Privacy Policy
Version 2.0 · Last updated: June 3, 2026
This Privacy Policy explains how Digital Peax OÜ ("Odaq", "we", "us") processes personal data when you visit odaq.ai, create an account, and use the Odaq platform. It is drafted in line with Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus).
Odaq acts in two distinct roles. We are the data controller for the data we collect to operate our business — your account, billing, support, and security data. We act as a data processor on your behalf for the marketing data you connect or upload (for example your GA4, Meta Ads, or Search Console data), where you remain the controller. Sections 2 and 3 explain which role applies to which data.
1. Controller Identity
The controller responsible for the processing described in this policy is:
- Legal name: Digital Peax OÜ
- Registered office: Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia
- Estonian Business Register (Äriregister) code: 14320659
- EU VAT number: EE102001457
- Managing Director: Sarp Dernek
- Data-protection contact: info@odaq.ai
Full legal disclosure is available in our Imprint.
2. Personal Data We Process & Its Sources
2.1 Data you provide directly, or that we collect from your use (Art. 13). For this data we are the controller:
- Account & identity data: name, email address, and profile picture when you register or sign in with Google.
- Authentication data: session tokens and sign-in events (managed via NextAuth.js).
- Marketing preferences: your opt-in choice and the date it was recorded, if you consent to marketing.
- Support & sales communications: messages you send us, including enterprise/contact-sales enquiries.
- Usage & technical data: features used, session data, IP address, device/browser metadata, and request logs.
- Billing & credit records: plan, credit balance, and usage needed to operate the free tier and any paid plans.
2.2 Data ingested from your connected accounts and inputs (Art. 14). When you connect a platform or provide inputs, we ingest data from those sources to deliver the service. For this data you are the controller and we act as your processor:
- Google Analytics 4: traffic metrics, user-behaviour and audience data, and conversion events from your GA4 properties.
- Google Ads: campaign, ad, cost, and conversion data from your Google Ads accounts.
- Google Search Console: search-performance, query, and indexing data from your properties.
- Google Tag Manager: container and tag configuration from your GTM accounts.
- Meta Ads: ad-account and campaign performance data from your Meta accounts.
- Ahrefs / SEO data: SEO, backlink, keyword, and crawl/SERP outputs (via your Ahrefs token or our SEO data backend).
- File uploads & crawler outputs: documents, assets, and website-crawl results you supply or trigger.
- Agent inputs & outputs: prompts, chat history, and the insights, charts, and copy generated by our Insight, Canvas, and Scribe agents.
- Hive Mind episodic memory: project-scoped, PII-sanitized summaries of what worked in prior agent sessions, stored as vector embeddings so agents improve over time.
Some of this connected data may relate to your end users (for example pseudonymous identifiers or on-site behaviour in your analytics). You are the controller for that data; we process it only on your documented instructions to provide the service. Because we receive it from your connected platform rather than from those individuals directly, and contacting them directly would be impossible or disproportionate, GDPR Art. 14(5)(b) applies — you are responsible for informing your end users of this processing under your own privacy notice.
3. Purposes of Processing & Legal Basis
We process personal data for the following purposes, each on the legal basis stated:
- Account creation & service delivery — operating your account and providing the platform: performance of a contract (Art. 6(1)(b)).
- Processing your connected marketing data with our AI agents — generating insights, charts, and copy from the data you connect: performance of a contract with you (Art. 6(1)(b)). Where that data includes your end users' personal data, we act as your processor under a data processing agreement (Art. 28), and you are responsible for the lawful basis toward those end users.
- Marketing communications — product updates and newsletters: your consent (Art. 6(1)(a)), withdrawable at any time.
- Service security & abuse prevention — authentication, rate-limiting, bot protection (Cloudflare Turnstile), and fraud prevention: our legitimate interests (Art. 6(1)(f)). Balancing test: we process limited technical data (IP address, request metadata, sign-in events) only as needed to keep the platform secure and available. Users reasonably expect basic security processing; it is minimised and does not override your fundamental rights. You may object under Art. 21.
- Legal compliance — accounting/tax records and responding to lawful authority requests: compliance with a legal obligation (Art. 6(1)(c)).
Google user data. Odaq's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for targeted advertising, sell it to third parties, use it for creditworthiness decisions, or use it to train AI/ML models unrelated to the user-facing features of Odaq.
4. Recipients & Sub-processors
We do not sell or rent your personal data. We share it only with vetted sub-processors that help us run the platform, each bound by a data processing agreement, and in the limited circumstances below:
- Sub-processors: infrastructure, AI, email, and security providers listed on our Sub-processors page.
- Legal requirements: where disclosure is required by law or valid request from a public authority.
- Business transfers: in a merger, acquisition, or asset sale, with notice to affected users.
We maintain an up-to-date list of sub-processors and commit to giving at least 30 days' advance notice of any new sub-processor, so you have the opportunity to object before it begins processing your data.
5. International Transfers
Some of our sub-processors are established in the United States, so providing the service involves transferring personal data outside the European Economic Area. Each such transfer is protected by an appropriate Art. 46 safeguard:
- EU–US Data Privacy Framework (DPF) adequacy decision (July 2023), where the provider is self-certified — currently Vercel, Google, Cloudflare, and Neon.
- Standard Contractual Clauses (SCCs), Module 2 (controller-to-processor), for providers not relying on the DPF — including OpenAI, Anthropic, Resend, and DataForSEO — supported by transfer impact assessments and supplementary measures where appropriate.
The provider-by-provider transfer mechanism is set out on the Sub-processors page. You may request a copy of the relevant safeguards by emailing info@odaq.ai.
6. Retention Periods
We keep personal data only for as long as needed for the purpose it was collected. Our standard retention periods are:
| Data category | Retention period |
|---|---|
| Account & profile data | Until you delete your account, then purged within 30 days. |
| OAuth access/refresh tokens (GA4, Google Ads, GSC, GTM, Meta) | Held encrypted while the integration is connected; deleted on disconnect or account deletion. |
| Connected-platform data pulled for analysis | Cached transiently per data type (e.g. SEO cache 6 hours–7 days); not retained beyond the cache window or account deletion. |
| Chat history, insights, Canvas/Scribe outputs | Until you delete them or delete your account. |
| Hive Mind episodic memories (PII-sanitized) | Project-scoped for the life of the project; deleted on project or account deletion. |
| Marketing-consent record | Until you withdraw consent, plus a record of the withdrawal to evidence compliance. |
| Security & audit logs | Up to 90 days. |
| Encrypted database backups | Up to 35 days (point-in-time-restore window), then overwritten. |
| Billing & accounting records | Up to 7 years, as required by the Estonian Accounting Act (Raamatupidamise seadus). |
7. Your Data Subject Rights
Subject to the conditions in the GDPR, you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectification of inaccurate or incomplete data (Art. 16)
- Erasure ("right to be forgotten") (Art. 17)
- Restriction of processing (Art. 18)
- Data portability — receive your data in a structured, machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time, without affecting prior lawful processing (Art. 7(3))
You can exercise most rights yourself from your Account Settings: delete your account and all associated data, disconnect any integration to revoke its tokens and synced data, or update your marketing preferences. For access, portability, or any request you cannot complete self-serve, email info@odaq.ai. We respond to verified requests within 30 days. A self-serve data export is on our roadmap; until it ships we provide exports on request.
8. Automated Decision-Making & Profiling
Odaq's AI agents — Insight, Canvas, and Scribe — analyse your inputs and connected marketing data to produce insights, charts, and copy that may inform your marketing decisions. These outputs are recommendations: a human (you) reviews them and decides whether to act.
We do not carry out automated decision-making that produces legal effects concerning you, or similarly significantly affects you, solely by automated means without human review, within the meaning of Art. 22 GDPR.
9. Data Protection Officer
We have assessed our obligation under Art. 37 GDPR to appoint a Data Protection Officer. Our core activities do not consist of large-scale regular and systematic monitoring of data subjects, nor large-scale processing of special categories of data. We have therefore determined that appointing a DPO is not mandatory at our current scale. We have nonetheless designated a data-protection contact (info@odaq.ai) and will re-assess this determination as we grow.
10. Children
Odaq is a business tool that is not directed at children, and our Terms of Use require users to be at least 18. We do not knowingly collect personal data from anyone under 16. While Estonia's Personal Data Protection Act sets the digital-consent age for information-society services at 13, we apply the higher 16+ threshold, consistent with the GDPR default and our 18+ Terms. If we learn that we hold personal data from someone under this age, we will delete it without undue delay.
11. Right to Lodge a Complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead authority is:
- Authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate)
- Address: Tatari 39, 10134 Tallinn, Estonia
- Website: www.aki.ee
You may also complain to the supervisory authority in your country of habitual residence or place of work.
12. Cookies
Odaq uses only essential functional cookies and no tracking or advertising cookies. For details, see our Cookie Policy.
13. Changes to This Policy
This is Version 2.0, last updated on the date shown above. We may update this policy to reflect changes in our practices or legal obligations. For material changes, we will notify registered users by email or an in-app notice before the change takes effect, and we keep prior versions available on request.
14. Contact Us
For any privacy question or to exercise your rights, contact our data-protection contact:
info@odaq.ai
Digital Peax OÜ · Sepapaja tn 6, 15551 Tallinn · Estonia