Privacy Center

Privacy Policy.

Nummary Analytics S.L. ("we", "us", "our"), operating under the brand CompanyProspect, explains here how we collect, use, share and protect personal data — for our customers, our website visitors, and the business contacts that appear in our B2B database.

Last updated: 28 April 2026 Version: 1.0

Website visitors

Anyone who visits this website.

Customers

Businesses and professionals who use CompanyProspect.

Business contacts

Individuals whose publicly available professional info is in our B2B database.

01Who we are

We operate the CompanyProspect service, which provides curated business data sourced from publicly available registries and directories.

Nummary Analytics S.L. (the "data controller")
Registered office: Calle Madrigal 5, 28035, Madrid, Spain
EU VAT ID: ESB16459307
BORME: Registered with the Registro Mercantil de Madrid
30/04/2024 T 46693, F 180, S 8, H M 819603, I/A 1.

We are the data controller responsible for your personal data within the meaning of Art. 4(7) GDPR and Art. 4 LOPDGDD (Spanish data protection law). The company CEO serves as the privacy contact for all enquiries. We have not appointed a Data Protection Officer (DPO), as one is not mandatory under Art. 37 GDPR for an organization of our size.

Privacy contact

Email: privacy@companyprospect.com
Postal: Calle Madrigal 5, 28035, Madrid, Spain

02Data we collect and how we source it

Terminology clarifications. "Personal data" is any information that identifies a person — a name, an email address, a phone number. Business contact details (like a work email or a job title) are considered personal data under Art. 4(1) GDPR, even when they relate to someone's job rather than their private life. We use the term throughout this Policy. If you're in the US, your state law may call this "personal information" — see §13.

2.1 Data about our customers

Category	Examples	Legal basis
Account data	Name, email, company name, billing address.	Contract performance.
Payment data	Card last-4, billing address (processed by our payment provider — we never store full card numbers).	Contract performance.
Communications	Support emails, chat logs.	Legitimate interest (customer support).

2.2 Data about website visitors

Category	Examples	Legal basis
Technical data	IP address, browser type, device, referring URL.	Legitimate interest (security, analytics).
Cookie data	Session identifiers, analytics cookies.	Consent (where required) or legitimate interest.

2.3 Business contact data (our B2B database)

CompanyProspect aggregates and enriches information about small and medium-sized enterprises ("SMEs") exclusively from publicly available sources and licensed commercial APIs, including:

Official company registries — including USA Secretary of State filings (50 states, United States of America), BORME / Registro Mercantil (Spain), INSEE (France), Receita Federal — CNPJ open data (Brazil), Servicio de Impuestos Internos — SII (Chile), SUNARP (Peru). These sources will be expanded in the future, and this Policy updated accordingly. Company Registry information may include publicly available names of the business owner/director, shareholders or agents involved in the company filing.
Public business directories and websites — including Google Maps / Google Business Profile (accessed via licensed commercial APIs) as well as information publicly disclosed by the Company across their owned websites and social profiles. Company information might include corporate contact details (phone numbers, email addresses), as well as names and roles of their employees.
Email discovery and email verification providers — independent third-party providers specializing in corporate email pattern-discovery and deliverability verification, established in the EU/EEA or the United Kingdom and contractually authorized to permit our use of their outputs. These providers act as independent controllers under their own privacy policies. Specific provider identities are available on request to privacy@companyprospect.com.

Collected vs. generated email addresses. Some corporate-domain email addresses in our database are collected — i.e., found published by the business itself on its website, Google Business Profile, or official registry filing. Other addresses are generated — i.e., constructed by applying a known organizational email pattern (e.g., firstname.lastname@company.com) to a registry-sourced personal name, and then validated for deliverability. Generated addresses receive a confidence score and are only included in our database when they meet a minimum quality threshold. We disclose the source category to customers, who are contractually required to include the source disclosure in their first outreach (see §5).

The data elements we may process include: company name, registration number, registered address, date of incorporation, sector/activity industry codes, owner or director name, publicly listed or pattern-matched business email, publicly listed business phone number, and business location.

