privacy
The legal bits
Privacy Policy
Last Updated: June 5, 2024
Odyssey Media Group ("we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, and disclose your personal information when you visit our website, odysseymediagroup.co.uk (the "Website"), and when we provide marketing services to our clients.
As a marketing agency, we understand the critical importance of data privacy, especially concerning the data we manage on behalf of our clients. This policy aims to be transparent about our data practices and to comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1 Key Definitions (GDPR)
To help you understand this policy, here are some key terms as defined by GDPR:
Personal Data: Any information relating to an identified or identifiable natural person (a 'data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
Data Processor: A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
Data Subject: The identified or identifiable natural person to whom Personal Data relates.
Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
2 Our Role: Data Controller vs. Data Processor
Understanding our role in relation to your data is crucial:
When We Act as a Data Controller:
We are the Data Controller when we determine the purposes and means of processing your Personal Data collected through our Website (e.g., when you fill out a contact form, subscribe to our newsletter, or when we collect website analytics data about your visit to odysseymediagroup.co.uk).
In this capacity, we are directly responsible for ensuring your rights are upheld and our processing activities comply with GDPR.
When We Act as a Data Processor:
We act as a Data Processor when we process Personal Data on behalf of our clients (who are the Data Controllers). This typically occurs when we manage marketing campaigns, analyse customer data, or handle CRM data as instructed by our clients.
In this role, we only process the data according to the documented instructions of our clients. Our clients are responsible for establishing the legal basis for processing their customers' or prospects' data, obtaining necessary consents, and informing their data subjects about their data processing activities.
We enter into Data Processing Agreements (DPAs) with all our clients to ensure robust safeguards and compliance with Article 28 of the GDPR, outlining our responsibilities and obligations as a Processor.
3 Information We Collect
We collect different types of information depending on our interaction with you or our clients:
3.1. Information You Directly Provide (When we are Data Controller)
Contact Information: Name, email address, phone number, company name, job title, and any other information you choose to share when you:
Fill out contact forms on our Website.
Subscribe to our newsletter or other marketing communications.
Engage with us via email, phone, or social media.
Enquire about or sign up for our services.
Communication Data: Records of your correspondence with us.
Client Onboarding Information: If you become a client, we may collect business-related information necessary for contract fulfilment and service delivery, such as billing details and specific project requirements.
3.2. Information Collected Automatically (When we are Data Controller)
When you visit our Website, we may automatically collect certain information about your device and browsing activity through cookies and similar technologies. This information may include:
Technical Data: Your IP address, browser type and version, operating system, device type, referrer URL, and unique device identifiers.
Usage Data: Pages visited on our Website, time spent on pages, clickstream data, search queries, and dates/times of access.
3.3. Information We Process on Behalf of Clients (When we are Data Processor)
As a marketing agency, we process various types of Personal Data provided by our clients to deliver our services. The specific categories of data processed depend on the services requested by each client but may include:
Customer Relationship Management (CRM) Data: Customer names, contact details (email, phone, address), purchase history, customer segments, and communication preferences.
Marketing Campaign Data: Audience segments, campaign performance data, conversion metrics, and user interaction data (e.g., email opens, clicks).
Website Analytics Data: Anonymised or pseudonymised website visitor data (e.g., traffic sources, user behaviour on client websites) for reporting and optimisation purposes.
Lead Generation Data: Data collected through client-specific landing pages or forms, such as prospect names, email addresses, and company details.
Note: For data processed on behalf of our clients, Odyssey Media Group does not determine the original purposes or means of processing. Our clients retain full responsibility as Data Controllers for such data, and you should refer to their respective privacy policies for details on their data practices.
4 Legal Bases for Processing Your Personal Data (When we are Data Controller)
We will only process your Personal Data when we have a valid legal basis to do so under GDPR. The legal bases we rely on include:
Consent: Where you have given clear consent for us to process your Personal Data for a specific purpose (e.g., subscribing to marketing newsletters, accepting non-essential cookies). You have the right to withdraw your consent at any time.
Contractual Necessity: Where processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract (e.g., to respond to your service inquiries, to provide our marketing services if you become a client).
Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., for tax purposes, legal reporting requirements).
Legitimate Interests: Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:
Operating and improving our Website and services.
Understanding how users interact with our Website to enhance user experience.
Ensuring the security and integrity of our systems.
Responding to your inquiries and providing customer support.
Conducting internal analytics and market research.
Preventing fraud and ensuring legal compliance.
We always balance our legitimate interests against your rights and freedoms.
