book a demo

oda: privacy policy

Valid from: 16 May 2026

1. General Information

This Privacy Policy explains how Spatial Commerce Ltd (trading as "oda") collects and processes personal data through the website getoda.ai and our social media profiles. Personal data means any information relating to an identified or identifiable natural person, including name or IP address.

Data Controller:
Spatial Commerce Ltd (trading as "oda")
66 Paul Street, London EC2A 4NA, United Kingdom
Company number: 17214640
Email: privacy@getoda.ai
Spatial Commerce Ltd is registered with the Information Commissioner's Office (ICO) as a data controller under the Data Protection Act 2018.

Data Protection Officer:
Gerrit McGowan
Email: privacy@getoda.ai

Legal bases for processing (under the UK GDPR):

  • Article 6(1)(a) UK GDPR: Processing with your consent
  • Article 6(1)(b) UK GDPR: Contract performance and pre-contractual measures
  • Article 6(1)(c) UK GDPR: Compliance with legal obligations
  • Article 6(1)(f) UK GDPR: Legitimate interests (answering inquiries, website security)

In this Policy, "UK GDPR" refers to the Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.

International data transfers: Where we transfer personal data outside the United Kingdom, we rely on (i) UK adequacy regulations made by the Secretary of State (including the UK Extension to the EU–U.S. Data Privacy Framework, sometimes referred to as the "UK–US Data Bridge"); (ii) the International Data Transfer Agreement (IDTA) issued by the Information Commissioner; or (iii) the UK Addendum to the EU Standard Contractual Clauses, where no adequacy regulation applies.

Storage durations:

  • Contact form inquiries: 6–12 months after resolution
  • CRM data: Duration of relationship plus 3 years
  • Log files: Maximum 14 days
  • Google Analytics: 14 months
  • Cold outreach contact data (non-responsive): 90 days
  • Accounting and tax records: 6 years from the end of the relevant accounting period (HMRC guidance and section 386 Companies Act 2006)
  • Commercial correspondence: 6 years

Your rights as a data subject under the UK GDPR:

  • Right of access (Article 15 UK GDPR)
  • Right to rectification (Article 16 UK GDPR)
  • Right to erasure (Article 17 UK GDPR)
  • Right to restriction of processing (Article 18 UK GDPR)
  • Right to object (Article 21 UK GDPR)
  • Right to data portability (Article 20 UK GDPR)
  • Right to withdraw consent (Article 7(3) UK GDPR)

Exercise your rights by contacting: privacy@getoda.ai

Right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Helpline: 0303 123 1113
Website: ico.org.uk

No fully automated decision-making within the meaning of Article 22 UK GDPR is used as standard practice. Mandatory data fields are marked on the website; refusal to provide mandatory data may result in contract rejection or service discontinuation.

Making contact: When you contact us by email or form, we collect your name, email address, telephone number (if provided), and message content. Legal basis: Article 6(1)(f) UK GDPR (legitimate interest in responding to inquiries) or Article 6(1)(b) UK GDPR for pre-contractual enquiries. Data is deleted or anonymised 6–12 months after resolution.

Customer surveys: Periodic surveys are conducted to understand customer needs. Legal basis: legitimate interest in service improvement (Article 6(1)(f) UK GDPR). Data is deleted once survey results have been evaluated.

Direct marketing (cold outreach): We may send unsolicited business-to-business emails to corporate subscribers that may benefit from our services, using publicly available contact data (company websites, public business directories). We use the Instantly platform to deliver and manage these outreach campaigns (see Section 2). Legal basis: Article 6(1)(f) UK GDPR (legitimate interest in B2B marketing) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), which permits unsolicited marketing emails to corporate subscribers subject to the right to object. You may object at any time by replying to the email, using the unsubscribe link, or contacting privacy@getoda.ai — we will immediately cease contact and add you to our permanent suppression list. Non-responsive data is deleted within 90 days. We do not send unsolicited marketing emails to individual subscribers (sole traders, partnerships of two or three individuals, or private individuals) without prior consent.

2. Data Processing on Our Website and Tools

Cookies and similar technologies: We store or access information on your terminal equipment (cookies, similar identifiers) either on the basis of strict technical necessity or with your consent, in accordance with regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003. See our Cookie Policy for details and to manage your preferences.

Informative use of the website: When you visit our website, your browser automatically transmits the following data, which we store temporarily in log files for up to 14 days for security and stability purposes: IP address, date and time of request, time zone, page requested, HTTP status code, data volume transferred, referrer URL, browser type and version, operating system, and language settings. Legal basis: Article 6(1)(f) UK GDPR (legitimate interest in website security and functionality).

Web hosting and infrastructure (Google Cloud): Our website and core platform infrastructure are hosted on Google Cloud Platform, provided by Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland (with Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as a sub-processor where relevant). Google Cloud processes content, usage, meta, and contact data primarily within EU/EEA regions, with potential transfers to the USA. Such transfers are protected under the UK Extension to the EU–U.S. Data Privacy Framework (where Google LLC is certified) and a Data Processing Agreement under Article 28 UK GDPR is in place. Privacy policy: cloud.google.com/terms/cloud-privacy-notice

Contact form: Data submitted via the contact form (name, email address, message, and any voluntarily provided information) is stored solely for the purpose of processing and responding to your enquiry. Legal basis: Article 6(1)(f) or Article 6(1)(b) UK GDPR. Data is deleted 6–12 months after resolution; contract-related enquiries may be retained up to 3 years.

