Privacy Policy

1. Introduction

This Privacy Policy describes how CORE TECH LOGIC L.P. ("we", "us") collects, uses, and protects your data when using the bizlist.gr service and its API (api.bizlist.gr).

We are committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679) and Greek legislation (Law 4624/2019).

Data Controller: CORE TECH LOGIC L.P.

Registered office: PITINI, 85600 Symi, Dodecanese, Greece

VAT: EL803127123 · GEMI: 190194820000

Contact Email: support@bizlist.gr

2. Data We Collect

A. Public Business Data

We collect and process publicly available business data from official commercial registries:

  • Company name and trade name
  • GEMI (Greek Business Registry) number and Tax ID (VAT)
  • Registered address
  • Contact information (email, phone, website)
  • Activity codes (KAD/NACE)
  • Legal form and status
  • Date of incorporation
  • Management and representation details
  • Published financial statements (balance sheets)

Data sources:

  • General Commercial Registry (GEMI) - Greece
  • Bulgarian Commercial Register - Bulgaria
  • Companies Registration Office - Ireland
  • Department of Registrar of Companies - Cyprus

B. User Account Data

When you register and use the service, we collect:

  • Email address
  • Name (if provided via Google OAuth)
  • IP address at registration
  • Timezone (optional)
  • Referral source and campaign identifiers

C. Transaction Data

  • Premium subscription status
  • Credit balance and usage history
  • Data export history
  • AI analysis history
  • Terms acceptance record: when you accept the Terms of Service, the Privacy Policy and the Acceptable Use Policy, we record the document and its version and the date/time of acceptance, linked to your account, as proof of acceptance. (We do not store an IP address or user-agent in this record.)

D. API Access

For API users:

  • API keys (stored encrypted)
  • API usage logs

E. Technical Data

  • IP address
  • Browser type and version (user-agent)
  • Pages visited
  • Search queries

Technical data (IP, user-agent) is also temporarily used (up to 30 days) in hashed form for server-side attribution, i.e. linking your referral source (e.g. advertising campaign) to your account upon registration.

F. Personal Data Within the Public Data

The public data we process also includes data relating to natural persons: names and roles of managers, partners, board members and legal representatives; data of sole proprietorships (self-employed professionals); public procurement and state aid records (Diavgeia); lists of politically exposed persons (Law 4557/2018) and international sanctions lists (EU, UN, OFAC); as well as natural persons included in the AADE/e-EFKA official publication of debtors (POL.1158/2017). In that case we show only a neutral presence indicator with a link to the official publication, without reproducing the debt amount and without combining it with other data into a creditworthiness assessment. We do not maintain infringement data (e.g. customs fuel-smuggling offences) or bankruptcy/insolvency data relating to natural persons.

  • Source: This data is not collected from the data subject themselves, but is drawn from the public sources and registers referred to above.
  • Categories: Full name, capacity/role, relationship or shareholding percentage and — where provided by the source — a presence indicator in the publication of debtors (no amount), public contract/aid or inclusion in a list.
  • Legal basis: Legitimate interest (Article 6(1)(f) GDPR), in the context of business transparency and the support of AML/KYC compliance, in conjunction with the framework for the re-use of public sector data (Law 4727/2020). For data of legal persons as such, the GDPR does not apply (Recital 14).
  • Right to object: Any natural person may object to the processing of their data (Article 21 GDPR) and request correction of any inaccuracy or mistaken identification, at support@bizlist.gr. Requests are handled as described in section 8.
  • Article 14 information: Because the data is not collected from the data subjects themselves and the number of persons concerned makes individual notification disproportionately burdensome, individual notice is omitted pursuant to Article 14(5)(b) GDPR. This Privacy Policy constitutes the public information provided for in that same provision.

