Privacy Notice for B2B Contact Data
Information about our processing of business contact information (GDPR Art. 14)
Last Updated: January 30, 2026
Why are you receiving this notice?
Under GDPR Article 14, we must inform you when we process your personal data obtained from third-party sources (rather than directly from you). This notice explains how we collect, use, and protect business contact information for our B2B prospecting platform.
1. Data Controller Identity
Name: SC GROWTH MIND TECH SRL
Registered Office: Str. Industriei nr. 1A, Corp B, Etaj 4, Biroul 4, Cluj-Napoca, Cluj, Romania
Registration Number: J12/3074/2024
CIF: RO50267770
Contact Email: mihai@growthmind.ro
DPO/Privacy Contact: mihai@growthmind.ro
2. What Business Contact Data We Process
We process the following categories of business contact information:
- Full Name: First name and last name
- Professional Title: Job title or position
- Work Email Address: Business email address
- Work Phone Number: Business phone number (if available)
- LinkedIn Profile: Public LinkedIn profile URL (if available)
- Company Affiliation: Name and registration details of employer company
- Industry Information: Business sector (CAEN code) of employer
We do NOT process: Personal email addresses, personal phone numbers, home addresses, demographic data, or any sensitive personal data (health, religion, political opinions, etc.)
3. Sources of Your Data
We obtain business contact information from the following sources:
- Apollo.io: A third-party B2B data provider that aggregates business contact information from public sources (company websites, LinkedIn, business directories, press releases)
- Public Business Registries: Romanian Trade Register (ONRC), company websites, public announcements
- Professional Networking Sites: Publicly available LinkedIn profiles and company pages
- Business Directories: Industry directories, chamber of commerce listings, trade association member lists
Important: We only process information that is publicly available or obtained through legitimate B2B data providers. We do not purchase consumer data or scrape private social media profiles.
4. Why We Process Your Data
We process business contact information for the following purposes:
- B2B Prospecting Platform: To enable our clients (Romanian sales teams) to identify and reach out to relevant business contacts for legitimate commercial purposes
- Lead Generation: To help businesses find decision-makers at companies that may benefit from their products or services
- Market Research: To provide insights about company structures, industries, and business trends in Romania
- Contact Verification: To validate and maintain accuracy of business contact information
We do NOT use your data for: Direct marketing to consumers, spam, unsolicited telemarketing, or any purposes unrelated to legitimate B2B commerce.
5. Legal Basis for Processing
Our legal basis for processing business contact data is Legitimate Interest under GDPR Article 6(1)(f):
Our Legitimate Interest: Operating a B2B sales intelligence platform that enables Romanian businesses to identify and connect with relevant business contacts for commercial purposes.
Balancing Test: We have conducted a Legitimate Interest Assessment (LIA) that balances:
- Your Rights: Privacy, data protection, freedom from spam
- Our Interests: Providing valuable B2B services to clients
- Safeguards: Data minimization, opt-out mechanism, limited retention, quality filtering
You have the right to object to processing based on legitimate interest at any time. See Section 8 for how to exercise your rights.
6. Who Has Access to Your Data
Your business contact information may be shared with:
- Paying Clients: Romanian businesses who subscribe to our platform and "unlock" your contact information to reach out for legitimate business purposes
- Data Processors: Third-party service providers who help us operate the platform:
- Apollo.io (B2B data provider, USA - adequate safeguards in place)
- Neon Database (PostgreSQL hosting, EU/Frankfurt)
- OpenAI (pitch generation, USA - no PII sent, aggregated data only)
- Stripe (payment processing, EU/USA - standard contractual clauses)
- Legal Authorities: If required by law or to protect our rights/property
We do NOT sell or rent your data to third parties.
6a. International Data Transfers
Some of our service providers process data outside the European Economic Area (EEA). We ensure your data is protected when transferred internationally:
Transfers to United States
We transfer personal data to the following US-based processors:
- Apollo.io: Contact enrichment API (safeguarded by Standard Contractual Clauses or EU-US Data Privacy Framework)
- OpenAI: AI-powered research and summarization (company names only, no direct contact PII)
- Resend: Transactional email delivery for DSAR notifications and password resets (safeguarded by Standard Contractual Clauses)
- Vercel (logs): Application logs and monitoring (safeguarded by Standard Contractual Clauses)
Transfer Safeguards
- Standard Contractual Clauses (EC-approved contracts ensuring GDPR-level protection)
- EU-US Data Privacy Framework certification (where applicable)
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Data minimization (only necessary information transferred)
For detailed information about international transfers, including specific transfer mechanisms for each vendor, see our complete International Transfers documentation or contact our DPO.
