Privacy Policy

1. Introduction

This Privacy Policy describes how CORE TECH LOGIC L.P. ("we", "us") collects, uses, and protects your data when using the bizlist.gr service and its API (api.bizlist.gr).

We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679) and Greek legislation (Law 4624/2019).

2. Data We Collect

A. Public Business Data

We collect and process publicly available business data from official commercial registries:

• Company name and trade name
• GEMI (Greek Business Registry) number and Tax ID (VAT)
• Registered address
• Contact information (email, phone, website)
• Activity codes (KAD/NACE)
• Legal form and status
• Date of incorporation
• Management and representation details
• Published financial statements (balance sheets)

Data sources:

• General Commercial Registry (GEMI) - Greece
• Bulgarian Commercial Register - Bulgaria
• Companies Registration Office - Ireland
• Department of Registrar of Companies - Cyprus

B. User Account Data

When you register and use the service, we collect:

• Email address
• Name (if provided via Google OAuth)
• IP address at registration
• Timezone (optional)
• Referral source and campaign identifiers

C. Transaction Data

• Premium subscription status
• Credit balance and usage history
• Data export history
• AI analysis history

D. Email Campaigns (for users of this feature)

If you use the email campaigns feature:

• SMTP settings (encrypted with AES-256-GCM)
• Campaign content
• Contact lists
• Delivery statistics (opens, clicks)

E. API Access

For API users:

• API keys (stored encrypted)
• API usage logs

F. Technical Data

• IP address
• Browser type and version (user-agent)
• Pages visited
• Search queries

Technical data (IP, user-agent) is also temporarily used (up to 30 days) in hashed form for server-side attribution, i.e. linking your referral source (e.g. advertising campaign) to your account upon registration.

3. Legal Basis for Processing

We process your data based on the following GDPR legal bases:

Public business data originates from official public registries whose purpose is transparency and third-party access according to Law 4919/2022 (GEMI), EU Directive 2017/1132, and Law 4727/2020 (Open Data & Re-use of Public Sector Information). PEPs data originates from public sources and is maintained under Law 4557/2018. Sanctions data originates from official EU, UN, and OFAC publications.

4. Purposes of Processing

We use your data to:

• Provide business search and discovery services
• Manage your account
• Operate the credits and Premium subscription system
• Perform AI document analysis upon your request
• Operate email campaigns (if you use this feature)
• Ensure security and prevent fraud
• Improve our services
• Comply with legal obligations

5. Sharing with Third Parties

We may share data with the following third parties:

6. International Data Transfers

Some of our partners (e.g., AI service providers) may be located outside the European Economic Area (EEA).

In such cases, we ensure the protection of your data through:

• European Commission Standard Contractual Clauses (SCCs)
• Adequacy decisions (where available)

7. Data Retention Period

8. Your Rights

Under the GDPR, you have the following rights:

• Right of access: To know what data we hold about you
• Right to rectification: To correct inaccurate data
• Right to erasure: You can delete your account from Account Settings or request data deletion
• Right to restriction: To restrict processing
• Right to portability: To receive your data in a machine-readable format
• Right to object: To object to processing
• Right to withdraw consent: At any time, without affecting the lawfulness of prior processing

To exercise your rights, contact us.

Account deletion: You can delete your account at any time through your settings. Upon deletion, technical logs are retained for their remaining retention period. Logs contain only an internal identifier (user ID) which, after deletion, does not correspond to any person.

Complaint to the Data Protection Authority

You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA).

9. Data Security

We implement technical and organizational measures to protect your data:

• Encryption of sensitive data (SMTP passwords with AES-256-GCM)
• Secure authentication (JWT tokens, OAuth)
• Role-based access controls
• Regular security updates
• HTTPS for all communications

10. Cookies and Tracking

We use only essential cookies:

• Session cookies: Essential for authentication and service operation
• User preferences: Language and display theme (localStorage)

We do not use: Tracking cookies, advertising pixels, profiling cookies, or attribution cookies. Campaign attribution is performed exclusively server-side without storing data on your device. Conversion tracking (Google Ads, Meta) is performed server-side using exclusively the click identifiers (gclid, fbc) generated by the platforms themselves. No hashed emails or other user identifiers are transmitted.

11. Third-Party AI Connectors (Claude / Anthropic)

When you connect your bizlist.gr account to a third-party AI assistant such as Claude (Anthropic) via our OAuth integration, an access token is issued that ties your bizlist account to that AI session. The third-party application uses this token to call our API on your behalf.

What we receive: only the tool calls (queries) the assistant makes against our API — for example, a search for companies in a region, or a request to analyze financial documents. We do not receive any other content of your conversation with the assistant.

What is stored: Anthropic stores an encrypted copy of the access token on their side. bizlist.gr stores a hashed refresh token and a short-lived revocation list. Tool calls are logged for billing and abuse-prevention purposes under the same retention rules as other API usage.

Revoking access: you can disconnect the integration at any time from your account settings on bizlist.gr or by removing the connector from your Claude account. Revocation invalidates the token immediately.

12. Browser Extension (Bizlist Extension)

We offer an optional browser extension that detects Greek business identifiers (Greek VAT/AFM, GEMI number, EU VAT, domain, email, phone, company names with legal suffixes) on the pages you visit and shows the corresponding public registry information from bizlist.gr.

How it works: Detection happens locally in your browser. When an identifier is found, the extension sends it to api.bizlist.gr to retrieve the matching public company data.

What we log:

• The lookups performed through the extension (the identifiers sent for lookup)
• When the extension matches a company on a page, it sends the page URL/host along with the secondary signals (domain, email, phone, name) that appeared on the page and were associated with that company. We use this data to enrich and improve the quality of our records
• Any feedback messages you voluntarily submit through the extension
• Browser user-agent string

What we do NOT collect from the extension:

• We do not store your IP address
• No account or login is required — usage is anonymous
• We do not read or transmit the full content of the pages you visit — only the specific identifiers detected
• We do not use cookies or tracking techniques
• We do not track browsing history

Legal basis: Legitimate interest (Article 6(1)(f) GDPR) for improving the service, preventing abuse and enriching public business data.

Retention: Extension logs are retained for 24 months, the same as other technical logs.

You can disable or uninstall the extension from your browser at any time.

13. Changes to This Policy

We may update this policy periodically. In case of material changes, we will notify you via email or a notification in the service.

Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact

For questions about the protection of your personal data or to exercise your rights: