Privacy policy

Effective Date: February 28, 2025


OLO GmbH (“we” or “us”) is an AI consulting firm committed to protecting your personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable German laws like the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). This Privacy Policy explains what personal data we collect, how we use and protect it, and your rights. (Note: Information about cookies is provided separately.)

Types of Personal Data We Collect


We only collect personal data that is necessary for the purposes described in this policy. This may include:

  • Contact Information: Name, email address, telephone number, postal address, and other basic contact details.

  • Professional Details: Job title, company/organization name, and business contact information (when you interact with us in a business context).

  • Communication Data: Content of emails, messages, or inquiries you send us and our correspondence with you.

  • Transactional Data: Information related to services you purchase or contracts we enter into (e.g. contract details, invoices, payment information).

  • Technical Data: Basic online identifiers and system logs when you visit our website or IT systems, such as your device’s IP address and timestamps (for security and debugging purposes, not for advertising or profiling).


“Personal data” means any information relating to an identified or identifiable natural person. In practice, this could be any detail that can identify you, directly or indirectly, such as the examples listed above.

Purposes of Data Processing


We process personal data only for specified and legitimate purposes. The main purposes for which OLO GmbH collects and uses personal data are:

  • Providing Our Services: To deliver AI consulting services and fulfill our contracts with clients (e.g. using contact and contractual data to execute a consulting project).

  • Communication: To respond to your inquiries, requests for information, or support questions. If you contact us (via email, phone, or contact form), we will use your data to communicate with you and address your needs.

  • Business Development: To send you relevant information about our services, events, or newsletters if you have requested or consented to such marketing communications. You can opt out at any time.

  • Website Functionality and Security: To operate, maintain, and secure our website and IT systems. For example, we may use technical log data to monitor for network security incidents or to ensure our website is delivered correctly to your browser. This is done to protect our legitimate interests in maintaining a safe and reliable service.

  • Legal Compliance and Obligations: To comply with our legal obligations, such as maintaining records for tax and accounting purposes, or disclosing information when required by laws or authorities (e.g. complying with court orders or regulations).

  • Enforcement of Rights: If necessary, to establish or defend legal claims or prevent fraud or misuse of our services. This includes using data as needed to enforce contracts or protect our company’s rights in case of disputes.


We will not use your personal data for new, incompatible purposes without updating this policy or seeking your consent when required. We do not engage in any automated decision-making or profiling that produces legal effects concerning you; all AI analyses we conduct for clients are on non-personal or client-provided data, or are performed under contract with appropriate safeguards.

Legal Bases for Processing


Under the GDPR, any processing of personal data must have a lawful basis. Depending on the specific context, OLO GmbH relies on one or more of the following legal bases:

  • Consent (Art. 6(1)(a) GDPR): We will ask for your consent before processing personal data for certain purposes. For example, we rely on consent to send you marketing emails or newsletter updates. You have the right to withdraw consent at any time (see Your Rights below), and we will only continue processing on this basis as long as consent remains in place.

  • Contractual Necessity (Art. 6(1)(b) GDPR): We process data that is necessary to perform a contract with you or to take steps at your request before entering a contract. For instance, if you engage our consulting services, we will process your contact details, project requirements, and billing information to fulfill that contract. Similarly, if you ask for a service proposal, we may process your data to prepare and negotiate an agreement.

  • Legal Obligation (Art. 6(1)(c) GDPR): Some data processing is required by law. This includes processing personal data to meet legal obligations, such as retaining invoices for tax compliance or providing information to authorities if legally compelled. For example, German tax law requires us to keep invoice data for 10 years. In such cases, we process and retain data as needed to comply with those laws.

  • Legitimate Interests (Art. 6(1)(f) GDPR): We may process personal data as necessary for our legitimate business interests, provided such interests are not overridden by your fundamental rights and freedoms. We carefully consider and balance our interests with your privacy. Examples of legitimate interests include: maintaining the security of our IT systems and website (e.g. storing server logs to detect misuse), responding to unsolicited inquiries, improving our services, or keeping basic contact information of clients for ongoing business relationship management. If we rely on this basis, we ensure our use is what you would reasonably expect and has minimal privacy impact. You have the right to object to processing based on legitimate interests (see Your Rights).

