Skip to content
Legal

Privacy Policy

How NNi Solutions collects, uses, and protects personal data when you visit oden.cam or use the Oden C.A.M service.

Last updated:

1. Data controller

NNi Solutions is the data controller for personal data processed within the Oden C.A.M service and the oden.cam website.

For data-protection matters, contact: dpo@oden.cam or by post to NNi Solutions, Sweden.

2. Personal data we process

We process the following categories of personal data:

2.1 Customer and account data

  • Name, email address, phone number.
  • Company name, registration number, billing address.
  • Customer's contact person.
  • Login credentials (passwords are stored only in hashed form).

2.2 Usage data

  • IP addresses, browser, and device type for security and troubleshooting purposes.
  • Logs of activity in the Oden control panel.
  • Website analytics (anonymised where technically possible).

2.3 Content within the Customer's WordPress installation

We have technical access to content and personal data residing in the Customer's own WordPress installation solely for the purpose of delivering the Service. This is done on the Customer's instruction under the data-processing agreement (DPA) included with the customer contract.

3. Purposes and legal basis

PurposeLegal basis (GDPR art. 6)
Delivering the Service under contractPerformance of contract (art. 6.1.b)
Invoicing and bookkeepingLegal obligation (art. 6.1.c)
Security monitoring and incident handlingLegitimate interest (art. 6.1.f)
Troubleshooting and supportPerformance of contract (art. 6.1.b)
Marketing to existing customers (newsletters)Legitimate interest, with the option to unsubscribe
Web analytics (anonymised)Legitimate interest (art. 6.1.f)

4. Recipients and sub-processors

We share personal data with the following categories of recipients, always under written agreements that ensure protection equivalent to the GDPR:

  • Operation of the Oden control panel: Google Cloud Run + Firestore, region europe-north1 (Finland).
  • Hosting for customers on the WEBBELi add-on: Fast servers in Sweden (NNi Solutions). Customers who keep their existing hosting are not affected by this.
  • Payment providers: Stripe (card payments), Klarna (for consumers where available).
  • Email: Mailgun (transactional emails, e.g. order confirmations).
  • Bookkeeping and audit: Authorised audit firms in Sweden.

We do not engage any sub-processors based in the United States. Schrems II concerns therefore do not affect us.

5. Retention period

  • Account and contract data: Throughout the contract term plus 7 years thereafter (Swedish Bookkeeping Act).
  • Logs: 90 days for security purposes, then deleted.
  • Backups: Rolling retention for 30 days.
  • Marketing data: Until you unsubscribe from newsletters.
  • Inbound enquiries (contact form, email): Maximum 24 months.

6. Security

We apply industry-standard information security measures, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Two-factor authentication (2FA) for every NNi Solutions employee with access to customer data.
  • Logging and monitoring of access to sensitive systems.
  • Regular security reviews and penetration tests.
  • Written confidentiality agreements with all employees and sub-processors.

7. Your rights

Under the GDPR you have the following rights regarding your personal data:

  • Access (art. 15): The right to information about which data we process and a copy of it.
  • Rectification (art. 16): The right to have incorrect data corrected.
  • Erasure (art. 17): The right, in certain cases, to have your data deleted.
  • Restriction (art. 18): The right to have processing restricted in certain situations.
  • Data portability (art. 20): The right to receive your data in a structured, machine-readable format.
  • Objection (art. 21): The right to object to processing based on legitimate interest.
  • Withdraw consent: Where processing is based on consent, you can withdraw it at any time.

Send requests to dpo@oden.cam. We normally respond within 30 days.

8. Cookies

The oden.cam website uses a limited set of cookies. Detailed information is in our cookie policy.

9. Complaints

If you believe that we process your personal data in breach of the GDPR, you have the right to file a complaint with the Swedish Authority for Privacy Protection (IMY):

IMY, Box 8114, 104 20 Stockholm, Sweden
Phone: +46 8-657 61 00
Website: imy.se

10. Changes to this policy

We may update this privacy policy. The latest version is always available at oden.cam/en/privacy. We will notify existing customers by email of any material changes.

GDPR

GDPR — how we handle your data.

We built Oden C.A.M around data minimization, EU hosting, and full transparency — not as an afterthought.

01

Where your data lives

All Oden data (control panel, logs, backups) is stored in Cloud Run and Firestore in the Finland region (europe-north1). Your WordPress sites run on whichever hosting you choose — if you want to move to us, we offer WEBBELi as an add-on (Scandinavian servers in Sweden). Backups are AES-256 encrypted and stay inside the EU. We use no subprocessors in the US or other non-EU/EEA countries — which means Schrems II concerns simply don't apply.

02

What data we process

Only what's needed to run your WordPress: your sites' URLs, plugin and theme versions, update history, and cryptographic keys. We never touch your visitors' data — there's no tracking pixel and no ads module.

  • Site metadata (URL, version, status)
  • Operations logs (security events, updates)
  • Backup archives (encrypted, 30 days)
  • Operator identity (your email, for support)
03

How it's protected

The connection between your WordPress and Oden goes via the WEBBELi worker plugin we install on your site — TLS 1.3 with Ed25519 keys. Stored secrets are envelope-encrypted (Cloud KMS). Audit logs are write-only and kept for 12 months.

04

Your rights

You can request access to, correction of, or deletion of your data. Email hello@oden.cam and we'll respond within 30 days (usually within 48 hours). At termination, all customer data is permanently erased within 60 days — except what we must retain under Swedish bookkeeping law (7 years).

05

Data incidents

If we confirm an incident affecting your personal data, we'll contact you within 72 hours with an initial report, in parallel with our notification to IMY (the Swedish DPA). The report covers what happened, what was affected, and what mitigations we're applying.

06

Data Processing Agreement (DPA)

A standard DPA is automatically included — no separate paperwork. It stipulates EU hosting, sub-processors (list available on request), and Swedish law as the applicable jurisdiction. Larger procurements can sign an extended agreement: hello@oden.cam.

Controller: NNi Solutions, Sweden. Questions? hello@oden.cam
Service

Get Oden C.A.M