How Fullinfo handles personal data — written in plain language. This policy covers visitors to fullinfo.com and users of the Fullinfo product. Part I applies to everyone. Part II applies to US residents specifically.
In short, we:
The general policy under GDPR and similar laws. This section covers what we collect on the website, what's in the Fullinfo product database, and how you exercise your rights.
Fullinfo B.V. (“Fullinfo”, “we”, “us”, or “our”) operates a business intelligence platform. With new public information coming online every day, we constantly process data — some of which qualifies as personal data under the EU General Data Protection Regulation (GDPR) and US state laws including the California Consumer Privacy Act (CCPA).
We designed our technology with privacy in mind from the start. That includes internal privacy and security policies, confidentiality obligations on our team, transparency about how we operate, and prompt handling of data subject rights.
This document has two parts. Part I describes our general practice and applies to everyone. Part II contains additional disclosures specifically for residents of US states with consumer privacy laws (such as California). If there is any conflict between the two parts, the provision that better protects your privacy applies.
When a Fullinfo customer runs a search through the platform, we process personal data on their behalf. In that moment, the customer is the data controller — they decide what data they want and what they will use it for — and Fullinfo is the data processor, acting on their instructions.
As controller, our customer is responsible for, among other things:
After a search is completed, the relevant data is also included in Fullinfo's own database for the benefit of other customers. From that point on, Fullinfo is the controller of that data. See the next section.
Fullinfo also proactively builds its database independently of any individual customer search. We compile and combine company profiles, including publicly available contact details. Where these contain personal data, Fullinfo is the data controller.
For the database, we typically hold the following categories of personal data:
We collect this on the basis of our legitimate interest (Article 6(1)(f) GDPR) in providing our customers with current, relevant business intelligence about organisations and the professionals associated with them. We do not collect special or sensitive categories of personal data.
We have weighed this against the privacy interests of the individuals concerned and concluded that, given the public nature of the source material, the limited scope of what we collect (professional context only), and the strong opt-out mechanism described in Section 12, the balance is reasonable. A written Legitimate Interest Assessment is available on request from privacy@fullinfo.com.
If you would like to be removed from our database, see Section 12 below. The process is free, friction-free, processed within 7 business days, and permanent.
Fullinfo builds its database from publicly indexable web sources, accessed through legitimate commercial channels.
We crawl company websites directly — the same content the company has chosen to publish to the open web. This includes any business contact information the company has chosen to publish on contact pages, team pages, press releases, and similar.
For information about individuals associated with companies, we consume search snippets returned by commercial search APIs — primarily Google's. These are the same publicly visible snippets that appear in any search result page. Fullinfo participates in Google's paid commercial ecosystem and operates within the terms of that service.
We do not access professional networks via authenticated sessions, log-ins, or bypass mechanisms. We do not scrape platforms directly. We do not purchase contact lists from data brokers. We do not consume or cross-reference breach data, leaked credentials, or compromised credential databases.
We also process data from press releases, blogs, government publications, regulatory filings, and similar publicly available sources, always in accordance with the terms under which that information is published.
A note on Article 14 GDPR. Where we process personal data we did not collect directly from the individual, GDPR Article 14 ordinarily requires us to notify each individual. Given the scale at which we operate, individual notification would involve disproportionate effort within the meaning of Article 14(5)(b). We meet our notification obligation by publishing this policy and providing the prominent removal mechanism described in Section 12.
Where Fullinfo provides email addresses in the product, they have either been:
The product interface indicates how each email address was sourced and verified. Email addresses that cannot be confirmed to exist by third-party verification are not provided in the product.
Where Fullinfo provides phone numbers, they have been observed on a domain operated by the person's employer or on the individual's own publicly published material. We do not source phone numbers from data brokers, breach data, third-party contact lists, or any source other than the open web.
When you create a Fullinfo account — either directly through our signup flow or via a third-party login (Google, Microsoft, or similar) — we process the following personal data on the legal basis of performance of our agreement with you:
We store account data until you delete your account or until 2 years after your last login, whichever comes first. After 2 years of inactivity, we send a reminder email; if you do not respond, the account is deleted. Some records (such as billing records) are retained longer where required by tax or other law.
