Beolta

Privacy Policy

Version: 1.4.2
Effective date: 1 May 2026
Last reviewed: 7 June 2026

Changelog v1.4.2 (2026-06-07): UK go-live readiness (no change to actual processing). (1) §16 now names the Information Commissioner's Office (ICO) as the supervisory authority for data subjects in the United Kingdom, and corrects the complaint-route wording so a UK data subject is no longer pointed only to an "EU member state" authority. (2) §7 now discloses the transfer safeguard for UK personal data — the UK International Data Transfer Addendum to the EU SCCs (primary, with a transfer risk assessment), and the UK–US Data Bridge as a supplementary adequacy layer where the subprocessor is certified — and confirms UK→EEA transfers need no additional safeguard. These align the public notice with the UK GDPR ahead of any UK outreach (which remains suppressed until a UK Article 27 representative is appointed).

Changelog v1.4.1 (2026-06-07): Synchronised the §5.2 public data-source list with the 2026-06-05 go-live of the construction, legal-services and marketing-agencies verticals. Added five public sources that have been active since that go-live: CourtListener (public US court-records register), municipal building-permit registers (Socrata-hosted open-data portals), and the public professional directories Lawyers.com, Best Lawyers, and the USGBC/LEED directory. Also made the §2 "Contractor-side Contacts" collection description source-agnostic (it now points to the §5.2 list rather than naming only the IT directories). No change to actual processing or lawful basis — each source is covered by the relevant in-force Legitimate Interest Assessment; this addition brings the public source disclosure into line with existing practice. All five are first-party or public-record sources, not Article 28 subprocessors, so the §6.1 subprocessor table is unchanged.

Changelog v1.4.0 (2026-06-07): Added a storage-limitation cap for contractor-side scraped data to the §9 retention table: decision-maker contact data (name, email, phone, LinkedIn) for agencies that were scraped from public directories (Clutch, DesignRush, TechBehemoths, etc.) but never registered on the platform is anonymised after 36 months of inactivity, consistent with the buyer-side cap already in force (company-level firmographic profile data is not personal data and is retained). No change to actual processing — this addition brings the disclosure into line with existing (now amended) automated-retention practice. Also clarified §4.2 to distinguish relevance-gated disclosure of individual decision-maker contact data from the aggregate, company-level market-intelligence digest shown to subscribers (which contains no personal contact data). Propagated the Contractor-side Contacts group consistently through the document: added a §4.3 legal-basis table, made §8.4 retention source-agnostic, and extended the §10 rights scope to include Contractor-side Contacts.

Changelog v1.3.0 (2026-06-07): (1) Added a third data-subject group — "Contractor-side Contacts" (decision-makers at agencies scraped from public directories such as Clutch, DesignRush, TechBehemoths) — to the §2 taxonomy and broadened §8 to cover both buyer-side and contractor-side third-party-sourced individuals (Art. 14 GDPR). (2) Added SAM.gov (US federal procurement register) to the §5.2 data-source list; it has been active since platform launch. (3) Retired Clearbit from all disclosure tables — no connector has ever been active in production; Clearbit removed from the §5.2 source list, §6.1 subprocessor table, and §8.1 source enumeration. (4) Removed a disclosed "privacy-preserving analytics" cookie from §11 that does not exist — app.beolta.com uses no analytics package. (5) Added an Art. 14(1)(e) recipient-category sentence to §8.2 naming matched contractors as recipients of buyer-side DM professional contact data. No change to actual processing.

Changelog v1.2.0 (2026-06-05): Expanded the §9 retention table to disclose three personal-data retention periods already enforced by our automated retention job: (i) outreach correspondence — messages sent to buyer-side contacts and their replies — retained for 3 years; (ii) a storage-limitation cap on buyer-side contact details (anonymised after 24 months of no engagement, or 36 months of company-record inactivity, whichever occurs first); and (iii) data-subject-rights request records (including records evidencing withdrawal of consent) retained for 2 years. No change to processing — these additions bring the disclosure into line with existing practice.

Changelog v1.1.2 (2026-05-19): Removed PredictLeads (4see, Inc.) from the subprocessor and data-source disclosures following retirement of that connector on 2026-05-19; signal coverage previously attributed to PredictLeads is now covered by Apollo, TheirStack, Apify and SEC EDGAR.

