Privacy Policy

Odenia ("we," "us," or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website at odenia.co, use our conversational AI platform, or interact with our services in any manner.

This policy is drafted in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation" or "GDPR"), the French Loi Informatique et Libertes (as amended), and all applicable data protection legislation in force in France and the European Union.

By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy. Where we rely on your consent as a legal basis, we will obtain such consent explicitly before processing your data.

1. Data Controller

Odenia is the data controller within the meaning of Article 4(7) of the GDPR for all personal data collected through our website, our conversational AI chatbot, and our voice agent services.

2. Data We Collect

We collect and process the following categories of personal data, depending on how you interact with our services:

2.1 Data You Provide Directly

When you interact with our AI chatbot, fill out forms, or contact us, you may provide:

• Identity data: First name, last name
• Contact data: Email address, telephone number
• Professional data: Company name, website URL, industry/sector
• Business metrics: Monthly website traffic, current conversion rate, investment budget
• Communication data: Any messages, descriptions, or feedback you provide through our chatbot, voice agent, or contact forms

2.2 Data Collected Automatically

When you visit our website, certain data is collected automatically through cookies and similar technologies:

• Technical data: IP address (anonymized), browser type and version, operating system, device type, screen resolution
• Usage data: Pages visited, time spent on pages, click patterns, referral source, scroll depth
• Analytics data: Session duration, bounce rate, interaction events (chatbot engagement, form submissions, calendar bookings), collected via Google Analytics 4
• Language preference: Browser language settings (used for automatic language detection)

2.3 Data We Do Not Collect

We do not knowingly collect or process:

• Special categories of personal data (Article 9 GDPR), such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data
• Payment card numbers or bank account details (all payments are processed through third-party payment processors)
• Social security numbers or government identification numbers

3. Legal Basis for Processing

In accordance with Article 6(1) of the GDPR, we process your personal data on the following legal bases:

Processing Activity	Legal Basis	GDPR Article
Lead qualification via chatbot or voice agent	Consent (you initiate the conversation and provide your data voluntarily)	Art. 6(1)(a)
Delivering our AI services to contracted clients	Performance of a contract or pre-contractual steps	Art. 6(1)(b)
Sending follow-up communications and nurturing sequences	Legitimate interest (providing relevant information to prospects who have shown interest)	Art. 6(1)(f)
Website analytics and performance optimization	Legitimate interest (improving our services and user experience)	Art. 6(1)(f)
Compliance with legal obligations	Legal obligation	Art. 6(1)(c)
Scheduling meetings via Cal.com	Consent (you actively choose to book a meeting)	Art. 6(1)(a)

Where we rely on legitimate interest, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may object to processing based on legitimate interest at any time by contacting us at privacy@odenia.co.

4. Purposes of Processing

We process your personal data for the following specific purposes:

• Lead qualification and routing: To assess your business needs through our conversational AI and route you to the appropriate service tier (direct consultation for qualified leads, nurturing sequence for others)
• CRM management: To store and manage your contact information and interaction history in our customer relationship management system for follow-up and relationship building
• Service delivery: To configure, deploy, and maintain AI chatbot and voice agent systems for our contracted clients
• Communication: To respond to your inquiries, send appointment confirmations, share audit results, and provide relevant updates about our services
• Marketing and nurturing: To send you educational content, case studies, and service updates if you have opted in or where permitted under our legitimate interest (with easy opt-out mechanisms in every communication)
• Analytics and improvement: To analyze website usage patterns, optimize our AI conversation flows, and improve the performance of our platform
• Legal compliance: To comply with applicable laws, regulations, and legal proceedings, including tax and accounting obligations

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our retention periods are as follows:

Data Category	Retention Period	Justification
Qualified lead data (name, email, phone, website, business metrics)	36 months from last interaction	Legitimate interest in maintaining business relationship; B2B sales cycles
Non-qualified lead data	12 months from collection	Nurturing and potential re-engagement
Client contractual data	Duration of contract + 5 years	Legal obligation (French commercial law, statute of limitations)
Chatbot conversation logs	24 months	Service improvement and quality assurance
Website analytics data (GA4)	14 months	Google Analytics 4 default; legitimate interest
Cookie consent records	13 months	Compliance with ePrivacy Directive
Invoicing and payment records	10 years	French tax and accounting law (Code de commerce, Article L.123-22)

After the applicable retention period expires, your personal data is securely deleted or anonymized so that it can no longer be associated with you.

6. Third-Party Service Providers

To deliver our services, we share personal data with a limited number of carefully selected third-party processors. Each processor is bound by a Data Processing Agreement (DPA) in compliance with Article 28 of the GDPR. We do not sell your personal data to any third party.

Service Provider	Purpose	Data Shared	Location
Airtable (Formagrid Inc.)	CRM and lead database management	Name, email, phone, website, sector, business metrics, qualification status	United States (EU SCCs in place)
N8N (self-hosted)	Workflow automation (lead routing, email sequences, webhook processing)	Lead data as submitted via chatbot	EU (self-hosted infrastructure)
Cal.com (Cal.com Inc.)	Appointment scheduling for qualified leads	Name, email (as provided when booking)	EU / United States (EU SCCs in place)
Google Analytics 4 (Google Ireland Ltd.)	Website analytics and conversion tracking	Anonymized IP, usage data, event data (no directly identifying information)	EU (Google Ireland) with potential US transfer (EU SCCs)
OpenAI / Anthropic	Conversational AI intelligence (chatbot and voice processing)	Conversation content (processed in real-time, not stored long-term by provider under our DPA)	United States (EU SCCs / adequacy mechanisms)
Hosting provider	Website and infrastructure hosting	All data processed through our website	European Union

We require all third-party processors to implement appropriate technical and organizational measures to protect your data in accordance with GDPR standards.

7. Cookies and Tracking Technologies

7.1 What Are Cookies

Cookies are small text files placed on your device when you visit our website. They serve various purposes, from ensuring the website functions properly to helping us understand how visitors use our site.

7.2 Cookies We Use

Cookie Name / Type	Purpose	Duration	Category
odenia-lang	Remembers your language preference (FR/EN)	12 months	Strictly necessary
_ga, _ga_*	Google Analytics 4: distinguishes users and sessions for analytics	Up to 14 months	Analytics (requires consent)
_gid	Google Analytics: distinguishes users for 24-hour analytics	24 hours	Analytics (requires consent)

7.3 Managing Cookies

You may control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling strictly necessary cookies may affect the functionality of our website. For analytics cookies, we obtain your consent before placing them on your device, in compliance with Article 5(3) of the ePrivacy Directive (2002/58/EC).

7.4 Google Analytics 4

We use Google Analytics 4 (GA4) to understand how visitors interact with our website. GA4 uses first-party cookies and does not store full IP addresses (IP anonymization is enabled by default). We have configured GA4 to:

• Anonymize IP addresses
• Disable data sharing with Google for advertising purposes
• Set data retention to 14 months
• Restrict data processing to our Google Analytics property in the EU (Google Ireland Limited)

We track the following custom events: chatbot_engagement, lead_qualified, cal_clicked, cal_booked, and form_submitted. These events do not contain directly identifying personal data.

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights with respect to your personal data. These rights apply regardless of where you are located, though certain rights are specific to individuals in the European Economic Area (EEA):

• Right of access (Article 15): You have the right to obtain confirmation of whether we are processing your personal data, and if so, to receive a copy of that data along with information about how and why it is being processed.
• Right to rectification (Article 16): You have the right to request correction of inaccurate personal data and to have incomplete data completed.
• Right to erasure / "right to be forgotten" (Article 17): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing, subject to applicable legal retention obligations.
• Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
• Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV or JSON) and to transmit it to another controller.
• Right to object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interest. Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent (Article 7(3)): Where processing is based on your consent, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
• Right not to be subject to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you. Our AI-based lead qualification system routes you to different service paths, but final decisions about service provision are always made by a human.

How to Exercise Your Rights

To exercise any of these rights, please send your request to:

Right to Lodge a Complaint

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. As Odenia is established in France, the competent authority is:

9. International Data Transfers

Odenia operates primarily within the European Union and adopts an EU-first approach to data processing. However, some of our third-party service providers may process personal data outside the EEA.

Where personal data is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, we ensure that appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (as adopted under Commission Implementing Decision (EU) 2021/914) with all relevant data processors located outside the EEA.
• Supplementary measures: Where required by the CJEU's Schrems II ruling (Case C-311/18), we implement additional technical and organizational safeguards, such as encryption in transit and at rest, pseudonymization, and contractual restrictions on government access requests.
• Transfer Impact Assessments: We conduct Transfer Impact Assessments (TIAs) for each international data transfer to evaluate the legal framework of the recipient country and the effectiveness of our safeguards.

You may request a copy of the safeguards in place by contacting us at privacy@odenia.co.

10. Data Security

We take the security of your personal data seriously and implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR, including:

• Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption.
• Access control: Access to personal data is restricted to authorized personnel on a strict need-to-know basis, with multi-factor authentication required for all administrative access.
• Infrastructure security: Our servers are hosted in EU data centers with ISO 27001 certification, physical security controls, and regular security audits.
• Incident response: We maintain a data breach response plan and will notify the relevant supervisory authority within 72 hours of becoming aware of a breach, and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in compliance with Articles 33 and 34 of the GDPR.
• Regular testing: We conduct regular security assessments and vulnerability testing to ensure the ongoing confidentiality, integrity, and availability of our systems.

11. Children's Privacy

Our services are designed for business professionals and are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe that we have inadvertently collected data from a child under 16, please contact us immediately at privacy@odenia.co, and we will take steps to delete such data promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Post a notice on our website for a reasonable period
• Where required, seek your renewed consent for any changes that affect the legal basis for processing

We encourage you to review this policy periodically to stay informed about how we protect your data.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please do not hesitate to contact us: