NLENFR
Free check
Odyssee

Privacy Policy

This is an English translation provided for your convenience. In the event of any discrepancy or ambiguity, the Dutch version of this privacy statement is legally binding.

Introduction

Welcome to Odyssee! Privacy and the protection of your personal data are central to what we do. We understand that you need to be able to trust that your data is handled safely and carefully when you visit our website, use our services or get in touch with us in any other way.

In this comprehensive privacy statement we explain transparently how we handle your personal data. We have drawn up this statement in accordance with the General Data Protection Regulation (GDPR) and all other applicable Dutch and European privacy legislation. By using our website and services, you agree to the processing described in this privacy statement. We therefore recommend that you read this statement carefully and consult it regularly, as we may amend it from time to time in line with new developments in our services or changes in legislation.

This privacy statement applies to all activities of Odyssee and to everyone who interacts with us in any way. Whether you are a visitor to our website, a customer, a prospect, a business partner or otherwise involved with our organisation, this privacy statement describes how we handle your data.

Who are we?

Odyssee is the trade name under which we conduct our activities. As the controller within the meaning of the GDPR, we are responsible for the lawful and careful processing of your personal data. Our full company details are as follows:

Organisation name: Odyssee Software Solutions B.V.
Address: Beursplein 37, 3011AA Rotterdam
Country: The Netherlands
Chamber of Commerce (KvK) number: 90380665
VAT number: NL865296327B01

For any questions, requests or comments regarding privacy and data protection, you can contact us through the following channels:

General contact details:
Email: contact@odyssee.one
Postal address: Postbus 30006, 3001 DA Rotterdam

Privacy-specific contact details:
Email for privacy questions: privacy@odyssee.one

Data Protection Officer:
In accordance with the GDPR, we have appointed a Data Protection Officer (DPO) who oversees compliance with privacy legislation within our organisation. For specific questions regarding the processing of personal data or exercising your privacy rights, you can contact our DPO directly:

DPO email: fg@odyssee.one
DPO postal address: Postbus 30006, 3001 DA Rotterdam

Which personal data do we collect and process?

Personal data is any data that contains information about an identified or identifiable natural person. This can be direct identifying data such as your name and address, but also indirect data such as an IP address or cookie identifier by which you can be identified. We collect and process various categories of personal data, depending on the way you interact with us and the services you obtain from us.

Identification and contact data form the basis of our data processing. This includes your first and last name, email address or addresses, telephone number or numbers including mobile numbers, full postal address consisting of street, house number, postcode, town and country, and, where relevant to our services, your date of birth. In certain cases we may be asked to process a copy of your identity document, but we only do this when this is legally required or necessary to prevent fraud.

Business and professional data are collected when you contact us as a business customer or in a professional capacity. This data includes your company name or the name of the organisation you work for, your job title or role within the organisation, your company’s Chamber of Commerce number, VAT number where applicable, billing details necessary for our administration, and bank details such as your IBAN when this is needed for payments or refunds. Business contact details that differ from your personal contact details also fall under this category.

Technical and digital data are collected automatically when you visit our website or use digital services. This concerns your IP address, information about the browser you use including type and version, your operating system, details about the device with which you visit our website, the URL of the website you came from before visiting our website, an overview of the pages you visit on our website and their order, the time and duration of your visit to our website, and data about your click and scroll behaviour on our website. This information helps us optimise our website and resolve technical issues.

Communication and interaction data arise from your contact with us through various channels. This includes all correspondence we have with you via email, telephone, chat functionality on our website, or physical mail, feedback you give us about our services or website, reviews you write about our products or services, questions you ask and complaints you submit, notes we make of conversations we have with you in support of our services, and information you provide when you take part in surveys, studies or market research we carry out.

Marketing and behavioural data are used to better tailor our communication and services to your interests and needs. This data includes information about your preferences and interests as apparent from your behaviour on our website or from information you provide directly, data about which content, products or services spark your interest, your marketing preferences and whether or not you wish to be approached for marketing purposes, information about your participation in events, webinars, workshops or other activities we organise, and networking data when you take part in our professional networking activities.

