Privacy Policy
Odenia ("we," "us," or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website at odenia.co, use our conversational AI platform, or interact with our services in any manner.
This policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation" or "GDPR"), the French Loi Informatique et Libertes (as amended), and all applicable data protection legislation in force in France and the European Union.
By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent as a legal basis, we will obtain such consent explicitly before processing your data.
1. Data Controller
Company: Odenia
Founder & Data Controller: Cedric Sacuto
Registered office: Zygmunta Augusta 5, 31-504 Krakow, Poland
Website: odenia.co
Email: contact@odenia.co
Data Protection Contact: privacy@odenia.co
Odenia is the data controller within the meaning of Article 4(7) of the GDPR for all personal data collected through our website, our conversational AI chatbot, and our voice agent services.
2. Data We Collect
We collect and process the following categories of personal data, depending on how you interact with our services:
2.1 Data You Provide Directly
When you interact with our AI chatbot, fill out forms, or contact us, you may provide:
- Identity data: First name, last name
- Contact data: Email address, telephone number
- Professional data: Company name, website URL, industry/sector
- Business metrics: Monthly website traffic, current conversion rate, investment budget
- Communication data: Any messages, descriptions, or feedback you provide through our chatbot, voice agent, or contact forms
2.2 Data Collected Automatically
When you visit our website, certain data is collected automatically through cookies and similar technologies:
- Technical data: IP address (anonymized), browser type and version, operating system, device type, screen resolution
- Usage data: Pages visited, time spent on pages, click patterns, referral source, scroll depth
- Analytics data: Session duration, bounce rate, interaction events (chatbot engagement, form submissions, calendar bookings), collected via Google Analytics 4
- Language preference: Browser language settings (used for automatic language detection)
2.3 Data We Do Not Collect
We do not knowingly collect or process:
- Special categories of personal data (Article 9 GDPR), such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data
- Payment card numbers or bank account details (all payments are processed through third-party payment processors)
- Social security numbers or government identification numbers
3. Legal Basis for Processing
In accordance with Article 6(1) of the GDPR, we process your personal data on the following legal bases:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Lead qualification via chatbot or voice agent | Consent (you initiate the conversation and provide your data voluntarily) | Art. 6(1)(a) |
| Delivering our AI services to contracted clients | Performance of a contract or pre-contractual steps | Art. 6(1)(b) |
| Sending follow-up communications and nurturing sequences | Legitimate interest (providing relevant information to prospects who have shown interest) | Art. 6(1)(f) |
| Website analytics and performance optimization | Legitimate interest (improving our services and user experience) | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Scheduling meetings via Cal.com | Consent (you actively choose to book a meeting) | Art. 6(1)(a) |
Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting us at privacy@odenia.co.
4. Purposes of Processing
We process your personal data for the following specific purposes:
- Lead qualification and routing: To assess your business needs through our conversational AI and route you to the appropriate service tier (direct consultation for qualified leads, nurturing sequence for others)
- CRM management: To store and manage your contact information and interaction history in our customer relationship management system for follow-up and relationship building
- Service delivery: To configure, deploy, and maintain AI chatbot and voice agent systems for our contracted clients
- Communication: To respond to your inquiries, send appointment confirmations, share audit results, and provide relevant updates about our services
- Marketing and nurturing: To send you educational content, case studies, and service updates if you have opted in or where permitted under our legitimate interest (with easy opt-out mechanisms in every communication)
- Analytics and improvement: To analyze website usage patterns, optimize our AI conversation flows, and improve the performance of our platform
- Legal compliance: To comply with applicable laws, regulations, and legal proceedings, including tax and accounting obligations
5. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:
| Data Category | Retention Period | Justification |
|---|---|---|
| Qualified lead data (name, email, phone, website, business metrics) | 36 months from last interaction | Legitimate interest in maintaining business relationship; sales cycles |
| Non-qualified lead data | 12 months from collection | Nurturing and potential re-engagement |
| Client contractual data | Duration of contract + 5 years | Legal obligation (French commercial law, statute of limitations) |
| Chatbot conversation logs | 24 months | Service improvement and quality assurance |
| Website analytics data (GA4) | 14 months | Google Analytics 4 default; legitimate interest |
| Cookie consent records | 13 months | Compliance with ePrivacy Directive |
| Invoicing and payment records | 10 years | French tax and accounting law (Code de commerce, Article L.123-22) |
After the applicable retention period expires, your personal data is securely deleted or anonymized so that it can no longer be associated with you.
6. Third-Party Service Providers
To deliver our services, we share personal data with a limited number of carefully selected third-party processors. Each processor is bound by a Data Processing Agreement (DPA) in compliance with Article 28 of the GDPR. We do not sell your personal data to any third party.
| Service Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Airtable (Formagrid Inc.) | CRM and lead database management | Name, email, phone, website, sector, business metrics, qualification status | United States (EU SCCs in place) |
| N8N (self-hosted) | Workflow automation (lead routing, email sequences, webhook processing) | Lead data as submitted via chatbot | EU (self-hosted infrastructure) |
| Cal.com (Cal.com Inc.) | Appointment scheduling for qualified leads | Name, email (as provided when booking) | EU / United States (EU SCCs in place) |
| Google Analytics 4 (Google Ireland Ltd.) | Website analytics and conversion tracking | Anonymized IP, usage data, event data (no directly identifying information) | EU (Google Ireland) with potential US transfer (EU SCCs) |
| OpenAI / Anthropic | Conversational AI intelligence (chatbot and voice processing) | Conversation content (processed in real-time, not stored long-term by provider under our DPA) | United States (EU SCCs / adequacy mechanisms) |
| Hosting provider | Website and infrastructure hosting | All data processed through our website | European Union |
We require all third-party processors to implement appropriate technical and organizational measures to protect your data in accordance with GDPR standards.