3. Legal Basis for Processing

We process your data based on the following GDPR legal bases:

Data Category Legal Basis
Public business data Legitimate interest - Article 6(1)(f)
Account data Contract performance - Article 6(1)(b)
Transaction data Contract performance - Article 6(1)(b)
Technical data Legitimate interest - Article 6(1)(f)
Server-side attribution (IP, user-agent, referral) Legitimate interest - Article 6(1)(f)
Informational / onboarding emails to registered users soft opt-in, Article 11(3) of Law 3471/2006: the data was lawfully obtained in the context of the transactional relationship (registration and use of the service) and is used to promote our own similar services, with the option to object in a clear, easy and free-of-charge manner in every message. Transactional emails continue.
Terms acceptance record (document, version, time) Compliance with a legal obligation / legitimate interest (proof of consent & defence of legal claims)

Public business data originates from official public registries whose purpose is transparency and third-party access according to Law 4919/2022 (GEMI), EU Directive 2017/1132, and Law 4727/2020 (Open Data & Re-use of Public Sector Information). PEPs data originates from public sources and is maintained under Law 4557/2018. Sanctions data originates from official EU, UN, and OFAC publications.

4. Purposes of Processing

We use your data to:

  • Provide business search and discovery services
  • Manage your account
  • Operate the credits and Premium subscription system
  • Perform AI document analysis upon your request
  • Send informational / onboarding emails to registered users (every message includes an unsubscribe link)
  • Ensure security and prevent fraud
  • Improve our services
  • Comply with legal obligations

5. Sharing with Third Parties

We may share data with the following third parties:

Category Purpose
Google (Google AI / Gemini models) AI analysis of documents (financial statements & corporate documents)
Payment providers Processing payments for credits/Premium
Brevo (email service) Sending transactional verification and notification emails, as well as informational / onboarding emails
Meta (Facebook) Conversions API Server-side transmission of conversion events (e.g. registration, purchase) using exclusively the click identifier (fbc) generated by Meta upon ad click. No emails, names or other user identifiers are transmitted. No client-side tracking or pixels are used. With respect to conversion event data, Meta acts as a joint controller (Article 26 GDPR); the joint-controller arrangement provided by Meta applies, and the data subject may exercise their rights against Meta as well.
Google Ads Server-side offline conversion tracking using exclusively the click identifier (gclid) generated by Google upon ad click. No emails, names or other user identifiers are transmitted.
Cloudflare, Inc. Processor: CDN, WAF and network security (proxy, protection against malicious traffic). USA — under Standard Contractual Clauses (SCCs)/EU–US Data Privacy Framework and a data processing agreement (DPA).
We do not sell personal data. Data shared with advertising platforms is limited exclusively to click identifiers generated by the platforms themselves and the event type. No hashed emails or other user identifiers are transmitted.

6. International Data Transfers

Some of our partners (e.g., AI service providers) may be located outside the European Economic Area (EEA).

In such cases, we ensure the protection of your data through:

  • The EU–US Data Privacy Framework (DPF) adequacy decision, for providers certified under it (e.g., Google LLC)
  • European Commission Standard Contractual Clauses (SCCs), where no adequacy decision applies

7. Data Retention Period

Category Retention Period
Account data Duration of account + 3 years
Transaction data 7 years (legal requirement)
Technical logs 24 months
Server-side attribution data 30 days
Business data Regularly updated from sources
Terms acceptance record Retained even after account deletion, for the duration of the relevant limitation period for claims; after deletion it contains only an internal identifier (user id), document, version and time — no other data.

8. Your Rights

Under the GDPR, you have the following rights:

  • Right of access: To know what data we hold about you
  • Right to rectification: To correct inaccurate data
  • Right to erasure: You can delete your account from Account Settings or request data deletion
  • Right to restriction: To restrict processing
  • Right to portability: To receive your data in a machine-readable format
  • Right to object: To object to processing
  • Right to withdraw consent: At any time, without affecting the lawfulness of prior processing

To exercise your rights, contact us.

Account deletion: You can delete your account at any time through your settings. Upon deletion, technical logs are retained for their remaining retention period. Logs contain only an internal identifier (user ID) which, after deletion, does not correspond to any person.

Note on public business data:

Sole proprietorships: Individuals with a sole proprietorship may request removal of their data. The data is removed from the platform and added to a blocklist to prevent reappearance.

Legal entities (OE, EE, IKE, EPE, SA): Corporate publicity data is not removed. It concerns data mandatorily published in GEMI under Law 4919/2022 and Directive 2017/1132/EU. The names of partners, board members, and managers constitute corporate publicity data and are not subject to the right of erasure. Their publication does not require consent.

Politically Exposed Persons (PEPs): PEPs data is maintained under Law 4557/2018 (Prevention of money laundering) and is not removed.

Persons on sanctions lists: Data of persons on sanctions lists (EU, UN, OFAC) is maintained for AML/KYC compliance and is not removed.

AADE debtor indicator (natural persons / sole proprietorships): shown as an indicator + link, updated weekly so as to follow removals at the source, and removed upon request (fast-path).

Objections are assessed through a balancing test; for certain categories (AML — PEPs, sanctions) compelling legitimate grounds may override.

The data also remains publicly available on GEMI (businessportal.gr).

Complaint to the Data Protection Authority

You have the right to lodge a complaint with the Hellenic Data Protection Authority (HDPA).

9. Data Security

We implement technical and organizational measures to protect your data:

  • Encryption of sensitive data (AES-256-GCM)
  • Secure authentication (JWT tokens, OAuth)
  • Role-based access controls
  • Regular security updates
  • HTTPS for all communications

10. Cookies and Tracking

We use only essential cookies:

  • Session cookies: Essential for authentication and service operation
  • User preferences: Language and display theme (localStorage)

We do not use: Tracking cookies, advertising pixels, profiling cookies, or attribution cookies. Campaign attribution is performed exclusively server-side without storing data on your device. Conversion tracking (Google Ads, Meta) is performed server-side using exclusively the click identifiers (gclid, fbc) generated by the platforms themselves. No hashed emails or other user identifiers are transmitted.

11. Third-Party AI Connectors (Claude / Anthropic)

When you connect your bizlist.gr account to a third-party AI assistant such as Claude (Anthropic) via our OAuth integration, an access token is issued that ties your bizlist account to that AI session. The third-party application uses this token to call our API on your behalf.

What we receive: only the tool calls (queries) the assistant makes against our API — for example, a search for companies in a region, or a request to analyze financial documents. We do not receive any other content of your conversation with the assistant.

What is stored: Anthropic stores an encrypted copy of the access token on their side. bizlist.gr stores a hashed refresh token and a short-lived revocation list. Tool calls are logged for billing and abuse-prevention purposes under the same retention rules as other API usage.

Revoking access: you can disconnect the integration at any time from your account settings on bizlist.gr or by removing the connector from your Claude account. Revocation invalidates the token immediately.

12. Browser Extension (Bizlist Extension)

We offer an optional browser extension that detects Greek business identifiers (Greek VAT/AFM, GEMI number, EU VAT, domain, email, phone, company names with legal suffixes) on the pages you visit and shows the corresponding public registry information from bizlist.gr.

How it works: Detection happens locally in your browser. When an identifier is found, the extension sends it to api.bizlist.gr to retrieve the matching public company data.

What we log:

  • The lookups performed through the extension (the identifiers sent for lookup)
  • When the extension matches a company on a page, it sends the page URL/host to the server along with correlation signals (domain and, where detected, email/phone) solely to match the correct company. Emails and phone numbers are used momentarily for matching and are not logged or stored. From each lookup, only the corporate identifiers (Greek VAT/AFM, GEMI number, EU VAT, domain, company name) are recorded.
  • Any feedback messages you voluntarily submit through the extension

The recorded data (anonymous, no IP, no user account) is used for the quality and completeness of our database and to detect gaps (e.g. companies with an undeclared website). Possible future use for enriching public company data; not active today.

What we do NOT collect from the extension:

  • We do not store your IP address
  • No account or login is required — usage is anonymous
  • We do not read or transmit the full content of the pages you visit — only the specific identifiers detected
  • We do not use cookies or tracking techniques
  • We do not track browsing history

Legal basis: Legitimate interest (Article 6(1)(f) GDPR) for improving the service, preventing abuse and enriching public business data.

Retention: Extension logs are retained for 24 months, the same as other technical logs.

You can disable or uninstall the extension from your browser at any time.

13. Changes to This Policy

We may update this policy periodically. In case of material changes, we will notify you via email or a notification in the service.

Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact

For questions about the protection of your personal data or to exercise your rights:

Email: support@bizlist.gr

Or use our contact form.

Version 1.0 · Last updated: June 2026