(We generally do not process data under the “vital interests” or “public interest” bases (GDPR Art. 6(1)(d) or (e)), as these typically apply to emergency or public authority situations. If that ever were to occur, we would only do so in strict accordance with the GDPR.)

Data Retention Periods


We adhere to the principle of storage limitation, meaning we keep personal data no longer than necessary for the purposes for which it was collected. In practice, this means:

  • General Retention: We retain your personal data only for as long as it is needed to fulfill the purposes outlined in this policy or as required by law. Once the data is no longer needed, we will delete or anonymize it.

  • Inquiries and Communication: If you contact us but do not become a client or engage our services, we will generally delete the correspondence and your contact details after a reasonable period of time following the conclusion of your inquiry. For example, routine inquiry emails may be kept for up to 1–2 years for reference, then securely deleted, unless further retention is justified (e.g. you later enter a contract with us or have given consent to receive updates).

  • Contractual and Client Data: For clients with whom we have contracts, we retain personal data for the duration of the contractual relationship. After the contract ends, we may retain relevant data for the applicable statutory retention periods. In Germany, commercial and tax laws mandate retaining certain records (such as contracts, invoices, and financial transactions) for 6 to 10 years. We will retain such data as required until those periods lapse, then delete it in accordance with our data deletion schedules.

  • Legal Compliance and Disputes: If we are under a legal obligation to keep data longer (for example, due to a litigation hold, audit requirements, or an ongoing legal dispute), or if we need the data to establish, exercise, or defend legal claims, we will retain the data for as long as required to fulfill those purposes. In such cases, the data will be restricted to only those uses and deleted once no longer legally necessary.

  • Job Applications (if received): Should you apply for a job with us, we will use your application data only for the recruitment process. If your application is unsuccessful, we typically delete your data after the process concludes, unless you consent to a longer retention for future opportunities. Successful applicants’ data will be stored in their personnel file in compliance with employment laws.

After the applicable retention period ends, we will ensure your personal data is either securely deleted or irreversibly anonymized. If physical records exist, they will be shredded or otherwise destroyed. We also periodically review the data we hold and erase or anonymize information that is no longer needed.

Data Sharing with Third Parties


We treat your personal data as confidential and do not sell or rent it to third parties. We only share your data with third parties in the following circumstances:

  • Service Providers (Processors): We use trusted third-party service providers to help us operate our business and the services we provide. This may include IT hosting providers, cloud storage services, email delivery services, customer relationship management (CRM) software, or other vendors. These parties process personal data only on our behalf and under our instructions, for the purposes we’ve described (for example, a cloud provider stores backup copies of our project files, which may include your contact information). We sign data processing agreements with such providers to ensure they protect your data and use it solely for the agreed purpose. These processors are bound to confidentiality and security obligations equivalent to ours.

  • Within Our Corporate Group: If OLO GmbH is part of a group of companies or has affiliates, we may share data with our affiliated entities as needed for internal administrative purposes or to provide our services to you. (For example, if we have a branch or parent company assisting in service delivery, we might share your project details with them.) In such cases, access to personal data is limited to what is necessary, and all affiliates follow the same privacy protections. (Note: As of now, OLO GmbH operates as a single company based in Germany, so this sharing is minimal to non-existent.)

  • Business Partners: In some cases, we may work with partner firms or subcontractors on projects (for instance, collaborating with another consulting specialist on an aspect of a client engagement). We will only share personal data with such partners if it is necessary for project execution and if we have appropriate agreements in place. These partners will be required to use the data only for the agreed purpose and to treat it in line with GDPR standards.

  • Legal Requirements and Safety: We may disclose personal data to third parties if required to do so by law or valid legal process (such as in response to a subpoena, court order, or regulatory request). We may also share information if necessary to protect vital interests of individuals, to prevent serious harm, or to exercise, establish or defend our legal rights. For example, we might need to provide information to law enforcement authorities to investigate fraud or security incidents, or to our legal/tax advisors for auditing and compliance.

  • Corporate Transactions: In the unlikely event that OLO GmbH undergoes a business transaction such as a merger, acquisition, restructuring, or asset sale, personal data may be transferred to the new ownership or involved parties. In such cases, we will ensure the data remains subject to this Privacy Policy and applicable data protection laws. We would inform you of any such transfer and your options, if required by law.

Third-Party Recipients: Any third party that receives personal data as described above will only get the minimum information necessary. We do not allow any third party to use your data for their own marketing or other purposes unrelated to the reason we shared it. We also require third-party recipients to have appropriate data protection measures in place. Apart from these situations, no external parties will have access to your personal information.

International Data Transfers


OLO GmbH is based in Germany and generally processes personal data on servers within the European Union. However, in certain cases we may transfer or allow access to personal data from countries outside the European Economic Area (EEA). For example, we might use a cloud IT service or contractor located outside Europe. In all cases of international transfer, we will ensure an adequate level of data protection as required by GDPR Chapter V:

  • Adequacy Decisions: We prefer to work with services in countries that the European Commission has determined have an adequate level of data protection comparable to the EU (GDPR Art. 45). If your data is transferred to such a country, it is protected under that country’s privacy laws which are recognized as strong by the EU.

  • Standard Contractual Clauses: For transfers to countries without an adequacy decision (such as the United States, in cases where our service providers are US-based), we implement appropriate safeguards in line with GDPR Art. 46. The most common safeguard we use is the European Commission’s Standard Contractual Clauses (SCCs). These are contractual commitments that the foreign recipient of the data must adhere to, contractually ensuring your data enjoys GDPR-level protection even overseas. We have SCCs in place with our major service providers outside the EEA.

  • Additional Measures: In light of European court rulings, we also assess each cross-border data transfer to ensure that, beyond signing SCCs, there are no legal gaps. This might include technical measures like encryption in transit and at rest, so that data is protected from unauthorized access by third-country authorities. In some cases, we may rely on EU-U.S. Data Privacy Framework certification for transfers to the U.S., if the recipient is certified under that framework, which indicates an adequate level of protection.

  • Exceptions (Art. 49 GDPR): We will only rely on the GDPR’s specific derogations for international transfers in exceptional situations. For example, if you explicitly consent to a transfer after being informed of possible risks, or if the transfer is necessary to perform a contract with you (like booking you into a service located in a third country at your request), we might transfer data under those narrow conditions. These exceptions are used sparingly and in line with the law.

You can request a copy of the safeguards we use for international transfers (such as a copy of the relevant contractual clauses) by contacting us. We will not transfer your personal data to any international organization or country unless it is lawfully permitted and protected as described. Our goal is to ensure that your data remains secure and your rights intact wherever it may be processed.

Security Measures to Protect Personal Data

We take appropriate technical and organizational security measures to safeguard your personal data against unauthorized access, alteration, loss, or disclosure. We regularly review and update these measures to meet industry standards and legal requirements (GDPR Art. 32). Our measures include:

  • Access Control: Personal data is accessible only by authorized personnel who need it for their job duties. We limit and manage staff access through user accounts, role-based permissions, and authentication safeguards (such as strong passwords and, where appropriate, two-factor authentication). Staff are trained in data protection and are bound by confidentiality agreements.

  • Data Encryption: We employ encryption technology to protect data in transit and at rest whenever feasible. For instance, our website uses HTTPS (TLS encryption) to secure data transmitted between your browser and our site. Sensitive data stored on our systems or with cloud services is encrypted or pseudonymized, adding an extra layer of protection in case of unauthorized access.

  • Secure Infrastructure: Our IT infrastructure (including servers, networks, and devices) is protected by firewalls, antivirus software, and intrusion detection systems to prevent and monitor for potential security breaches. We keep software up-to-date with security patches. Regular backups are performed to prevent data loss, and those backups are secured.