HubSpot CRM: We use HubSpot CRM for customer relationship management. Provider: HubSpot, Inc., 25 First Street, Cambridge, MA 02141, USA. Data processed: contact data (name, email, company), usage data, content data (inquiry details), meta data (device, IP). Processing takes place on EU servers. Transfers to the USA, where applicable, are protected under the UK Extension to the EU–U.S. Data Privacy Framework (where HubSpot is certified) and a Data Processing Agreement under Article 28 UK GDPR is in place. Retention: duration of relationship plus 3 years. Privacy policy: legal.hubspot.com/privacy-policy

Instantly (email outreach platform): We use Instantly to send and manage B2B cold outreach email campaigns. Provider: Instantly.ai (Bizfy Solutions LLC), 1209 Mountain Road Pl NE, Suite N, Albuquerque, NM 87110, USA. Data processed: business contact data (name, business email address, company, job title), email engagement metrics (opens, clicks, replies), and suppression list data. Legal basis: Article 6(1)(f) UK GDPR (legitimate interest in B2B marketing). Transfers to the USA are protected under the UK Extension to the EU–U.S. Data Privacy Framework where applicable, and otherwise under the UK Addendum to the EU Standard Contractual Clauses. A Data Processing Agreement under Article 28 UK GDPR is in place. Retention: non-responsive contacts are deleted within 90 days; suppression list data is retained indefinitely to honour opt-out requests. Privacy policy: instantly.ai/privacy-policy

Google Analytics 4: With your consent, we use Google Analytics 4 (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to understand how visitors interact with our website. Data collected: pages visited, time spent, interactions, device type, browser, and anonymised IP address. IP anonymisation is activated — IP addresses are shortened within the EU/EEA/UK before any transmission to the USA. Legal basis: Article 6(1)(a) UK GDPR and regulation 6 PECR (consent). Data is automatically deleted after 14 months.

Withdraw consent at any time via: (1) the cookie banner, (2) the Google Analytics Opt-out Add-on, or (3) privacy@getoda.ai. Transfers to the USA are protected under the UK Extension to the EU–U.S. Data Privacy Framework. Further information: policies.google.com/privacy

3. Data Processing on Social Media Platforms

We maintain organisational profiles on social media platforms for service presentation and stakeholder communication. Platform operators process user data for advertising and research purposes and may store cookies on your device. Servers may be located outside the UK. When you contact us via social media, we process your message data to respond to your enquiry. Legal basis: Article 6(1)(f) UK GDPR. Retention: typically 6–12 months after the last interaction.

LinkedIn: Operator: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn processes data for targeted advertising and analytics. We act as joint controller for certain page analytics (Page Insights). Privacy policy: linkedin.com/legal/privacy-policy | Opt-out: linkedin.com/psettings

Instagram: Operator: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Meta processes data for advertising, personalisation, and analytics. We act as joint controller for business page insights. Privacy policy: instagram.com/legal/privacy | Opt-out via Settings > Privacy and Security > Data Sharing.

Facebook: Operator: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. Meta processes data for advertising, personalisation, and analytics. Meta bears primary responsibility for Page Insights data and handles data subject rights requests relating to that processing. Privacy policy: facebook.com/privacy/policy | Opt-out via Settings & Privacy > Ads > Ad Preferences.

4. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. The current version is always available on this page. The "Valid from" date at the top indicates the last revision. We will notify you of material changes via a prominent notice on the website prior to the changes taking effect. We encourage you to review this policy periodically.

5. 3D Scene Content & Personal Data

oda creates interactive 3D scenes of physical spaces using photogrammetry and Gaussian Splat technology. During the capture process, incidental personal data may be recorded — for example, vehicle licence plates, individuals present in the space, or other identifying information visible in the environment at the time of capture.

Legal basis: Article 6(1)(f) UK GDPR — legitimate interest in providing accurate spatial representations of our clients' spaces. We have carried out a balancing exercise weighing this legitimate interest against the rights and freedoms of data subjects, and we apply technical and organisational measures (including capture protocols and the response process below) to minimise privacy impact.

Your right to request restriction or erasure: If you believe your personal data has been incidentally captured in one of our 3D scenes, you have the right to request restriction of processing (Article 18 UK GDPR) or erasure (Article 17 UK GDPR). To submit a request, contact privacy@getoda.ai with a description of the scene and the nature of the data concerned.

How we handle requests: Upon receiving a valid request, we will take the affected scene offline while we assess and address the concern. We aim to respond to all requests within 30 days, in line with Article 12(3) UK GDPR. Please note that due to the technical nature of Gaussian Splat rendering, permanent automated redaction of specific elements within a scene is not currently possible. Where erasure cannot be achieved by technical means, we will assess whether the scene can remain published, must be restricted, or must be permanently removed, on a case-by-case basis.

Retention: 3D scene data is retained for the duration of the client contract. Scenes are unpublished upon contract termination.

6. Questions and Comments

If you have any questions or comments about this Privacy Policy, or wish to exercise your rights under the UK GDPR, please contact:

Spatial Commerce Ltd (trading as "oda")
Data Protection Officer: Gerrit McGowan
66 Paul Street, London EC2A 4NA, United Kingdom
Email: privacy@getoda.ai