Privacy Notice
How Odda Digital System AS processes personal data
Document Owner: Odda Digital System AS Audience: Website visitors, prospects, customer contacts, job applicants Effective date: 5 June 2026 Version: 002
1. Who we are
Odda Digital System AS ("Odda Digital System", "we", "us", "our") is a Norwegian limited liability company (aksjeselskap), organisation number 918 167 803, with registered office at Holmavegen 29, 5750 Odda, Ullensvang kommune, Norway.
We build and operate software products, including Visual Tracking and Visual Registration, and provide related digital services. This notice concerns the personal data we process as a company, including through this website.
For matters relating to this notice or to personal data processed by us, contact our Data Protection Officer (personvernombud under GDPR Article 37):
- Name: Guilherme Elid
- Email: guilherme@oddadigitalsystem.no
- Postal: Odda Digital System AS, attn. DPO, Holmavegen 29, 5750 Odda, Norway
2. Scope of this notice
This notice describes processing where Odda Digital System acts as the Controller of your personal data under the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the Norwegian Personal Data Act (personopplysningsloven, lov om behandling av personopplysninger).
It covers personal data we process when you:
- Visit oddadigitalsystem.no
- Contact us through the website, by email, or by phone
- Subscribe to our newsletter or product updates
- Take part in a discovery call, demo, or pilot for the Service
- Become a named contact under a Customer's Order Form (sponsor, Business Central administrator, billing contact, Data Protection Contact, or legal contact)
- Apply for a position at Odda Digital System
This notice does not cover the personal data Odda Digital System processes inside Customers' Business Central tenants on behalf of those Customers. That processing is governed by the Data Processing Addendum (DPA) that forms part of each Customer's contract with Odda Digital System, where the Customer is the Controller and Odda Digital System is the Processor.
3. What personal data we collect and why
3.1 Website visitors
When you visit our website we collect:
| Category | Examples | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|---|
| Technical access data | IP address, browser type and version, device type, pages visited, timestamps, referring URL | Site security; analytics for content improvement | Article 6(1)(f) legitimate interest (security); Article 6(1)(a) consent (analytics) | Server logs: 30 days. Analytics: see Cookie Policy. |
| Cookies and similar identifiers | First-party preference cookies; third-party analytics cookies | Site preferences; usage analytics | Article 6(1)(f) legitimate interest (strictly necessary); Article 6(1)(a) consent (analytics) | See Cookie Policy |
For full detail on cookies and how to manage consent, see our Cookie Policy.
3.2 Contact and enquiry data
When you contact us via the website, by email, or by phone we collect:
| Category | Examples | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Identification | Name, job title, employer | Respond to your enquiry; understand your context | Article 6(1)(f) legitimate interest | Until the enquiry is resolved + 12 months for follow-up |
| Contact | Work email, work phone | Reply to your enquiry; arrange a follow-up call | Article 6(1)(f) legitimate interest | As above |
| Enquiry content | Your message and any attachments | Address what you asked | Article 6(1)(f) legitimate interest | As above |
If your enquiry leads to a contract, the retention is extended for as long as we maintain the customer relationship plus the limitation periods set out in Norwegian law.
3.3 Newsletter and product updates
If you subscribe to our newsletter or product update list we collect your name, email, and (optionally) your employer. We use this only to send the subscriptions you have requested.
| Legal basis | Article 6(1)(a) consent |
|---|---|
| Retention | Until you unsubscribe; we keep a record of your unsubscribe to honour it |
| Withdraw consent | Use the unsubscribe link in any message, or email post@oddadigitalsystem.no |
We do not use personal data collected through these subscriptions for unrelated marketing without separate consent.
3.4 Discovery calls, demos, and pilots
During pre-sales conversations and pilot engagements we collect contact details, role information, and notes about the conversation (pain points, fit, technical context). We use this to assess whether our products or services are suitable for your organisation and to plan a possible contract.
| Legal basis | Article 6(1)(b) steps prior to entering a contract |
|---|---|
| Retention | Active record while we are in conversation; archived for 24 months if the conversation does not result in a contract; for the duration of the contract + Norwegian limitation periods if it does |
3.5 Customer contact data on Order Forms
When your employer signs an Order Form for the Service, the Order Form names individuals in five contact roles: Sponsor, Business Central administrator, Billing contact, Data Protection Contact, and Legal contact. For each named individual we collect name, job title (where given), work email, and work phone.
| Purpose | Operate the Service; route support cases; send invoices; address data-protection and legal queries; meet our obligations under the contract |
|---|---|
| Legal basis | Article 6(1)(b) performance of a contract with your employer; Article 6(1)(f) legitimate interest of Odda Digital System in maintaining accurate contact records |
| Source | Provided by your employer in the Order Form |
| Retention | For the duration of the contract + Norwegian limitation periods (typically three years for general contractual claims; ten years for accounting records) |
If you are named as a Customer contact and you leave your employer or change role, you can ask us (or your employer) to update the Order Form contact list.
