Your GDPR Rights

Under the EU General Data Protection Regulation (Regulation 2016/679), you have comprehensive rights over your personal data. This page explains each right in plain language and tells you exactly how to exercise them.

Last updated: February 27, 2026

Table of Contents

  1. Overview of Your Rights
  2. Your Rights in Detail
  3. How to Exercise Your Rights
  4. Identity Verification
  5. Response Timeframes
  6. Exceptions and Limitations
  7. Right to Lodge a Complaint
  8. Data We May Hold About You
  9. Contact Information

1. Overview of Your Rights

The General Data Protection Regulation (GDPR) grants individuals in the European Economic Area (EEA) a set of fundamental rights regarding the processing of their personal data. At Odenia, we are committed to upholding these rights fully and transparently.

As a data subject, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten")
  • Restrict how we process your data
  • Port your data to another service provider
  • Object to certain types of processing
  • Withdraw consent at any time where consent is the legal basis
  • Not be subject to solely automated decision-making

These rights are not absolute -- there are certain situations where we may lawfully decline a request or fulfil it only in part. We explain these exceptions below.

2. Your Rights in Detail

Right of Access
Art. 15

You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to receive a copy of that data free of charge. You are also entitled to supplementary information including the purposes of processing, the categories of data, the recipients, the retention period, and the source of the data if not collected directly from you.

How to exercise

Email privacy@odenia.co with subject "GDPR - Right of Access" and specify what data you would like to access. We will provide your data in a commonly used electronic format (PDF or CSV).

Right to Rectification
Art. 16

You have the right to request that we correct any inaccurate personal data concerning you without undue delay. Taking into account the purposes of processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement.

How to exercise

Email privacy@odenia.co with subject "GDPR - Rectification" and clearly identify the data that is inaccurate and the correct information.

Right to Erasure ("Right to Be Forgotten")
Art. 17

You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw your consent (where consent is the legal basis), when you object to processing and there are no overriding legitimate grounds, when the data has been unlawfully processed, or when deletion is required by law.

Please note that we may be required to retain certain data for legal compliance purposes (e.g., invoicing records under French tax law), even after an erasure request.

How to exercise

Email privacy@odenia.co with subject "GDPR - Erasure Request" and specify which data you would like deleted.

Right to Restriction of Processing
Art. 18

You may request that we restrict the processing of your personal data in certain circumstances, including: when you contest the accuracy of your data (restriction applies while we verify accuracy); when the processing is unlawful and you prefer restriction over erasure; when we no longer need the data but you require it for the establishment, exercise, or defence of legal claims; or when you have objected to processing pending verification of whether our legitimate grounds override yours.

When processing is restricted, we will only store the data and will not further process it without your consent (except for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another person).

How to exercise

Email privacy@odenia.co with subject "GDPR - Restriction Request" and explain the grounds for your request.

Right to Data Portability
Art. 20

Where we process your data based on your consent or for the performance of a contract, and where the processing is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as CSV or JSON). You also have the right to request that we transmit this data directly to another controller, where technically feasible.

How to exercise

Email privacy@odenia.co with subject "GDPR - Data Portability" and specify your preferred format (CSV, JSON, or XML). If you want us to transmit the data to another controller, provide their contact details.

Right to Object
Art. 21

You have the right to object at any time to the processing of your personal data based on our legitimate interest (Article 6(1)(f) GDPR), including any profiling based on that provision. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Direct marketing: Where we process your data for direct marketing purposes (including lead nurturing), you have an absolute right to object at any time. Upon objection, we will immediately cease all direct marketing processing. Every email we send includes an unsubscribe link.

How to exercise

Email privacy@odenia.co with subject "GDPR - Objection" or click the unsubscribe link in any marketing email.

Right to Withdraw Consent
Art. 7(3)

Where our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent is prospective -- it does not affect the lawfulness of any processing carried out before the withdrawal.

How to exercise

Email privacy@odenia.co with subject "GDPR - Withdraw Consent" and specify which consent you wish to withdraw.

Automated Decision-Making
Art. 22

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Our AI chatbot and voice agents perform automated lead qualification (routing leads based on budget thresholds and business criteria). However, this automated routing does not produce legal effects and does not constitute a final decision about service provision. All service decisions are reviewed and confirmed by a human team member before any contract is executed.

How to exercise

If you believe you have been subject to a decision based solely on automated processing, email privacy@odenia.co with subject "GDPR - Automated Decision" to request human review.

3. How to Exercise Your Rights

We have made exercising your rights as simple as possible. Here is the process:

1

Submit Your Request

Send an email to privacy@odenia.co with a clear subject line identifying the right you wish to exercise (e.g., "GDPR - Right of Access"). In the body of your email, provide sufficient detail for us to understand and respond to your request, including the email address associated with your data at Odenia.

2

Acknowledgment

We will acknowledge receipt of your request within 3 business days. If we need any additional information or clarification, we will let you know at this stage.