Special categories of personal data are in principle not processed by us. This data, also known as sensitive personal data, concerns information about your health, political opinions, religious or philosophical beliefs, race or ethnic origin, sexual orientation, trade union membership, genetic data, biometric data or criminal data. Should it nevertheless be necessary in very exceptional cases to process such data, we will always ask for your explicit consent in advance and take additional security measures to protect this sensitive information.

How do we obtain your personal data?

We obtain your personal data in various ways, whereby transparency about the origin of this data is essential to good privacy practice. The main ways in which we obtain your data are as follows.

Data obtained directly from you form the largest part of our data collection. This happens when you actively choose to share information with us. You provide us with personal data when you sign up for our newsletter or other informative mailings, contact us via the contact forms on our website, contact us by telephone for questions or support, request information or quotes for our products or services, place orders or enter into contracts with us, register for events such as webinars, workshops, conferences or other activities we organise or take part in, participate in trainings, courses or e-learnings we offer, give feedback on our services or products, or when you respond to surveys or studies we carry out.

Data collected automatically via our digital channels are generated by your use of our website, apps or other digital platforms. We collect this data by means of cookies and similar technologies that store information about your website behaviour, web analytics tools such as Google Analytics that help us understand how our website is used, heatmap tools that show where visitors click and scroll on our website, social media plugins that share information about your interaction with our social media content, and security tools that help prevent fraud and misuse of our website. It is important to know that you always have control over much of this automatic data collection by adjusting your cookie settings.

Data obtained from third parties concern information we lawfully obtain from external sources. This happens when business partners, suppliers or collaboration partners we work with share your data with us because this is necessary for the provision of our services, when we collect information from publicly accessible sources such as professional networking sites like LinkedIn, business databases, or public registers when this is relevant to our business activities, when suppliers who provide services to us share your data with us insofar as this is necessary for their services to us, or when existing customers or partners recommend you to us and provide your contact details in doing so. We always ensure that such third parties are entitled to share your data with us and that this is done in accordance with applicable privacy legislation.

Why and on what legal basis do we process your data?

The GDPR requires that every processing of personal data is based on a valid legal basis. We process your personal data solely for specific, explicitly described and legitimate purposes, using the following legal bases.

Performance of contracts is an important legal basis for our data processing. When you order products or services from us, enter into a contract with us, or when you request a quote, we process your data in order to perform this contract or to take measures at your request with a view to concluding a contract. This includes processing your order, delivering our products or services, providing customer service and support, handling invoices and payments, carrying out projects and assignments in accordance with our agreements, account management and customer administration, and handling any disputes or complaints. For this processing we retain your data for the duration of our contractual relationship, plus a period of seven years thereafter due to tax retention obligations.

Compliance with legal obligations is a legal basis we use when the law obliges us to process or retain certain data. This mainly concerns our tax and administrative obligations such as keeping correct accounts, preparing annual financial statements, retaining tax-relevant documents, meeting identification requirements under Know Your Customer (KYC) procedures, and making legally required reports to regulators. We retain this data in accordance with legal requirements, which usually means for a period of seven years after the end of the relevant financial year.

Legitimate interest is a frequently used legal basis we rely on when we have a legitimate business interest in processing your data, provided this interest outweighs your privacy interests and fundamental rights. We rely on legitimate interest for direct marketing and sending newsletters to existing customers and prospects, analysing website use to improve our online services, conducting customer satisfaction surveys to optimise our services, maintaining business relationships and networks, preventing fraud and ensuring the security of our systems, business development and strategic planning, and handling complaints and legal proceedings. For processing based on legitimate interest we retain your data for a maximum of three years after our last contact, unless there are other reasons to retain the data for longer.

Consent is requested for specific processing where we cannot rely on another legal basis, in particular for certain marketing activities and the use of non-essential cookies. This concerns creating personalised content and recommendations based on extensive profile analysis, placing retargeting ads on external websites, carrying out extensive behavioural analysis for marketing purposes, and the use of marketing and tracking cookies that are not strictly necessary for the operation of our website. When we rely on your consent, you always have the right to withdraw this consent. After you withdraw your consent we stop the relevant processing, unless another legal basis applies.