What we do NOT do

We do not purchase bulk personal-data lists from consumer-facing data brokers. Our commercial inputs are limited to (a) registry data (often free, sometimes for a fee paid to the official registry); (b) commercial APIs that aggregate publicly listed business directory data; (c) public company directory profiles and websites; and (d) professional email discovery and email verification services, with resell permission.
We do not scrape private or login-protected accounts.
We do not collect data about individuals acting in a purely personal or consumer capacity.
We do not collect sensitive personal data (health, religion, political opinions, ethnicity, sexual orientation, trade union membership, biometric or genetic data), and all categories detailed in Art. 9(1) GDPR special-category list.
We do not collect or process data of children under 16.
We do not pattern-match or generate email addresses on free / consumer email providers (Gmail, Yahoo, Hotmail, Outlook.com, etc.). Pattern-matching is applied only to corporate-domain addresses (e.g. firstname.lastname@company.com). Where a business has itself published a free-provider address as its business contact (for example, a small business that lists localbusiness@gmail.com as the contact email on its Google Business Profile, official website, or registry filing), we may include that address in our database as a collected business contact under the same terms as any other publicly listed business email. We do not enrich purely personal email addresses that are not associated with a business.
We do not subject individuals to decisions based solely on automated processing that produce legal or similarly significant effects on them within the meaning of Art. 22 GDPR. Our systems do apply automated quality filters to corporate-domain email addresses (e.g. confidence scoring of pattern-matched emails), but these affect only whether a business contact is included in our database — and do not produce legal or similarly significant effects on the individual.

03Legal bases for processing

3.1 For customers

Purpose	Legal basis
Deliver and manage the service	Contract performance (Art. 6(1)(b) GDPR)
Billing and invoicing	Contract performance
Product improvement and analytics	Legitimate interest (Art. 6(1)(f) GDPR)
Marketing communications	Consent (Art. 6(1)(a) GDPR), withdrawable at any time
Tax and regulatory compliance	Legal obligation (Art. 6(1)(c) GDPR)

3.2 For business contacts in our database

We process publicly available business contact data under legitimate interest (or its local-law equivalent), as recognized in each jurisdiction where we operate:

Jurisdiction	Legal basis	Specific provision
EU / EEA	Legitimate interest of the controller	Art. 6(1)(f) GDPR, read with Recital 47 (a controller's legitimate interests may include direct marketing and the maintenance of business relationships, subject to a balancing test against data subject rights and freedoms).
Spain	Processing of professional contact data of legal entities and of sole traders / liberal professionals acting in their professional capacity	Art. 19 Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD), which expressly permits processing of the contact data of natural persons providing services on behalf of a legal entity, where limited to the data strictly necessary to locate them professionally and used solely to maintain a relationship of any kind with the entity they represent.
Brazil	Interesse legítimo of the controller	Art. 7, IX of Lei nº 13.709/2018 (LGPD), subject to the balancing and minimization requirements of Art. 10 LGPD; processing is limited to data strictly necessary for the legitimate purpose and supported by the reasonable expectations of the data subject (data drawn from official registries and from information disclosed by the business itself).
Peru	Personal data obtained from publicly accessible sources	Art. 14.5 of Ley nº 29733, Ley de Protección de Datos Personales, and Art. 2.9 / Art. 17 of its Reglamento (Decreto Supremo nº 003-2013-JUS), which exempt from prior consent the processing of personal data contained in publicly accessible sources — including official public registries, professional directories, and information made public by the data subject in a professional capacity — provided the processing respects the purpose for which the source was made public.
Chile	Data from publicly accessible sources (current law); legitimate interest (forthcoming law)	Art. 4 of Ley nº 19.628 sobre Protección de la Vida Privada permits processing without consent of personal data sourced from fuentes accesibles al público, and Art. 20 permits processing of data relating to commercial, industrial or professional activity. From the entry into force of Ley nº 21.719 (on or about December 2026), processing will additionally rely on the newly introduced interés legítimo basis (Art. 13, letter f), which is materially aligned with Art. 6(1)(f) GDPR.

A Legitimate Interest Assessment (LIA) concluded that our processing is proportionate, considering:

The data is sourced from official public registries or has been published by the data subjects themselves in a professional/business context.
We process only business contact data, not private or consumer data.
Our processing serves the legitimate commercial purpose of enabling B2B engagement, which is a recognized lawful interest under Recital 47 GDPR.
Data subjects retain the right to object at any time, and we honor objections promptly via our suppression list (see §9).

A summary of our LIA is available on request to privacy@companyprospect.com. The full assessment will be made available to supervisory authorities on request.

3.3 For website visitors

Purpose	Legal basis
Strictly necessary cookies (site functionality)	Legitimate interest
Analytics and performance	Consent (where applicable)
Security and fraud prevention	Legitimate interest

04How we use your data

For customers

To provide, maintain, and improve the CompanyProspect service.
To process payments and manage subscriptions.
To communicate about your account, product updates, or our services.
To provide customer support.

For business contacts

To compile and maintain an accurate B2B prospect database.
To deliver contact data to our customers for lawful B2B purposes.
To verify and refresh data accuracy through periodic re-checks against public sources.

For all

To comply with legal obligations.
To protect against fraud, abuse, and security threats.

