
Privacy Policy

Last updated: April 30, 2026 · Effective from: April 30, 2026

Quick summary: BalticLeads is a B2B email outreach SaaS. We process two distinct categories of data: (1) your account data - we are the Controller; (2) recipient business contact data sourced from official EU public registries - you (the User) are the Controller, we are the Processor acting under your instructions. All processing complies with GDPR (Regulation (EU) 2016/679) and national laws of Estonia, Latvia, and Lithuania.

1. Who We Are

FANARI OÜ ("BalticLeads", "we", "us", "our") is a private limited company registered in the Republic of Estonia.

Legal name: FANARI OÜ
Registration code: 16648170
Registered address: Tallinn, Estonia
Platform: balticleads.ee
Contact for privacy matters: info@balticleads.ee
Lead supervisory authority: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) - aki.ee

You may contact us at any time about this Privacy Policy, your personal data, or to exercise your rights. We will respond within 30 days as required by GDPR Article 12(3).

1a. Communication Channels - how we reach out and where to write

For transparency under GDPR Articles 13-14, we operate three role-based email addresses. Knowing which is which helps you know where your reply will be read.

  • info@balticleads.ee - New users / onboarding. Email-verification messages, welcome emails, and pre-sales questions. Use this address before you have an account or during the first days of use.
  • support@balticleads.ee - Existing users (primary support channel). Billing questions, plan changes, technical issues, account-recovery requests, abuse reports, replies to admin notifications. Replies to automated noreply@ messages are routed here automatically.
  • noreply@balticleads.ee - Automated transactional messages only. Password resets, system notifications, queue updates. Do not reply - the inbox is not monitored. Replies are auto-forwarded to support via the Reply-To header.
  • Data subject & privacy requests - For GDPR requests under Articles 15-22 (access, rectification, erasure, restriction, portability, objection): write to info@balticleads.ee. We respond within 30 days as required by Article 12(3). To lodge a complaint with our supervisory authority: aki.ee.

2. Roles and Responsibilities - Important

BalticLeads operates in two different capacities under GDPR depending on the data being processed:

2.1 We act as Data Controller for:

  • Your user account data (email, name, password hash, company name, registration code, phone, billing data, SMTP credentials, settings, language preference)
  • Your usage data (login history, send statistics, plan tier, support correspondence)
  • Visitor data on our public website (essential cookies, security logs)

2.2 You act as Data Controller, and we act as Data Processor, for:

  • Recipient business contact data that you select to include in your campaigns (company names, business email addresses, registration codes, addresses, NACE/EMTAK industry codes)
  • Email content you compose and send (subject lines, body text, attachments)
  • Send history attributable to your campaigns (recipient address, timestamps, status, replies received via IMAP)

By registering and using the BalticLeads platform, you instruct us to process recipient data on your behalf for the documented purpose of B2B outreach. The legal basis for your processing of recipient data is legitimate interest under GDPR Article 6(1)(f), as further described in Section 5.

The Data Processing Addendum ("DPA") forming part of our Terms of Service Section 8 governs our role as Processor and includes all elements required by GDPR Article 28(3).

3. Personal Data We Collect (as Controller)

3.1 Account Information

When you register, we collect and process:

  • Full name and display name
  • Email address (used for login and service notifications)
  • Password - stored only as a salted bcrypt hash; we never store, log, or transmit plain-text passwords
  • Company name and business registration code (required to verify B2B status under Section 2 of our Terms)
  • Country of registration
  • VAT number (optional, for invoicing)
  • Legal address and contact phone
  • For sole proprietors only: personal identification code (id_code), where required by Estonian law for invoicing to natural persons engaged in business activity
  • Account type indicator (company vs sole proprietor)
  • Self-declared business activity sector (free text or NACE Rev.2 code)
  • Acceptance records of GDPR / B2B / Terms / Privacy / Anti-spam consents at registration, including timestamp, IP address, and user-agent string - retained as evidence of informed consent under GDPR Article 7(1)

3.2 Authentication and Session Data

  • Server-side session tokens (Flask session cookies, HttpOnly, Secure, SameSite=Lax)
  • CSRF protection tokens
  • Login timestamps and IP addresses (last_login)
  • Email verification tokens (one-time, expire after use)
  • Password reset tokens (one-time, expire after 1 hour)

3.3 Payment Data

All payment processing is performed by Stripe Payments Europe, Limited (Ireland), an independent Data Controller. We do not store, process, or transmit:

  • Credit card numbers, CVC codes, or full card details
  • Bank account numbers (other than IBAN you may include in your invoice settings)
  • Authentication credentials for your bank or card issuer

We retain only the minimum necessary to manage subscriptions: Stripe customer ID, subscription status, plan tier, monthly billing date, payment method type indicator (card / SEPA), and invoice records as required by Estonian accounting law.