3.6 Job applicants
When you apply for a position at Odda Digital System we collect the application materials you send us (CV, cover letter, references, interview notes).
| Legal basis | Article 6(1)(b) steps prior to entering a contract; Article 6(1)(a) consent (where you provide additional data voluntarily) |
|---|---|
| Retention | If we hire you: per our employee privacy notice. If we do not: 6 months after the recruitment process concludes, unless you ask us to delete sooner. |
4. Who we share personal data with
We share personal data with the following categories of recipients:
- Sub-processors who process personal data on our behalf — see our Sub-processor list for the current catalogue. Each sub-processor is bound by a Data Processing Agreement with us. The same list governs Customer Personal Data under the DPA.
- Professional advisors (lawyers, accountants, auditors) — bound by professional confidentiality.
- Public authorities — where legally required (e.g. tax authorities, Datatilsynet, court orders).
- Acquirers in case of a corporate transaction — subject to confidentiality undertakings.
We do not sell personal data and we do not use it for advertising-network targeting.
5. International transfers
Most processing takes place within the European Economic Area (EEA). Some processing takes place outside the EEA:
- United States: GitHub Inc., Sentry (Functional Software Inc.), Google LLC for analytics processing. Transfers are governed by the EU-US Data Privacy Framework where the recipient is certified, with EU Standard Contractual Clauses as a backup mechanism.
- India: Softices Consultancy Private Limited (Surat, Gujarat) provides engineering, debugging, and support to us under EU Standard Contractual Clauses (Module Three, processor-to-processor) with supplementary measures (encrypted remote sessions to Azure with data remaining at rest in the EEA, no local download, MFA + RBAC, access logging).
- CRM and customer communications: our CRM and support platform (HubSpot Ireland Limited) stores data in the EEA (Frankfurt) under HubSpot's EU data residency. Its parent, HubSpot, Inc. (United States), may access this data to provide support; such access is governed by the EU-US Data Privacy Framework with EU Standard Contractual Clauses as a backup.
A documented transfer impact assessment for the India transfer is reviewed at least annually. The full transfer mechanism and supplementary measures are described in the DPA Section 3.6.
6. Your rights
Under the GDPR and Norwegian personal-data law, you have the right to:
- Access the personal data we hold about you (Article 15)
- Rectify inaccurate or incomplete personal data (Article 16)
- Erase personal data ("right to be forgotten") in the circumstances set out in Article 17
- Restrict our processing in the circumstances set out in Article 18
- Object to processing based on our legitimate interest (Article 21)
- Receive the personal data you provided to us in a portable, machine-readable format (Article 20)
- Withdraw consent where processing is based on consent, without affecting the lawfulness of past processing (Article 7(3))
- Not be subject to a decision based solely on automated processing (Article 22) — note: Odda Digital System does not currently perform automated decision-making
To exercise any of these rights, contact us at guilherme@oddadigitalsystem.no or by post (see Section 1). We will respond within one month under Article 12(3); the period may be extended by a further two months for complex requests, in which case we will tell you within the first month.
We may need to verify your identity before responding, to avoid disclosing personal data to the wrong person.
7. Complaints
If you believe our processing of your personal data does not comply with the GDPR or Norwegian personal-data law, you can complain to Datatilsynet (the Norwegian Data Protection Authority):
- Website: datatilsynet.no
- Email: postkasse@datatilsynet.no
- Phone: +47 22 39 69 00
- Post: Datatilsynet, Postboks 458 Sentrum, 0105 Oslo
We hope you will contact us first so we have an opportunity to address your concern directly.
8. Changes to this notice
We may update this notice from time to time to reflect changes to our processing, legal requirements, or sub-processor arrangements. The effective date at the top of this notice shows when the current version took effect. Material changes will be announced on our website at least thirty days before they take effect.
Past versions of this notice are retained internally and available on request.
9. Contact
For all questions relating to this notice or to personal data processed by Odda Digital System:
| Controller | Odda Digital System AS, org. nr. 918 167 803 |
| Address | Holmavegen 29, 5750 Odda, Norway |
| DPO (personvernombud) | Guilherme Elid |
| DPO email | guilherme@oddadigitalsystem.no |
| General contact | post@oddadigitalsystem.no |
| Supervisory authority | Datatilsynet, datatilsynet.no |