§ LEGAL · ODYSSEY TECH SAS

Privacy Policy

How Odyssey collects, uses, retains and protects personal data. Last updated: 27 May 2026.

Compliance: GDPR (EU 2016/679) · EU AI Act (EU 2024/1689) · French Data Protection Act · CNIL 2026 guidelines

§ AVAILABLE IN FRENCH · DISPONIBLE EN FRANÇAIS

A bilingual French/English version of this policy is available as a PDF document.

↓ DOWNLOAD BILINGUAL PDF (FR/EN)

Preamble

Odyssey Tech SAS ("Odyssey", "we", "our") places fundamental importance on the protection of personal data. This privacy policy describes how we collect, use, store and protect the personal data of visitors to our website and our clients.

As a strategic advisory firm operating primarily B2B (private equity firms, large enterprises, executive leadership), we process limited personal data exclusively for legitimate professional purposes.

1. Data Controller

The data controller is Odyssey Tech SAS, a French simplified joint-stock company (SAS), subsidiary of Ascent Holding, represented by Axel Tombereau, President.

SIREN: 819 100 090 — Registered with Paris Trade Registry — EU VAT: FR58 819 100 090. Registered office: 128 rue La Boétie, 75008 Paris, France.

Contact: contact@odyssey.tech (single address for all inquiries, including privacy and GDPR rights exercise).

Data Protection Officer (DPO): Odyssey has not designated a formal DPO, as we are not legally required to do so under Article 37 of the GDPR. Any data protection request can be addressed to contact@odyssey.tech.

2. Scope

This policy applies to all personal data collected by Odyssey through our website odyssey.tech and its subdomains, our email communications with clients and prospects, our Calendly meetings and scoping calls, our advisory engagements and professional services, as well as any other professional interaction.

3. Data Collected and Legal Bases

In compliance with Article 6 of the GDPR, we collect and process the following data:

3.1 Browsing data

Anonymized IP address, browser type and OS, pages visited, session duration, referrer, date and time. Legal basis: legitimate interest (Art. 6.1.f) for necessary statistics; consent (Art. 6.1.a) for non-strictly-necessary analytics cookies. Retention: 12 months maximum (CNIL recommendation).

3.2 Contact form data

First and last name, professional email, company, role, message, phone where applicable. Legal basis: performance of pre-contractual measures (Art. 6.1.b); legitimate interest for commercial qualification (Art. 6.1.f). Retention: 3 years from last contact (CNIL recommendation for B2B prospecting).

3.3 Calendly appointments

Name, email, company, role, meeting subject, timestamp, eligibility question answers. Legal basis: performance of pre-contractual measures (Art. 6.1.b). Retention: 3 years from the meeting.

3.4 Contractual and engagement data

Client identification data and that of their representatives, contractual data (engagement letters, NDA), data provided for the engagement, professional email correspondence. Legal basis: performance of contract (Art. 6.1.b). Retention: 5 years for emails after engagement end; 10 years for contracts (French Commercial Code L.123-22 obligation).

3.5 Payment data

Payments are processed exclusively by our provider Stripe. Odyssey does not store any banking data. Legal basis: performance of contract (Art. 6.1.b) and legal accounting obligation (Art. 6.1.c). Retention: 10 years for payment records (French accounting obligation).

4. Data Recipients

Your data is accessible only to Odyssey partners and staff with a legitimate need for access, our technical subprocessors (see section 5), legally authorized authorities in case of judicial requisition, and our legal counsel and accountants where applicable, under professional confidentiality.

We never sell, rent or transfer your data to third parties for commercial purposes.