  • Physical Security: For any on-site data (e.g., documents or local servers at our office), we have physical security controls. Our offices are secured (with controlled entry), and paper records containing personal data are kept in locked cabinets with restricted access. When such records are no longer needed, we shred or securely dispose of them.

  • Vendor Due Diligence: When we use third-party service providers (processors) that handle personal data, we carefully vet their security practices. We choose reputable providers with robust security certifications or standards (for example, ISO 27001 for information security or SOC 2 compliance). We ensure through contracts that they implement appropriate technical and organisational measures and that they promptly inform us of any data breaches.

  • Breach Response: We have a data breach response plan. Despite best efforts, if a security incident occurs that poses a risk to personal data, we will notify the affected individuals and the relevant authorities (such as the German data protection authority) without undue delay as required by GDPR (Articles 33 and 34). We treat your data security with utmost priority.

These measures are designed to provide a level of security appropriate to the risk of the personal data processing. However, please note that no system is 100% secure; if you have reason to believe that your interaction with us or your data might no longer be secure (for example, if you suspect a vulnerability on our website), please notify us immediately so we can take prompt action.

Your Rights Under the GDPR

As a data subject, you have several rights regarding your personal data that we respect and uphold, in accordance with GDPR and German law. You may exercise the following rights:

  • Right to Information and Access: You have the right to obtain confirmation as to whether we are processing personal data about you, and if so, to access that data along with certain information. This includes details about the purposes of processing, categories of data, recipients, retention periods, and the safeguards relating to any international transfers. Upon request, we will provide you with a copy of your personal data undergoing processing (the first copy is free of charge). (GDPR Art. 15)

  • Right to Rectification: You have the right to request that we correct or update any inaccurate or incomplete personal data we hold about you. We will rectify incorrect information without undue delay. (GDPR Art. 16)

  • Right to Erasure: Also known as the “right to be forgotten,” this right allows you to ask us to delete your personal data in certain circumstances. You can request erasure if the data is no longer needed for the original purpose, if you withdraw consent and no other legal basis exists, if you object to processing and we have no overriding legitimate grounds, or if the data was unlawfully processed. We will honor valid erasure requests without undue delay, except where retention is required by law or other limited exceptions apply. (GDPR Art. 17)

  • Right to Restriction of Processing: You have the right to request a temporary halt to processing of your personal data in certain scenarios. For example, if you contest the accuracy of your data or have objected to processing (pending verification of our grounds), or if processing is unlawful but you prefer restriction over deletion. When processing is restricted, we will store your data but not use it until the issue is resolved (except to the extent allowed by law). (GDPR Art. 18)

  • Right to Data Portability: For data you have provided to us and which we process by automated means based on your consent or a contract, you have the right to receive that data in a structured, commonly used, machine-readable format and to request that we transmit it to another controller where technically feasible. In plain terms, this allows you to reuse your data across different services. (GDPR Art. 20)

  • Right to Object: You have the right to object to certain data processing activities. You can object at any time to processing of your personal data when it’s based on our legitimate interests (Art. 6(1)(f)), including any profiling on that basis. If you lodge an objection, we will stop the processing in question unless we have compelling legitimate grounds that override your interests, rights, and freedoms, or if we need to continue processing for the establishment or defense of legal claims. Importantly, if we process your data for direct marketing purposes, you have an absolute right to object at any time and we will immediately stop using your data for marketing. (GDPR Art. 21)

  • Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of any processing done before the withdrawal, but it means we will cease the processing that was based on consent going forward. For example, you can unsubscribe from our newsletter or withdraw consent for optional data uses and we will respect that choice. (GDPR Art. 7(3))

  • Right Not to be Subject to Automated Decisions: We do not typically make decisions based solely on automated processing (without human involvement) that produce legal or similarly significant effects on individuals. If we ever do so (for instance, in a hypothetical future where we use an AI tool to screen candidates or something similar), you would have the right not to be subject to such a decision without human intervention. In addition, you would have the right to express your point of view and contest the decision. (GDPR Art. 22) Again, this is largely theoretical for us at this time, as our processing involves human decision-making.

