Privacy Policy
Last Updated: April 5, 2026
1. Introduction
Odin Leads (“we”, “us”, “Service”) respects your privacy and is committed to transparent data practices. This Privacy Policy explains what personal data we collect, why, how we process and protect it, and your rights under applicable law.
This policy applies to odin.aldenmerlin.com and all interactions with Odin Leads.
2. Data Controller
Controller: Alden Merlin · aldenmerlin@gmail.com · odin.aldenmerlin.com
Processors: Stripe (payments), Resend (email delivery), Vercel (hosting, US-based).
3. What Data We Collect
3.1 Data We Collect
Payment & Transaction Data: Email address (provided at checkout), payment method identifier (processed by Stripe — we do not store full card details), transaction history (date, amount, report name), billing country for VAT purposes.
Cookies & Technical Data: Theme preference cookie (light/dark), language preference cookie (EN/PT), admin session cookie (httpOnly, internal access only), server logs via Vercel (IP address, browser user-agent, timestamps, referrer URL).
Communication Data: Email delivery logs via Resend, support messages sent to our email.
3.2 Data We Do Not Collect
We do not maintain user accounts or registration. Reports contain only company names, locations, and job titles — not personal data of individuals (candidates or hiring managers). We do not use third-party analytics trackers (Google Analytics, Facebook Pixel) and do not perform cross-site tracking.
4. Legal Basis for Processing
GDPR (EU/Germany)
Article 6(1)(b) — Contractual necessity: processing your email and payment data to fulfill the purchase contract.
Article 6(1)(c) — Legal obligation: processing payment data for tax and accounting compliance under German law (UStG — Umsatzsteuergesetz).
Article 6(1)(f) — Legitimate interests: processing server logs for platform security and performance monitoring.
BDSG (Germany)
We comply with German federal data protection standards per BDSG Sections 3 and 7, and maintain records of processing activities (Verarbeitungsverzeichnis) per BDSG Section 27.
LGPD (Brazil)
Article 7 — We process payment data with your consent at checkout. Article 7(IV) — processing is necessary to execute contracts.
CCPA/CPRA (California, USA)
Section 1798.100 — We collect personal information necessary for commercial transactions. We do not sell personal information; we only share with service providers under contract.
PIPL (China)
We minimize cross-border transfers of personal data. Where transfers occur, we use Standard Contractual Clauses or equivalent mechanisms.
5. How We Use Your Data
Email address: Payment processing, transaction confirmations, report delivery, support responses, tax compliance, and essential service notices (maximum 2-3 per year).
Payment data (Stripe): Payment verification and authorization, fraud prevention, refunds, tax reporting.
Cookies: Persisting theme and language preferences, maintaining admin sessions.
Server logs: Abuse detection, troubleshooting, usage analytics, law enforcement compliance (if legally required).
We do not use your data for: Marketing beyond transactional emails, targeted advertising, cross-site tracking, selling to third parties, or profiling/automated decision-making.
6. Data Sharing & International Transfers
Your data is shared with processors under contractual Data Processing Agreements (DPAs): Stripe (email, payment data — US/Ireland), Resend (email, delivery status — US), Vercel (IP, access logs — US).
For EU-to-US transfers, we rely on the Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs) per GDPR Articles 44-49, and adequacy decisions where applicable.
We do not share data with marketers, data brokers, or advertisers. Data may be disclosed to legal authorities if required by court order (GDPR Article 6(1)(c)).
7. Data Retention
Email address: Until deletion request + 3 years (German tax law §90 AO).
Payment history: 10 years (German accounting law GoBD, HGB).
Cookies: 1 year (theme/language), 30 days inactivity (admin session).
Server logs: 30 days.
Stripe data: Per Stripe retention (7 years, PCI-DSS).
Resend logs: 90 days.
Upon request, we delete your email from our primary database within 30 days (except tax records required by law).
8. Your Rights
GDPR (EU/Germany) — Articles 15-22
Access (Art. 15): Request a copy of all personal data we hold.
Rectification (Art. 16): Request correction of inaccurate data.
Erasure (Art. 17): Request deletion (subject to legal retention).
Restrict Processing (Art. 18): Request we stop processing during disputes.
Portability (Art. 20): Request data in portable format.
Object (Art. 21): Object to legitimate-interest processing.
Automated Decisions (Art. 22): We do not engage in automated profiling.
To exercise: email aldenmerlin@gmail.com with “GDPR Request: [Right Name]”. Response within 30 days (Art. 12).
LGPD (Brazil) — Articles 17-22
Equivalent rights to GDPR: access, confirm, correct, erase, export data, revoke consent. Email with “LGPD Request: [Right]”.
CCPA/CPRA (California) — Sections 1798.100-120
Right to Know (1798.100): Disclose categories and specific personal information. Delete (1798.105). Correct (1798.106). Opt-Out (1798.115): We do not sell data. Non-Discrimination (1798.125).
California residents: email with “CCPA Request: [Right Name]”.
PIPL (China)
Right to access, correct, delete personal information, and withdraw consent. Email with “PIPL Request: [Right]”.
9. Cookies
We use only essential cookies: odin-theme (theme preference, 1 year), odin-locale (language preference, 1 year), odin-admin (admin session, 30 days), and Stripe session tokens (payment processing, session-only). No third-party or advertising cookies are used.
Under GDPR, essential cookies do not require consent as they are necessary for contract performance. You may refuse cookies via browser settings, but this may affect Service functionality.
10. Data Security
We implement HTTPS/TLS encryption for all data in transit, encrypted payment storage via Stripe (PCI-DSS Level 1), restricted access controls, and regular security reviews of processors. In case of a data breach, we will notify affected individuals and authorities within 72 hours per GDPR Article 33.
11. Children's Privacy
Odin Leads is not intended for children under 18. We do not knowingly collect data from children. If we become aware of such data, we will delete it promptly.
12. Complaints & Supervisory Authorities
You may lodge a complaint with your local data protection authority:
Germany: BfDI (bfdi.bund.de).
EU: Your Member State's DPA (edpb.ec.europa.eu).
Brazil: ANPD (gov.br/anpd).
California: CPPA (cppa.ca.gov).
China: CAC (cac.gov.cn).
13. Changes to This Policy
We may update this policy to reflect legal changes. Material changes will be communicated via email with 30 days' notice. The “Last Updated” date will be revised.
14. Contact
For privacy questions, data subject requests, or complaints: aldenmerlin@gmail.com