ODD Media LLC — Privacy Policy

---

1. Who this policy applies to

This policy applies to:

• Visitors to our websites (omdgrowth.com, Atlas marketing pages, and any other ODD Media LLC domain)
• Prospects and leads who fill out forms, book calls, or otherwise contact us
• Clients who engage OMD Growth for consulting or productized services
• Authorized Users of Atlas
• Recipients of our SMS Program

For Atlas Customer Data, this policy is supplemented by Section 10 and (where applicable) a separate Data Processing Addendum.

2. Information we collect about you

We collect personal information in the following ways.

2.1 Information you provide directly

• Contact and identity: name, email, phone number, company, role, and similar details you submit through forms, emails, calls, or in-product
• Account credentials (for Atlas): username, hashed password, OAuth identifiers (e.g., Google sign-in), API tokens
• Payment and billing information for Atlas subscriptions and consulting services (we use Stripe for billing — full payment card numbers are handled by Stripe, not stored by us)
• Communications: content of emails, SMS, calls, meetings, and chats with us
• Service inputs: materials, files, and information you share with us during a consulting engagement (e.g., audit access, screenshots, documents)

2.2 Information collected automatically

• Device and browser: IP address, browser type, device type, operating system, language, time zone, referrer URLs
• Usage data: pages viewed, links clicked, time on page, session duration, and similar telemetry from our websites and from Atlas
• Cookies and similar technologies: see Section 5

2.3 Information from third parties

• Connectors authorized by you (Atlas): when you authorize Atlas to connect to a third-party service (e.g., Close, Stripe, GA4, Meta, Typeform, JotForm, Airtable, Google Sheets), Atlas receives data from those services according to the scopes you authorize. See Section 10.
• Enrichment / lookups: for sales and marketing, we may use third-party tools to look up publicly available information about prospects (e.g., LinkedIn URL, company size).
• Analytics providers: aggregated information about how visitors interact with our websites.

3. How we use personal information

We use personal information to:

• Operate our websites and our products (including Atlas)
• Respond to inquiries, schedule and conduct calls, and provide consulting services
• Onboard and support clients and Atlas customers
• Send transactional, service, and SMS communications you've consented to
• Send relevant marketing communications (which you can opt out of at any time)
• Bill and collect payments
• Improve, secure, and protect our products and services
• Detect, prevent, and respond to fraud, abuse, security incidents, and policy violations
• Comply with legal obligations and enforce our agreements

We rely on the following legal bases for processing personal data of EU/UK individuals:

• Performance of a contract (delivering services and Atlas)
• Legitimate interests (operating, securing, and improving our business and products) — balanced against your rights
• Consent (e.g., SMS, marketing emails where required, certain cookies)
• Legal obligation (tax, compliance, dispute resolution)

4. How we share personal information

We share personal information only as needed and with the following categories of recipients:

• Service providers and sub-processors that help us operate (cloud hosting, database/queue infrastructure, email/SMS providers, analytics, error monitoring, payment processing, AI providers for Atlas reports). They are bound by written agreements that limit their use of personal information to providing services to us.
• Connected services you authorize (for Atlas): the third-party services you choose to connect.
• Professional advisors: lawyers, accountants, auditors, and insurers under confidentiality.
• Authorities and others when required by law, valid legal process, or to protect rights, safety, or property.
• Business transfers: in connection with a merger, acquisition, financing, reorganization, or sale of assets.

We do not sell personal information.

SMS opt-in data is never shared with third parties or affiliates for marketing or promotional purposes.

4.1 Sub-processor categories (current)

For Atlas and other products, we currently use sub-processors in the following categories. A current named list is available on request:

• Cloud infrastructure / hosting
• Managed database, cache, and queue services
• AI providers (Anthropic, OpenAI) for AI-generated reports in Atlas
• Payment processing (Stripe — for ODD Media LLC billing; we do not store full payment card numbers)
• Email and SMS providers for transactional and notification messaging
• Error monitoring and product analytics

Customers under a Data Processing Addendum receive advance notice of new sub-processors, with the right to object as set out in the DPA.

5. Cookies and tracking

We use cookies and similar technologies to:

• Operate and secure our websites and products (essential cookies — required)
• Remember preferences
• Understand how visitors and users interact with us (analytics)
• Measure marketing performance

Where required by law, we ask for consent before placing non-essential cookies. You can manage cookie preferences in your browser settings, and where offered, via an in-product cookie banner.

6. Marketing and SMS Program

6.1 Marketing emails

We may send marketing emails to clients, prospects, and others who opt in. Every marketing email contains an unsubscribe link. You can also email welcome@omdgrowth.com to opt out.

6.2 SMS Program

Our SMS Program (operated under the OMD Growth brand for booking and client communications) is governed by the SMS Program terms in our Terms of Service.

• Opt-in. You opt in by submitting a form or other channel where the SMS consent language is presented. Consent is not required to purchase any goods or services.
• Use of mobile numbers. Mobile numbers collected through the SMS opt-in are used only to send messages related to your booking, scheduling, and follow-up communications. They are not shared or sold to third parties or affiliates for marketing or promotional purposes.
• Frequency. Message frequency varies. Message and data rates may apply.
• Opt-out. Reply STOP to any message at any time. Reply HELP for help.
• Eligibility. U.S. mobile subscribers, age 18+.

7. Data retention

We keep personal information only as long as needed for the purposes for which it was collected, or as required by law. General guidelines:

• Lead and prospect data: retained while there is a reasonable business purpose (typically up to 36 months from last interaction, then reviewed)
• Client and Atlas customer account data: retained for the duration of the relationship and as needed for billing, legal, and tax obligations (typically 7 years from end of engagement)
• Atlas Customer Data: retained per the Atlas terms — accessible during subscription, retained for 30 days after termination for export, then deleted from active systems (backup deletion on standard backup rotation, typically within 90 days)
• SMS opt-in records: retained for the duration of opt-in plus a reasonable period to demonstrate consent
• Web analytics: typically retained in aggregated/de-identified form per analytics provider defaults

We may retain limited information longer where necessary for legal claims, enforcement, regulatory requirements, or fraud prevention.

8. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including:

• Encryption in transit (TLS) for connections to our websites and Atlas
• Encryption at rest for managed databases and storage where supported
• Access controls with role-based permissions and authenticated tokens
• Multi-tenant isolation of Atlas Customer Data scoped by organization (org_id) at middleware and query layer
• Logical separation of staging and unified data layers
• Software updates and dependency monitoring
• Incident response procedures

No system is perfectly secure. We will notify affected individuals and customers of confirmed breaches as required by law.

9. Your rights

Depending on where you live, you may have the following rights regarding your personal information:

• Access — request a copy of personal information we hold about you
• Correction — request correction of inaccurate information
• Deletion — request deletion (subject to retention obligations)
• Restriction or objection — restrict or object to certain processing
• Portability — receive personal information in a structured, machine-readable format
• Withdraw consent — where processing is based on consent
• Lodge a complaint with your local data protection authority

9.1 California (CCPA / CPRA)

California residents have the right to know what personal information we collect, the right to delete (subject to exceptions), the right to correct, the right to limit use of sensitive personal information, and the right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell personal information and we do not share personal information for cross-context behavioral advertising in the manner contemplated by the CPRA. We do not knowingly handle the personal information of minors under 16 in a way that would require opt-in.

9.2 EU / UK / EEA

If you are in the EU, UK, or EEA, you have the rights set out in the GDPR / UK GDPR. Our legal bases are described in Section 3. Your supervisory authority is the data protection authority in your country.

9.3 How to exercise rights

Email welcome@omdgrowth.com with your request. We may need to verify your identity. We respond within the timeframes required by applicable law (typically 30–45 days).

For Atlas Customer Data, the Customer is the data controller — please contact the Customer (the organization that controls the Atlas account) directly with rights requests about end-user data. We will support Customers in responding.

10. Atlas ReportingOS — special section for Customer Data

This section explains how we handle data you load into Atlas about your own customers, leads, employees, end users, and business operations ("Customer Data").

10.1 Roles

• You (the Atlas Customer) are the data controller of Customer Data — you decide what to load into Atlas, why, and on what legal basis.
• ODD Media LLC is the data processor of Customer Data, acting on your documented instructions, which include the Atlas Terms of Service, your configuration choices in Atlas, and any signed Data Processing Addendum (DPA).