Changelog v1.1.1 (2026-05-13): Replaced indefinite raw-API-response caching with a seven-year hard cap anchored on the Estonian Accounting Act (Raamatupidamise seadus, §12) — restating §8.4 and §9 accordingly; clarified that the disclosed B2B contact-data providers (Apollo, PeopleDataLabs, Clearbit) are licensed B2B products operating under their own GDPR / CCPA compliance regimes and are distinct from consumer-marketing broker lists, which Beolta does not use; switched the subprocessor and data-source disclosures in §5.2 and §6.1 to render from a single canonical source.

Changelog v1.1.0 (2026-05-13): Expanded the disclosed B2B data-provider list to reflect all current enrichment sources; added explicit disclosure of raw-API-response caching with the surgical PII-redaction pipeline that mitigates it; aligned the retention table accordingly; cross-referenced our Legitimate Interest Assessment, Data Processing Agreement, and Breach Notification Protocol.


1. Who We Are

Data Controller: Editale OÜ
Registry code: 17430609
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 7-557, 10117, Estonia

Trading as: Beolta
Platform: app.beolta.com (web application), beolta.com (marketing site)

Privacy contact / Data Protection Officer: privacy@beolta.com

We are the data controller for all personal data described in this policy. This means we determine the purposes and means of processing your personal data and are responsible for it under the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.

UK representative (Article 27 UK GDPR): Editale OÜ has no establishment in the United Kingdom. For data subjects in the UK, and to the extent the UK GDPR applies to our processing, Editale OÜ will designate a UK representative under Article 27 UK GDPR. Until a representative is appointed, we do not dispatch outreach to UK recipients. Once a representative is appointed, its name and contact details will be published here and in the footer of every outreach message we send to UK recipients, so that UK data subjects and the Information Commissioner's Office can contact the representative on all matters relating to our processing. In the meantime, you can reach us directly at privacy@beolta.com.


2. Scope of This Policy

This Privacy Policy describes how Editale OÜ ("Beolta", "we", "us", or "our") collects, uses, shares, retains, and protects personal data in connection with:

This policy covers three distinct groups of individuals whose data we process:

Group | Who they are | How data is collected
Registered Users | Service providers across multiple verticals (including IT outsourcing, construction, legal services, marketing agencies, and similar professional services) who create Beolta accounts | Directly from you (Art. 13 GDPR)
Buyer-side Contacts | Decision-makers at prospective buyer companies (e.g. CTOs, VP Engineering) whose professional data appears in our intelligence database | From public sources and third-party data providers (Art. 14 GDPR)
Contractor-side Contacts | Decision-makers at professional-services agencies (across IT outsourcing, legal services, construction, marketing and similar verticals) whose professional data is collected from public agency, professional and procurement directories (the full list is in §5.2) and used to invite their firm to claim a Beolta profile | From public agency, professional and procurement directories and related public sources (Art. 14 GDPR)

If you are a Buyer-side Contact or a Contractor-side Contact who has not created a Beolta account, Section 8 is written specifically for you.


3. Personal Data We Collect

3.1 Registered Users

When you register and use Beolta, we collect and process the following categories of personal data:

Account and identity data

Company profile data (provided by you to power matching features)

Billing and payment data

Usage and technical data

Compliance records

3.2 Buyer-side Contacts

We maintain a database of professional contact information for decision-makers at companies that may be potential buyers for our users' services. For these individuals we process:

We do not collect home addresses, personal phone numbers, national identification numbers, financial data, special category data (Art. 9 GDPR), or any data about minors in respect of Buyer-side Contacts.


4. How and Why We Process Your Data (Legal Bases)

4.1 Registered Users

Purpose | Data used | Legal basis (GDPR Art. 6)
Creating and managing your account | Name, email, password hash, company profile | Art. 6(1)(b) — performance of a contract
Delivering platform features (signal matching, research briefs, outreach tools) | Account data, company profile, usage logs | Art. 6(1)(b) — performance of a contract
Processing payments and issuing invoices | Billing data, transaction records | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (Estonian accounting law)
Sending transactional emails (onboarding, alerts, digests) | Name, email address | Art. 6(1)(b) — performance of a contract
Maintaining security and preventing fraud | IP addresses, session data, access logs | Art. 6(1)(f) — legitimate interests (securing our platform and users)
Product analytics to improve Beolta | Aggregated and pseudonymised usage data | Art. 6(1)(f) — legitimate interests (improving our service)
Retaining Terms of Service acceptance records | Timestamp, IP address, ToS version | Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests (defending legal claims)
Responding to support requests | Name, email, content of your query | Art. 6(1)(b) — performance of a contract
Compliance with applicable law | Various | Art. 6(1)(c) — legal obligation

Our legitimate interests (Art. 6(1)(f)): Where we rely on legitimate interests, we have assessed that our interest is genuine and proportionate, and that it is not overridden by your fundamental rights. You have the right to object to processing based on legitimate interests — see Section 10.