If you register or log in via a third-party identity provider (Google, Microsoft, LinkedIn, or similar), we receive the basic profile information that provider shares — typically name and email address. You can manage what information is shared through that provider's account settings.
When you submit one of our website forms (early access, demo request, market search, contact) or send us an email, we process your name, email address, company, and the content of your message in order to respond. We do not use these submissions to send marketing unless you specifically opt in.
We retain contact correspondence for as long as it is reasonably needed to resolve your enquiry, generally not longer than 2 years from our last interaction.
If you apply for a job with us, we process your name, contact details, CV, cover letter, references, and any other information you provide, for the purpose of handling your application and (where successful) preparing for an employment relationship. If you are not hired, we retain your application for up to 6 weeks after the position is filled (in case it reopens during the probationary period), unless you give us explicit consent to keep it on file for longer.
As part of the application process we may review publicly available professional profiles (e.g. LinkedIn) where relevant to the role. We will not ask for access to private profiles or send connection requests for assessment purposes. You can object to this screening at the time of application.
We use Google reCAPTCHA (or an equivalent service) on our forms to prevent automated abuse. reCAPTCHA analyses how the form is completed — including timing, mouse movements, and IP address — to distinguish humans from bots. This data is processed by Google under Google's privacy policy. Our legal basis is legitimate interest in keeping our forms secure.
Fullinfo shares your personal data with third parties only as needed to operate, and only to the extent permitted by law. We disclose personal data when:
Categories of processors we use include:
An up-to-date list of subprocessors is available on request to privacy@fullinfo.com.
We do not sell your personal data to third parties for their own marketing purposes.
We use industry-standard technical and organisational measures to protect personal data — TLS in transit, encryption at rest where applicable, access controls scoped to a small team, and confidentiality obligations on everyone with access. No system is perfectly secure, but we take it seriously.
If you come across a security issue with Fullinfo, please report it to security@fullinfo.com. We respond to responsible disclosure in good faith.
Where we have stated a specific period above, that is what applies. Otherwise:
You can ask us to delete your data sooner — see Section 11 and Section 12.
We keep cookies on this website to a minimum.
We use a small set of cookies that are required for the site to function — for example, remembering whether you have closed a banner. These do not track you across sites and do not require consent under the ePrivacy Directive.
The product application uses authentication and session cookies needed for the product to work. These are not advertising or tracking cookies.
We may use a privacy-respecting analytics tool that does not use cookies and does not identify individual visitors. If we ever switch to a cookie-based analytics tool, we will add a consent banner and update this section.
You can disable cookies in your browser settings. Note that some parts of the site or product may not work correctly without them.
If you are in the EU, UK, or another jurisdiction with GDPR-style rights, you can:
To exercise any of these rights, email privacy@fullinfo.com. We respond within 7 business days where reasonably possible, and within the 30 days GDPR requires in any case. We do not charge for this.
If you do not want your personal data in the Fullinfo product, you can have it removed. The process is deliberately friction-free.
Email privacy@fullinfo.com with a note saying you would like to be removed. Where it is not obvious from your email address, please tell us your full name and the company you are associated with, so we can find the right record.
When we remove you, we do both of the following:
Removal is permanent. Once you are on the suppression list, we do not re-index you, even if your information surfaces again in a future data refresh.
Our infrastructure is based primarily in the European Union. Some of our processors operate from or transit data through other jurisdictions, including the United States. Where this happens, transfers are protected by:
If you would like a copy of the relevant SCCs, email privacy@fullinfo.com.
The Fullinfo product and website are intended for business users and are not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact privacy@fullinfo.com and we will delete it.
We update this policy from time to time as our practices evolve. When we make a material change, we update the “last updated” date at the top, and where the change is significant we will flag it on the website or by email if you have been in active contact with us.
If you feel we have not handled your privacy enquiry properly, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisory authority in your country of residence.
For privacy-specific questions or to exercise any right under this policy, email privacy@fullinfo.com. For general questions, email hello@fullinfo.com or use the contact page.
The controller for your personal data under this policy is:
Fullinfo B.V.
