Overview
Odiup is a construction project management and procurement platform. We help organizations manage projects, HR, inventory, finance, procurement, and subcontractor collaboration. This policy explains what data we collect, why, and how we protect it.
Information We Collect
- Account data: name, email, organization, role.
- Operational data: projects, BOQs, procurement requests, inventory, HR records, invoices.
- Device and usage: log data, browser type, pages visited, timestamps.
- Files: documents and images you upload.
- Notifications: opt-in web push tokens.
Google User Data Access
Our application integrates with Google services for authentication and document processing. When you sign in with Google, we access the following information:
- Basic profile information: Your name, email address, and profile picture
- Authentication tokens: To maintain your login session securely
We also use the Google Document AI service to process uploaded invoice documents. This service analyzes document content to extract structured data (amounts, dates, vendor information) but does not store or retain your documents.
How We Use Information
- Provide and secure app features like project tracking, HR, inventory, finance, and procurement.
- Maintain access controls and permissions across organizations and subcontractors.
- Improve reliability, performance, and user experience.
- Communicate product updates, security notices, and support responses.
- Process uploaded documents using Google Document AI to extract structured data for invoice management.
Data Usage
We use Google user data exclusively to:
- Authenticate your identity and maintain secure access to your account
- Display your name and profile information within the application
- Associate your account with your organization and role-based permissions
- Provide a personalized user experience and support
Google Document AI is used solely for processing invoice documents you upload, extracting structured data to populate invoice records in our system. We do not use this service for any other purpose or retain documents beyond processing.
Legal Bases
Where applicable, we process data based on consent, contract necessity, legitimate interests in operating the service, and legal obligations.
Data Sharing
We do not sell personal data. We share data with service providers under strict agreements:
- Google: For authentication services and document processing via Document AI
- Supabase: For secure data storage and backend services
- Hosting providers: For application infrastructure
Within your organization, access is governed by roles and permissions. Subcontractor access is scoped to projects you grant. We do not share Google user data with third parties beyond the service providers listed above.
Data Storage & Protection
We implement industry-standard security measures to protect your data:
- Encryption in transit and at rest using TLS and AES-256
- Secure authentication using OAuth 2.0 with the PKCE flow
- Role-based access controls and least-privilege principles
- Regular security audits and monitoring
- Secure data centers with physical and logical access controls
Google user data is stored securely in our encrypted database and is only accessible to authorized personnel with legitimate business needs. We do not store Google authentication tokens beyond what is necessary for session management.
Data Retention & Deletion
We retain your data for as long as your account is active or as needed to provide the service. Specifically:
- Account data: Retained while your account is active
- Project data: Retained according to your organization's policies
- Google authentication data: Retained only for active sessions
- Document processing: Documents are processed and deleted immediately after data extraction
Data Deletion Process: You may request deletion of your data at any time by:
- Contacting us at privacy@odiup.com
- Using the account deletion feature in your profile settings
- Requesting deletion through your organization administrator
We will process deletion requests within 30 days, subject to legal requirements and organizational policies. Some data may be retained for legitimate business purposes or legal compliance.
Your Rights
- Access, correct, export, or delete your data (subject to org policies).
- Manage notification preferences and connected devices.
- Withdraw consent where processing relies on consent.
- Revoke Google account access through your Google account settings.
- Request information about how your Google data is used.
Contact
Questions about privacy or data handling? Contact our privacy team:
- Email: privacy@odiup.com
- General support: odiup.app@gmail.com
- Data deletion requests: privacy@odiup.com
This policy may be updated to reflect changes to Odiup. We will notify admins of material updates.