6b. When We Provide This Notice
Under GDPR Article 14, we must provide this notice within specific timeframes. However, we rely on an exception for disproportionate effort:
Why We Don't Send Individual Notices
Direct individual notification to 1M+ business contacts would be:
- Disproportionately expensive (β¬500,000+ in postal/email costs)
- Likely ineffective (most would be filtered as spam, <1% read rate)
- Legally problematic (unsolicited emails may violate ePrivacy rules)
Alternative Transparency Measures: Instead, we make this notice publicly available on our website (accessible 24/7), provide an easy opt-out mechanism (DSAR form), and ensure data subjects can exercise their rights at any time. This approach is more effective and compliant with GDPR Article 14(5)(b) - disproportionate effort exception.
7. How Long We Keep Your Data
Cached Company Enrichment Data:
We cache company enrichment data (Google Places, website analysis, etc.) for 12 months to optimize platform performance and data quality. This cache is automatically purged after expiration.
Unlocked Contact Data (Revealed to Clients):
When a client "unlocks" your contact information (email/phone), we retain it for 2 years to fulfill our contract with paying customers. After 2 years, email/phone data is automatically deleted while name and title remain visible in preview state. Justification: This retention period is necessary for B2B relationship building cycles (typically 12-24 months).
Opt-Out Records (Suppression List):
If you request suppression (opt-out), we retain a cryptographically hashed record of your contact information indefinitely to honor your opt-out preference. Note: These hashes are treated as pseudonymized personal data under GDPR, not anonymous data.
Transaction and Audit Logs:
Transaction logs are retained for 6 months for security monitoring. DSAR request records are retained for 3 years for accountability and legal compliance.
8. Your Rights Under GDPR
You have the following rights regarding your business contact data:
Right to Access (Art. 15)
Request a copy of all business contact data we hold about you, including sources and recipients.
Right to Rectification (Art. 16)
Correct inaccurate or incomplete contact information.
Right to Erasure (Art. 17)
Request deletion of your contact data from our systems.
Right to Object (Art. 21)
Object to processing based on legitimate interest. We will stop processing unless we have compelling legitimate grounds or legal obligations.
Right to Data Portability (Art. 20)
Receive your data in a structured, machine-readable format (JSON/CSV).
Right to Restriction (Art. 18)
Request temporary restriction of processing (e.g., while we verify accuracy).
How to Exercise Your Rights
To exercise any of these rights, you can:
- Submit a DSAR (Data Subject Access Request): Fill out our DSAR form Submit a DSAR (Data Subject Access Request): Fill out our DSAR form
- Email us directly: mihai@growthmind.ro with subject "GDPR Request" mihai@growthmind.ro
Response Time: We will respond to your request within 30 days (extendable to 3 months for complex requests, with notification).
Verification: We may ask for identification proof to prevent unauthorized access (e.g., email verification, LinkedIn profile confirmation).
9. Quick Opt-Out (Suppression)
Want to remove your contact information immediately?
You can request to be added to our suppression list, which will:
- Prevent your contact data from appearing in future search results
- Block clients from unlocking your email/phone
- Remove your data from our cache within 90 days
10. Right to Lodge a Complaint
If you believe we have not handled your data properly, you have the right to lodge a complaint with:
Romanian Data Protection Authority (ANSPDCP):
- π Address: Bulevardul General Gheorghe Magheru 28-30, Sector 1, Bucharest, Romania
- π§ Email: anspdcp@dataprotection.ro anspdcp@dataprotection.ro
- π Website: www.dataprotection.ro www.dataprotection.ro
- π Phone: +40 21 252 5599
We encourage you to contact us first so we can address your concerns directly.
11. Changes to This Notice
We may update this notice periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated through our website. The "Last Updated" date at the top of this page indicates when the most recent changes were made.
Questions or Concerns?
We are committed to transparency and respecting your privacy rights. If you have any questions about this notice or our data practices, please contact us.