Privacy Policy

1. Introduction

This Privacy Policy describes how Core Tech Logic Srl ("we", "us") collects, uses, and protects your data when using the bizlist.gr service and its API (api.bizlist.gr).

We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679) and Greek legislation (Law 4624/2019).

Data Controller: Core Tech Logic Srl

Contact Email: support@bizlist.gr

2. Data We Collect

A. Public Business Data

We collect and process publicly available business data from official commercial registries:

  • Company name and trade name
  • GEMI (Greek Business Registry) number and Tax ID (VAT)
  • Registered address
  • Contact information (email, phone, website)
  • Activity codes (KAD/NACE)
  • Legal form and status
  • Date of incorporation
  • Management and representation details
  • Published financial statements (balance sheets)

Data sources:

  • General Commercial Registry (GEMI) - Greece
  • Bulgarian Commercial Register - Bulgaria
  • Companies Registration Office - Ireland
  • Department of Registrar of Companies - Cyprus

B. User Account Data

When you register and use the service, we collect:

  • Email address
  • Name (if provided via Google OAuth)
  • IP address at registration
  • Timezone (optional)

C. Transaction Data

  • Premium subscription status
  • Credit balance and usage history
  • Data export history
  • AI analysis history

D. Email Campaigns (for users of this feature)

If you use the email campaigns feature:

  • SMTP settings (encrypted with AES-256-GCM)
  • Campaign content
  • Contact lists
  • Delivery statistics (opens, clicks)

E. API Access

For API users:

  • API keys (stored encrypted)
  • API usage logs

F. Technical Data

  • IP address
  • Browser type and version
  • Pages visited
  • Search queries

3. Legal Basis for Processing

We process your data based on the following GDPR legal bases:

Data Category Legal Basis
Public business data Legitimate interest - Article 6(1)(f)
Account data Contract performance - Article 6(1)(b)
Transaction data Contract performance - Article 6(1)(b)
Technical data Legitimate interest - Article 6(1)(f)

Public business data originates from official public registries whose purpose is transparency and third-party access according to Law 4919/2022 (GEMI), EU Directive 2017/1132, and Law 4727/2020 (Open Data & Re-use of Public Sector Information). PEPs data originates from public sources and is maintained under Law 4557/2018. Sanctions data originates from official EU, UN, and OFAC publications.

4. Purposes of Processing

We use your data to:

  • Provide business search and discovery services
  • Manage your account
  • Operate the credits and Premium subscription system
  • Perform AI document analysis upon your request
  • Operate email campaigns (if you use this feature)
  • Ensure security and prevent fraud
  • Improve our services
  • Comply with legal obligations

5. Sharing with Third Parties

We may share data with the following third parties:

Category Purpose
OpenRouter / Google Gemini AI analysis of financial documents
Payment providers Processing payments for credits/Premium
Email services (transactional) Sending verification and notification emails
Meta (Facebook) Conversions API Server-side transmission of anonymized conversion events (e.g. registration, purchase) using hashed identifiers for advertising campaign optimization. No client-side tracking or pixels are used.
We do not sell personal data. Data shared with advertising platforms consists exclusively of pseudonymized (SHA-256 hashed) identifiers. The transfer is based on Standard Contractual Clauses (SCCs).

6. International Data Transfers

Some of our partners (e.g., AI service providers) may be located outside the European Economic Area (EEA).

In such cases, we ensure the protection of your data through:

  • European Commission Standard Contractual Clauses (SCCs)
  • Adequacy decisions (where available)

7. Data Retention Period

Category Retention Period
Account data Duration of account + 3 years
Transaction data 7 years (legal requirement)
Technical logs 12 months
Business data Regularly updated from sources

8. Your Rights

Under the GDPR, you have the following rights:

  • Right of access: To know what data we hold about you
  • Right to rectification: To correct inaccurate data
  • Right to erasure: To request deletion of your data
  • Right to restriction: To restrict processing
  • Right to portability: To receive your data in a machine-readable format
  • Right to object: To object to processing
  • Right to withdraw consent: At any time, without affecting the lawfulness of prior processing

To exercise your rights, contact us.

Note on public business data:

Sole proprietorships: Individuals with a sole proprietorship may request removal of their data. The data is removed from the platform and added to a blocklist to prevent reappearance.

Legal entities (OE, EE, IKE, EPE, SA): Corporate publicity data is not removed. It concerns data mandatorily published in GEMI under Law 4919/2022 and Directive 2017/1132/EU. The names of partners, board members, and managers constitute corporate publicity data and are not subject to the right of erasure. Their publication does not require consent.

Politically Exposed Persons (PEPs): PEPs data is maintained under Law 4557/2018 (Prevention of money laundering) and is not removed.

Persons on sanctions lists: Data of persons on sanctions lists (EU, UN, OFAC) is maintained for AML/KYC compliance and is not removed.

The data also remains publicly available on GEMI (businessportal.gr).

Complaint to the Data Protection Authority

You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA).

9. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption of sensitive data (SMTP passwords with AES-256-GCM)
  • Secure authentication (JWT tokens, OAuth)
  • Role-based access controls
  • Regular security updates
  • HTTPS for all communications

10. Cookies and Tracking

We use limited cookies:

  • Session cookies: Essential for authentication and service operation
  • Language preferences: To remember your language choice
  • Attribution cookies: First-party cookies that store the source through which you arrived at our service (e.g. advertising campaign, referral link). These are used exclusively for measuring the effectiveness of our marketing campaigns and are not shared with third parties in their original form.

We do not use: Third-party tracking cookies, advertising pixels, or profiling cookies. All conversion tracking is performed server-side using anonymized data.

11. Changes to This Policy

We may update this policy periodically. In case of material changes, we will notify you via email or a notification in the service.

Continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For questions about the protection of your personal data or to exercise your rights:

Email: support@bizlist.gr

Or use our contact form.

Last updated: March 2026