LEGAL

Privacy Policy

This policy explains how Odal collects, uses, stores, and protects personal data when you use our website, CRM, tracking script, and ad platform integrations.

Last updated — May 7, 2026

Who we are and how to contact us

Odal is operated by BRIGHT BRAND HOLDINGS LTD (trading as The Bright Brand and Odal), registered in England and Wales (company number 15918777).

Registered office: 124 City Road, London, England, EC1V 2NX.

For privacy requests, contact hello@odal.io. We do not currently have a separately appointed Data Protection Officer; this mailbox is monitored for data protection matters.

Personal data we collect

Depending on how you use Odal, we may collect:

  • Account and profile data (name, work email, company name, login and workspace details)
  • Support and communication data (messages, support requests, product feedback)
  • Form submission data captured via the Odal tracking script, including names, emails, phone numbers, company names, free-text form messages, and submitted field values
  • Technical and session data such as IP address (from web requests), browser and device metadata, user agent, screen resolution, timezone, and session duration
  • Attribution and analytics data including UTM parameters, click IDs, referrer, page history, touchpoint history, and visitor identifiers
  • Optional session instrumentation identifiers where enabled on tracked sites (for example Hotjar session ID and FullStory session URL)
  • Data from connected ad platforms (via OAuth-authorized access) including ad account information, campaign structures, spend, conversions, performance metrics, audience-related metrics, and creative metadata

How we collect data

  • Directly from users during registration, login, onboarding, and ongoing platform use
  • From client websites using the Odal tracking script (a first-party JavaScript snippet installed by our customers)
  • From ad platforms connected by customers via OAuth 2.0, where customers explicitly grant Odal read access on their behalf

The tracking script uses first-party browser storage to support attribution:

  • Cookie _oid (visitor identifier, 365-day expiry)
  • localStorage odal_ft (first-touch attribution)
  • localStorage odal_lt (last-touch attribution)
  • localStorage odal_tp (touchpoint history, capped at 50 entries)
  • localStorage odal_pv (page view history, capped at 100 entries)

The script may also read UTM parameters from window.dataLayer when available and supports cross-domain tracking through an optional data-cross-domains configuration that passes the visitor ID between approved domains.

Ad platform data we access on your behalf

When you connect integrations, Odal may access the following categories of data from each platform:

  • Google Ads: campaign, ad group, ad performance metrics, spend, conversion and audience-related data
  • Meta Ads: ad account data, campaign performance metrics, creative metadata, and audience-related data
  • Microsoft Advertising: campaign performance metrics, spend, and conversion data
  • TikTok Ads: campaign/ad group/ad performance metrics, spend, and conversion data
  • LinkedIn Ads: campaign performance metrics, spend, and audience-related metrics

Why we use personal data

We process personal data to:

  • Provide and operate Odal as a CRM and attribution platform
  • Deliver cross-channel campaign reporting and analytics
  • Connect ad spend and touchpoints to leads, opportunities, and closed revenue
  • Support tracking of website form submissions and attribution journeys
  • Maintain security, prevent abuse, troubleshoot issues, and improve service quality
  • Communicate product updates, support responses, and operational notices

Google API Services data use and Limited Use disclosure

Google user data accessed through Google APIs is used solely to provide and improve Odal's user-facing reporting and attribution features. We do not use Google user data for advertising, retargeting, sale to data brokers, or building user profiles unrelated to providing Odal services.

Odal's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

How data is shared

We do not sell personal data. We share data only where necessary to provide Odal or where required by law.

  • Infrastructure and hosting providers (including providers used to operate the application and database, such as Vercel and Supabase)
  • Service providers that support security, delivery, and product operations under contractual safeguards
  • Professional advisers and regulators where legally required
  • Law enforcement or government authorities when disclosure is required by applicable law

Data retention and deletion

  • Active customer data is retained for as long as needed to provide the service and meet legal duties
  • When an account is terminated or a deletion request is confirmed, we delete applicable account and service data within 30 days
  • Some information may remain in encrypted backups for a limited period before automatic overwrite or secure deletion

Security measures

We use technical and organizational safeguards designed to protect personal data, including access controls, encrypted transport, role-based permissions, monitoring, and least-privilege operational practices.

International data transfers

Where data is processed outside the UK, we use appropriate safeguards such as UK International Data Transfer Addendum/Standard Contractual Clauses, adequacy regulations, or equivalent lawful transfer mechanisms.

Your UK GDPR rights

Subject to applicable law, you may have the right to:

  • Access personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request restriction of processing
  • Object to processing
  • Request data portability
  • Withdraw consent where processing is based on consent

To exercise these rights, contact hello@odal.io. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Cookies and similar technologies

Odal uses first-party browser storage and cookies to provide attribution and reporting functionality, as described above. Customers who deploy the Odal tracking script on their own websites are responsible for implementing appropriate cookie consent and visitor privacy disclosures under applicable laws.

Users who connect Microsoft account data can manage or revoke application access via myapps.microsoft.com.

Changes to this policy

We may update this Privacy Policy from time to time. If changes are material, we will provide notice through appropriate channels, such as in-app notifications or email.