SME-Squared Ltd t/a Odinnu  |  Last updated: March 2026

1. Who We Are

This Privacy Policy explains how SME-Squared Ltd, trading as Odinnu, collects, uses, and protects your personal data when you visit odinnu.com or engage with our services.

We are the data controller for personal data collected through this website and in connection with our services. As a UK-based business, we are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

We may collect and process the following categories of personal data:

2.1 Information you provide directly

• Name, email address, telephone number, and job title — when you complete our contact form or reach out to us directly
• Details of your business, including its size, sector, and current challenges — when you engage with our services
• Responses to any diagnostic or assessment tools on our website (see Section 3 below)
• Any other information you voluntarily share in correspondence with us

2.2 Information collected automatically

• IP address and browser type
• Pages visited, time spent on site, and referring URLs
• Cookie data and analytics identifiers (see Section 9 — Cookies)

2.3 Information from third parties

• Publicly available professional information, such as LinkedIn profiles, where relevant to a business enquiry

2.4 Special Category Data

We do not collect or process any special category data (such as health data, racial or ethnic origin, political opinions, or biometric data) as part of our services.

Our website includes an interactive diagnostic tool (‘How Are You?’) which invites managing directors to reflect on areas such as cognitive load and emotional pressure. This tool is purely front-end and interactive — no responses are transmitted to, recorded by, or stored on our servers or any third-party platform. No personal data is collected through this tool.

3. How We Use Your Data

We use your personal data only for the purposes described below, and only where we have a valid legal basis under UK GDPR. Where we rely on legitimate interests, we have carried out a legitimate interests assessment (LIA) and are satisfied that our interests are not overridden by your rights and freedoms.

4. How We Share Your Data

We do not sell, rent, or trade your personal data. We may share your data only in the following limited circumstances:

• With trusted third-party service providers (e.g. website hosting, email platforms, analytics tools) who process data on our behalf and are bound by data processing agreements
• With professional advisors such as lawyers or accountants where necessary for our legitimate business operations
• With law enforcement or regulatory authorities where required by law
• In connection with a sale, merger, or restructuring of our business — you would be notified in advance

Any third parties we share data with are required to handle it securely and in accordance with UK GDPR. We will update Section 5 when we add or change sub-processors, and will notify affected individuals where required by law.

5. Third-Party Data Processors

We use a small number of carefully selected third-party platforms to operate our business. These companies act as data processors on our behalf — meaning they process personal data only on our instructions and are contractually bound to protect it.

You can review HubSpot’s privacy and data processing commitments at: https://legal.hubspot.com/privacy-policy

We have entered into a Data Processing Agreement (DPA) with HubSpot as required by UK GDPR Article 28. If you would like confirmation of this or details of any other DPA, please contact us.

6. HubSpot CRM & Contact Tracking

We use HubSpot as our customer relationship management (CRM) platform. This section explains in more detail how your data is handled through HubSpot.

6.1 What HubSpot collects on our behalf

• Contact details you submit via our website forms (name, email, phone, company, message)
• Pages you visit on odinnu.com and how long you spend on them — once you have submitted a form or are a known contact
• Email open and click data — if you receive emails from us via HubSpot
• IP address and browser/device information associated with your contact record

6.2 Behavioural tracking and profiling

HubSpot performs behavioural tracking and contact-level profiling on our behalf. This includes recording your interactions with our website and emails, and associating that behaviour with your contact record. HubSpot may also use this data to calculate engagement scores or suggest contact prioritisation.

This tracking does not constitute automated decision-making that produces legal or similarly significant effects on you, and we do not use HubSpot’s lead scoring in a way that determines whether we engage with you. We rely on legitimate interests (Art. 6(1)(f)) as the lawful basis for this tracking, having satisfied ourselves that this does not override your rights.

6.3 HubSpot tracking cookies

HubSpot places its own tracking cookies (including ‘__hstc’ and related cookies) on your device when you visit our website. This allows HubSpot to identify returning visitors and, if you subsequently submit a form, associate your browsing history with your contact record. This constitutes a form of behavioural tracking.

You can prevent this tracking by declining marketing cookies via our cookie consent banner, or by adjusting your browser settings. Please note this will not affect any data already recorded.

6.4 Opting out of HubSpot communications

Every marketing email sent via HubSpot includes an unsubscribe link. You may also contact us directly at richard@odinnu.com to be removed from all HubSpot communications and to request deletion of your contact record.

7. International Transfers

Your personal data may be processed outside the United Kingdom by the third-party processors we use. We ensure appropriate safeguards are in place for all such transfers in compliance with UK GDPR Chapter V:

• HubSpot, Inc. (USA) — transfers are covered by the UK-US Data Bridge (where applicable) and, as a fallback, by Standard Contractual Clauses under the UK International Data Transfer Agreement (IDTA)
• Website hosting provider (India) — our hosting provider stores website files and static content only. All contact form data is captured directly by HubSpot and does not pass through or reside on the hosting server. No personal data of visitors is therefore transferred to India in the ordinary course of operating this website
• Google Analytics (USA) — similarly relies on the UK-US Data Bridge and SCCs
• Meta Platforms, Inc. (USA) — Meta Pixel data transfers are covered by the UK-US Data Bridge and SCCs. You can review Meta’s data policy at https://www.facebook.com/privacy/policy/
• Reddit, Inc. (USA) — Reddit Pixel data transfers are covered by the UK-US Data Bridge and SCCs. You can review Reddit’s privacy policy at https://www.reddit.com/policies/privacy-policy
• Google LLC (USA) — Google Ads conversion tracking and remarketing data transfers are covered by the UK-US Data Bridge and SCCs. Google Analytics and Google Ads may share infrastructure. You can review Google’s privacy policy at https://policies.google.com/privacy

For any other international transfers, we apply adequacy decisions or appropriate contractual safeguards as required by UK GDPR. For more information on any specific transfer mechanism, please contact us.

8. How Long We Keep Your Data

We retain personal data only for as long as necessary for the purposes for which it was collected, taking into account legal, regulatory, and business requirements.

When data is no longer required, we delete or anonymise it securely.

9. Cookies

Our website uses cookies to improve your browsing experience and help us understand how our site is used. Cookies are small text files placed on your device.

9.1 Types of cookies we use

• Functional cookies — strictly necessary for the website to operate correctly
• Preference cookies — remember your settings and choices
• Analytics cookies — collect statistical data about how visitors use our site (e.g. Google Analytics)
• Marketing cookies — used to deliver relevant content and track campaign performance, including HubSpot tracking cookies, Meta Pixel cookies (Facebook/Instagram advertising), Reddit Pixel cookies, and Google Ads cookies. These allow us to measure the effectiveness of our advertising and, where you have consented, to show relevant Odinnu adverts on Meta, Reddit, and Google platforms (including Search, Display, and YouTube)

You can manage your cookie preferences at any time via the cookie consent banner on our website, or through your browser settings. Disabling certain cookies may affect the functionality of the site.

For more detail on the specific cookies placed on your device, including HubSpot cookies, please refer to our cookie consent management tool.

10. Electronic Marketing and PECR

Where we send marketing emails or other electronic communications, we do so in compliance with both UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR).

For B2B contacts, PECR permits us to send marketing emails to business email addresses where the recipient has not previously objected, and where the communication is relevant to their role and business. In all cases, we will:

• Identify ourselves clearly in all marketing communications
• Include a clear and easy way to opt out in every message
• Honour opt-out requests promptly and without charge
• Not send marketing to anyone who has previously objected or unsubscribed

Where we rely on consent for electronic marketing (for example, for individuals or where required by PECR), you may withdraw that consent at any time by clicking the unsubscribe link in any email or by contacting us at richard@odinnu.com.

11. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exceptions under law.

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — ask us to correct inaccurate or incomplete data
• Right to erasure — request deletion of your data where there is no compelling reason for us to continue processing it
• Right to restrict processing — ask us to limit how we use your data in certain circumstances
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests or direct marketing
• Right to withdraw consent — where processing is based on consent (including explicit consent for special category data), you may withdraw it at any time without affecting the lawfulness of prior processing
• Rights related to automated decision-making — we do not use automated decision-making or profiling that produces legal or similarly significant effects on you

To exercise any of these rights, please contact us using the details in Section 1. We will respond within one calendar month. There is no charge for exercising your rights, unless requests are manifestly unfounded or excessive.

12. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These measures include:

• Encrypted transmission of data via HTTPS
• Access controls limiting who can view personal data
• Data processing agreements with all third-party processors
• Regular review of our data handling practices

While we take reasonable precautions, no method of transmission over the internet is entirely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach and, where required, inform you directly.

13. Children’s Privacy

Our website and services are directed exclusively at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will delete it promptly.

14. Links to Other Websites

Our website may contain links to third-party websites, including LinkedIn and other platforms. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently. This Privacy Policy applies only to odinnu.com and our services.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or legal requirements. When we make material changes, we will update the ‘Last updated’ date at the top of this page. Where changes are significant, we may also notify you directly (for example, by email where we hold your contact details). We encourage you to review this policy periodically.

16. How to Complain

If you have concerns about how we handle your personal data, please contact us in the first instance at richard@odinnu.com. We will endeavour to resolve your concern promptly and fairly.

If you remain dissatisfied, you have the right to lodge a complaint with the UK’s data protection regulator: