Privacy Policy

1. Who we are

Odin is operated by:

Piotr Graczyk, Ludowa 26/8, 64-920 Pila, Poland, NIP: 7642716927, Email: legal@odinbrain.wiki

For account deletion and support requests, email support@odinbrain.wiki.

2. Who can use Odin

Odin is a business-to-business product for teams and organizations. Public self-service sign-up is disabled.

Users can access Odin only if:

• They already have an Odin account, or
• They have been invited to an organization.

Odin is not intended for children or personal consumer use.

Organizations manage access through roles such as owner, admin, and member. Project-level permissions may also apply.

3. Our role under privacy laws

For some information, Odin acts as a controller. This means we decide why and how that information is processed. This usually applies to account data, security logs, analytics, support requests, and operational communications.

For customer workspace content, Odin usually acts as a processor on behalf of the customer organization. This includes uploaded files, synced integration data, wiki content, chat messages, embeddings, summaries, and AI processing performed for the organization.

The customer organization is responsible for deciding what content is connected to Odin, who may access it, and whether it has the right to process that content through Odin.

4. Information we collect

4.1 Account and identity information

We collect information needed to create and manage user accounts, including:

• Name
• Email address
• Profile image URL, if provided
• Email verification status
• Account creation and update timestamps
• Organization membership
• Team and project membership
• User role, such as owner, admin, or member

We use this information to authenticate users, manage access, and provide Odin.

4.2 Session and device information

When you use Odin, we may collect session and device-related information, including:

• Session token
• Session expiration timestamp
• IP address
• User agent
• Active organization and team identifiers
• Authentication cookie information

Odin uses session cookies to keep users signed in and to protect access to the app.

4.3 Authentication and invitation emails

We use email to support:

• Magic link sign-in
• Organization invitations
• Invitation acceptance links
• Other operational account messages

These emails may include secure URLs that allow users to sign in or accept invitations.

4.4 Product usage and analytics data

Subject to cookie consent where required, we may collect analytics and product usage information to understand how Odin is used, improve the product, debug issues, and maintain security.

This may include:

• User ID
• Email address
• Name
• Page views
• Session activity
• Product events, such as project creation, file upload, wiki clearing, invitation activity, and logout events
• Session replay data
• Error and exception data
• Device and browser information

Odin uses PostHog for analytics, session replay, and error tracking.

Recommended implementation: Use PostHog Cloud EU or self-hosted PostHog for EU customers. Do not load analytics or session replay until the user gives consent.

4.5 Chat and AI interaction data

When you use Odin chat or AI-assisted features, we may collect and store:

• Chat session titles
• User messages
• Assistant responses
• System messages
• Citations and references
• Access denial notices
• Related project and organization metadata

Chat content may be processed by third-party AI providers through OpenRouter to generate responses, classify information, create summaries, compile wiki content, and generate embeddings.

AI outputs may be inaccurate, incomplete, or outdated. Users should review important information before relying on it.

4.6 Customer content

Organizations may upload or connect content to Odin. This may include:

• Uploaded files, such as Markdown, text, PDF, DOCX, images, JSON, CSV, and similar files
• Extracted text from uploaded files
• Synced content from connected tools
• Slack messages directed to the Odin app
• Gmail messages or threads selected by users
• Google Drive files selected by users
• Fireflies meeting summaries
• GitHub, Jira, Linear, Figma, Slack, Google, Gmail, and Fireflies integration data
• Wiki pages generated by Odin
• Markdown knowledge base content
• Derived facts and vector embeddings
• Project names, descriptions, icons, and settings
• Organization names, slugs, logos, and settings
• Classification labels such as public, internal, confidential, or custom labels

Customer content is used to build and maintain the project wiki, support search, answer chat questions, and provide integration-based workflows.

4.7 Integration data

When an organization connects third-party tools, Odin may process integration-related information, including:

• OAuth access and refresh tokens
• Connected account identifiers
• Connected workspace identifiers
• Sync job logs
• API requests and responses
• Selected files, messages, issues, pull requests, designs, summaries, or other connected content

OAuth tokens are encrypted at rest when token encryption is configured.

Customers are responsible for ensuring they have the right to connect third-party tools and make their content available to Odin.

4.8 Security, access control, and audit data

We collect security and audit information to protect Odin and enforce access controls, including:

• Actor identifiers
• Integration names
• Tool names
• Allow or deny decisions
• Denial reasons
• Timestamps
• Tool call success or failure
• Duration and trace identifiers
• Access requests
• Usage events
• Token usage and estimated cost metadata

We use this information for security, debugging, access control, auditability, usage limits, and billing readiness.

5. Information we do not intentionally collect

Based on current product behavior:

• Odin does not provide a general public sign-up funnel.
• Odin does not mirror an entire Gmail mailbox.
• Gmail content is processed only when users manually select messages or threads.
• Google Drive content is limited to user-selected files.
• Slack content is not a full workspace mirror. Odin processes qualifying interactions with the Odin Slack app, such as mentions and direct messages.
• GitHub raw sync is focused on architecture or metadata-style digesting rather than storing the full codebase as raw content.

This may change as Odin develops. If our practices materially change, we will update this Privacy Policy.

6. How we collect information

We collect information directly from users, automatically through app usage, from organizations, and from connected third-party services.

7. How we use information

We use information to:

• Provide Odin, including authentication, organization management, project access, file processing, sync jobs, wiki generation, search, chat, and integrations
• Process customer content
• Provide AI-assisted features
• Enforce security and access control
• Send operational communications
• Improve the product, subject to consent where required
• Track usage and support billing readiness
• Comply with legal obligations

8. AI processing

Odin uses third-party AI services to provide chat, wiki compilation, classification, summarization, ingestion, and embedding features.

When you use AI-powered features, customer content and chat prompts may be sent to OpenRouter and underlying model providers. This may include user chat messages, assistant responses, wiki excerpts, raw source excerpts, integration content, project metadata, classification metadata, summaries, and citations.

Odin does not currently train its own AI models on customer content.

We recommend configuring Odin so that prompt and completion logging is disabled and Zero Data Retention routing is used where available. However, model providers may have different retention and logging policies.

9. Legal bases for processing

If GDPR or similar laws apply, we rely on the following legal bases:

10. How we share information

We do not sell personal information.

We may share information with service providers and subprocessors, customer-controlled integrations, legal authorities where required, and parties involved in a business transfer.

For a current list of our subprocessors, see our Public Subprocessor List.

11. International data transfers

Odin is based in Poland, in the European Union. We aim to serve customers worldwide.

Some service providers may process data outside the European Economic Area, including in the United States. This may include AI providers, analytics providers, infrastructure providers, and connected third-party services.

Where required, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, Data Processing Agreements, and other lawful transfer mechanisms.

12. Cookies and similar technologies

Odin uses strictly necessary cookies for authentication, session management, security, and access control.

Subject to user consent, Odin may use PostHog for analytics, product usage measurement, session replay, and error tracking.

Odin requires cookie consent for non-essential analytics and session replay technologies. Users should be able to accept all cookies, reject non-essential cookies, choose cookie categories, and change consent later.

If a user rejects analytics cookies, Odin should not load analytics or session replay for that user.

13. Data retention

We keep information only for as long as needed to provide Odin, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business purposes.

Users can request account deletion by contacting support@odinbrain.wiki.

14. Security

We use technical and organizational measures designed to protect information, including:

• HTTPS in production
• Role-based access controls
• Organization and project-level permissions
• Data classification labels
• Access audit logging
• OAuth token encryption at rest when configured
• Railway-hosted project asset storage
• Controlled access to project assets
• Invite-only account access
• Background job processing controls

No system is perfectly secure. We cannot guarantee that information will never be accessed, disclosed, altered, or destroyed.

We do not currently claim SOC 2, ISO 27001, HIPAA, or similar certification unless separately stated in writing.

15. Your rights and choices

Depending on your location, you may have privacy rights, including the right to request access, correction, deletion, restriction, portability, objection, withdrawal of consent, opt-out of certain analytics or marketing, and complaint to a data protection authority.

To exercise your rights, contact legal@odinbrain.wiki. For account deletion, contact support@odinbrain.wiki.

Organization admins may also manage users, projects, connected sources, and project content directly inside Odin.

If you use Odin through an organization, some requests may need to be handled by your organization because the organization controls the workspace content.

16. Account and organization controls

Odin is designed for organization-managed workspaces. Your organization may invite or remove users, control project access, connect or disconnect integrations, delete projects, and manage project content.

If you use Odin through an organization, you may need to contact your organization admin for requests related to workspace content.

17. Children's privacy

Odin is not intended for children. Odin is designed for business users invited into organizations.

We do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to Odin, contact us at legal@odinbrain.wiki.

18. Regional privacy disclosures

European Union, European Economic Area, United Kingdom, and Switzerland

If GDPR, UK GDPR, or similar laws apply, users may have additional rights described in this Privacy Policy.

For customer workspace content, Odin generally acts as a processor on behalf of the customer organization. In such cases, the customer organization determines the purposes and means of processing, and Odin processes data according to the customer's instructions.

Users may have the right to lodge a complaint with their local data protection authority. In Poland, this is the President of the Personal Data Protection Office.

California and other United States privacy laws

If California or other US state privacy laws apply, users may have additional rights, such as the right to know, delete, correct, and opt out of certain sale or sharing of personal information.

Odin does not sell personal information.

19. Third-party links and services

Odin may connect to third-party services at the direction of customers and users. Those services have their own privacy policies and terms. Odin is not responsible for the privacy practices of third-party services that are not controlled by us.

Customers are responsible for ensuring they have appropriate rights, permissions, and notices before connecting third-party tools to Odin.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

If we make material changes, we will notify users by email, in-app notice, or another appropriate method. The updated policy will show the new effective date.

21. Contact us

Piotr Graczyk, Ludowa 26/8, 64-920 Pila, Poland, NIP: 7642716927, Email: legal@odinbrain.wiki

For account deletion and support requests: support@odinbrain.wiki

If your Odin account is provided through an organization, you may also contact your organization admin for questions about project content, connected integrations, or workspace access.