Privacy Policy

Overview

Off Hours is a product of OJOS, LLC (DBA Off Hours), a Utah limited liability company affiliated with TCN Group (collectively “we,” “our,” or “us”). This Privacy Policy explains how we collect, use, and safeguard information when you use our service at off-hours.app and dashboard.off-hours.app.

We built Off Hours for Amazon sellers and agencies who want to schedule their ad campaigns without handing over more data than necessary. We collect only what we need to make the product work.

Information We Collect

Account information. When you sign up, we collect your name and email address.

Amazon Ads data. When you connect your Amazon Ads account, we access your campaign names, campaign IDs, and campaign status (enabled/paused). We use this only to execute your schedules — we do not access your sales data, revenue figures, product listings, or any Seller Central information.

Schedule and rule data. The dayparting schedules, budget rules, event rules, and performance rules you create are stored in our database so we can execute them automatically.

Usage data. We collect standard server logs including pages visited, actions taken, and timestamps. We use this to improve the product and debug issues.

Payment information. Payments are processed by Stripe. We do not store your card number or billing details — Stripe handles this directly.

How We Use Your Information

• To authenticate your account and connect to Amazon Ads on your behalf
• To execute your campaign schedules and rules automatically, every hour
• To send transactional emails (account confirmation, payment receipts, schedule alerts, weekly performance insights)
• To improve the product based on how it's being used
• To respond to your support requests

We do not sell your data. We do not use your Amazon Ads data for advertising, benchmarking, or any purpose other than executing the rules you have configured.

Amazon Ads Data

We access your Amazon Ads account using the official Login with Amazon (LWA) authorization flow with the advertising::campaign_management scope. When you connect your Amazon Ads account, we access advertising data needed to execute your scheduling and budget rules, including:

• Campaign names, IDs, and current state (enabled/paused) for Sponsored Products campaigns
• Daily budget settings on Sponsored Products campaigns (read and write — required for budget rules)
• Profile and account metadata (profile ID, country, currency, timezone)
• Campaign-level performance metrics from the Amazon Advertising Reporting API: impressions, clicks, spend, sales, purchases, ACOS, ROAS, cost-per-click, and click-through rate. We use a 14-day attribution window. Pulled once per day per connected profile, around 6 AM in the profile's local timezone. Required to evaluate Performance Rules.

We use this data to enable, pause, and adjust budgets on Sponsored Products campaigns according to the schedules and rules you create, and to evaluate Performance Rules against prior-day metrics.

Campaign performance data is retained for 90 days from the date it was pulled, then automatically purged. We do not share this data with any third party.

We do not currently access: search term reports, keyword-level metrics, bid history, targeting data, Sponsored Display campaigns, Sponsored Brands campaigns, individual order data, customer information, product listings, reviews, inventory data, or any non-advertising Seller Central information.

We comply fully with the Amazon Ads Partner Network Policies. We do not share your Amazon Ads data with any third party, do not store data beyond what is required to execute your schedules, and do not use your Amazon Ads data for any purpose other than the service you signed up for. You can revoke our access to your Amazon account at any time via your Amazon account settings.

Data Retention

We retain your personal information for as long as your account is active. When you delete your account or workspace, we apply the following retention schedule.

Soft deletion period (30 days). After requesting deletion, your data enters a 30-day soft delete state. During this window, you can reverse the deletion by emailing hello@off-hours.app.

Hard deletion. After the 30-day soft delete window, we permanently delete personal information, account credentials, OAuth tokens, rule configurations, and operational data. Deletion requests are processed within 30 days of receipt.

Billing records (7 years). Stripe transaction records and invoices are retained for 7 years to comply with US tax law (IRC § 6001 and applicable state requirements).

Aggregated and anonymized data. Data that has been anonymized and aggregated for product analytics may be retained indefinitely, as it cannot be linked back to individual users.

Backups. Database backups are retained per our cloud provider's standard backup schedule, after which backup copies are also purged.

Trial accounts. Inactive trial accounts may be deleted 90 days after trial expiry. Email hello@off-hours.app to request immediate deletion of your trial account.

Right to erasure. You can request immediate deletion at any time by emailing hello@off-hours.app. We will honor erasure requests within 30 days, except for records we are legally required to retain (such as billing records).

Legal Basis for Processing Your Data

We process your data under the following legal bases (GDPR Article 6):

Contract performance. To deliver the Off Hours service you've signed up for, including authentication, rule execution, and account management.

Legitimate interest. For product analytics, security monitoring, and service improvements that don't override your fundamental rights.

Consent. For marketing communications, analytics cookies, and retargeting cookies, where you've actively opted in.

Legal obligation. For tax records, financial compliance, and responses to lawful regulatory requests.

Your Data Rights

Under GDPR (for EU/UK users) and CCPA (for California users), you have the following rights:

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Correct inaccurate personal data.
• Right to erasure: Request deletion of your data (subject to legal retention requirements).
• Right to data portability: Receive your data in a machine-readable format.
• Right to object: Object to processing for legitimate interest or direct marketing.
• Right to restrict processing: Limit how we process your data while disputes are resolved.
• Right to withdraw consent: Withdraw consent at any time for processing based on consent.

To exercise any of these rights, email hello@off-hours.app. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

International Data Transfers

Off Hours is operated by OJOS, LLC, a US-based company. When you use our service from outside the United States, your data is transferred to and processed in the United States. We use standard contractual clauses and other appropriate safeguards (where applicable) to protect your data during international transfer.

For users in the EU/UK, this transfer is conducted under the EU-US Data Privacy Framework (where applicable) and standard contractual clauses approved by the European Commission.

Data Processing Agreement (DPA)

If you are a business customer subject to GDPR or similar regulations, our standard Data Processing Agreement is available at dashboard.off-hours.app/dpa. To execute a countersigned copy adapted to your specific use of Off Hours, email hello@off-hours.app.

Third-Party Services

We use a small number of third-party services to operate Off Hours:

• Stripe — payment processing
• Supabase — database and authentication
• Vercel — hosting and serverless infrastructure
• Resend — transactional email delivery
• Anthropic — Claude API for the AI rule-builder feature; processes user-typed prompts and assistant responses
• Trigger.dev — cron task orchestration for rule execution (transient processing only; no persistent storage)

Each of these services has its own privacy policy. We have data processing agreements in place with all providers who handle personal data.

Cookies

We use essential cookies only — for authentication sessions and security. We do not use tracking cookies, advertising pixels, or third-party analytics beyond basic server logs.

Changes to This Policy

We may update this policy from time to time. When we do, we'll update the “Last updated” date at the top and notify active users by email of any material changes.

Contact