Privacy Policy
This Privacy Policy explains how Odapyn SAS (“Odapyn”, “we”, “us”) collects, uses, and protects personal data in connection with the odapyn.com website, the Oda product, and related services (together, the “Services”).
Odapyn is a French société par actions simplifiée registered under SIREN 948 444 468, with its registered office at 8 Résidence du Val, 91120 Palaiseau, France. We are the data controller for personal data processed through the Services.
1. What data we collect
1.1 Data you provide
- Contact data: name, email address, phone number, and any message you send us.
- Account data (Oda product): email, password hash, profile details, workspace name, and preferences.
- Business data (Oda product): information you give us about your business — brand, website content, contacts, campaigns, and content you create, upload, or generate through the Services.
- Third-party connections: if you connect an account (e.g. Google, Instagram, Meta, Stripe) we receive tokens and the minimum profile information required by the relevant platform.
- Payment data: when you purchase a paid plan, payment information is handled by our payment processor (Stripe). We do not store your card details.
1.2 Data we collect automatically
- Usage data: pages visited, actions taken, timestamps, device and browser information, approximate location inferred from your IP address.
- Log data: IP address, request metadata, and error logs, retained for security and debugging.
- Cookies and similar technologies: strictly necessary cookies (session, authentication, security) and optional analytics cookies (only with your consent where required by law).
2. Why we process your data (legal bases)
- Performance of a contract — to deliver the Services you asked for (account creation, product functionality, support).
- Legitimate interests — to secure the Services, prevent abuse, improve quality, and communicate service updates.
- Consent — for optional analytics, marketing emails, and non-essential cookies, where required.
- Legal obligation — to comply with accounting, tax, and regulatory requirements.
3. Third-party platforms (Meta, Google, Stripe)
When you connect a third-party account to Oda, we request the minimum permissions needed for the features you enable. OAuth access tokens are encrypted at rest with AES-128 (Fernet) and revoked on disconnect.
3.1 Meta (Facebook & Instagram)
If you connect a Facebook Page or Instagram Business account, we may request the following permissions, each used only for the feature named beside it:
- pages_show_list — list the Pages you manage so you can pick which Page to connect to Oda.
- pages_read_engagement — read the Page’s name, category, profile picture, and recent post engagement so Oda can display Page info in your workspace.
- pages_manage_metadata — subscribe to Page webhooks so Oda can notify you of new messages or comments.
- pages_manage_posts — publish posts, scheduled content, and carousel updates to your Page on your behalf when you click “Post” in Oda.
- instagram_basic / instagram_business_basic — read the Instagram Business account username, profile picture, and account-level stats.
- instagram_content_publish — publish feed posts, reels, and stories to your Instagram Business account when you click “Post” in Oda.
- instagram_manage_comments / instagram_business_manage_comments — read and reply to comments on your Instagram posts from Oda’s inbox.
- business_management — list the Pages and Instagram accounts your Business Portfolio grants Oda access to, so you can pick which to connect.
Content published via Meta (captions, images, videos, replies) is stored for as long as your account is active and then deleted per Section 7. If Meta sends us a data-deletion request on your behalf, we revoke your tokens immediately and delete all Meta-sourced data within 30 days. Oda’s deletion callback endpoint is https://api.oda.do/api/meta/data-deletion.
3.2 Google
Calendar, mail, or drive scopes are only requested for the specific feature you enable.
3.3 Stripe
For payments and billing. Stripe is the controller for the card data it processes.
You can revoke any integration at any time from your account settings.
4. Use of data for AI features
The Oda product uses large language models and other AI systems to help you run your business. Your content may be sent to our AI model providers (e.g. Anthropic, OpenAI, Google) to generate outputs you request. These providers act as sub-processors bound by contractual data protection obligations. We do not use your business content to train foundation models; our providers operate under zero-retention or short-retention policies where available.
5. Sharing your data
We do not sell personal data. We share it only with:
- Sub-processors that operate parts of the Services on our behalf (hosting, databases, email delivery, AI model providers, analytics).
- Platforms you connect (Meta, Google, Stripe, etc.) strictly as required to deliver the feature.
- Authorities, where we are legally required to do so.
A current list of sub-processors is available on request.
6. Data transfers outside the EEA
Some sub-processors may be located outside the European Economic Area (notably in the United States). In that case we rely on European Commission adequacy decisions and/or Standard Contractual Clauses, together with additional safeguards where appropriate.
7. Retention
We keep personal data for as long as your account is active and for the period necessary to meet the purposes described here, or as required by law (typically up to 10 years for accounting records). You can delete your account at any time; after deletion, we retain only what is necessary to comply with legal obligations.
8. Your rights
Under the GDPR and French data protection law, you have the right to:
- Access, rectify, and erase your personal data;
- Restrict or object to processing;
- Data portability;
- Withdraw consent at any time, where processing is based on consent;
- Lodge a complaint with the French data protection authority (CNIL);
- Give instructions regarding the fate of your personal data after your death.
To exercise these rights, email amine@odapyn.com. We reply within one month.
9. Security
We apply industry-standard technical and organisational measures: encryption in transit (TLS), encryption at rest for sensitive tokens, role-based access control, audit logs, and regular backups. No system is perfectly secure, but we take security seriously and respond quickly to incidents.
10. Children
The Services are not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the “last updated” date. Material changes will be communicated by email where appropriate.
12. Contact
Data controller: Odapyn SAS
8 Résidence du Val, 91120 Palaiseau, France
SIREN 948 444 468
Email: amine@odapyn.com