With whom do we share your data?

We respect the confidentiality of your personal data and only share it with carefully selected parties when this is necessary for our services, legally required, or when you have given your explicit consent.

Internal access within our organisation is strictly regulated according to the “need-to-know” principle. Only those employees who need your data for the performance of their work have access to this information. All employees have signed a comprehensive confidentiality agreement and receive regular training on handling personal data correctly. We apply strict access controls and monitor the use of personal data within our organisation.

External processors are carefully selected parties that process personal data on our behalf on the basis of a processor agreement in accordance with Article 28 of the GDPR. These parties act solely according to our instructions and may not use your data for their own purposes. Our main categories of processors are IT service providers that manage our technical infrastructure, including hosting providers that manage our servers and websites (whereby we ensure that servers are located within the Netherlands or the European Union), cloud storage services for secure storage of data, software suppliers that provide us with necessary applications and systems, and IT support organisations that maintain our technical systems.

For marketing and communication we work with platforms for email marketing that send our newsletters and marketing emails, CRM systems that help us manage customer relationships, social media management tools for managing our online presence, and analytics service providers that help us optimise our website and marketing.

In the area of financial services we engage payment service providers for processing online payments, accounting service providers for support with our administration, and possibly factoring companies for the management of receivables.

We have contractually bound all external processors to strict privacy agreements that meet the requirements of the GDPR. We regularly check whether these parties comply with our privacy and security requirements.

Legal obligations may compel us to share your data with government authorities. This only happens when the law requires it and is limited to the information that is strictly necessary. Examples are providing tax data to the Tax Authority, sharing information with regulators in the context of investigations into our organisation, providing data to the police and judicial authorities in criminal proceedings, and sharing information with other government authorities when specific legislation requires this.

Business transfers may take place when our company or parts of it are acquired, merged, or sold. In such cases, personal data may form part of the business assets that are transferred. We will inform you in advance of such a transfer and point out your rights in that situation. The acquiring party will be bound by the same privacy obligations as us.

International transfer of data

We strive to process your personal data within the Netherlands and the European Economic Area (EEA), where the same high privacy protection standards apply as in the Netherlands. However, in our globalised digital economy it may sometimes be necessary to transfer data to countries outside the EEA.

Transfers within the EU and EEA we consider safe because the same privacy legislation applies in all these countries. When we use service providers in other EU countries, your data enjoys the same protection there as in the Netherlands.

Transfers to third countries only take place when this is strictly necessary and when adequate safeguards have been put in place for the protection of your data. For certain technical services we use American companies, but only when these companies comply with an adequacy decision of the European Commission or when appropriate safeguards have been put in place such as Standard Contractual Clauses approved by the European Commission. Examples of such services may be Google Analytics for website analysis, Microsoft Office 365 for productivity software, or other cloud services from reputable international providers.

When we are obliged to transfer your data to countries that do not have an adequacy decision from the European Commission, we always ensure that appropriate safeguards are in place. This may consist of the use of Standard Contractual Clauses, certification schemes, or, in exceptional cases, obtaining your explicit consent for the specific transfer.

We continuously monitor international privacy developments and adjust our procedures when necessary to safeguard the protection of your data, regardless of where it is processed.

Security of your data

We regard the security of your personal data as one of our most important responsibilities. We have taken extensive technical and organisational measures to protect your data against unauthorised access, loss, theft, misuse or unlawful processing.

Technical security measures form the backbone of our data security. All communication between your browser and our website is secured by means of SSL/TLS encryption, which means that data exchanged cannot be intercepted or read by third parties. Sensitive data in our databases is stored encrypted, so that it is not readable by unauthorised persons even in the event of a breach. Our backups are also encrypted and stored in secure locations.

Access to our systems is strictly regulated by means of multi-factor authentication for all users, role-based access rights whereby employees only have access to the data they need for their work, regular review of user rights to ensure that no unnecessary access exists, and automatic log-out procedures that prevent systems from being left unsecured.