4.2 Buyer-side Contacts

Purpose | Data used | Legal basis
Compiling and maintaining a B2B prospects database | Name, title, work email, LinkedIn URL, employer | Art. 6(1)(f) — legitimate interests
Presenting prospect profiles to Beolta's registered users | All contact data above | Art. 6(1)(f) — legitimate interests
Generating AI-assisted sales intelligence briefs | Name, title, employer, public signals | Art. 6(1)(f) — legitimate interests
Generating outreach messages on behalf of registered users | Name, title, employer | Art. 6(1)(f) — legitimate interests
Suppression list management (honouring opt-outs) | Email address | Art. 6(1)(c) — legal obligation / Art. 6(1)(f) — legitimate interests

Legitimate interests assessment for Buyer-side Contacts: Beolta operates exclusively in the B2B context. Our registered users are professional-services providers across verticals (including IT outsourcing, construction, legal services, and marketing agencies); the contacts in our database are professional decision-makers at companies that buy services in those verticals. The processing is limited to professional contact data that is publicly available or sourced from established B2B data providers. We apply signal-based targeting so that contacts are only presented to providers whose services are relevant to that contact's apparent needs. This signal-based relevance targeting governs the presentation of an individual decision-maker's professional contact data to providers. Separately, we may show registered users aggregate market-intelligence summaries — counts of newly-detected companies and buying signals, and company-level firmographics such as company name, industry, and size band — for activity across the verticals we serve; these summaries contain no decision-maker personal contact data, and for lower-tier subscribers company names are anonymised to a vertical-and-size-band label. We consider that this use of professional data for B2B outreach is within the reasonable expectations of business professionals, is proportionate, and does not override the rights and freedoms of the individuals concerned. You may object to this processing at any time — see Section 8 and Section 10.

4.3 Contractor-side Contacts

Purpose | Data used | Legal basis
Compiling a directory of professional-services agencies | Decision-maker name, title, work email, LinkedIn URL, employer | Art. 6(1)(f) — legitimate interests
Presenting an agency to buyers whose signals match its services | Agency firmographics; decision-maker name/title | Art. 6(1)(f) — legitimate interests
Inviting the agency to claim and control its Beolta profile | Decision-maker name, work email | Art. 6(1)(f) — legitimate interests
Suppression list management (honouring opt-outs) | Email address | Art. 6(1)(c) — legal obligation / Art. 6(1)(f) — legitimate interests

Legitimate interests assessment for Contractor-side Contacts: The same B2B legitimate-interest analysis as for Buyer-side Contacts applies (professional contact data, publicly sourced, proportionate, within reasonable expectations), assessed in our Legitimate Interest Assessment. The processing purpose is to present the agency to relevant buyers and to invite the firm to claim its profile. You may object at any time — see Section 8 and Section 10.


5. How We Collect Data

5.1 Registered Users

We collect data directly from you when you:

We also collect technical data automatically through standard web server logs when you visit beolta.com or use app.beolta.com. We do not deploy analytics packages on app.beolta.com.

5.2 Buyer-side Contacts

We do not collect this data directly from the individuals concerned. We aggregate it from a defined set of B2B data providers and public registries. The current list is:

We additionally use publicly available professional information outside this provider list — LinkedIn public profiles, company websites, press releases, and public job boards — where data subjects or their employers have placed that information in public circulation.

Each provider operates under its own privacy policy and, where applicable, provides data to us under data-sharing agreements consistent with GDPR requirements. Our Article 6(1)(f) legitimate-interest balancing test for aggregating across this source list — and for caching the raw responses for up to seven years from fetch (see §9) — is documented in our Legitimate Interest Assessment.

