Privacy policy

1. Data controller

The controller of personal data collected on the website and as part of the Services is:

2. Data collected

We collect and process the following categories of data:

Category	Examples	Source
Identity	Name, first name, position, company name, registration number	Online subscription
Contact details	Postal address, email, phone	Subscription, contact, support
Connection data	IP address, identifiers, access logs	Automatic (server logs)
Payment data	Bank details (encrypted via Stripe/SystemPay), IBAN for SEPA	Payment
Technical data	Centrex config, mail accounts, CRM database, hosting	Use of Services
Communication data	Support tickets, emails exchanged, call recordings (Centrex if enabled)	Support and telephony

3. Purposes and legal bases

Purpose	Legal basis	Duration
Contract performance (account creation, provision of Services)	Contract performance (art. 6.1.b GDPR)	Contract duration + 3 years
Billing and accounting	Legal obligation (art. 6.1.c GDPR)	10 years (Commercial Code)
Technical support and after-sales	Contract performance	Contract duration + 1 year
Commercial prospecting (existing customers)	Legitimate interest (art. 6.1.f GDPR)	3 years after last contact
Audience statistics (Matomo)	Consent (art. 6.1.a GDPR)	13 months maximum
Security, fraud prevention	Legitimate interest	Rolling 1 year

4. Data recipients

Data is accessible to authorized personnel of ODOIP SAS (commercial, support, technical, accounting teams). It may be transmitted to:

• our technical subcontractors bound by GDPR sub-contracting agreements (Stripe, SystemPay for payments; partner operators for number portability);
• administrative or judicial authorities upon legal request.

Data is neither sold nor rented to commercial third parties.

5. Hosting and location

Data is hosted on ODOIP servers located in France. No regular data transfer outside the European Union is performed. In case of occasional transfer (e.g. use of a third-party service), appropriate safeguards are implemented in accordance with articles 44 et seq. of the GDPR (standard contractual clauses of the European Commission).

6. Data security

ODOIP implements appropriate technical and organizational measures to guarantee the confidentiality, integrity and availability of processed data:

• HTTPS encryption (TLS 1.3) on the entire website and Services;
• strict data partitioning between customers (isolated multi-tenant);
• encrypted daily backups with minimum 30-day retention;
• access control by strong authentication and access logging;
• regular security testing and component updates.

7. Your rights

In accordance with articles 15 to 22 of the GDPR, you have the following rights:

• Right of access: obtain confirmation and a copy of the data we hold about you.
• Right of rectification: have any inaccurate or incomplete data corrected.
• Right to erasure ("right to be forgotten"): have your data deleted within the limits provided by law (the 10-year invoice retention obligation remains a priority).
• Right to restriction: temporarily suspend processing.
• Right to object: object to processing based on legitimate interest or for prospecting purposes.
• Right to portability: receive your data in a structured machine-readable format.
• Right to set post-mortem directives on the fate of your data after your death.

To exercise these rights, contact our DPO at: info@odoip.fr. A response will be provided within a maximum of one month, extendable by two months for complex requests.

In case of difficulty, you can lodge a complaint with the French National Commission for Information Technology and Civil Liberties: www.cnil.fr/en/plaintes.

8. Cookies and trackers

For any information on cookies used and their management, consult our cookie policy.

9. Policy updates

This policy may be updated to reflect regulatory or technical developments. The applicable version is the one online at the date of your consultation. Substantial modifications will be notified to you by email.

Dernière mise à jour : 2026-05-25 · DPO : info@odoip.fr