05Data sharing and controller relationships

Business contact data is personal data (see the terminology note in §2). We disclose personal data only to the categories of recipients listed below, and only for the purposes and under the safeguards stated:

Recipient	Purpose	Safeguard
Payment processors (Stripe)	Process transactions	PCI-DSS compliant; we never store full card numbers.
Cloud infrastructure (ClickHouse, Supabase, Cloudflare, Amazon Web Services)	Host the service	EU-based where feasible; otherwise Standard Contractual Clauses (Art. 46(2)(c) GDPR).
Email discovery & verification providers (EU/EEA & UK-based; specific identities available on request to privacy@companyprospect.com)	Verify deliverability of corporate-domain emails	Independent controllers under their own privacy policies; data limited to candidate email + corporate domain.
Licensed business-directory and registry-aggregation APIs	Perform entity matching for enriching	DPAs in place; data limited to query strings and returned business records.
Our B2B customers	Deliver prospect data they have purchased	Controller-to-controller (see below) + contractual obligations re: source disclosure, suppression list, and use limitation.
Law enforcement / regulators	When legally required	Only in response to valid legal process.

"Sale" of personal data — clarification

Under GDPR and equivalent EU and LATAM laws, the provision of business contact data to our customers is a controller-to-controller disclosure lawful under Art. 6(1)(f) GDPR (and the local-law equivalents identified in §3.2). GDPR does not use the concept of "sale" — what matters is whether a valid legal basis applies and whether the data subject's rights are preserved.

Under certain US state privacy laws (notably CCPA/CPRA in California, and analogous statutes in Virginia, Colorado, Connecticut, Texas and other states), the provision of personal information to a third party in exchange for monetary or other valuable consideration may meet the statutory definition of a "sale" or "sharing". To be clear:

We do NOT sell personal data to data brokers for advertising or consumer-profiling purposes, and we do NOT engage in cross-context behavioral advertising.
We DO license business contact data to our B2B customers as our core commercial offering — and under the US state-law definitions above, this licensing may constitute a "sale" or "sharing".

US-resident data subjects may opt out of this licensing at any time; see §13.

Controller-to-controller transfer

When a customer accesses business contact data through CompanyProspect, both Nummary Analytics and the customer act as independent data controllers for that data. Each party is independently responsible for its own GDPR (and equivalent law) compliance. Our customers agree, via our Terms of Service and a separate Data Sharing Agreement, to:

Use the data only for lawful B2B purposes.
Respect data subject rights, including opt-out and rectification requests.
Include in the first commercial communication sent to each contact a disclosure identifying the source of the contact information and the right to opt out (Art. 14 GDPR / equivalents).
Apply our suppression list within 5 business days of receipt (see §9).

These obligations are mirrored in our internal compliance program.

Downstream notification & suppression-list cadence

When a business contact exercises the right to erasure or objection, we (a) remove the contact from our database, (b) add the contact to a permanent suppression list, and (c) include the contact in the next monthly suppression-list update we send to all customers who have purchased data within the previous 24 months. Customers are contractually required to apply the update within 5 business days.

06International transfers

We are based in Spain and primarily store data within the EEA. However, certain processing involves transfers outside the EEA — in particular: (a) cloud hosting that may use US-region infrastructure, (b) email verification providers established in the EU/EEA and the United Kingdom, and (c) delivery of B2B contact data to customers located outside the EEA (today: Brazil, Peru, Chile, US).

Where data is transferred outside the EEA, we ensure adequate protection through:

EU adequacy decisions where available (e.g., the UK adequacy decision for transfers to UK-based providers; EU-US Data Privacy Framework where the US recipient is certified).
Standard Contractual Clauses (SCCs) approved by the European Commission (Art. 46(2)(c) GDPR). For LATAM jurisdictions: ANPD-approved standard contractual clauses for Brazil (Resolução CD/ANPD nº 19/2024); and applicable contractual safeguards under Chilean (Ley 19.628 / forthcoming Ley 21.719) and Peruvian (Ley 29733) law.
Supplementary measures per EDPB 01/2020 (encryption in transit and at rest, access controls, transfer-impact assessment where applicable).
For controller-to-controller transfers to customers outside the EEA, an executed Data Sharing Agreement that incorporates the relevant SCCs as part of the customer contract.

A copy of the SCCs or an executed transfer agreement is available on request to privacy@companyprospect.com.

07Data retention

Data type	Retention period
Customer account data	Duration of the contract + 6 years per Spanish Código de Comercio Art. 30.
Business contact data	Removed upon valid objection, or if not refreshed against a public source for 24 consecutive months.
Generated email addresses (pattern-matched)	Removed within 30 days of detected non-deliverability, or upon objection.
Payment records	6 years per Código de Comercio Art. 30, which also observes Spanish Ley General Tributaria (Art. 66) 4-year statute for tax assessment.
Server and access logs	90 days.
Support conversations	2 years after account closure.
Suppression / opt-out list	Maintained indefinitely (minimum data — name and/or email hash) to ensure objections remain honoured.

When data is no longer needed, it is securely deleted or irreversibly anonymized.

08Your rights

Under GDPR and applicable data protection laws, you have the right to:

Access your personal data.
Rectify inaccurate or incomplete data.
Erase your data ("right to be forgotten"), subject to legal retention obligations.
Restrict processing in certain circumstances.
Object to processing based on legitimate interest — we will cease processing unless we demonstrate compelling legitimate grounds.
Data portability — receive your data in a structured, machine-readable format.
Withdraw consent at any time (where processing is consent-based), without affecting the lawfulness of prior processing.

For business contacts in our database

If your professional contact information appears in the CompanyProspect database, you have additional specific options:

Object / opt out: Request removal of your data from our database at any time. We will process your request within 30 days and add you to our permanent suppression list to prevent re-collection.
Access and rectify: Request a copy of the data we hold about you, or ask us to correct inaccuracies.
Source disclosure (Art. 14(2)(f) GDPR): Ask us to identify the specific public source from which your data was obtained (e.g., "BORME entry filed on 2024-01-01") and, where applicable, whether the email address was collected from a public listing or generated by pattern-matching.
Downstream notification: Where your data has been shared with our customers, you may request that we notify those customers of your erasure or rectification request. We make reasonable efforts to do so via our monthly suppression-list update.

How to exercise your rights

Email: privacy@companyprospect.com
Opt-out page: https://companyprospect.com/optout

We respond to all requests within 30 days. If we need an extension (complex or multiple requests), we will inform you within that period and the extension may be up to a further 60 days (Art. 12(3) GDPR).

If you are unsatisfied with our response, you may lodge a complaint with your local supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD) — www.aepd.es. For other jurisdictions: France (CNIL), Brazil (ANPD), Peru (ANPDP), Chile (APDP), or your local DPA.

09Suppression list

We maintain a suppression list containing the minimum data necessary (typically name and/or a hash of the email address) to ensure that individuals who have opted out remain excluded from our database. This list is used solely for opt-out enforcement and is not shared with customers.

10Cookies and tracking

Our website uses:

Strictly necessary cookies — required for the site to function (no consent needed).
Analytics cookies — to understand usage patterns (consent required where applicable). The only service used at the moment is Google Analytics (GA4).

We do not use third-party advertising trackers. We do not engage in cross-site tracking. A detailed cookie list is available in our cookie banner settings and on a dedicated page: companyprospect.com/cookie-policy.

11Security

We implement appropriate technical and organizational measures to protect personal data, including:

Encryption in transit (TLS 1.2+) and at rest.
Role-based access controls and least-privilege principles.
Regular security reviews and vulnerability assessments.
Incident response procedures with breach notification within 72 hours as required by GDPR Art. 33. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay (GDPR Art. 34).

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

12Children

Our service is directed at businesses and business professionals, and not directed at minors. We do not knowingly collect data from individuals under 16 years of age (under Spanish law Art. 8 LOPDGDD, the digital-consent age is 14). If we become aware that we have collected data from a child, we will delete it promptly.

13USA state privacy rights

If you are a resident of any of the following US states with comprehensive privacy legislation — California, Connecticut, Colorado, Delaware, Indiana, Iowa, Minnesota, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Virginia — you may have additional rights, including:

Right to know what personal information we collect and how it is used.
Right to delete your personal information.
Right to non-discrimination for exercising your privacy rights.
Right to opt out of the "sale" or "sharing" of personal information — the provision of B2B contact data to customers may constitute a "sale" under certain state definitions. You may opt out at any time at companyprospect.com/optout.

We honor Global Privacy Control (GPC) signals as a valid opt-out request where required by applicable state law. To exercise these rights, contact privacy@companyprospect.com or use our opt-out page.

We do not collect "sensitive personal information" as defined under California Civil Code §1798.140(ae).

14Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website at least 30 days before taking effect. The "Last updated" date at the top reflects the most recent revision. The versioned history of all changes can be consulted in the changelog below.

For Business Contacts in our database whom we cannot reach by email, material changes will be reflected on this page; data subjects who have requested erasure or opt-out will not be re-contacted.

+Changelog

Versioned history of every revision to this Privacy Policy. The most recent entry applies. Older versions are kept for audit purposes and are available on request to privacy@companyprospect.com.

v1.0 28 April 2026 Initial publication

First public version of the CompanyProspect privacy policy.

Identifies Nummary Analytics S.L. as the data controller and provides contact details.