Odro
Effective 8 May 2026

Privacy Policy

Effective 8 May 2026Odro · Cape Town

This Privacy Policy explains how Odro (“Odro”, “we”, “us”) collects, uses, discloses, and protects personal information when you use the Odro platform, the website at odro.ai, or any related service (the “Service”). It applies to anyone who creates an Odro workspace, uses an Odro workspace as an end user (driver, dispatcher, etc.), or interacts with a Customer's tracking page. Words capitalised but not defined here have the meanings given in our Terms of Use.

01Our role: controller vs. processor#

Odro plays two different roles depending on whose data is involved.

  • Controller (Responsible Party). For personal information about Customer account-holders, billing contacts, and visitors to odro.ai (including marketing-page visitors). We decide why and how that personal information is processed and we are accountable for it.
  • Processor (Operator).For personal information uploaded into a Customer's workspace by the Customer or its End Users — recipient names, addresses, phone numbers, photographs, scan events, ratings, and the like. The Customer is the controller of that data; we process it on the Customer's behalf and only as instructed by these Terms and our service configuration.

If you received a tracking link and have a question about your delivery — please contact the merchant who is delivering your order. We can put you in touch but we cannot modify or delete that data without their instruction.

02What we collect#

We collect the following categories of personal information:

  • Account & billing. Name, email, hashed password, business name, role, phone, billing address, payment method, tax identifiers. Provided directly by you when you sign up or update workspace settings.
  • Workspace operational data.Customer-uploaded data including delivery-recipient names, contact details, addresses, time windows, order line items, prices, payment status, driver profiles, vehicle registrations, work schedules, and notes. Processed on the Customer's behalf.
  • Driver & delivery telemetry. When a driver scans a QR code, captures a photograph, enters a PIN, or uses navigation features, we record the timestamp, GPS coordinates (where available and permitted), device identifiers, and the scan event itself.
  • Customer-facing tracking data. Information visible to recipients via the tracking page — masked address, status events, estimated delivery times, and any rating or feedback the recipient submits after delivery.
  • Usage data. Browser and device information, IP address, pages viewed, actions taken, referrer URL, and approximate location derived from IP. Collected automatically via standard server logs and cookies.
  • Communications. Records of any messages, support tickets, calls, or emails between you and Odro.
  • Marketing data. If you sign up for our newsletter, demo, or other marketing-related interaction, we collect your email and the consents and preferences you provide. Marketing channels we may use include email, in-product banners, and (with explicit opt-in) SMS — never voice calls.

We do not knowingly collect special categories of personal information (e.g. health, race, biometric data) or information from children under 13 (or the local equivalent age of digital consent). If you believe we have inadvertently collected such information, please email privacy@odro.ai so we can delete it.

03How we use it#

We use personal information for the following purposes:

  • to provide, operate, maintain, and improve the Service;
  • to authenticate users, manage accounts, and protect against unauthorised access;
  • to process payments, manage subscriptions, and send billing-related notices;
  • to communicate with you about the Service, including security alerts, transactional emails, and changes to these policies;
  • to send marketing communications where you have opted in or where we are otherwise permitted by law (you may unsubscribe at any time);
  • to detect, prevent, and respond to fraud, abuse, security incidents, and policy violations;
  • to comply with applicable law, court orders, lawful requests by public authorities, and our contractual obligations;
  • to enforce our Terms of Use, including taking action against violations;
  • to develop new features and conduct research, using aggregated or de-identified data wherever practicable;
  • for any other purpose disclosed at the time of collection or to which you separately consent.

We do not train large language models or other AI models on Customer Data. Aggregated, de-identified usage data may inform product analytics and engineering decisions, but workspace contents — orders, addresses, photos, scans — are never used as training input.

Where applicable data-protection law requires us to identify a legal basis, we rely on:

  • Performance of a contract — to provide the Service to Customers and account-holders;
  • Legitimate interests — to operate, secure, and improve the Service, prevent fraud, conduct direct marketing where permitted, and pursue similar interests not overridden by your rights;
  • Consent — for marketing where required, and for any optional cookies or processing for which we ask separately;
  • Legal obligation — to retain records, respond to lawful requests, and meet tax, accounting, and similar duties;
  • Vital interests— in the rare case where processing is needed to protect a person's life or physical safety.

05Who we share it with#

We share personal information only as described below.

  • Within a Customer's workspace.Personal information uploaded by a Customer is accessible to other authorised users of that Customer's workspace, scoped by role.
  • Service providers (sub-processors). A small number of vendors host, operate, secure, and support the Service. They are contractually required to use personal information only as necessary to provide their services to us and to apply appropriate safeguards. As of the effective date these include:
    • Supabase — database hosting, authentication, file storage
    • Vercel — application hosting, edge delivery
    • Cloudflare — DNS, content delivery, anti-abuse
    • Email and SMS gateways — transactional notifications, billing
    • Payment processors — subscription billing
    • Mapping & geocoding providers — address normalisation, route display
    A current sub-processor list, including legal entity name and processing region, is available on request to privacy@odro.ai.
  • Compliance, safety, and legal claims. We may disclose information to comply with law, respond to lawful requests, enforce our Terms, protect the rights, property, or safety of Odro or others, or in connection with an actual or threatened legal claim.
  • Business transfers. If we are involved in a merger, acquisition, financing, sale of assets, reorganisation, or insolvency, personal information may be transferred to the successor entity, subject to confidentiality obligations and applicable law.
  • With your consent or at your direction.

We do not sell personal information for monetary consideration and do not share personal information for cross-context behavioural advertising.

06International transfers#

Odro is based in South Africa. We may host and process personal information in countries outside your country of residence, including the European Union, the United Kingdom, and the United States. Where personal information is transferred internationally, we take steps to ensure appropriate safeguards are in place — including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement, or other recognised legal mechanisms. By using the Service you consent to such transfers where local law requires consent for them.

07Cookies & similar tech#

We use a small number of cookies and similar technologies to keep you signed in, remember your preferences, secure the Service, and analyse usage. You can configure your browser to refuse cookies, but parts of the Service may not function correctly without them. We will request your consent for any non-essential cookies where required by law.

08How long we keep it#

We retain personal information only as long as necessary for the purposes described in this Policy or as required by law. As a guideline:

  • Workspace data— for the duration of the Customer's subscription and for thirty (30) days after termination, after which it is deleted, anonymised, or aggregated, unless a longer period is required by law (e.g. tax records).
  • Account & billing records — for the duration of the relationship and for the longer of (a) seven (7) years after the last transaction or (b) the period required by applicable accounting and tax law.
  • Server logs — up to ninety (90) days, save for security-incident records which may be retained longer for investigation.
  • Marketing data— until you opt out, after which we keep a minimal suppression record so we don't contact you again.

09Your rights#

Depending on where you live, you may have some or all of the following rights with respect to personal information about you that we control:

  • the right to access the personal information we hold about you;
  • the right to rectify inaccurate or incomplete information;
  • the right to erase personal information (the “right to be forgotten”);
  • the right to restrict or object to processing;
  • the right to data portability;
  • the right to withdraw consent at any time, where processing is based on consent;
  • the right to not be subject to automated decision-making with legal or similarly significant effects;
  • the right to lodge a complaint with a supervisory authority — in South Africa, the Information Regulator (inforegulator.org.za); in the EU, your local data-protection authority; in the UK, the ICO (ico.org.uk); in California, the California Privacy Protection Agency.

To exercise a right, email privacy@odro.ai. We may need to verify your identity before responding. We will not discriminate against you for exercising any of these rights and will respond within the period required by applicable law (typically 30 days, extendable once where necessary).

For workspace data (where Odro is a Processor), please address requests to the relevant Customer; we will assist them in responding. If you are unsure who the Customer is, contact us and we will route your request.

10Region-specific notices#

10.1 South Africa (POPIA)

Odro is the responsible party for the personal information described in this Policy where we act as a controller. We process personal information in accordance with the eight conditions for lawful processing under the Protection of Personal Information Act, 2013 (POPIA). You have the rights set out in section 5 of POPIA, including access, correction, deletion, and the right to complain to the Information Regulator. Our Information Officer can be reached at privacy@odro.ai.

10.2 European Economic Area & United Kingdom (GDPR / UK GDPR)

Where we transfer personal information out of the EEA or UK, we rely on appropriate safeguards including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Agreement. You have the rights described above and may lodge a complaint with your local supervisory authority. We do not currently maintain an EU or UK establishment; for the purposes of Articles 27 GDPR / UK GDPR, you may contact us at privacy@odro.ai.

10.3 California (CCPA / CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have the right to know what personal information we collect, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to limit use of sensitive personal information. We do not sell personal information for monetary consideration and do not share personal information for cross-context behavioural advertising. Personal information categories we collect map to the CCPA categories of identifiers, commercial information, internet activity, geolocation data, and inferences. To exercise rights, email privacy@odro.ai.

10.4 Other regions

We endeavour to comply with applicable privacy laws in every jurisdiction where the Service is offered. If a particular jurisdiction grants you rights beyond those described above, we will respect those rights. If you have questions about a specific law, contact privacy@odro.ai.

11Security#

We use a combination of administrative, technical, and physical safeguards to protect personal information, including encryption in transit (TLS 1.2+) and at rest where supported, role-based access control, per-organisation row-level data isolation, audit logging, and least-privilege production access. No system is perfectly secure; we cannot guarantee that personal information will never be accessed, used, or disclosed by unauthorised parties. You are responsible for keeping your account credentials confidential and for notifying us promptly if you suspect compromise.

12Children#

The Service is not directed to children under 13 (or the local equivalent age of digital consent). We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us so we can delete it.

13Changes to this Policy#

We may update this Policy from time to time. The most current version will always be posted at odro.ai/legal/privacy with a new effective date. Material changes will be communicated via email or in-product notice where required by law. Your continued use of the Service after a change takes effect constitutes acceptance.

14Data Processing Addendum#

Customers who require a Data Processing Addendum (DPA) for compliance with GDPR, UK GDPR, POPIA, or similar laws may request our standard DPA — incorporating the EU Standard Contractual Clauses and UK International Data Transfer Agreement where relevant — by emailing legal@odro.ai. The DPA, once countersigned by both parties, forms part of these Terms.

15Contact us#

Odro · Cape Town, South Africa
Privacy & data protection: privacy@odro.ai
Legal: legal@odro.ai
General: hello@odro.ai