5. Technical Subprocessors

For operational reasons, we use the following subprocessors, each having signed Data Processing Agreements (DPAs) compliant with the GDPR:

• Google Workspace — email, Drive, Meet, Calendar (USA, SCC)

• Microsoft 365 — Office, Teams (USA, SCC)

• Stripe — client payments (USA, SCC)

• Calendly — appointments (USA, SCC)

• Framer — website hosting (USA, SCC)

• Google Analytics 4 + Google Tag Manager — analytics (USA, SCC)

• Brevo — email marketing (France, EU)

• Squarespace Domains — registrar (USA, SCC)

• Anthropic Claude API — AI assistance (USA, Zero Data Retention mode)

International transfers: When subprocessors are based outside the EU (mainly USA), transfers are secured by Standard Contractual Clauses (SCCs) approved by the European Commission, in compliance with Articles 44-46 of the GDPR.

6. Cookies and Trackers

Our website uses cookies. A detailed cookie policy is available at odyssey.tech/cookies. You can modify your preferences at any time via the "Manage my cookies" link in the footer. Strictly necessary cookies (always active); analytics cookies (Google Analytics, subject to consent); no advertising or retargeting cookies.

7. Use of Artificial Intelligence

As a firm specializing in AI strategy, we use generative AI tools (Claude/Anthropic, ChatGPT/OpenAI, Gemini/Google, Grok/xAI) in our operations, in compliance with EU Regulation 2024/1689 ("EU AI Act").

7.1 Commitments regarding your data

Odyssey commits to never use the data of clients, prospects or visitors to train AI models, nor to authorize publishers to do so. We systematically activate "Zero Data Retention" modes on APIs. Sensitive data is never entered into consumer interfaces.

7.2 No automated decisions

In accordance with Article 22 of the GDPR, Odyssey makes no decisions based solely on automated processing. All our analyses and recommendations are subject to human review by a partner or senior consultant before communication to the client.

7.3 Right to object to AI use

Upon your explicit request, and where technically feasible, you may request that Odyssey handle your engagement without recourse to generative AI tools. See our detailed AI policy at odyssey.tech/ai-use.

8. Data Security

Odyssey implements appropriate technical and organizational measures in accordance with Article 32 of the GDPR: TLS encryption (HTTPS required), two-factor authentication on all sensitive tools, strong password policies, advanced email authentication (DKIM 2048-bit, SPF, DMARC, MTA-STS), access limited to legitimate need, regular audit of subprocessors and their certifications (ISO 27001, SOC 2), incident response plan.

Breach notification: In case of a data breach likely to result in a risk to your rights and freedoms, Odyssey will notify the CNIL within 72 hours and, where applicable, data subjects without undue delay, in accordance with Articles 33 and 34 of the GDPR.

9. Your Rights

In accordance with Articles 15 to 22 of the GDPR and the French Data Protection Act, you have the following rights regarding your personal data: right of access, right to rectification, right to erasure ("right to be forgotten"), right to restriction, right to data portability, right to object, right to withdraw consent at any time, right to define post-mortem directives.

9.1 How to exercise your rights

To exercise these rights, contact us at contact@odyssey.tech. We undertake to respond within one month from receipt of your request, in accordance with Article 12.3 of the GDPR. This period may be extended by two additional months if necessary, considering the complexity and number of requests. For security reasons, we may ask you to justify your identity before responding.

9.2 Right to lodge a complaint

If you believe, after contacting us, that your rights are not respected, you may lodge a complaint with the French Data Protection Authority (CNIL — 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France, www.cnil.fr) or with the supervisory authority of your country of residence.

10. Minors

Our website and services are aimed exclusively at adult professionals. We do not knowingly collect data concerning minors under 16 years of age. If we learn that such collection has occurred, we will immediately delete the data concerned.

11. Policy Updates

Odyssey may modify this privacy policy at any time to reflect legal, technical or operational changes. Any substantial modification will be notified on this page with mention of the update date. In case of significant change affecting the processing of your data, we will inform you by email when technically possible. We invite you to consult this page regularly.

§ CONTACT

Questions about your data?

contact@odyssey.tech — Single address for all inquiries, including exercising your GDPR rights.