We do not use consumer-marketing broker lists or purchased prospect lists of unverified provenance, do not scrape access-controlled platforms, and do not ingest data from sources outside the list above. The disclosed B2B contact-data providers (Apollo, Hunter, PeopleDataLabs) are licensed B2B products operating under their own published GDPR / CCPA compliance regimes — a distinct category from consumer-marketing list brokers.


6. Data Sharing and Subprocessors

We do not sell personal data to third parties. We share data only with trusted subprocessors who help us operate the platform, and only to the extent necessary for the service they provide.

6.1 Our Subprocessors

The list below is also published as our Subprocessor List and in Annex II of our Data Processing Agreement.

Subprocessor | Role | Data Processed | Location | Transfer Mechanism
Supabase, Inc. | Database hosting, authentication, file storage | All Personal Data stored in the Services (account data, usage logs, ToS acceptance records, contractor profiles, buyer-side contact data) | EU (Frankfurt, AWS eu-central-1) | Intra-EEA — no transfer outside EEA
Railway Corp. | Web application hosting (app.beolta.com, SSR) | HTTP request metadata, session data, application logs | US / EU | SCCs (EC Decision 2021/914) Module 3
Amazon Web Services, Inc. (AWS Amplify) | Static-site hosting (beolta.com landing) | Web server access logs | EU (eu-west-1) default; CDN edges global | SCCs Module 3 for any non-EEA edge cache; otherwise intra-EEA
Stripe, Inc. | Payment processing and billing | Billing name and address; tokenised payment-method details; invoice records | US / EU | SCCs; PCI DSS Level 1 certified; EU–US Data Privacy Framework where applicable
Anthropic, PBC | AI model inference (research briefs, outreach drafts) | Prospect and company context included in prompts (no registered-user PII transmitted) | US | SCCs; EU–US Data Privacy Framework where applicable; API terms preclude training on customer data; prompts not retained beyond standard short-term operational logs
OpenAI, LLC | AI model inference (fallback / supplementary) | Prospect and company context included in prompts (no registered-user PII transmitted) | US | SCCs; EU–US Data Privacy Framework where applicable; API terms preclude training on customer data; prompts not retained beyond standard short-term operational logs
Functional Software, Inc. (Sentry) | Error monitoring and performance tracking | Stack traces; limited session context (user ID, email on error) | US | SCCs; EU–US Data Privacy Framework where applicable; data-minimisation configured
Trigger.dev Ltd | Background job processing (signal pipeline, retention, email digest) | Job payloads (may contain user IDs and prospect data while in flight) | EU / US | SCCs; EU–US Data Privacy Framework where applicable
Resend, Inc. | Transactional email delivery | Recipient email address; email content | US | SCCs; EU–US Data Privacy Framework where applicable
Unipile SAS | LinkedIn outreach API (connection requests, InMail, direct messages to buyer-side decision-makers) | Buyer-side decision-maker LinkedIn profile identifiers (LinkedIn URN / profile URL, display name) and the content of outreach messages sent to them; sender LinkedIn account identifiers | EU (France) | Intra-EEA — no transfer outside EEA
Enrich Labs FZ L.L.C. (InboxKit) | Cold-outreach mailbox provisioning and email-warmup infrastructure | Sender mailbox identity data (mailbox display names, usernames, mailbox email addresses on sender-controlled domains) and warmup peer-traffic recipient addresses; SMTP/IMAP credentials for provisioned mailboxes | UAE (Dubai); data processed in US / EU / UAE per InboxKit Privacy Policy; provisioned mailboxes on US-region Google Workspace / Microsoft 365 | Standard Contractual Clauses (EC Decision 2021/914) per InboxKit's published Privacy Policy; engaged via acceptance of InboxKit's online terms (click-wrap), no separately negotiated DPA
Apollo.io, Inc. | B2B contact and company data enrichment (buyer-side contact sourcing) | Business contact data of buyer-side decision-makers (name, business email, business phone, business title, employer, public LinkedIn URL) | US | SCCs; Apollo operates under its own GDPR / CCPA compliance regime
People Data Labs, Inc. | B2B contact and company data enrichment (corroborating coverage) | Business contact data of buyer-side decision-makers (same categories as Apollo; overlapping coverage for cross-verification) | US | SCCs; PDL operates under its own GDPR / CCPA compliance regime
Hunter Web Services, Inc. | Business-email enrichment (email-finder, domain-search, email-verifier); fallback to Apollo in the decision-maker email cascade | Sent: buyer-side decision-maker first name + last name + employer company domain. Received and stored: business email address, deliverability / confidence score, and domain-level email patterns | US / EU | SCCs
TheirStack, S.L. | Public job-posting and technology-signal aggregation | Public job postings; company-level data; hiring-manager names only where publicly listed | EU (Spain) | Intra-EEA — no transfer outside EEA
BuiltWith Pty Ltd | Public technology-stack scanner | Per-domain technology signals; no personal data | US / AU | SCCs
Apify Technologies s.r.o. | Operator of scrapers against public marketplaces (Clutch, DesignRush, TechBehemoths) | Public agency / contractor directory listings; public decision-maker profile snippets | US / EU | SCCs

