Introduction
MailOdds B.V. ("MailOdds", "we", "our", or "us") operates a global commerce platform, served from data centres in the EU, the United States, and the Asia-Pacific region. The platform combines a storefront (catalog, checkout, reviews, promotions, returns, and custom domains), payments, owned email and SMS/RCS sending, email validation, deliverability tooling, and campaign automation, with visitor intelligence built in. Parts of the platform are increasingly agent-operable (for example via MCP and OID4AC). This Privacy Policy explains what personal data we process across these capabilities, why, on which legal basis, and what rights you have.
We comply with the EU General Data Protection Regulation (GDPR/AVG), the Dutch Uitvoeringswet AVG (UAVG), and the Telecommunicatiewet (Tw), and, where it applies to data we handle, with US state privacy law (including the CCPA as amended by the CPRA) and US/Canadian electronic-messaging law (TCPA and CASL).
A central point to understand up front: for most of what merchants run on the platform we are a processor acting on the merchant's documented instructions, but for our own visitor intelligence product (cross-device identity, intent classification, and heat/risk scoring) we are an independent controller. The next section sets out exactly which is which.
This policy is current as of May 31, 2026. It is drafted to be accurate to how the platform actually processes data and to align with the AVG, but it is not legal advice. Questions go to privacy@mailodds.com or to our Data Protection Officer at dpo@mailodds.com.
Who We Are
The controller and platform operator is:
- MailOdds B.V.
- Nassaukade 51-2, 1052CN Amsterdam, The Netherlands
- KvK (Dutch Chamber of Commerce): 99761246
- VAT ID: NL005409648B63
- Privacy contact: privacy@mailodds.com
- Data Protection Officer: dpo@mailodds.com
Our Role: Controller vs Processor
Under the GDPR our role is determined per processing activity, not once for the whole company (see EDPB Guidelines 07/2020). We are a controller where we decide the purpose and means of the processing, and a processor where we act on a merchant's documented instructions. Where we act as a processor, that relationship is governed by our Data Processing Agreement.
Where MailOdds is an independent controller
We determine the purposes and means for the following, so we are the controller and responsible for the lawful basis, this notice, and your rights:
| Purpose | Data Types | Legal Basis | Retention |
|---|---|---|---|
| Account management and authentication | Email, name, password hash, API keys | Contract (Art. 6(1)(b)) | Duration of account + 30 days |
| Payment and invoicing | Billing email, Stripe customer ID, payment metadata | Contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) | 7 years (Dutch fiscal law, AWR Art. 52) |
| Visitor intelligence: cross-device identity, intent classification, heat/risk scoring | Hashed IP, device fingerprint, behavioural events, inferred intent/risk scores, visitor ID (mo_vid) | Legitimate interest (Art. 6(1)(f)) with opt-out; subject to a documented balancing test | Probabilistic links decay after 30 days; email-anchored links until erasure |
| Product analytics and fraud/abuse prevention | Feature usage, IP, usage patterns, risk signals | Legitimate interest (Art. 6(1)(f)) | Up to 26 months (aggregated); fraud signals for the account duration |
| Customer support | Email, name, ticket content | Contract (Art. 6(1)(b)) | 2 years after resolution |
Visitor intelligence (cross-device identity / device graph, intent classification, and heat/risk scoring) is our own product, built on fixed models that we operate and improve. We do not run it to a merchant's specification; merchants can only opt out of it. That is why we are an independent controller, not a processor, for this processing. See the Visitor Intelligence section below.
Where MailOdds is a processor
For the following we act on the merchant's documented instructions, so the merchant is the controller and we are the processor. The merchant is responsible for the lawful basis and for handling data-subject requests; we assist them under the DPA. If you are an end customer of a store running on MailOdds, please direct requests about your order, account, or marketing preferences to that store; we will support the store in responding.
| Purpose | Data Types | Basis | Retention |
|---|---|---|---|
| Storefront, orders and customer records | Order details, customer name/email/phone, shipping address, reviews, wishlists | Processor agreement (Art. 28); merchant's lawful basis | Per merchant instruction; order rows kept for tax retention where applicable |
| Storefront visitor events (SDK tracking) | Visitor ID, event type, page/cart events, IP address | Consent (tracking) and/or merchant's legitimate interest | Configurable (default 365 days) |
| Returns, refunds and dispute evidence | Order reference, return reason, evidence text/images, refund outcome | Processor agreement (Art. 28); merchant's lawful basis | Per merchant instruction; chargeback windows where applicable |
| Payment coordination | Payment intent/session IDs, amounts (card data held by Stripe, not by us) | Processor agreement (Art. 28); Stripe is controller for card data | With the related order; Stripe retains per PCI DSS |
| SMS/RCS subscriber management and delivery | Phone number (E.164), consent status, opt-in proof (IP, user-agent, timestamp), message logs | Consent (TCPA/ePrivacy); processor agreement (Art. 28) | Opt-in records 4 years (TCPA); message logs ~90 days |
| Email campaigns, transactional sending and subscriber lists | Recipient email, name, custom fields, engagement events, consent timestamps | Consent (double opt-in); processor agreement (Art. 28) | Per merchant policy; deleted on erasure |
| Inbound processing (bounces, complaints, replies) | Sender/recipient address, bounce codes, reply text, classification | Legitimate interest (deliverability); processor agreement (Art. 28) | Up to 90 days (configurable) |
| Email validation (single and bulk) | Email address, validation result/sub-status | Processor agreement (Art. 28) | Single checks not stored; bulk job results 7 days |
Data We Process
Across the platform we process the following categories of personal data. The full purpose, role, legal basis, and retention for each appears in the tables above.
- Account and billing data (controller): email, name, password hash, API keys, billing email, Stripe customer ID, payment metadata.
- Storefront visitor behaviour: page and cart events, IP address, device information, and a visitor identifier (mo_vid) used to recognise a returning visitor.
- Intent and risk signals (controller): inferred purchase-intent and fraud/risk scores derived from visitor behaviour.
- Orders and customers (processor): order details, customer name, email, phone, shipping address, reviews, and wishlists.
- Returns and dispute evidence (processor): order reference, return reason, evidence text and images, and refund outcome.
- Payment metadata (processor): payment-intent and session identifiers and amounts. We do not store card numbers; card data is held by Stripe as a controller for that data.
- SMS/RCS subscribers (processor): phone number in E.164 form, consent status, opt-in proof, and message logs.
- Email recipients and subscriber lists (processor): recipient email, name, custom fields, engagement events, and consent timestamps.
- Inbound mail (processor): bounce, complaint, and reply metadata and content.
- Validation inputs (processor): email addresses submitted for validation and their results.
- OAuth and integration tokens: credentials you authorise for sign-in or for connecting a store (for example Shopify or Salesforce).
IP addresses can be personal data even when we do not know your name, because they are indirectly identifiable (CJEU Breyer, C-582/14). We treat them accordingly. For visitor intelligence we work with a hashed IP and decaying probabilistic links rather than a raw, indefinitely retained address.
Legal Basis & Retention
Per Article 6 of the GDPR we process personal data only when we have a valid legal basis. The tables in Our Role set out the legal basis and retention period for every processing purpose, split by whether we act as controller or processor. The consolidated retention schedule below drives the same values shown on our data-retention page.
| Data Type | Retention | On Deletion | Basis |
|---|---|---|---|
| Account data | Duration of account | Deleted within 30 days | Contract (Art. 6(1)(b)) |
| Billing records | 7 years | Retained per fiscal law | Legal obligation (AWR Art. 52) |
| Bulk validation results | 7 days after job | Auto-expired | Processor agreement (Art. 28) |
| Store orders | Per merchant policy; tax window where applicable | Per merchant instruction | Processor agreement (Art. 28) |
| Store customers | Duration of account / per merchant policy | Erased on DSAR (order rows may be retained for tax) | Processor agreement (Art. 28) |
| Storefront visitor events | Configurable, default 365 days | Immediate | Consent / legitimate interest |
| Visitor identity graph & scores | Probabilistic links 30-day decay; email-anchored until erasure | Severed on erasure | Legitimate interest (Art. 6(1)(f)) |
| Contact / subscriber lists | Duration of account | Immediate | Processor agreement (Art. 28) |
| Campaign data & engagement events | Per merchant policy | Immediate | Processor agreement (Art. 28) |
| SMS/RCS opt-in records | 4 years | Retained for compliance proof | Consent + legal obligation (TCPA 47 CFR 64.1200) |
| SMS/RCS message logs | ~90 days | Immediate | Processor agreement (Art. 28) |
| Inbound messages (bounces/complaints/replies) | Up to 365 days (default ~90) | Immediate | Legitimate interest (deliverability) |
| Audit logs | Up to 2 years | Immediate | Legitimate interest (accountability) |
| API tokens | Duration of account | Revoked/deleted | Contract (Art. 6(1)(b)) |
| Server logs | 90 days | Rotated | Legitimate interest (security) |
Where we rely on legitimate interest (Art. 6(1)(f)), we have carried out a three-part balancing test (legitimate interest, necessity, and balancing against your rights) and we make the interest pursued transparent here. You can object to legitimate-interest processing at any time under Art. 21, and objection to direct marketing is honoured without exception (Art. 21(2)). See Your Rights.
Visitor Intelligence
Visitor intelligence is the part of the platform where we act as an independent controller. It links activity from the same visitor across devices (a device graph), classifies likely purchase intent, and produces heat and risk scores that help stores prioritise attention and detect abuse. We rely on legitimate interest (Art. 6(1)(f)) as the legal basis, supported by a documented balancing test, and we apply safeguards: IP addresses are hashed, cross-device links formed only probabilistically decay after 30 days, and links anchored to a known email are severed when that record is erased.
This processing is subject to a clear opt-out. A visitor can opt out per visitor, after which we stop attaching that visitor to the identity graph and stop scoring them. Because we rely on legitimate interest, you also have the absolute right to object under Art. 21, and for direct-marketing purposes that objection is honoured immediately.
To classify intent and detect fraud we also run analysis over storefront session summaries and inbound email content using self-hosted large-language-model inference inside our EU infrastructure. This content is not sent to any external AI vendor or third-party model API; it stays within our own EU-hosted environment.
Automated Decision-Making
We carry out automated scoring in two places: visitor intelligence (intent and heat/risk scores) and platform fraud and abuse prevention. These scores inform prioritisation and review workflows; they do not, on their own, produce a legal or similarly significant effect on you within the meaning of Art. 22(1). A human makes the final determination on any consequential action, such as suspending an account or blocking a transaction.
You retain the safeguards in Art. 22 and Recital 71 regardless. You can opt out of visitor intelligence per visitor, and you can ask us to review any scoring that affects you and to explain the outcome. We provide a human-review path for this (internally, the per-visitor opt-out and the device_graph_dsar request flow). To use it, contact privacy@mailodds.com.
Email, SMS & RCS Consent
Sending commercial email, SMS, or RCS is governed by rules that are separate from, and additional to, the GDPR basis for processing the underlying contact data. Two requirements apply at once: a valid consent to send, and a valid lawful basis to process the contact details. Having a legitimate interest in processing an address does not by itself permit sending to it.
- Netherlands / EU (Telecommunicatiewet Art. 11.7, ePrivacy): commercial electronic messages require prior opt-in, unless the narrow soft opt-in for a seller's own similar products to an existing customer applies (its conditions are cumulative). Every message identifies the sender and offers a free, easy opt-out. The ACM (Autoriteit Consument & Markt) enforces these sending rules; the AP enforces the processing of the data.
- United States (TCPA) and Canada (CASL): SMS/RCS marketing requires prior express consent, with sender identification and a working STOP opt-out in each message. We record opt-in proof (IP, user-agent, and timestamp) and keep it for four years.
Where we send on a merchant's behalf we do so as a processor; the merchant remains responsible for holding valid consent for its lists. Consent is collected and proven per channel (email, SMS, and RCS are separate), and opt-out is processed promptly.