Odenia never sells, rents, or transfers your personal data to third parties for commercial purposes.
7. Cookies and Tracking Technologies
7.1 What Are Cookies
Cookies are small text files placed on your device when you visit our website. They serve various purposes, from ensuring the website functions properly to helping us understand how visitors use our site.
7.2 Cookies We Use
| Cookie Name / Type | Purpose | Duration | Category |
|---|---|---|---|
| odenia-lang | Remembers your language preference (FR/EN) | 12 months | Strictly necessary |
| _ga, _ga_* | Google Analytics 4: distinguishes users and sessions for analytics | Up to 14 months | Analytics (requires consent) |
| _gid | Google Analytics: distinguishes users for 24-hour analytics | 24 hours | Analytics (requires consent) |
7.3 Managing Cookies
You may control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling strictly necessary cookies may affect the functionality of our website. For analytics cookies, we obtain your consent before placing them on your device, in compliance with Article 5(3) of the ePrivacy Directive (2002/58/EC).
7.4 Google Analytics 4
We use Google Analytics 4 (GA4) to understand how visitors interact with our website. GA4 uses first-party cookies and does not store full IP addresses (IP anonymization is enabled by default). We have configured GA4 to:
- Anonymize IP addresses
- Disable data sharing with Google for advertising purposes
- Set data retention to 14 months
- Restrict data processing to our Google Analytics property in the EU (Google Ireland Limited)
We track the following custom events: chatbot_engagement, lead_qualified, cal_clicked, cal_booked, and form_submitted. These events do not contain directly identifying personal data.
8. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights with respect to your personal data:
- Right of access (Article 15): You have the right to obtain confirmation of whether we are processing your personal data, and if so, to receive a copy of that data along with information about how and why it is being processed.
- Right to rectification (Article 16): You have the right to request correction of inaccurate personal data and to have incomplete data completed.
- Right to erasure / "right to be forgotten" (Article 17): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing, subject to applicable legal retention obligations.
- Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON) and to transmit it to another controller.
- Right to object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interest. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
- Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. Our AI-based lead qualification system routes you to different service paths, but final decisions about service provision are always made by a human.
How to Exercise Your Rights
To exercise any of these rights, please send your request to:
Email: privacy@odenia.co
Subject line: "GDPR Request - [Your Right]" (e.g., "GDPR Request - Right of Access")
We will respond to your request within 30 days of receipt, as required by Article 12(3) of the GDPR. In exceptional cases involving complex or numerous requests, we may extend this period by an additional 60 days, and we will inform you of any such extension within the initial 30-day period.
We may ask you to verify your identity before processing your request, to ensure the security of your data.
Right to Lodge a Complaint
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. As Odenia Sp. z o.o. is established in Poland. The competent supervisory authority is the Polish DPA (UODO). For French users, they may also contact:
Commission Nationale de l'Informatique et des Libertes (CNIL)
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr
Phone: +33 1 53 73 22 22
9. International Data Transfers
Odenia operates primarily within the European Union and adopts an EU-first approach to data processing. However, some of our third-party service providers may process personal data outside the EEA.
Where personal data is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (as adopted under Commission Implementing Decision (EU) 2021/914) with all relevant data processors located outside the EEA.
- Supplementary measures: Where required by the CJEU's Schrems II ruling (Case C-311/18), we implement additional technical and organizational safeguards, such as encryption in transit and at rest, pseudonymization, and contractual restrictions on government access requests.
- Transfer Impact Assessments: We conduct Transfer Impact Assessments (TIAs) for each international data transfer to evaluate the legal framework of the recipient country and the effectiveness of our safeguards.
You may request a copy of the safeguards in place by contacting us at privacy@odenia.co.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR, including:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption.
- Access control: Access to personal data is restricted to authorized personnel on a strict need-to-know basis, with multi-factor authentication required for all administrative access.
- Infrastructure security: Our servers are hosted in EU data centers with ISO 27001 certification, physical security controls, and regular security audits.
- Incident response: We maintain a data breach response plan and will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in compliance with Articles 33 and 34 of the GDPR.
- Regular testing: We conduct regular security assessments and vulnerability testing to ensure the ongoing confidentiality, integrity, and availability of our systems.
11. Children's Privacy
Our services are designed for business professionals and are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a child under 16, please contact us immediately at privacy@odenia.co, and we will take steps to delete such data promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Post a notice on our website for a reasonable period
- Where required, seek your renewed consent for any changes that affect the legal basis for processing
We encourage you to review this policy periodically to stay informed about how we protect your data.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please do not hesitate to contact us:
General inquiries: contact@odenia.co
Data protection matters: privacy@odenia.co
Postal address: Odenia Sp. z o.o., Zygmunta Augusta 5, 31-504 Krakow, Poland
Data Controller: Cedric Sacuto, Founder