Amsterdam, the Netherlands
Chamber of Commerce (KvK): 82102066
Data Protection Officer: privacy@fullinfo.com
This part adds disclosures specifically for residents of US states with consumer privacy laws — most notably the California Consumer Privacy Act (CCPA) as amended by the CPRA. Equivalent state laws (Nevada, Virginia, Colorado, etc.) may also apply by analogy. Part I above applies to you as well; this part adds to it.
If you are a resident of California (or another US state with a similar consumer privacy law) and you interact with our website or product, this section sets out the additional disclosures required by your state law.
Where Part I and Part II both apply, the provision that more strongly protects your privacy is the one we apply.
California law requires us to disclose how we respond to “Do Not Track” (DNT) signals from web browsers. Our website does not currently respond to DNT signals, because we do not engage in the kind of cross-site tracking that DNT was designed to address. If we ever introduce such tracking, we will update this section.
You can enable or disable DNT in your browser settings. Note that even with DNT disabled, we do not run third-party advertising trackers on this website.
The CCPA defines “sale” broadly — it includes selling, renting, releasing, disclosing, disseminating, making available, or otherwise communicating personal information to a third party for valuable consideration, whether or not the consideration is monetary.
Fullinfo licenses access to its business intelligence database to its customers. Whether this constitutes a “sale” under the CCPA depends on the specifics and is not entirely settled. To be safe, we treat it as a sale for CCPA purposes and offer you the right to opt out.
To opt out, email privacy@fullinfo.com. Once we receive and confirm a verifiable consumer request from you, we will stop including your personal data in our product and add you to our permanent suppression list, as described in Section 12.
If you are a California resident (and, by analogy, a resident of other US states with similar laws), you have the following rights:
To exercise any of these rights, email privacy@fullinfo.com. We respond within 45 calendar days, which we may extend by another 45 days where permitted by law and where we notify you of the extension.
To protect against fraudulent requests, we may ask you to provide enough information for us to reasonably verify that you are the person about whom we hold data, or that you are an authorised agent acting on their behalf. We use the minimum verification needed for the type of request.
The CCPA organises personal information into statutory categories. Here is how the data we collect maps onto those categories, with sources:
| CCPA Category | Examples in our case | Source |
|---|---|---|
| Identifiers (real name, alias, online identifier, IP address, email, account name, etc.) | Name, email, IP address, account identifier | From you directly (account, forms) or from publicly available web sources (database) |
| Cal. Civ. Code §1798.80(e) categories (name, address, phone, etc.) | Name, business contact details, payment information | From you directly |
| Commercial information | Records of services purchased or considered, credit usage history | From your use of our product |
| Internet or network activity information | Interaction with our website and product | Generated as you use our services |
| Professional / employment-related information | Job title, employer, professional bio | Publicly available web sources (database), or from you directly (account) |
In the preceding twelve months we have disclosed Identifiers, Cal. Civ. Code §1798.80(e) categories, Commercial information, Internet or network activity information, and Professional / employment-related information to service providers and customers for the business purposes described in Sections 6 and 7. When we disclose personal information for a business purpose, we enter a contract requiring the recipient to keep it confidential and use it only for the specified purpose.
We do not collect or process “sensitive personal information” as defined under the CPRA — we do not collect Social Security numbers, financial account login details, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of private mail or messages, genetic data, biometric identifiers, health information, or sex life / sexual orientation data.
The Fullinfo product is intended for business users. We do not knowingly collect personal information from anyone under 16. We do not sell the personal information of consumers we know are under 16, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer (if between 13 and 16) or the parent or guardian (if under 13). If you believe we hold personal information about someone under 16, please contact privacy@fullinfo.com with enough detail for us to investigate and delete the information.
This policy is governed by the laws of the Netherlands. Disputes regarding the privacy practices described here are subject to the jurisdiction of the courts of Amsterdam — without prejudice to your right to lodge a complaint with your local supervisory authority under Article 77 GDPR, or to exercise rights granted to you by US state law.
Fullinfo B.V. · Amsterdam, the Netherlands · KvK 82102066 · privacy@fullinfo.com