How OdoFlow handles your mileage and account data

We collect the information needed to create your account, protect your access, and operate OdoFlow. This can include your name, email address, authentication status, support messages, and basic technical information such as browser, device, IP address, request metadata, and rate-limit events.

When you use OdoFlow, we store the mileage records you create, including dates, odometer readings, mileage totals, categories, notes, trip status, sync status, and related timestamps. If you upload odometer photos, we store those photos and related OCR information, such as extracted text, confidence, and any correction you make.

If you connect Google, OdoFlow requests permission to create and update OdoFlow mileage evidence in Google Drive and Google Sheets. We store encrypted Google OAuth tokens, Drive folder identifiers, file links, and spreadsheet identifiers so we can keep your mileage records in sync. We also store a one-way hashed Google account identifier and an encrypted Google email address to enforce trial limits and prevent repeat-trial abuse.

OdoFlow uses Google user data only to provide the Google sync features you choose to enable and to protect against trial abuse. We do not sell Google user data, use it for ads, or use it to train generalized AI or machine learning models. OdoFlow's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including Limited Use requirements.

If you start or manage a paid subscription, billing is handled by Stripe. OdoFlow stores Stripe customer and subscription identifiers, plan status, trial status, and related billing metadata. We do not store full payment card numbers.

We use your information to:

• Create and secure your account.
• Save, process, display, export, and sync your mileage records.
• Run OCR on odometer photos when you ask OdoFlow to read them and apply usage limits that protect the service from abuse.
• Provide support, troubleshoot bugs, and prevent abuse.
• Manage trials, subscriptions, invoices, and billing status.
• Comply with legal, tax, security, and operational obligations.

OdoFlow relies on trusted providers to operate the service. These include Supabase for authentication, database, and storage; Vercel for hosting; Resend for account email delivery; Google APIs for optional Drive, Sheets, and OCR features; and Stripe for billing. We may also disclose information when required by law, to protect users, or to investigate abuse or security incidents.

We keep account, trip, photo, sync, and billing records for as long as needed to provide OdoFlow, meet legal obligations, resolve disputes, and maintain accurate business records. You can request account or data deletion by contacting support. Some limited billing, security, or compliance records may be retained when required. Google anti-abuse claim records may also be retained after account deletion with support email context removed, solely to prevent repeat-trial abuse.

We use reasonable technical and organizational safeguards, including authenticated access, row-level data controls, encrypted Google token storage, and restricted server-side credentials. No internet service can guarantee perfect security, so please use a strong password and contact us quickly if you believe your account is at risk.

You can choose whether to connect Google, whether to upload odometer photos, and whether to maintain a paid subscription. You can disconnect Google from the Settings page, update billing through the billing portal, or contact support for account and data requests.

Questions about privacy or data requests can be sent to support@odoflow.app.