These rights are subject to certain limitations and exemptions under the GDPR and BDSG. For instance, if fulfilling your request would adversely affect the rights and freedoms of others, or if we are legally required to retain data, we might not be able to comply fully, but we will explain the situation to you if that occurs. Generally, however, we will do our best to accommodate any request you make in exercising your rights.

How to Exercise Your Rights

You can exercise any of your data protection rights by contacting us (see Contact Details below). There is no formal requirement – you may contact us by email, post, or telephone. To help us process your request efficiently, please provide your name and specify which right you wish to exercise and what personal data your request relates to. You may use the keyword “GDPR request” in your communication.

Response Time: We will respond to your request without undue delay, and in any event within one month of receiving it. Under GDPR, we can extend this period by an additional two months if the request is complex or if we have received numerous requests from you, but we will inform you within the first month if an extension is needed and the reasons why. Our response will address the actions we have taken on your request or provide an explanation if we cannot fulfill it in whole or in part (with legal justification).

Verification: For your security, we may need to verify your identity before executing certain requests, especially for access, deletion, or portability. This is to ensure that personal data is not disclosed to or altered by someone who is not entitled to it. We might ask you to provide information that confirms you are the data subject in question (for example, sending the request from the email address we have on file, or providing a piece of identification in a secure manner). Any identity documents or additional data provided for verification will be used strictly for that purpose and deleted afterward.

Cost: In general, exercising your rights is free of charge. You will not have to pay any fee for legitimate requests. However, if your requests are manifestly unfounded or excessive (for example, repetitive requests), the GDPR allows us to either charge a reasonable fee taking into account the administrative costs, or refuse to act on the request. We have never had to do this, and we commit to handling requests fairly. We will always inform you if any fee or refusal is contemplated and the reasons for it.

We kindly note that if you withdraw consent or request erasure, this could affect our ability to provide you with certain services (for example, if you ask us to delete all your contact information while you still have an ongoing project with us, we might not be able to continue that project without using your data). We will inform you if such a situation arises, so you can decide how to proceed.

Finally, if you have any questions about your rights or the process, please feel free to ask us. We are here to help and take your privacy seriously.

Contact Details for Privacy Inquiries


If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact us. We are the “data controller” for the purposes of GDPR and can be reached at:


OLO GmbH
Hildegardstr. 4
80333 Munich
Germany


Email: privacy@odyssean.ai



Your inquiry will be reviewed by our privacy team, and we will reply as soon as possible.

Right to Lodge a Complaint with a Supervisory Authority

We hope to resolve any issue or query you might have, but if you believe we have not handled your personal data properly or your requests or concerns have not been addressed satisfactorily, you have the right to lodge a complaint with a data protection supervisory authority. Without prejudice to any other administrative or judicial remedy, you can contact the supervisory authority directly about our data processing practices (GDPR Art. 77).

OLO GmbH’s lead supervisory authority in Germany is the data protection authority of the state of Bavaria, since our headquarters are in Munich. You may contact this authority at:

Bavarian State Office for Data Protection Supervision (BayLDA) – “Bayerisches Landesamt für Datenschutzaufsicht”
Promenade 18, 91522 Ansbach, Germany
Postal address: P.O. Box 1349, 91504 Ansbach, Germany
Phone: +49 (0)981 180093-0
Fax: +49 (0)981 180093-800
Email: poststelle@lda.bayern.de
Website: lda.bayern.de


You can also choose to contact the data protection authority in the EU country of your habitual residence or workplace, or where the alleged infringement occurred, if different. The supervisory authority will then inform us and investigate your complaint. You will not be penalized or refused service for exercising your right to complain; we fully respect this right.

We encourage you to contact us first to try to resolve any issue directly, but you are entitled to approach the authority at any time. The BayLDA (or any competent authority) will provide you with further guidance on how to submit a complaint. For instance, you may need to provide some information and proof of identity to the authority as part of the process.

