1. Who we are & roles
- Data Controller (account/billing/website data): TerraKernel Pte. Ltd., UEN 202535113D, 10 ANSON ROAD #33-10, SUITE C, INTERNATIONAL PLAZA SINGAPORE 079903. Email: privacy@terrakernel.com
- Data Processor (customer content in ODX): For data you send into ODX on behalf of your end-users, we process such data only on your documented instructions. You are the Controller, we are the Processor.
- Representative / DPO (if applicable): Data Protection Officer; contact: privacy@terrakernel.com
2. Scope
This Policy covers the ODX platform (APIs, SDKs, proxy, admin consoles, managed environments), our websites/dashboards, and support communications. It does not cover third-party services you connect to ODX; their privacy practices are governed by their own policies.
3. Categories of data we collect
A. Account & billing (Controller)
- Identity & contact (name, email, company, role)
- Auth & security (hashed credentials, tokens, session IDs)
- Billing (address, plan, invoices; limited payment metadata; no full card storage)
- Communications (support tickets, feedback)
B. Service/usage data (Controller)
- Device & log data (IP, user agent, timestamps)
- Product analytics (aggregated/pseudonymized where feasible)
- Cookies & similar technologies (see Cookie section)
C. Customer Data via ODX (Processor)
- Business records you process (e.g., ERP/CRM objects like orders, invoices, customers, addresses, products)
- Optional end-to-end encrypted payloads (if enabled, we cannot read content payloads)
Sensitive data: You are responsible for deciding whether to process special categories of data. Do not send sensitive data unless you have a lawful basis and safeguards.
4. Sources
- Data you provide directly (signup, support)
- Data collected automatically via the Services (logs, telemetry)
- Data received from processors you authorize (e.g., payment confirmations from Airwallex)
5. How we use data
As Controller (account/website/service operation)
- Provide & secure the Services (authentication, fraud prevention, incident response)
- Billing & collections (subscriptions, invoicing, tax compliance)
- Improve & support (diagnostics, analytics, troubleshooting, development)
- Communications (service notices, security alerts, marketing with consent where required)
Legal bases (GDPR/PDPA SG): performance of contract, legitimate interests (security/product improvement), consent (cookies/marketing), legal obligations (tax/audit).
As Processor (Customer Data in ODX)
- Only on your instructions to transmit, transform, store, or return data through ODX
- No secondary use of Customer Data for profiling, advertising, or model training unless explicitly agreed in writing
6. Cookies & similar technologies
We use essential cookies to make ODX work, plus optional analytics/payment-related cookies. Where required, we display a consent banner and honor your choices. Manage cookies via your browser and our banner settings.
7. Disclosures & processors
We share data with third parties only as needed to operate the Services and under appropriate contracts:
| Category | Provider | Purpose | Region |
|---|---|---|---|
| Hosting / Edge | Vercel | App hosting, CDN | Global |
| Cloud / Storage | Google Cloud | Storage, compute, backups | Singapore / US |
| Payments | Airwallex | Payments & invoicing | Global |
We may disclose data to comply with law, enforce agreements, or protect rights/safety. In corporate transactions, data may transfer under the same protections.
8. International transfers
We operate primarily from Singapore and may process data in other regions where our subprocessors operate. When transferring personal data internationally, we implement appropriate safeguards (e.g., SCCs, PDPA-compliant clauses, or equivalent mechanisms).
9. Security
- Transport encryption (TLS in transit)
- Encryption at rest (platform-managed)
- Optional end-to-end encryption (client-side; only you hold keys)
- Access controls & audits (least privilege, logging)
- Secure development & vulnerability management
No system is 100% secure. If a breach impacting your personal data occurs, we will notify you and regulators as required by law.
10. Data retention
- Account/billing: for the duration of your account and as required by law
- Logs/telemetry: for operational periods (e.g., 30–180 days) or longer for security/investigations
- Customer Data (Processor): per your settings/instructions; deleted/returned on termination or request, subject to legal holds/backups
11. Your rights
Depending on your jurisdiction (e.g., PDPA Singapore, GDPR EEA/UK, CCPA/CPRA California), you may have rights to access, correct, delete, object/restrict, withdraw consent, obtain portability, and lodge complaints. To exercise rights, contact us at privacy@terrakernel.com. If your data is processed as Customer Data under a customer account, contact that customer (Controller); we will assist as Processor.
12. Children’s privacy
The Services are not directed to children under the age required by applicable law. We do not knowingly collect personal data from children. If you believe a child has provided data, contact us to delete it.
13. Customer responsibilities
- Configure ODX securely (API keys, IP allow-lists, encryption, RBAC)
- Do not transmit prohibited or unlawful content
- Provide adequate privacy notices to your end-users and obtain necessary consents
- Honor data subject requests in your role as Controller
- Use client-side encryption for highly sensitive content where appropriate
14. Third-party links and services
Our Services may link to third-party sites or load third-party scripts you choose (e.g., via GTM or integrations). We are not responsible for their practices. Review their privacy policies.
15. Changes to this Policy
We may update this Policy from time to time. We will post the updated version and revise the effective date. If changes are material, we will provide additional notice (e.g., dashboard notice or email).
16. Contact us
TerraKernel Pte. Ltd., 10 ANSON ROAD #33-10, SUITE C, INTERNATIONAL PLAZA SINGAPORE 079903
Email: privacy@terrakernel.com
17. Jurisdiction-specific disclosures (summary)
- Singapore (PDPA): Reasonable purposes with consent or other lawful basis; access/correction on request.
- EEA/UK (GDPR): See legal bases, rights, and transfer safeguards above.
- California (CCPA/CPRA): We do not sell personal information or use Customer Data for cross-context behavioral advertising.
18. Data Processing Addendum (DPA)
For a DPA (including SCCs or PDPA clauses), contact privacy@terrakernel.com. Our DPA governs processing of Customer Data and includes subprocessor commitments and security standards.