Data Storage & Security
Our core infrastructure, databases, and the EU-hosted intelligence models are operated within the European Union (Germany). The platform is also served from edge nodes in the United States and the Asia-Pacific region so that stores and their visitors are served from a nearby location; see International Transfers for what this means for your data. We implement industry-standard security measures including:
- TLS encryption for all data in transit
- Encryption of sensitive data at rest
- Regular security testing
- Access controls and authentication for our team
- Automated, encrypted backups
While we strive to protect your data, no method of transmission over the Internet is completely secure. We cannot guarantee absolute security, but we will notify the relevant authority and, where required, affected individuals promptly in the event of a data breach, as required by the GDPR. Security contact: security@mailodds.com.
Sub-Processors
We do not sell your personal data. We engage the sub-processors below to operate the platform; each is bound by a Data Processing Agreement. The list here is the authoritative one and is mirrored on our sub-processors page. Separately, storefront session summaries and inbound email content used for intent and fraud analysis are processed by our self-hosted, EU-based models and are not shared with any external AI vendor.
Core sub-processors
| Provider | Purpose | Data | Location | Transfer Mechanism |
|---|---|---|---|---|
| Contabo GmbH | Infrastructure hosting (compute, databases, storage; all nodes) | All service data at rest and in transit | Germany | Intra-EEA |
| Stripe Payments Europe Ltd / Stripe, Inc. | Payment processing and Stripe Connect payouts | Billing email, customer ID, payment metadata, payout details (no card numbers stored by us) | Ireland / United States | EU-US Data Privacy Framework |
| Sinch AB | SMS and RCS message delivery | Recipient phone number (E.164), message content, delivery receipts | Sweden | Intra-EEA |
| Proton AG | Transactional/SMTP relay for platform notifications | Recipient email address, message content | Switzerland | Swiss adequacy decision |
| Cloudflare, Inc. | DNS and bot protection (Turnstile) | IP address, bot-verification token, DNS queries | United States | EU-US Data Privacy Framework |
Optional integrations (engaged only if you opt in)
The following are engaged only when you choose to use the relevant feature, such as signing in with a third-party provider or connecting an external store.
| Provider | Purpose | Data | Location | Transfer Mechanism |
|---|---|---|---|---|
| Google LLC | Optional sign-in (OAuth) | Email, name, OAuth token (only if you sign in with Google) | United States | EU-US Data Privacy Framework |
| GitHub, Inc. (Microsoft) | Optional sign-in (OAuth) | Email, name, OAuth token (only if you sign in with GitHub) | United States | EU-US Data Privacy Framework |
| Shopify, Inc. | Optional store connection (catalog/order sync) | Shop credentials/OAuth tokens, product and order data you choose to sync | United States | EU-US Data Privacy Framework |
| Salesforce, Inc. | Optional store connection (CRM/commerce sync) | Org ID, OAuth tokens, contact and order records you choose to sync | United States | EU-US Data Privacy Framework |
| Google LLC (Google Drive) | Optional file storage for automation workflows (e.g. n8n) | Files you choose to export/import (e.g. lists, job results) | United States | EU-US Data Privacy Framework |
We may also disclose data to legal authorities where required by law or to protect our rights.
International Transfers
Our primary infrastructure and our intelligence models are hosted within the EU. We transfer personal data outside the European Economic Area (EEA) in two situations: when we use a sub-processor located outside the EEA, and when storefront traffic is served from our US or Asia-Pacific edge nodes. We rely on the transfer mechanisms below, and we conduct a Transfer Impact Assessment for transfers that depend on Standard Contractual Clauses, in line with Schrems II (CJEU C-311/18) and EDPB recommendations.
| Mechanism | What it means |
|---|---|
| Intra-EEA | No additional safeguard required (data stays within the EU/EEA). |
| Swiss adequacy decision | Switzerland benefits from an EU adequacy decision. |
| EU-US Data Privacy Framework | We rely on DPF certification, with Standard Contractual Clauses (SCCs) as a backup mechanism. |
For US-based sub-processors we rely on the EU-US Data Privacy Framework where the provider is certified, verifying the certification and the covered data categories, and we keep Standard Contractual Clauses as a backup. The specific provider, location, and mechanism for each appear in the Sub-Processors tables.
