GDPR
Last updated 17 July 2026
This is the structure our compliance analysis requires, written out so the gaps are visible. The binding text is a legal deliverable: it must be written by counsel and translated professionally, not by us.
The short version
We hold business contact details of people who did not give them to us. That is lawful, and it is only lawful if we do several specific things properly. This page is what we do, stated plainly enough to be held to.
If you only want one thing from this page: ask us to delete your details. No account, no explanation, permanent.
We are a controller, and we say so
For the business contact data in our database we act as a controller, not a processor. Our competitors' agreements tend to say the customer is the controller and the vendor a mere processor. A processor does not go out and source the data; we do, so we are not one. Calling ourselves a processor would be more comfortable and less true.
Why we did not e-mail you
Art. 14 would normally require us to tell you we hold your data. We rely on the exemption at Art. 14(5)(b) — doing it for every person in the database is disproportionate effort.
That exemption obliges us to take appropriate measures instead, including making the information publicly available. The privacy notice and the opt-out page are those measures. They are not decoration; they are the entirety of our Art. 14 posture, and they are on every public page for that reason.
Where the data lives
All primary data storage is in the EU: our database runs in Supabase's EU region and our application in Vercel's Frankfurt (fra1) region. The form on this website is handled by a function pinned to the same region.
Where a sub-processor transfers data outside the EU, that transfer is covered by Standard Contractual Clauses.
Where we use a language model, inference runs on OVH AI Endpoints, in the EU. Contact details are never sent to it — only job advertisement text is. That is a substantive reason to prefer an EU model host, independent of cost.
Our sub-processors
Named, publicly, and kept current. Our product uses Vercel (hosting), Supabase (database), Stripe (payments), Resend (e-mail), OVH AI Endpoints (inference), PostHog (product analytics) and Sentry (error tracking), together with the contact-data vendors named on each individual record.
This website uses fewer: Vercel to host it, Plausible for analytics, Zeeg for the demo scheduler, and Resend to deliver the form to us.
There is no cookie banner because there are no cookies
Plausible is cookieless. It sets nothing on your device, does not follow you to other websites, and does not build a profile of you. It counts page views and button presses in aggregate. A consent banner would be asking your permission for something we are not doing.
Retention
A contact record revealed to a customer is retained for 180 days from the date we retrieved it, then the e-mail address, phone number and LinkedIn URL are redacted from every account holding them — including accounts that paid to see them.
We do not keep revealed contact details indefinitely. A five-year window is exactly what the French regulator fined a competitor for.
For customers: the DPA
We enter into a data processing agreement with every customer, and it states our position rather than hiding it: we source the data, we bear the Art. 14 duty for it, and we indemnify you against claims arising from the details we supplied. Ask us for the current version.
Complaining
You can complain to your national supervisory authority. You do not have to come to us first, though we would rather you did, because we can fix it faster.