Our network security comprises advanced firewalls and intrusion detection systems that detect and block unusual activity, regular penetration tests by external security experts to identify vulnerabilities, continuous monitoring of our systems for suspicious activity, and the use of isolated network segments to limit the impact of any security incidents.

In the area of software security we ensure regular updates of all systems with the latest security patches, extensive antivirus and anti-malware protection on all systems, the application of secure coding practices in the development of our own software, and regular vulnerability assessments to identify and address potential weaknesses.

Organisational security measures ensure that the human factor in our security is just as strong as our technical measures. Our personnel policy includes thorough background checks for all employees who have access to personal data, mandatory privacy and security training for all employees that is regularly repeated and updated, confidentiality agreements signed by all employees, and a clear desk and clear screen policy that ensures that sensitive information is not left unsecured.

Our process security comprises documented security procedures that are regularly updated, a comprehensive incident response plan that describes how we respond to security incidents, regular internal and external security audits to evaluate our security measures, and business continuity planning to ensure that our services can continue even in the event of serious security incidents.

Physical security of our office spaces and servers comprises secured access to all areas where personal data is processed, special access control to server rooms and other critical locations, procedures for the secure destruction of documents and other physical data carriers, and, where necessary, camera surveillance to prevent unauthorised access.

Data breach procedures are crucial for minimising the impact of any security incidents. Should a data breach nevertheless occur despite all our precautions, we have clear procedures to report it to the Dutch Data Protection Authority within 72 hours as required by the GDPR, to inform data subjects directly when there is a high risk to their rights and freedoms, to carry out a thorough investigation into the cause and scope of the incident, and to implement additional security measures to prevent recurrence.

Retention periods for your data

We do not retain your personal data for longer than is necessary for the purposes for which it was collected, or for as long as is legally required. Our retention periods are carefully determined on the basis of the purposes of the processing, legal retention obligations and the needs of our business operations.

For contractual relationships we apply the following retention periods. During an active customer relationship we retain all data necessary for the provision of our services and the maintenance of the customer relationship. After termination of a contract we retain the contractual and financial data for seven years due to tax retention obligations as laid down in the Dutch Civil Code. Communication data such as emails and notes of conversations we retain for two years after our last contact for any support or dispute resolution. Marketing-related data we retain until you unsubscribe from our communication or for a maximum of three years after inactivity.

For prospects and potential customers we apply shorter retention periods because there is no contractual obligation. Active prospects with whom we have no further interaction within two years of the last meaningful contact are automatically removed from our systems. For marketing communication, data is retained until you unsubscribe or until it becomes clear that you are no longer interested in our services. Inactive prospects are automatically removed from our marketing database after one year without any activity.

For website visitors who are not a customer or prospect, we retain analytics data in accordance with the standard periods of the tools used, usually 26 months for Google Analytics. This data is often anonymised, which means it no longer qualifies as personal data. Cookie-related data has various retention periods depending on the type of cookie, whereby marketing cookies remain active for a maximum of two years.

Statutory retention periods take precedence over our own preferences and include tax data that must be retained for seven years after the relevant financial year in accordance with the Dutch Civil Code, payroll data that must be retained for seven years after the end of an employment relationship, and other sector-specific retention obligations that may apply depending on the nature of our services.

Automatic deletion is implemented in our systems to ensure that data is automatically deleted when the retention period has expired. Annually we carry out a comprehensive review of all data stored in our systems to identify and delete outdated information. This process is documented for accountability to regulators.

Your privacy rights under the GDPR

The GDPR gives you several important rights regarding the processing of your personal data. We fully respect these rights and have set up procedures to ensure that you can effectively exercise them.

The right of access gives you the right to know which personal data we process about you. When you submit an access request, we provide you with an overview of all the personal data we hold about you, the purposes for which we use this data, the categories of recipients with whom we may share your data, the retention periods we apply, the source from which we obtained your data if you did not provide it yourself, and information about any automated decision-making we apply. To submit an access request, you can send an email to privacy@odyssee.one with a copy of your identity document on which you have masked the citizen service number (BSN) and the photo to protect your privacy.

The right to rectification offers you the possibility to have incorrect or incomplete personal data corrected. If you find that we hold incorrect information about you, or if certain data is incomplete, you can request us to correct or complete it. We will make the necessary corrections within one month of receiving your request and inform you about the measures taken.

The right to erasure, also known as the right to be forgotten, gives you the right under certain circumstances to demand the erasure of your personal data. You can exercise this right when the personal data is no longer needed for the original purposes for which it was collected, when you withdraw the consent on which the processing was based and there is no other legal basis for the processing, when you object to processing based on legitimate interest and there are no compelling legitimate grounds for continuing the processing, or when your personal data has been processed unlawfully. It is important to know that this right is not absolute and that we may continue to process your data if we have a valid legal basis for doing so, such as a statutory retention obligation.

The right to restriction of processing offers you the possibility to temporarily restrict the processing of your data instead of having it deleted. You can exercise this right when you contest the accuracy of the personal data and we need time to verify it, when the processing is unlawful but you do not want the data to be deleted, when we no longer need your personal data for the processing purposes but you still need it for the establishment, exercise or defence of a legal claim, or when you have objected to processing and we still have to determine whether our legitimate grounds prevail over your objections.

The right to data portability gives you the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format. This right only applies to data you have provided yourself and that is processed on the basis of consent or for the performance of a contract, and where the processing is carried out by automated means. You also have the right to have this data transferred directly from us to another organisation, insofar as this is technically possible.

The right to object gives you the possibility to object to the processing of your personal data in certain situations. You can always object to processing for direct marketing purposes, including profiling related to direct marketing. For other processing based on legitimate interest you can object, but we must then assess whether our compelling legitimate grounds for the processing prevail over your interests, rights and freedoms.

The right regarding automated decision-making and profiling protects you against decisions based solely on automated processing that have legal effects or otherwise significantly affect you. We do not apply fully automated decision-making that has significant consequences for our customers. Should this be the case in the future, we will inform you about it and respect your rights in this regard.

Exercising your rights is easy by contacting us via privacy@odyssee.one or by sending a letter to our postal address for the attention of the Privacy Officer. When submitting a request we need your identity to ensure that we only provide or change your data. A copy of your identity document is therefore required, on which you can mask the citizen service number (BSN) and the photo. We respond to all privacy requests within one month, but for complex requests we may extend this period by a maximum of two months. You will always receive a confirmation of receipt of your request.

Cookies and similar technologies

Our website uses cookies and similar technologies to safeguard functionality, improve the user experience and gain insight into the use of our website. Cookies are small text files that are stored on your device when you visit our website.

Functional cookies are essential for the proper functioning of our website and do not require consent because they are strictly necessary. These cookies provide basic functionalities such as remembering your login details during a session, storing your language preferences, keeping track of items in a virtual shopping cart, security functions that protect against malicious activity, and load balancing to ensure that our website performs well. These cookies are placed automatically and usually have a limited lifespan of a session up to a maximum of one year.

Analytical cookies help us understand how our website is used and enable us to improve the user experience. For this we mainly use Google Analytics in an anonymised configuration whereby IP addresses are truncated and no personally identifiable information is collected. These cookies collect information about pages visited, time spent on the website, referral sources, and technical information about browsers and devices. We also use heatmap tools that show us where visitors click and how they navigate through our website. This information is used solely to optimise our website and is not shared with third parties for commercial purposes. The retention period for analytical cookies is a maximum of 26 months.

Marketing cookies are used for personalised marketing and require your explicit consent. These cookies enable us to show you relevant ads on other websites, link your behaviour on our website to your social media profile, offer personalised content based on your previous visits, and measure the effectiveness of our marketing campaigns. Examples of marketing cookies are Google Ads remarketing cookies, the Facebook Pixel, LinkedIn tracking cookies, and social media widgets. These cookies have a maximum lifespan of two years and you can always disable them via our cookie settings.

Managing your cookie preferences is easy and you have full control over which cookies you accept. On your first visit to our website you will see our cookie banner in which you can choose to accept all cookies, allow only functional cookies, or use advanced settings to determine per category which cookies you want to accept. You can change your preferences at any time via the cookie settings link that is permanently available in the footer of our website, by deleting your browser cookies (although you will then have to set your preferences again), or by adjusting the cookie settings in your browser for future visits.

Third-party cookies are placed by external parties and have their own privacy policy. For the main third-party cookies we refer you to the relevant privacy statements: Google’s privacy policy can be found at policies.google.com/privacy and you can opt out via tools.google.com/dlpage/gaoptout, Facebook’s privacy policy is at facebook.com/privacy/explanation and you can opt out via facebook.com/settings, and LinkedIn’s privacy policy can be found at linkedin.com/legal/privacy-policy with opt-out options via linkedin.com/psettings.

Disabling cookies is possible via your browser settings, although this may limit the functionality of our website. Most browsers offer the possibility to disable cookies entirely, block only third-party cookies, or warn you before cookies are placed. Specific instructions can be found in the help section of your browser or via the privacy and security settings.

Privacy and minors

Our services are primarily aimed at adults and business users. We do not knowingly collect personal data from children under the age of 16 without the consent of parents or guardians, as required by the GDPR.

If you are under 16 and wish to use our website or services, we ask you to first obtain consent from your parents or guardians. Do not provide personal data to us without this consent. We advise parents and guardians to be involved in their children’s online activities and to contact us if they have questions about the processing of their minor children’s data.

Parents and guardians have the same rights with regard to their minor children’s data as data subjects have regarding their own data. This means that they can request access to their child’s data, request correction or erasure, and object to certain processing. For such requests they can contact us via privacy@odyssee.one stating their relationship to the child.

Changes to this privacy statement

This privacy statement may be amended from time to time due to changes in our services, new technological developments, changes in applicable legislation, or feedback from users and regulators. We are committed to always informing you in a timely and transparent manner about important changes.

In the event of substantial changes that affect the way we process your data, we will actively inform you via the email addresses we have for you, place a prominent notice on our website, and, if necessary, ask for your consent again for new processing. For smaller changes that mainly concern clarifications or are the result of legislative changes, we will suffice with publishing the new version on our website.

We advise you to regularly check the date at the top of this privacy statement to see whether there have been any changes. You may also consider signing up for our newsletter in which we communicate important updates about our privacy policy, or following us on social media where we announce significant changes.

We archive all previous versions of our privacy statement so that you can always review which provisions applied at the time you provided specific data to us or used our services.

Contact and complaints procedure

For all questions, comments or requests regarding this privacy statement or our data processing, our team is ready to help you. We strive to handle all privacy-related matters quickly and professionally.

For general privacy questions you can contact our Privacy Officer via privacy@odyssee.one or by sending a letter to our office address for the attention of the Privacy Officer. We respond to all questions within five working days and aim to provide a full answer to more complex questions within two weeks.

For exercising your privacy rights such as access, rectification, erasure or objection, you use the same contact details. Do not forget to enclose a copy of your identity document (with the BSN and photo masked) so that we can verify your identity. We handle all requests within the statutory period of one month, or a maximum of three months for very complex requests.

For contact with our Data Protection Officer you can send an email to fg@odyssee.one. Our DPO is independent and can advise you on your privacy rights, mediate in disputes with our organisation, and oversee compliance with privacy legislation within our organisation.

If you are not satisfied with how we handle your personal data or with our response to your questions or requests, we encourage you to discuss this with us first. We can often reach a solution together that is satisfactory for both parties. To do so, contact us via privacy@odyssee.one and describe as clearly as possible what your objection is and what you would like us to do differently.

Submitting a complaint with the supervisory authority is always possible if you believe that we do not handle your personal data correctly. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) is the Dutch regulator in the area of privacy and data protection. You can submit a complaint via their website autoriteitpersoonsgegevens.nl where you will find an online complaint form, by sending a letter to Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag, or by calling 088-1805250. Submitting a complaint to the AP is free and you do not need to engage a lawyer for this.

This privacy statement was last updated on 25 September 2025. For questions about this privacy statement, you can contact us via privacy@odyssee.one.

We appreciate your trust in our organisation and are committed to respecting and protecting your privacy in accordance with the highest standards of data protection.