5 How We Use Your Information (Purposes of Processing)
5.1. When We are Data Controller:
We use the information we collect directly from you or automatically from our Website visitors for the following purposes:
To Provide and Maintain Our Website: To ensure the proper functioning and availability of odysseymediagroup.co.uk. (Legal Basis: Legitimate Interests)
To Improve Our Website and User Experience: To analyse usage patterns, identify popular content, and optimise Website design and functionality. (Legal Basis: Legitimate Interests)
To Communicate With You: To respond to your inquiries, provide customer support, and send you important updates regarding our services. (Legal Basis: Contractual Necessity, Legitimate Interests)
For Marketing and Promotional Purposes: To send you newsletters, updates, and information about our services that may be of interest to you, based on your consent. (Legal Basis: Consent)
To Personalise Your Experience: To tailor content and advertising on our Website based on your preferences, where you have provided consent for targeting cookies. (Legal Basis: Consent)
For Analytics and Research: To understand user behaviour, conduct market research, and perform statistical analysis to improve our offerings. (Legal Basis: Legitimate Interests, Consent for certain analytics cookies)
For Security and Fraud Prevention: To protect our Website, systems, and users from malicious activity, fraud, and unauthorised access. (Legal Basis: Legitimate Interests, Legal Obligation)
To Comply with Legal Obligations: To meet our legal and regulatory requirements. (Legal Basis: Legal Obligation)
5.2. When We are Data Processor (for Client Data):
When acting as a Data Processor, we process data solely to provide contracted marketing services to our clients. This includes:
Executing Marketing Campaigns: Managing and optimising advertising campaigns on various platforms (e.g., social media, search engines) according to client instructions.
Audience Targeting and Segmentation: Using client-provided data to identify and target specific customer segments for marketing initiatives.
Reporting and Analysis: Generating performance reports and insights for clients based on marketing data.
CRM Management: Updating and maintaining client CRM systems with prospect or customer data as instructed.
Website Analytics Integration: Setting up and managing analytics tools for client websites to track performance and user behaviour.
6 How We Share Your Information
We may share your Personal Data (when we are Data Controller) or client data (when we are Data Processor, under client instructions) in the following circumstances:
With Service Providers: We engage trusted third-party service providers who assist us in operating our Website and providing our services (e.g., hosting providers, IT support, analytics providers, email marketing platforms, CRM systems). These providers are contractually bound to process data only on our instructions and to implement appropriate security measures.
Examples: Google Analytics, Hubspot (as mentioned in your original policy), cloud hosting providers, email service providers.
With Our Clients (as Data Processor): When we are processing data on behalf of a client, we share that data back with the respective client (the Data Controller) as required by our service agreement and their instructions.
For Legal Reasons: We may disclose your information if required to do so by law, court order, or in response to a valid request from a public authority (e.g., law enforcement agencies, regulatory bodies).
Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Website of any change in ownership or uses of your Personal Data.
With Your Consent: We may share your information with third parties when we have your explicit consent to do so.
We will never sell or rent your Personal Data to third parties for their independent marketing purposes without your explicit consent.
7 International Data Transfers
Odyssey Media Group primarily stores and processes data within the European Economic Area (EEA) and the United Kingdom (UK). However, some of our service providers, or our clients, may operate outside the EEA/UK.
When Personal Data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place to protect your privacy rights, as required by GDPR. These safeguards may include:
Standard Contractual Clauses (SCCs): Implementing SCCs approved by the European Commission or the UK Information Commissioner's Office (ICO) with the recipient of the data.
Adequacy Decisions: Relying on countries deemed to provide an adequate level of data protection by the European Commission or UK government.
Binding Corporate Rules (BCRs): If applicable for large multinational organisations.
By using our Website or services, you acknowledge that your information may be transferred to and processed in countries outside the EEA/UK where data protection laws may differ. We will always take steps to ensure your data is treated securely and in accordance with this Privacy Policy.
8 Data Security
Odyssey Media Group takes the security of your Personal Data very seriously. We implement a variety of technical and organisational measures designed to protect your information from unauthorised access, disclosure, alteration, and destruction. These measures include:
Encryption: Using encryption for data in transit and at rest where appropriate.
Access Controls: Implementing strict access controls and authentication procedures to limit who can access Personal Data.
Physical Security: Securing our physical premises and data storage facilities.
Organisational Measures: Regular staff training on data protection, clear internal policies, and procedures for handling Personal Data.
Pseudonymisation/Anonymisation: Where feasible and appropriate, we apply pseudonymisation or anonymisation techniques to reduce the identifiability of data.
Regular Audits and Assessments: Conducting regular security assessments and penetration tests to identify and address vulnerabilities.
Incident Response Plan: Maintaining a robust plan for responding to data breaches and security incidents.
While we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, we cannot guarantee its absolute security.
9 Data Retention
We will retain your Personal Data only for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
The retention periods for Personal Data vary depending on the type of data and the purpose of processing:
Website Contact Forms/Inquiries: Generally retained for up to 12-24 months after the last interaction, unless it leads to a client relationship, in which case it is retained for the duration of the contract plus a legally required period.
