Privacy Policy

Website Privacy Policy

1 INTRODUCTION

1.1 Important Information and Who We Are

Welcome to Odjo Ltd's Privacy and Data Protection Policy ("Privacy Policy").

At Odjo Ltd ("we", "us", or "our"), we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation ("GDPR"), the Data Protection Act 2018, and all other mandatory laws and regulations of the United Kingdom.

This Privacy Policy explains how we collect, process, and keep your data safe. The Privacy Policy will tell you about your privacy rights, how the law protects you, and inform our employees and staff members of all their obligations and protocols when processing data.

The individuals from which we may gather and use data can include:

  • Customers
  • Suppliers
  • Business contacts
  • Employees/Staff Members
  • Any other people that the organisation has a relationship with or may need to contact.

This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.

1.2 Your Data Controller

Odjo Ltd is your Data Controller and responsible for your Personal Data. We are not obliged by the GDPR to appoint a data protection officer and have not voluntarily appointed one at this time. Therefore, any enquiries about your data should be sent to us by email at help@odjo.co.uk.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

1.3 Processing Data on Behalf of a Controller and Processors' Responsibility to You

In discharging our responsibilities as a Data Controller, we have employees who will deal with your data on our behalf ("Processors"). The responsibilities below may be assigned to an individual or may be taken to apply to the organisation as a whole. The Data Controller and our Processors have the following responsibilities:

  • Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the GDPR (see 2.2 below for more information);
  • Ensure that Processors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data;
  • Obtain the prior specific or general authorisation of the Controller before engaging another Processor;
  • Assist the Controller in the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights;
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
  • Maintain a record of all categories of processing activities carried out on behalf of a Controller;
  • Cooperate, on request, with the supervisory authority in the performance of its tasks;
  • Ensure that any person acting under the authority of the Processor who has access to Personal Data does not process Personal Data except on instructions from the Controller; and
  • Notify the Controller without undue delay after becoming aware of a Personal Data Breach.

2 LEGAL BASIS FOR DATA COLLECTION

2.1 Types of Data / Privacy Policy Scope

We may collect, use, store, and transfer different kinds of Personal Data about you, including but not limited to:

  • Profile/Identity Data: First name, last name, gender, date of birth.
  • Contact Data: Phone number, addresses, email addresses.
  • Marketing and Communications Data: Preferences in receiving marketing information.
  • Billing Data: Debit and credit card information, billing address.
  • Transactional Data: Records of payments made for our services or products.
  • Technical Data: IP address, browser type and version, operating system, and location.
  • Customer Support Data: Feedback and survey responses.
  • Usage Data: How you use our website, products, and services.
  • Special Categories of Data: Genetic information, biometric data, and criminal convictions where applicable.

2.2 The Legal Basis for Collecting That Data

We rely on the following justifications:

  • Consent: When you opt-in to certain services.
  • Contractual Obligations: Necessary data to fulfil contractual obligations.
  • Legal Compliance: Data required by law, such as for fraud prevention.
  • Legitimate Interest: Data that is necessary for business operations without infringing on your rights.

For special categories of data, we rely on explicit consent for lawful processing.

3 ODJOAI EMAIL PERMISSIONS AND TRACKING

3.1 OAuth-Based Access and Tracking Pixels

For users who grant permission, OdjoAI may integrate with their email accounts using OAuth authentication. OAuth is a secure protocol that allows users to grant limited access to their email accounts without sharing passwords. By authorising OdjoAI, users enable the platform to:

  • Generate and send emails on their behalf.
  • Attach tracking pixels to emails to monitor open rates and engagement.
  • Track email delivery, including whether an email has been successfully sent and received.

Odjo Ltd does not have access to the content of emails sent via user accounts. We can only see:

  • The subject line and email body generated by our AI before being sent.
  • Whether the email has been opened (via tracking pixels).
  • Any engagement metrics related to the email.

We do not store or access email content beyond what is generated by our language models. Users retain full control over email permissions and may revoke access at any time through their email provider settings.

3.2 Legal Compliance and Data Protection

  • OdjoAI operates in full compliance with the GDPR and the Data Protection Act 2018.
  • All email data processed via OAuth remains under the control of the user and their respective email provider.
  • Users can opt out of email tracking at any time by adjusting their settings within OdjoAI.
  • Email content is not stored by Odjo Ltd after it is sent.

3.3 Google Workspace API Compliance

Odjo Ltd explicitly affirms that Google Workspace APIs are not used to develop, improve, or train generalised AI and/or machine learning models. All data accessed through Google Workspace APIs remains protected and is used strictly for the intended functionality of OdjoAI, in compliance with applicable legal and regulatory requirements.

By using OdjoAI's email integration, users acknowledge and agree to the above terms regarding OAuth permissions and email tracking.

3.4 Gmail Alias Management

OdjoAI requests access to users' Gmail settings in order to manage "Send As" aliases. This allows users to send emails from different addresses (e.g., hello@, support@) via their Gmail account while using the OdjoAI platform. This functionality is essential for users who operate multiple brands, departments, or personas and want to maintain a professional identity when reaching out to contacts. Access is strictly limited to reading existing aliases and creating or modifying alias configurations that the user explicitly approves. OdjoAI does not access or retain the contents of user inboxes for this feature, and all changes are made via secure OAuth authentication. Users may revoke alias access at any time from their Google account settings.

3.5 Data Retention and Deletion of Google Data

Odjo Ltd retains only the minimum Google account data necessary to provide and improve the functionality of OdjoAI. Specifically:

  • Email metadata (e.g., recipient, subject, timestamps) and performance data (e.g., open rates, engagement) are stored for analytics and support purposes.
  • We do not retain the full content of emails after they are sent.
  • No Gmail content is used to train or enhance any AI models.

Users may revoke access to their Google account at any time via their Google security settings: https://myaccount.google.com/permissions

If you request deletion of your data, we will:

  • Permanently delete all Google-derived data associated with your account within 14 business days, unless required for legal compliance.
  • Remove all associated metadata and revoke any active tokens.

To request deletion, contact us at help@odjo.co.uk with the subject line: Data Deletion Request.

This Privacy Policy was last updated on 4 June 2025.