1. Customer data processing
Olli processes customer data only to provide, secure, support, troubleshoot, improve, and bill the service, or as required by law. Customer data may include inventory exports, product and supplier records, sales history, purchase-order data, operational notes, user details, support messages, and connected-system data authorised by the customer.
Customers remain responsible for the accuracy and legality of, and the permissions for, the data they provide. Olli does not sell customer data and does not use customer business data to train public AI models.
2. Data Processing Addendum
For paid customers, Olli's Data Processing Addendum applies unless a signed agreement says otherwise. The DPA covers processing instructions, confidentiality, security measures, subprocessors, assistance with access/deletion requests, breach notification support, return or deletion of customer data, and audit cooperation appropriate for a small SaaS provider.
3. Subprocessors
Olli uses subprocessors to host, store, email, message, bill, monitor, secure, and support the service. Current or planned providers may include Vercel for hosting, Supabase for application data, Stripe for billing, Resend for email, messaging providers for alerts, analytics or error-monitoring tools, and customer-authorised integrations such as ecommerce, inventory, spreadsheet, accounting, or communication systems.
Before adding a material new subprocessor for customer production data, Olli reviews the provider's purpose, data access, security posture, location, contractual terms, and operational need.
4. Cookies and analytics
Olli currently treats operational cookies, local storage, form-state storage, admin sessions, and security logs as essential. If non-essential analytics, remarketing, advertising pixels, or cross-site tracking are added, Olli will update the Privacy Policy and add consent controls before using them for visitors where consent is required.
5. Spam Act process
Olli sends commercial electronic messages only where it has express consent, inferred consent, an existing customer relationship, or another lawful basis. Olli records the source and time of consent where practical, identifies Olli as the sender, includes accurate contact details, and provides a clear unsubscribe path.
Unsubscribe requests are actioned as soon as practical and within 5 working days. Olli does not use harvested address lists.
6. Privacy breach response
Olli keeps an internal incident register for suspected privacy or security incidents. For each incident, the register records detection time, affected systems, data categories, containment steps, assessment outcome, customer communications, OAIC notification decision, remediation, and closure date.
Suspected eligible data breaches are assessed promptly. If a breach is likely to result in serious harm and remedial action cannot prevent that risk, Olli will notify affected individuals and the OAIC as required by the Notifiable Data Breaches scheme.
7. Security policy
Olli applies least-privilege access, separate production credentials, secret rotation, encrypted transport, provider-managed encryption at rest where available, role-based administration, production-change review, backup and recovery checks, dependency review, logging, rate limiting, and vendor review for tools that touch customer data.
Customer data is retained only while needed to provide the service, meet legal and tax obligations, resolve disputes, maintain security records, or comply with a customer agreement. On request or termination, Olli deletes, returns, or de-identifies customer data unless retention is legally or operationally required.
8. Customer order form and MSA
Paid customers should have a written order form or proposal that states the customer entity, plan, users, connected systems, fees, billing cycle, term, support expectations, onboarding scope, cancellation rules, data processing terms, and any special service commitments. Larger customers can use an MSA plus order form instead of relying only on website terms. See the Customer Agreement checklist.