AI providers — important note: When Anthropic or OpenAI process data on our behalf, they act as data processors under our instructions. We have agreed terms with both providers confirming that data submitted via the API is not used to train their models. Prompts and outputs are processed transiently to generate a response and are not retained by the provider beyond their standard short-term operational logs.

Public registries and open directories referenced in the data-source list at §5.2 (SEC EDGAR, GitHub topics, the Clutch / DesignRush / TechBehemoths public agency directories) are not subprocessors in the Article 28 GDPR sense; they are public sources from which we collect conspicuously published business information.

6.2 Other Disclosures

We may also disclose personal data to:


7. International Data Transfers

Several of our subprocessors are based in the United States or operate globally. Transfers of personal data from the European Economic Area (EEA) to these subprocessors are conducted under Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914, which provide appropriate safeguards for personal data under GDPR Chapter V.

Where a subprocessor participates in the EU–US Data Privacy Framework, we also rely on that adequacy mechanism where applicable.

Transfers of UK personal data. For personal data subject to the UK GDPR that is transferred to a country without UK adequacy regulations (including the United States), we rely on the UK International Data Transfer Addendum to the EU SCCs (an Article 46 UK GDPR transfer mechanism issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018) as our primary safeguard, supported by a transfer risk assessment. Where a US subprocessor is certified under the UK Extension to the EU–US Data Privacy Framework ("UK–US Data Bridge"), we may additionally rely on that adequacy mechanism while it remains in force; we do not rely on it as the sole safeguard. Transfers of UK personal data to the EEA require no additional safeguard, as the United Kingdom recognises the EEA as providing adequate protection.

A full list of subprocessors and the transfer mechanisms applicable to each is available on request at privacy@beolta.com.


8. Information for Third-Party-Sourced Individuals (GDPR Art. 14)

This section is specifically for individuals who have not created a Beolta account but whose professional information appears in our platform — whether as a decision-maker at a prospective buyer company ("Buyer-side Contact") or as a decision-maker at a contractor/agency company listed on public agency directories ("Contractor-side Contact").

For Buyer-side Contacts, the purpose is to introduce qualified service providers to companies whose needs match; for Contractor-side Contacts, the purpose is to present your firm to matched buyers and invite you or a colleague to claim your agency's profile. In both cases the lawful basis is Art. 6(1)(f) legitimate interest, assessed in our Legitimate Interest Assessment.

8.1 How We Obtained Your Data

Your professional contact information — your name, job title, work email, LinkedIn URL, and employer — was obtained from publicly available sources (such as your LinkedIn profile, your employer's website, public job postings, public regulatory filings, or public procurement records) or from one or more of the sources listed in Section 5.2 and the subprocessors listed in Section 6.1 (including the public agency directories and the third-party B2B data providers listed there). We did not receive your data directly from you. The complete source list and the legal-basis analysis are documented in our Legitimate Interest Assessment.

8.2 Why We Hold Your Data

We hold your professional data to enable service providers that use Beolta (across verticals such as IT outsourcing, construction, legal services, and marketing) to identify and reach potential clients whose needs may match the services they offer. This is standard B2B sales research activity. We have assessed our legitimate interests as described in Section 4.2.

Recipients of your data (Art. 14(1)(e)): Where you are a Buyer-side Contact, your professional contact data (name, job title, LinkedIn URL, and employer) may be disclosed to matched contractors — the service-provider companies registered on Beolta (for example IT-outsourcing agencies) — who receive a buyer's professional contact data when that buyer is shortlisted as a relevant prospect for their services.

