Privacy Policy
Your privacy matters. This policy explains how we collect, use, and protect your personal data in compliance with the GDPR and LOPDGDD.
1. Data Controller
2. What Data We Collect
We may collect the following categories of personal data depending on how you interact with us:
- Identification data: name, surname, email address, phone number, company name, tax ID.
- Account data: username, encrypted password, billing information, subscription plan.
- Usage data: IP address, browser type, pages visited, session duration, device information.
- Communication data: messages sent through the contact form, support requests, and email correspondence.
- Business data: invoices, accounting records, bank transactions, payroll data, and other financial information entered into the Odiverse platform by the user.
3. Purposes and Legal Basis
We process your personal data for the following purposes, each supported by a valid legal basis under Article 6 of the GDPR:
| Purpose | Legal Basis |
|---|---|
| Responding to contact requests and enquiries | Consent (Art. 6.1.a GDPR) |
| Providing and managing the Odiverse service | Contract performance (Art. 6.1.b GDPR) |
| Account management, billing, and invoicing | Contract performance (Art. 6.1.b GDPR) |
| Compliance with legal and tax obligations | Legal obligation (Art. 6.1.c GDPR) |
| Sending marketing and promotional communications | Consent (Art. 6.1.a GDPR) |
| Improving our services and performing analytics | Legitimate interest (Art. 6.1.f GDPR) |
When the legal basis is consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal. When based on legitimate interest, you have the right to object (see Section 6).
4. Data Recipients
Your personal data will not be sold or shared with third parties for their own marketing purposes. Data may be shared with the following categories of service providers, who act as data processors under appropriate data processing agreements:
- Email service provider: Resend (for transactional and marketing emails).
- Hosting infrastructure: Own servers located in Spain (no third-party cloud providers for core data).
- Analytics: Google Analytics (anonymised usage data).
- Payment processor: [PENDING] (for subscription billing).
- AI services: Anthropic (Claude API, for AI-powered features within the platform). Data processed under a DPA with appropriate safeguards.
Additionally, data may be disclosed to public authorities when required by law.
5. International Data Transfers
Your core business data (invoices, accounting records, bank transactions) is stored exclusively on our own servers in Spain and never leaves the European Economic Area (EEA).
Certain ancillary services (email delivery via Resend, analytics via Google Analytics, AI processing via Anthropic) may involve transfers of limited data to the United States. These transfers are protected by appropriate safeguards, including EU Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework, in compliance with Chapter V of the GDPR.
6. Your Rights
Under the GDPR and LOPDGDD, you have the following rights in relation to your personal data:
Right of Access
Obtain confirmation of whether your personal data is being processed and access a copy of it.
Right to Rectification
Request the correction of inaccurate data or the completion of incomplete data.
Right to Erasure
Request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected.
Right to Restriction
Request that we limit the processing of your data in certain circumstances.
Right to Data Portability
Receive your personal data in a structured, commonly used, and machine-readable format.
Right to Object
Object to the processing of your data based on legitimate interests, including profiling.
To exercise any of these rights, please contact us at info@odiverse.com with proof of your identity. We will respond within 30 days.
If you believe your rights have not been adequately addressed, you have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es).
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Contact enquiries: data is retained for the time necessary to respond to the enquiry, and up to 12 months thereafter unless you become a customer.
- Customer account data: retained for the duration of the contractual relationship, and for up to 5 years afterwards for legal compliance purposes.
- Invoicing and accounting data: retained for a minimum of 6 years as required by Spanish commercial law (Art. 30 of the Spanish Commercial Code).
- Marketing communications: until you withdraw your consent or unsubscribe.
8. Security Measures
Odiverse implements appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- Own infrastructure hosted in Spanish data centres (no third-party cloud dependency for core data).
- Role-based access control (RBAC) and principle of least privilege.
- Regular security audits aligned with ISO 27001 and ENS standards.
- Automated backups with redundant storage.
9. Cookies
This website uses cookies. For complete information about the types of cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
10. Changes to This Policy
Odiverse reserves the right to update this Privacy Policy at any time. Any significant changes will be communicated through the Website or via email. We encourage you to review this policy periodically. Continued use of the service after modifications constitutes acceptance of the updated policy.
Last updated: March 2025