Legal
Privacy Policy
Last updated: March 16, 2026
We wrote this in plain English because legal pages shouldn't require a law degree. Your data is yours. We don't sell it. We don't do anything weird with it.
01 Information We Collect
We collect information you provide directly and information generated through your use of OdoTrust:
- Account information: Name, email address, company name, job title, and password when you create an account.
- Company data: Compliance policies, frameworks, controls, evidence, and employee information you upload or generate within the platform.
- Usage data: How you interact with OdoTrust - pages visited, features used, time spent, clicks, and navigation patterns.
- Device data: Browser type, operating system, IP address, and device identifiers.
- Communication data: Messages you send us via email or support channels.
02 How We Use Your Information
We use your information to:
- Provide the service: Run your compliance workflows, generate policies, track controls, and manage your compliance program.
- Improve OdoTrust: Understand usage patterns to build better features (we use aggregated, anonymized data for this).
- Communicate: Send product updates, security notices, and support responses. We don't spam.
- AI features: Power AI onboarding, policy generation, and smart consolidation. Your data is processed but never used to train models.
- Security: Detect fraud, abuse, and unauthorized access.
We NEVER sell your data. We NEVER use your compliance data to train AI models. Your policies, controls, and evidence belong to you.
03 Data Sharing & Third Parties
We share your data only when necessary to provide the service:
- Cloud infrastructure: Hosted on secure cloud providers (AWS/GCP) with enterprise-grade security.
- AI providers: Processed through AI APIs for smart features - no data retention by providers.
- Payment processing: Stripe handles billing. We never see or store your full card number.
- Analytics: Anonymized usage analytics to improve the product.
We will never share your data with advertisers, data brokers, or any party that doesn't directly support your use of OdoTrust.
04 Data Security
As a compliance platform, security isn't just a feature - it's our entire identity:
- Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256).
- Access controls: Role-based access, MFA support, and audit logging.
- SOC 2 alignment: We build OdoTrust to the same standards we help our customers achieve.
- Regular audits: Continuous security monitoring and periodic third-party assessments.
- Incident response: Documented incident response plan with notification within 72 hours.
05 Data Retention
We keep your data only as long as needed:
- Active account: Data retained while your account is active.
- After cancellation: We retain data for 30 days after account deletion, then permanently erase it.
- Full export: You can export ALL your data at any time, in standard formats. No lock-in. No hostage data.
- Legal requirements: Some data may be retained longer if required by law (e.g., billing records).
06 Your Rights (GDPR & Beyond)
Regardless of where you're located, we give you these rights:
- Access: Request a copy of all data we hold about you.
- Correction: Fix any inaccurate information.
- Deletion: Request complete deletion of your data ("right to be forgotten").
- Portability: Export your data in machine-readable formats.
- Objection: Object to specific types of data processing.
- Restriction: Request we limit how we process your data.
To exercise any of these rights, email us at hello@odotrust.com - we'll respond within 48 hours, not 30 business days.
07 Cookies & Tracking
We use minimal cookies:
- Essential cookies: Required for login, session management, and security. Can't be disabled.
- Analytics cookies: Anonymous usage analytics to improve the product. Can be disabled.
- No advertising cookies: We don't run ads. We don't track you across the internet. Zero ad cookies.
08 Children's Privacy
OdoTrust is a B2B compliance platform. We do not knowingly collect information from anyone under 16. If you believe a child has provided us with personal data, contact us and we'll delete it immediately.
09 Changes to This Policy
If we make material changes, we'll notify you via email and update this page. We won't quietly change terms to sneak things past you - that would be the opposite of what we stand for.
10 Contact Us
Questions about this policy? Privacy concerns? Just want to chat?
hello@odotrust.com
We'll respond within 48 hours. Usually faster.