8.3 What Data We Hold

We hold only professional data (name, job title, work email, LinkedIn URL, employer company). We do not hold sensitive personal data, home addresses, or personal contact details.

8.4 How Long We Hold Your Data

We refresh buyer-side and contractor-side contact data every 90 to 270 days depending on data signal freshness in our structured (active) database (contractor-side scraped data is additionally subject to the 36-month inactivity anonymisation described in Section 9). Raw API responses received from the B2B data providers listed in Section 6.1 are cached for up to seven (7) years from the date of fetch, after which they are automatically deleted by our scheduled retention job. The seven-year cap is the period mandated for accounting source documents under the Estonian Accounting Act (Raamatupidamise seadus, §12), which is the recognised statutory horizon for business records and for the establishment, exercise and defence of legal claims in our jurisdiction. We retain raw responses inside that window so that we can re-extract data accurately if our pipeline is improved, demonstrate to regulators and to data subjects what the upstream provider returned at any given time, and answer subject-rights requests completely.

When you request deletion (opt-out), we do two things in parallel, regardless of how long the raw response has been cached:

  1. Remove your data from our active database within 30 days and add a hashed identifier to a permanent suppression list to prevent re-import.
  2. Surgically redact your personal data inside any cached raw responses that remain within the seven-year window. We do not delete the cached responses themselves at that point — instead, every value that identifies you (e.g. your business email, your phone number, your LinkedIn ID) is replaced with the literal string [REDACTED] inside the cached payload, preserving its shape so our re-extraction pipeline stays valid but removing your personal data from the cache. A separate audit record is written for each redaction. The cached row itself is then deleted in due course when it crosses the seven-year mark, by the same weekly retention job.

A daily background process re-applies redaction across the cache for every entry on the suppression list, ensuring any new payloads that arrived after your initial opt-out are also covered.

8.5 Your Rights (Buyer-side and Contractor-side Contacts)

Whether you are a Buyer-side Contact or a Contractor-side Contact, you have the right to:

To exercise any of these rights: email privacy@beolta.com with the subject line "Contact Opt-Out" or "Contact DSAR", or submit a request via our Data Subject Access Request form. We will acknowledge within 72 hours and respond within 30 days.


9. Data Retention

We retain personal data only as long as necessary for the purposes set out in this policy, or as required by law.

Data category | Retention period | Rationale
Account data (profile, usage logs) | Duration of active account + 3 years after closure | Legitimate interests in resolving disputes; statute of limitations
Billing records and invoices | 7 years from transaction date | Estonian Accounting Act (Raamatupidamise seadus) mandatory retention
Terms of Service acceptance records | 7 years from acceptance date | Legal obligation / legitimate interests in defending legal claims
Session and authentication data | 90 days rolling | Security and fraud prevention
Buyer-side contact data (structured, active database) | Refreshed every 90–270 days. Individual contact details (name, email, phone, LinkedIn) are anonymised once a contact has had no engagement for 24 months, or once the associated company record has been inactive for 36 months, whichever occurs first. Suppressed or deleted within 30 days of opt-out. | Signal TTL-based freshness; opt-out compliance; storage limitation (Art. 5(1)(e))
Contractor-side scraped contact data (agencies that have not registered on the platform) | Individual decision-maker contact details (name, email, phone, LinkedIn) are anonymised after 36 months of inactivity (measured from the contractor record's last-updated timestamp); rows are retained in anonymised form for referential integrity. Company-level firmographic profile data (services, team size, region, public case studies) is not personal data and is retained. Contractors that register are subject to the registered-account retention period above. | Storage limitation (Art. 5(1)(e)); Art. 14 GDPR legitimate-interest balance
Outreach correspondence (messages sent to buyer-side contacts and their replies) | 3 years from the date the message was sent or the reply received | Legitimate interests in evidencing the lawful basis and content of B2B outreach and in resolving disputes
Cached raw API responses from B2B data providers | Up to 7 years from fetch (hard cap; automatically purged by a weekly automated retention job). PII inside each cached response is surgically redacted on subject erasure or opt-out within 30 days, and a daily sweep re-applies redaction across the cache for every entry on the suppression list. | Estonian Accounting Act (Raamatupidamise seadus) §12 statutory horizon; re-extraction accuracy; regulator-traceability; completeness of subject-rights responses — see §8.4
Support correspondence | 3 years from last interaction | Legitimate interests in resolving disputes
Error/diagnostic logs (Sentry) | 90 days | Operational necessity
Breach-incident records | At least 7 years from incident closure | Regulatory defence horizon; Estonian Accounting Act alignment
Data-subject-rights request records (access, erasure, objection logs, including records evidencing withdrawal of consent) | 2 years from the date the request was made | Accountability (Art. 5(2)); statute of limitations

After the applicable retention period, data is securely deleted or irreversibly anonymised.


10. Your Rights Under GDPR (Art. 15–22)

If you are a Registered User, a Buyer-side Contact, or a Contractor-side Contact, you have the following rights under GDPR. These rights apply subject to applicable exemptions and limitations.

Right | What it means
Access (Art. 15) | Request a copy of the personal data we hold about you, along with information about how we use it
Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data
Erasure (Art. 17) | Ask us to delete your data ("right to be forgotten"), subject to applicable legal retention obligations
Restriction (Art. 18) | Ask us to limit processing while a dispute or objection is resolved
Data portability (Art. 20) | Receive data you provided to us in a structured, commonly used, machine-readable format (applies to data processed by contract or consent)
Object (Art. 21) | Object to processing based on legitimate interests, including direct marketing and profiling. For direct marketing objections, we must stop immediately with no balancing test.
Withdraw consent (Art. 7(3)) | Where processing is based on consent, withdraw it at any time without affecting prior processing
Not be subject to automated decisions (Art. 22) | Not be subject to a decision based solely on automated processing that produces significant legal effects — our AI features generate recommendations for human review; no automated decisions with legal effects are made

10.1 How to Exercise Your Rights

In-app (Registered Users): Settings → Privacy → Data Rights

By email: privacy@beolta.com. Include your name, the email address associated with your account (or, for Buyer-side Contacts, the email address where you believe your data is held), and a description of your request.

Response timescales: We will acknowledge your request within 72 hours and provide a substantive response within 30 days (extendable by a further two months for complex or multiple requests, with notice to you).

We do not charge a fee for exercising your rights, unless requests are manifestly unfounded or excessive.

We may need to verify your identity before processing a request.


11. Cookies and Tracking Technologies

11.1 What We Use

| Cookie / technology | Type | Purpose | Duration |
|---|---|---|---|
| Auth session cookie | Strictly necessary | Maintains your authenticated session in app.beolta.com. Set as HttpOnly and Secure — cannot be accessed by JavaScript | Session / configurable |

We do not use analytics cookies or any analytics package on app.beolta.com. No traffic statistics, session replays, or similar tools are deployed.

11.2 What We Do Not Use

11.3 Cookie Management

You can control or delete cookies through your browser settings at any time. Disabling the auth session cookie will prevent you from logging in to app.beolta.com.


12. Security

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

No method of transmission or storage is 100% secure. If you become aware of a security concern, please contact privacy@beolta.com promptly.

Data breach notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware, and will notify affected individuals without undue delay where required by Art. 34 GDPR.


13. Children's Data

Beolta is a B2B platform intended for use by business professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe that a child's data has been submitted to us, please contact privacy@beolta.com and we will delete it promptly.


14. Links to Third-Party Sites

Our platform and emails may contain links to third-party websites and services. This Privacy Policy does not cover how those third parties process your data. We encourage you to review the privacy policies of any third-party sites you visit.


15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

The current version of this policy is always available at app.beolta.com/legal/privacy and beolta.com/privacy.

Continued use of Beolta after the effective date of an updated policy constitutes acceptance of the changes, to the extent permitted by applicable law.


16. Supervisory Authority

If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: www.aki.ee
Email: info@aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia

If you are in the United Kingdom, your supervisory authority is the Information Commissioner's Office (ICO):

Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom

You may also lodge a complaint with the supervisory authority in the EU member state where you reside or work, with the ICO if you are in the United Kingdom, or with the authority in the country where the alleged infringement occurred.

We ask that you contact us first at privacy@beolta.com so that we can attempt to resolve your concern directly.


17. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data:

Editale OÜ — Privacy
Email: privacy@beolta.com
Postal address: Narva mnt 7-557, 10117 Tallinn, Estonia


Editale OÜ — Registry code 17430609 — Tallinn, Estonia
Privacy Policy v1.4.0 — Last reviewed 7 June 2026