10.2 Categories of Customer Data Atlas typically processes

Depending on the connectors you enable, Customer Data may include:

• Contact and identifier data about your customers, leads, and contacts (name, email, phone, address, company)
• Communication metadata and content (CRM activity history, emails, calls, notes, tasks)
• Form responses (Typeform, JotForm, Airtable form data)
• Web analytics (GA4 events, traffic data, audience segments)
• Ad performance and audience data (Meta ads — campaign performance and audience-level data, subject to Meta's policies)
• Payment and transaction metadata (Stripe / PayPal — transaction amounts, status, customer email; we do not access or store full payment card numbers)
• Business records (Google Sheets, Airtable bases you connect)

10.3 What we do with Customer Data

We process Customer Data only to:

• Provide Atlas to you (ingest, normalize, store, deduplicate, query, dashboard, generate AI reports, deliver via the Atlas web app)
• Maintain, secure, troubleshoot, and improve Atlas
• Comply with legal obligations
• Enforce our agreements with you

We do not:

• Sell Customer Data
• Use Customer Data for our own marketing or advertising
• Use Customer Data to market to your end users
• Use Customer Data to train any third-party AI model (AI providers in our pipeline are configured for inference only, and we contractually require sub-processors not to train on our submitted data; current AI sub-processors include Anthropic and OpenAI)
• Combine Customer Data across customers in a way that re-identifies any individual

10.4 Aggregated and anonymized data

We may produce aggregated, de-identified statistics derived from Customer Data (data that does not identify any Customer or individual) for product improvement, benchmarks, and analytics. This data is not Customer Data.

10.5 Sub-processors

Atlas relies on the sub-processor categories listed in Section 4.1. Customers under a DPA receive advance notice of new sub-processors with a right to object.

10.6 Security

Security measures applicable to Customer Data are described in Section 8 and in the Atlas Terms of Service (Part D, Section D8).

10.7 Data subject requests

When end users (the Customer's data subjects) make rights requests, the Customer is the controller and is responsible for responding. We will reasonably cooperate, including by providing tools to access, export, correct, or delete Customer Data within Atlas.

10.8 International transfers

Atlas infrastructure is located in [PRIMARY HOSTING REGION — to be confirmed]. If Customer Data is transferred to or accessed from another country, we use appropriate safeguards (such as Standard Contractual Clauses for transfers from the EU/UK) and apply equivalent protections.

10.9 Retention and deletion

• During subscription: Customer Data is retained and accessible per Customer's account configuration.
• After termination: Customer Data is retained for 30 days for export, then deleted from active systems. Backup copies are deleted on standard backup rotation cycles (typically within 90 days).
• On request: Customer may request earlier deletion of specific Customer Data, subject to legal retention obligations.

10.10 Data Processing Addendum

A standard DPA is available on request and is recommended for customers subject to GDPR, UK GDPR, CCPA, or similar regimes. The DPA, when signed, sits above this Privacy Policy in the order of precedence for personal data processing.

10.11 Connected third-party services

When you connect a third-party service to Atlas (Close, Stripe, GA4, etc.), the third party's privacy practices and terms apply to data on their side. We are not responsible for the practices of connected third parties.

11. International data transfers

We are based in the United States, and our infrastructure may be located in the United States or other regions. If you access our products or services from outside the U.S., your information may be transferred to, processed, and stored in the U.S. or other countries that may have different data protection laws than your country. Where required, we use appropriate safeguards (including Standard Contractual Clauses) for transfers of personal data from the EU, UK, or EEA.

12. Children

Our websites, products, and services are not directed to children under 18, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please email welcome@omdgrowth.com and we'll delete it.

13. Third-party links and services

Our websites, the SMS Program, and Atlas may link to or integrate with third-party services. We are not responsible for the privacy practices of those third parties. Review their policies before sharing information with them.

14. Do Not Track

Our websites do not currently respond to "Do Not Track" browser signals.

15. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. For material changes, we'll make reasonable efforts to notify active users (e.g., by email or in-product notice). Continued use after changes take effect constitutes acceptance.

16. Contact us

For privacy questions, requests, or concerns:

• Email: welcome@omdgrowth.com
• Mailing: ODD Media LLC — [MAILING ADDRESS]
• Privacy contact: Omar Daoud, Founder

If you are not satisfied with our response, you may also contact your local data protection authority.

---

ODD Media LLC — operating brands include OMD Growth and Atlas ReportingOS.