On this page
Legal
Privacy Policy
1. Introduction
This Privacy Policy explains what personal data OddStorm Ltd collects when you use the OddStorm website, web application, and desktop application (collectively, the "Service"), how we use it, and the rights you have over it.
We are committed to processing personal data lawfully, transparently, and only to the extent necessary to operate the Service.
2. Data controller
The data controller for personal data processed in connection with the Service is:
- Controller
- OddStorm Ltd
- Address
- Mladost 1, bl. 24, entr. 1, fl. 2, ap. 3
1784 Sofia, Bulgaria - Contact
- oddstorm.com/contact
3. Data we collect
We collect only what is needed to provide and secure the Service.
Account data
- Email address
- Username
- Password (stored as a salted hash; never in plain text)
- Country and time zone, derived from your registration IP where applicable
Usage & technical data
- IP address (used for security, fraud prevention, and approximate location)
- Browser type, operating system, and device identifiers passed by your client
- Authentication events and session metadata
- Subscription, payment status, and support correspondence
Payment data
Payment card and bank details are handled and stored exclusively by our regulated payment partners over HTTPS/TLS. OddStorm does not see or store full payment instrument data.
4. How we use your data
- To create and operate your account and deliver the Service you subscribe to.
- To process subscription payments and renewals through our payment partners.
- To send transactional emails (account confirmation, password reset, billing notices). We do not send unsolicited marketing.
- To prevent and investigate fraud, abuse, scraping, and account sharing.
- To meet legal, accounting, and tax obligations.
- To improve the Service by analysing aggregated usage patterns.
5. Legal basis
Under the EU General Data Protection Regulation (GDPR) and the Bulgarian Personal Data Protection Act, we rely on the following legal bases:
- Contract — to provide the Service you have subscribed to.
- Legitimate interests — to keep the Service secure, prevent abuse, and operate the business.
- Legal obligation — to comply with tax, accounting, and regulatory requirements.
- Consent — for non-essential cookies and analytics, where applicable. You can withdraw consent at any time.
6. Sharing of data
We do not sell or trade personal data. We share data only with carefully selected processors who act on our behalf and under contract, including:
- Hosting and infrastructure providers
- Payment processors
- Email delivery providers (transactional only)
- Fraud prevention services
We may disclose data when required by law, court order, or to protect the rights, property, and safety of OddStorm or others.
7. Retention
We keep personal data only for as long as needed for the purposes described above, or as required by law. Account data is retained for the lifetime of the account; billing records are kept for the period required by applicable accounting and tax legislation. On account deletion, we anonymise or remove data that is no longer required.
8. Cookies & tracking
We use cookies and similar technologies for:
- Essential — keeping you signed in, remembering language and theme.
- Analytics — understanding how the Service is used, in aggregate.
Visitors from the EU, EEA, UK, and Switzerland are shown a consent banner where applicable. You can change your choice at any time from your browser settings or by clearing site data.
9. Your rights
If you are in the EU, EEA, UK, or Switzerland, you have the following rights with respect to your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data, subject to legal retention requirements.
- Restriction — limit how we process your data in certain situations.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent.
- Complain — to the Bulgarian Commission for Personal Data Protection (cpdp.bg) or your local supervisory authority.
To exercise any of these rights, contact us via the contact page. We respond within 30 days.
10. Security
We apply technical and organisational measures appropriate to the risks of processing, including encrypted transport (HTTPS/TLS), hashed and salted passwords, restricted production access, audit logging, and routine security reviews. No system is perfectly secure; if a breach affecting your data ever occurs, we will notify you and the supervisory authority where required by law.
11. Children
The Service is intended for adults aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with personal data, please contact us so we can remove it.
12. Changes to this policy
We may update this Privacy Policy to reflect changes in the Service, the law, or our practices. The current version is always available at www.oddstorm.com/privacy with the Last updated date shown above.
13. Contact
For questions about this Privacy Policy or your data, please reach out through our contact page or by post at the address shown above.