Marketing Consent Data: Retained until you withdraw your consent or after a period of inactivity, typically 24 months, after which we may seek re-consent.
Client Data (as Processor): Retained for the duration specified in the Data Processing Agreement (DPA) with our client, and then securely deleted or returned to the client.
Financial Records: Retained for 6-7 years as required by tax and accounting laws.
Website Analytics Data: Retained according to the settings of the analytics service (e.g., Google Analytics data is retained for up to 26 months before aggregation).
When Personal Data is no longer required, we will securely delete or anonymise it.
10 Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR), you have a number of important rights regarding your Personal Data. We are committed to facilitating the exercise of these rights:
Right to Be Informed: You have the right to be informed about the collection and use of your Personal Data. This Privacy Policy serves to fulfil this right.
Right of Access (Article 15): You have the right to request a copy of the Personal Data we hold about you, along with information about how and why we are processing it.
Right to Rectification (Article 16): You have the right to request that we correct any information you believe is inaccurate or incomplete.
Right to Erasure ("Right to Be Forgotten") (Article 17): You have the right to request that we erase your Personal Data, under certain conditions (e.g., if the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent and there is no other legal basis for processing).
Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your Personal Data, under certain conditions (e.g., if you contest the accuracy of the data, or if the processing is unlawful).
Right to Data Portability (Article 20): You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, in a structured, commonly used, and machine-readable format, under certain conditions.
Right to Object (Article 21): You have the right to object to our processing of your Personal Data, particularly where we are relying on legitimate interests as the legal basis, or for direct marketing purposes.
Rights in Relation to Automated Decision-Making and Profiling (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless certain exceptions apply. (Note: Odyssey Media Group does not currently engage in automated decision-making or profiling that would produce such effects on individuals).
Right to Withdraw Consent: Where we rely on your consent as the legal basis for processing your Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
10.1. How to Exercise Your Rights
To exercise any of these rights, please contact us using the details provided in the "Contact Us" section below. Please specify which right you wish to exercise and provide enough information for us to identify you and respond to your request. We may need to verify your identity before fulfilling your request. We will respond to your request without undue delay and at the latest within one month of receipt.
10.2. Right to Lodge a Complaint
If you have concerns about our data processing practices, you have the right to lodge a complaint with the relevant supervisory authority. In the UK, this is the Information Commissioner's Office (ICO):
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk
11 Cookies and Similar Technologies
We use cookies and similar tracking technologies on our Website. Cookies are small data files placed on your device. We use them for:
Strictly Necessary Cookies: Essential for the Website to function correctly (e.g., navigating pages, accessing secure areas). These do not require consent.
Performance Cookies: Collect information about how you use our Website (e.g., pages visited, loading times) to help us improve its performance.
Functional Cookies: Remember choices you make (e.g., language preferences) to provide enhanced, more personalised features.
Targeting/Advertising Cookies: Used to deliver advertisements relevant to you and your interests, limit the number of times you see an advertisement, and help measure the effectiveness of advertising campaigns. These require your explicit consent.
11.1. Third-Party Cookies
We use third-party services that place cookies on your device:
Google Analytics: To understand how visitors use our Website. We have configured Google Analytics to respect your cookie consent choices. For more information, please see Google's privacy policy: https://support.google.com/analytics/answer/7318509?hl=en
HubSpot: For CRM functionalities, marketing automation, and website analytics. We have configured HubSpot to respect your cookie consent choices. For more information, please see HubSpot's privacy policy: https://legal.hubspot.com/legal-stuff
11.2. Managing Cookies
You can control and manage cookies in several ways:
Cookie Consent Banner: Our Website provides a consent banner that allows you to accept or decline non-essential cookies.
Browser Settings: Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this Website may become inaccessible or not function properly.
Third-Party Opt-Out Tools: You can opt-out of certain third-party advertising cookies through industry opt-out pages such as the Network Advertising Initiative (NAI) at http://www.networkadvertising.org/ or the Digital Advertising Alliance (DAA) at http://www.aboutads.info/choices/.
12 Links to Other Websites
Our Website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
13 Children's Privacy
Our services are not intended for individuals under the age of 18 ("Children"). We do not knowingly collect Personal Data from Children. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.
14 Changes to This Privacy Policy
We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, and other factors. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this policy. We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the Website after any modifications to this Privacy Policy will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.
15 Contact Us
If you have any questions about this Privacy Policy, your rights under GDPR, or our data processing practices, please do not hesitate to contact our Data Protection Lead:
By Email: info@odysseymediagroup.co.uk
By Mail: Odyssey Media Group, Waterside Drive, Arlington Business Park, Theale, Reading RG7 4SA