We disclose two points plainly. First, because storefront content is served from regional edge nodes, a storefront visitor's IP address may be processed on a US or Asia-Pacific edge node to route and serve that request; for the US this is covered by the EU-US Data Privacy Framework and Standard Contractual Clauses as a backup, and our Transfer Impact Assessment for the regions outside an adequacy decision. Second, our visitor-intelligence scoring relies on legitimate interest with an opt-out rather than on your consent; you can object at any time and opt out per visitor (see Visitor Intelligence). We describe these as they actually operate and do not claim safeguards beyond those stated here.
Your Rights
Under the GDPR you have the following rights over personal data for which we are the controller. Where we act as a processor for a merchant, please address your request to that merchant; we will assist them in responding.
| Right | Article | What it means | How to exercise |
|---|---|---|---|
| Access | Art. 15 | Obtain a copy of the personal data we hold about you | Dashboard > Settings > Privacy > Export Data, or email us |
| Rectification | Art. 16 | Correct inaccurate or incomplete data | Dashboard > Account Settings, or email us |
| Erasure | Art. 17 | Delete your personal data | Dashboard > Settings > Delete Account, or email us |
| Restriction | Art. 18 | Limit how we process your data | Email us with details |
| Portability | Art. 20 | Receive your data in a machine-readable format (JSON) | Dashboard > Settings > Privacy > Export Data |
| Objection | Art. 21 | Object to processing based on legitimate interest, including profiling and direct marketing | Email us; objection to direct marketing is honoured immediately |
| Automated decisions | Art. 22 | Not be subject to solely automated decisions with legal/significant effects; request human review of scoring | Per-visitor opt-out of intelligence; email us for review |
Where processing is based on your consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing before withdrawal. To exercise any right, contact privacy@mailodds.com. We respond within one month, as required by the GDPR. You also have the right to lodge a complaint with a supervisory authority (see Complaints & Authorities).
US Privacy Rights
If you are a California resident, the California Consumer Privacy Act as amended by the CPRA gives you the right to access the personal information we hold about you, to request its deletion, to correct inaccurate information, and to opt out of the sale or sharing of personal information. We do not sell personal information. To exercise these rights, contact privacy@mailodds.com; we will not discriminate against you for doing so. Residents of other US states with comparable privacy laws may exercise equivalent rights through the same contact.
For commercial SMS and RCS, US and Canadian electronic-messaging law (TCPA and CASL) applies as described in Email, SMS & RCS Consent: prior express consent, sender identification, and a working opt-out in every message.
Data Retention
We keep personal data only as long as necessary for the purpose it was collected for (Art. 5(1)(e)), or longer where the law requires (for example seven years for fiscal records under AWR Art. 52). The full retention schedule, including the 30-day decay of probabilistic visitor links and the four-year retention of SMS opt-in proof, is set out in the table under Legal Basis & Retention and mirrored on our data-retention page.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material change by posting the new version on this page and updating the effective date above (currently May 31, 2026). For significant changes we will also notify account holders by email.
Complaints & Supervisory Authorities
You have the right to lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) if you believe your data-protection rights have been infringed. You can reach them at autoriteitpersoonsgegevens.nl. You may also complain to the supervisory authority in your own EU country of residence.
For complaints about commercial electronic messages (spam, SMS, or RCS) in the Netherlands, the competent authority is the Autoriteit Consument & Markt (ACM), which enforces the Telecommunicatiewet sending rules.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Privacy: privacy@mailodds.com
- Data Protection Officer: dpo@mailodds.com
- MailOdds B.V., Nassaukade 51-2, 1052CN Amsterdam, The Netherlands
- KvK: 99761246 · VAT: NL005409648B63
This policy is current as of May 31, 2026. It is product-accurate and AVG-aligned but is not legal advice.