter customer or supplier data in their database, an auto-completion request is sent to our service with the company name or VAT number that have been entered. This data is processed anonymously - we do not store any information to identify the origin of the requests.
No auto-completion request is made for individuals, only for contacts of type "Company", as we cannot and do not retrieve information for individuals. As a result, the processed data should generally not include any personal data.

How we use this information: The requested company name or VAT number is transferred to our third-party service provided listed below, in order to retrieve company information such as the company address, email, logo and website.
The company info retrieved in this fashion is stored temporarily on our servers in order to speed up retrieval of frequently accessed data, and we take every step to make sure we only store business data, and no personally identifiable information.

Accessing, Updating or Deleting Your Personal Information: Access to user requests cannot be requested as the data is anonymized.

Third Party Service Providers:
Service ProviderPurposeShared Data
Clearbit
Legal Page
Privacy & Security
Auto complete partner informations through IAP servicesShared with Clearbit: We send the company name entered by the user to get more info and autocomplete. Only name entered for partner of type 'Company' are sent to clearbit, not for individuals.
VIES
Privacy & Security
Auto complete partner informations through IAP servicesShared with VIES: We provide the VAT number to get the address that will autocomplete.


Data Retention: We only store aggregated metrics on anonymized requests of information on company domains on our server. We keep this indefinitely.

Transfer of Data: Data is hosted on our servers which are located in Belgium and France. See above for data shared with the service provider.

Reveal

Information we collect: We collect the IP addresses submitted to our service for contact information. This data is anonymized, meaning that we do not store who submitted which IP address.

How we use this information: IP addresses submissions are aggregated, made anonymous, and kept to improve our service. This information can no longer be associated with a specific person.

Accessing, Updating or Deleting Your Personal Information: Access to submitted IP addresses cannot be requested as the data is anonymized.

Third Party Service Providers: Whenever the user submits an IP address to identify its company domain, this request is sent to our server and to our service provider, Clearbit. We make sure that Clearbit uses this information in compliance with Data Protection legislation, and that the processing they carry out for us is limited to our specific purpose and covered by a specific data processing contract. More information can be found on Clearbit's GDPR Compliance and Privacy Policy.
Service ProviderPurposeShared Data
Clearbit
Legal Page
Privacy & Security
Retrieval of business info for prospection through IAP servicesShared with Clearbit: We send the website visitors IP address entered by the user to get more info and autocomplete. Only name entered for partner of type 'Company' are sent to clearbit, not for individuals.
Retrieved from Clearbit for visitors coming from EU companies: name, sector, est. size, est. revenue, website, social media and general contact info
Retrieved from Clearbit for visitors coming from non-EU companies: same as for EU companies, plus contact info for company executives, if known


Data Retention: We only store aggregated metrics on anonymized submissions of IP addresses on our server. We keep this indefinitely.

Transfer of Data: Data is processed on our servers which are located in Belgium and France. See above for data shared with the service provider.

Snailmail

Information we collect: The information we collect is directly provided by our users when they use the service. This information consists in the PDF document the user is sending by post, along with the address to which it is being shipped.

How we use this information: This information is sent to our server then transfered to our service provider in order to deliver the submitted document to the shipping address provided. This information is not stored on our server.

Accessing, Updating or Deleting Your Personal Information: This information is not stored on our server. Upon user request, we can provide access/control to the data stored on our service provider's servers.

Third Party Service Providers: Whenever we share this information with our service provider, Pingen, we make sure it is used in compliance with Data Protection legislation, and that the processing they carry out for us is limited to our specific purpose and covered by a specific data processing contract. More information can be found in Pingen's Privacy Policy.
Service ProviderPurposeShared Data
Pingen
Privacy & Security
Mail processing through IAP servicesShared with Pingen: PDF Document to send by post, they are kept by Pingen during 1 month for debugging purpose.


Data Retention: Document and destinator's shipping address are not stored on our servers.

Transfer of Data: Data is processed on our servers which are located in Belgium and France. See above for data shared with the service provider.

OCR

Information we collect: The information we collect is directly provided by our users when they use the service. This information consists in the invoice file the user is sending to OCR, and some information to help to discern the user in the invoice: the company name, the company VAT number, the language of the user and his email.

How we use this information: Invoice files (PDF/image) are parsed and analyzed to return structured invoice data to the user. Files are stored, along with their structured information, to be used in the continual improvement of our service. Other information like company name, company VAT number, user language and user email are only used to identify vendor and customer in invoice detection.

Accessing, Updating or Deleting Your Personal Information: Invoice files stored, along with their structured information, can be accessed and deleted upon user request.