3

Identity Verification

For security purposes, we may ask you to verify your identity before processing your request. This is to ensure that personal data is not disclosed to unauthorized persons. See the Identity Verification section below for details.

4

Processing and Response

We will process your request and provide a substantive response within 30 calendar days of receipt (or of identity verification, if required). In complex cases, we may extend this period by up to 60 additional days, and we will inform you of any extension within the initial 30-day period.

No fee required. You will not have to pay a fee to exercise any of your GDPR rights. However, if your request is manifestly unfounded or excessive (in particular, if it is repetitive), we may charge a reasonable fee based on administrative costs or refuse to act on the request, in accordance with Article 12(5) of the GDPR.

4. Identity Verification

To protect your personal data and prevent unauthorized disclosure, we may need to verify your identity before fulfilling a GDPR request. Our verification process is designed to be proportionate and non-intrusive:

  • Email verification: If you contact us from the same email address we have on file, this is typically sufficient to verify your identity for standard requests.
  • Additional verification: For sensitive requests (such as erasure of an entire profile or data portability), we may ask you to confirm additional identifying details that match the data in our records (e.g., the phone number or company name associated with your account).
  • Third-party requests: If you are making a request on behalf of another individual, we will require evidence of your authority to act on their behalf (e.g., a written authorization signed by the data subject).

We will never ask you for sensitive information such as passwords, payment details, or government identification numbers as part of the identity verification process.

5. Response Timeframes

In accordance with Article 12(3) of the GDPR, we are committed to the following response timeframes:

  • Acknowledgment: Within 3 business days of receiving your request
  • Substantive response: Within 30 calendar days of receipt (or of completed identity verification)
  • Extension (if necessary): Up to 60 additional calendar days for complex or numerous requests, with notice provided within the initial 30-day period explaining the reason for the delay
  • Direct marketing objections: Processed immediately upon receipt; marketing communications will cease within 48 hours

6. Exceptions and Limitations

While your GDPR rights are fundamental, they are not absolute. In certain limited circumstances, we may be unable to fully comply with a request:

  • Legal obligations: We may need to retain certain data to comply with French tax, accounting, or commercial law (e.g., invoicing records must be retained for 10 years under Article L.123-22 of the French Commercial Code).
  • Legal claims: Data may be retained where necessary for the establishment, exercise, or defence of legal claims.
  • Freedom of expression: The right to erasure does not apply where processing is necessary for exercising the right of freedom of expression and information.
  • Public interest: Certain processing may be necessary for reasons of public interest in the area of public health, or for archiving purposes in the public interest, scientific or historical research, or statistical purposes.
  • Manifestly unfounded or excessive requests: Where a request is clearly without merit or is repetitive, we may charge a reasonable administrative fee or refuse to comply, in accordance with Article 12(5) of the GDPR. We will always explain our reasoning if we take this position.

If we cannot comply with a request (in whole or in part), we will inform you of the reasons and of your right to lodge a complaint with the supervisory authority.

7. Right to Lodge a Complaint

If you are not satisfied with our response to your GDPR request, or if you believe that your data protection rights have been infringed, you have the right to lodge a complaint with the competent data protection supervisory authority.

As Odenia is established in France, the competent supervisory authority is:

Commission Nationale de l'Informatique et des Libertes (CNIL)

3 Place de Fontenoy, TSA 80715

75334 Paris Cedex 07, France

Website: www.cnil.fr

Online complaint form: www.cnil.fr/fr/plaintes

Phone: +33 1 53 73 22 22

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, in accordance with Article 77 of the GDPR.

We would always appreciate the opportunity to address your concerns before you approach the CNIL or any other supervisory authority. Please contact us first at privacy@odenia.co, and we will do our best to resolve your concern promptly.

8. Data We May Hold About You

If you have interacted with Odenia through our website, chatbot, voice agent, or by contacting us directly, we may hold some or all of the following data:

  • Contact information: First name, email address, telephone number
  • Professional information: Company name, website URL, industry/sector
  • Business metrics: Monthly website traffic, current conversion rate, investment budget
  • Interaction history: Chatbot conversation logs, voice agent interaction records, email correspondence
  • Qualification status: Whether you were identified as a qualified lead (budget >= EUR 3,000)
  • Booking information: Calendar bookings made through Cal.com
  • Technical data: Anonymized IP address, browser type, device type, pages visited
  • Consent records: Records of consents given or withdrawn

For a comprehensive overview of all data we collect and how we use it, please refer to our Privacy Policy.

9. Contact Information

For all GDPR-related inquiries, requests, or complaints, please contact:

Data Protection Contact

Email: privacy@odenia.co

General email: contact@odenia.co

Company: Odenia

Data Controller: Cedric Sacuto, Founder

Location: France, European Union

We are committed to protecting your personal data and respecting your rights. If you have any questions about the content of this page or our data protection practices, please do not hesitate to reach out.