Thank you for reading our Privacy Policy. We are committed to transparency and protecting your privacy. We may update this policy from time to time to reflect changes in our practices or legal requirements. If we make significant changes, we will notify users appropriately. We encourage you to review this policy occasionally. If you have any questions or feedback about this Privacy Policy, please do not hesitate to contact us at the contact information provided above. Your trust is important to us, and we will continue working hard to keep your personal data safe and secure.

Cookie policy

Effective Date: February 28, 2025


We use cookies and similar technologies at OLO GmbH to help improve your experience on our website at https://odyssean.ai/ and across other sites that we own and operate. This cookie policy is part of OLO GmbH's privacy policy and explains our use of cookies, your choices regarding cookies, and basic information on third-party services that may also use cookies.

If you don’t wish to accept certain cookies from us, you may refer to the “Manage Your Privacy & Cookie Settings” section below for details. However, please note that some functionality or features may not be available if certain cookies are disabled.

What is a Cookie?

A cookie is a small piece of data stored on your device when you visit a website. It typically contains information about the website, a unique identifier for your web browser, additional data for the cookie’s purpose, and the cookie’s lifespan.

Cookies serve various purposes, such as enabling essential features (e.g., logging in), tracking website usage (e.g., analytics), storing user preferences (e.g., time zone, notification settings), and personalizing content (e.g., advertisements, language preferences).

Cookies set by the website you’re visiting are called first-party cookies and generally only track activity on that site. Cookies set by third parties are called third-party cookies, and they may track your activity on other websites that use the same third-party service.

Types of Cookies We Use

  • Strictly Necessary & Essential: These items are required to ensure core functionality. As the website will not function properly without them, they are enabled by default and this cannot be changed.

  • Analytics & Performance: This enables us to improve our website by collecting and reporting information on its usage. It helps us better understand how people interact with the website and if there are any technical issues that could impact your experience.

  • Functional & Personalization: This allows us to provide you with a more personalized experience on our website and to remember choices you make when you use our website. For example, we may remember your preferred language, your region or timezone, or other personal settings like login information.

  • Marketing & Advertising: This helps us deliver personalized marketing content to you, including advertisements, that is more relevant to your interests. This may also be used to limit the number of times you see certain marketing content and to measure the effectiveness of different marketing campaigns.

  • Unclassified: From time to time, there may be newer items under review that have not yet been classified into a specific category. Once reviewed, they will be assigned to the appropriate category based on their purpose and functionality.

Manage Your Privacy & Cookie Settings

You have the right to accept or reject certain cookies on our website. You can manage your cookie preferences through our consent manager, where you can select the categories of cookies you accept or reject. Essential cookies cannot be rejected as they are strictly necessary to provide you with services on our website.

Additionally, you can adjust your cookie preferences via your web browser settings. Since each web browser varies, consult your web browser’s instructions (typically in the "help" section) for managing cookie settings. Disabling cookies may limit the website's functionality.

Data Sharing & Third-Party Cookies

Some cookies we use are provided by third-party service providers for analytics, advertising, or other purposes. Third parties may use cookies to collect data on our behalf, but they are limited to using this data only for specific purposes and per applicable privacy regulations.

We may share cookie-related data with third parties under strict data protection agreements, particularly where required to comply with applicable law or where third parties provide services such as data analytics or advertising.

How Often Will We Update This Cookie Policy?

We may update this Cookie Policy from time to time to reflect changes to the cookies and technologies we use, or for other operational, legal, or regulatory reasons. Any updates will become effective as of the "Effective Date" listed at the top.

Each time you use our website, the current version of the Cookie Policy will apply. Please check this policy periodically to review any changes.

Where Can You Obtain Further Information?

If you have questions or concerns about our Cookie Policy or our data practices, you can reach out to our Privacy Officer at:


OLO GmbH
Hildegardstr. 4
80333 Munich
Germany


Email: privacy@odyssean.ai