Third Party Service Providers: Whenever a user submits an invoice file to our OCR service, it can be sent to Google Vision to be parsed and converted to text. We make sure that Google uses this information in compliance with Data Protection legislation, and that the processing they carry out for us is limited to our specific purpose and covered by a specific data processing contract.
Google Vision deletes the images processed either immediately or within a few hours after processing.
More information can be found on the Google Vision FAQ, Google's Data Processing Amendment and Privacy Framework.

Data Retention: Submitted files, along with their structured data, are stored on our server for a duration of 6 months. After this period, submitted files will be deleted and structured data anonymized.

Transfer of Data: Data is hosted on our servers which are located in Belgium and France.
Some OCR data may be temporarily stored and processed by Google Vision. In order to make sure all processing is exclusively conducted on European Union territory, we have activated the EU Regional Restriction for the Google Vision API.
Images processed by Google Vision are deleted from Google servers within a few hours of processing. Google guarantees the region-restricted processing via Google Vision in their Service Specific Terms.

Amazon Connector

This IAP service provides the link between the Odoo Amazon Connector (that end-users can install in their Odoo deployments) and the Amazon MWS API.
Information we process: We receive the complete Amazon MWS API calls sent from the Odoo Amazon Connector with their parameters, and the responses to these requests coming from the Amazon MWS API. We also receive the database identifier and IP address of the Odoo database where the connector is operating, as well as the Odoo Enterprise identifier.

How we use this information: We only use the information contained in the Amazon API requests and responses in order to transmit them securely to the two endpoints: requests coming from the Odoo Amazon Connector are signed and transmitted to Amazon, and the responses are then transmitted back to the connector who sent the request.
The contents of the requests and responses are not stored, we only record minimal metadata for security and auditing purposes: name of Amazon API Endpoint being called (e.g. ListOrderItems), date and time of the call, Amazon marketplace code (EU/US/..)., IP address of the caller, and identifier of calling databases.

Accessing, Updating or Deleting Your Personal Information: The minimal information stored on our server does not carry any significant privacy risk, and is considered necessary for the security of our services, so it can't be deleted. We can however give access to this information upon request.

Third Party Service Providers: The Amazon Connector requests are transmitted to the Amazon MWS Endpoints, according to the Amazon Marketplace that the user configured in the Odoo Amazon Connector. More information can be found in Amazon MWS's Enpoint documentation.
Service ProviderPurposeShared Data
Amazon MWS
Data Protection Policy
MWS Service Access Shared with Amazon: contents of the MWS API requests.


Data Retention: The requests and response contents are not stored on our servers. The metadata recorded for security and audit purposes is kept in our logs for up to 12 months.

Transfer of Data: The data is processed on our servers which are located in Belgium and France, and then transmitted to the selected Amazon MWS endpoint (see above).

Germany - Certification for PoS (Fiskaly)

This IAP service acts as a proxy between the Odoo end-users and Fiskaly GmbH, a Cloud-based Technical Security System (TSS) providing compliant archive services for the German Kassensicherungsverordnung.

Information we process: The IAP service only directly processes the company information for the IAP end-customer, such as company name, address, VAT number, German tax number and Wirtschafts-Identifikationsnummer, as well as the Fiskaly organization ID, for the initial registration.
Once the registration is completed, the Odoo PoS App will directly transfer order information for archival purposes to Fiskaly. This includes order information (products, amounts, quantities, payment methods, and client contact info when present), time of the order and staff member name.

How we use this information: The company information is simply sent to Fiskaly in order to achieve one of the following: company registration at the financial authorities, update of the company information or request for new credentials.
By using the Odoo PoS App in Germany, order information is directly sent to Fiskaly while finalizing the order. For restaurants, they are also sent while creating, updating and deleting orders. This information is sent to the corresponding TSS. Upon closing a session, all the data created and collected during the session will be sent to the DSFinV-K service of Fiskaly.

Accessing, Updating or Deleting Your Personal Information: The archived orders can be accessed through Fiskaly directly. They can be updated as long as they have not been finalized. Once finalized, they are archived for ten years, in compliance with Germany regulations.
Fiskaly organization IDs stored by IAP is only deleted when the service is canceled, as it required for service operation.

Third Party Service Providers:
Service ProviderPurposeShared Data
Fiskaly
Data Protection Policy
Fiscal data archive service Shared with Fiskaly: Fiskaly Organization credentials for IAP end-customers + order data (directly transfered from PoS to Fiskaly)


Data Retention: Fiskaly organization IDs are stored on the IAP servers for the duration of the service. The metadata recorded for security and audit purposes is kept in our logs for up to 12 months.
Orders data archived on the Fiskaly side are stored for ten years.

Transfer of Data: The IAP data is processed on our servers which are located in Belgium and France, and then transmitted to the Fiskaly services endpoints, located in Germany. Fiskaly archived data are stored in Germany.