Stripe processes payment data under its own privacy policy, available at stripe.com/privacy. Stripe is certified under the EU-US Data Privacy Framework and uses Standard Contractual Clauses where data is transferred outside the EEA.

3.4 SMTP and OAuth Credentials

  • SMTP credentials (host, port, username, password): stored encrypted in our database. Used solely to send emails on your behalf when you launch campaigns. We do not access, decrypt, or use these credentials for any other purpose.
  • Gmail OAuth tokens (if you connect Gmail): stored encrypted. Limited to scope gmail.send only - we cannot read, modify, or delete any of your existing emails.
  • Microsoft 365 OAuth tokens (if you connect Outlook/Office 365): same limitations.
  • IMAP credentials (derived automatically from your SMTP settings): used by our reply-tracking service to detect inbox replies to your campaigns and update your dashboard reply count. IMAP access is read-only via BODY.PEEK - we never mark your messages as read or modify your inbox.

3.5 Usage Data

  • Send history (recipient email, timestamp, status, error message, message ID)
  • Campaign metadata (name, filters, target counts, priority)
  • Template usage records
  • Quota counters (emails sent this month, credits used)
  • Reply detection records (matched Message-IDs and short reply excerpts - first 400 characters of the plain-text body, with quoted reply lines stripped)

3.6 Cookies

We use only strictly necessary cookies as defined in Article 5(3) of the ePrivacy Directive (these do not require prior consent):

  • session - signed Flask session cookie holding your user ID
  • csrftoken - CSRF protection
  • bl_lang - remembers your interface language preference

We do not use Google Analytics, Facebook Pixel, advertising cookies, or any other tracking technology. No data is shared with advertising networks.

4. Recipient Business Contact Data (Source and Lawful Basis)

4.1 Data Sources

Our platform aggregates publicly available business information from the following official EU government registries, under their respective open data licenses:

  • Estonia (EE): Äriregister - Estonian Centre of Registers and Information Systems (RIK). Source: avaandmed.ariregister.rik.ee. License: Open Data License - Estonian Public Information Act (Avaliku teabe seadus § 281).
  • Latvia (LV): Uzņēmumu reģistrs - Republic of Latvia Enterprise Register. Source: data.gov.lv Open Data Portal. License: CC BY 4.0.
  • Lithuania (LT): Registrų centras - State Enterprise Centre of Registers. Source: registrucentras.lt. License: open data published per the Lithuanian Right to Receive Information Act.

The data fields we ingest are: company name, registration code, legal form, registration date, registered address, listed contact email and phone, listed website, and stated business activity (NACE Rev.2 / EMTAK code). We do not ingest beneficial-ownership data, financial statements, court records, or any data category requiring restricted access.

4.2 Email Address Discovery

For companies where no contact email is published in the public registry, we may use publicly available DNS infrastructure to derive a probable corporate contact address:

  • We construct a probable domain name from the company name and country TLD
  • We perform a DNS MX-record lookup to verify that the domain has functioning email infrastructure
  • If MX records exist, we infer a standard corporate role address (e.g. info@domain.tld) - never a personal name

This process uses only the public DNS system - no data brokers, scraped websites, leaked databases, or social-network sources are involved.

4.3 Personal Data Within Recipient Data

Recipient business records may incidentally contain personal data within the meaning of GDPR Article 4(1) where:

  • The company is a sole proprietor and the email address contains a personal name
  • The registered email address is in the form firstname@company.tld
  • The board member or contact person is named in the public registry

In all such cases the data has been made manifestly public by the data subject through their own act of registering a business with the public registry. The processing of such manifestly public business contact data for B2B communication purposes falls within the scope of Recital 47 GDPR and Article 6(1)(f).

5. Lawful Basis for Processing - Legitimate Interest Assessment

The processing of recipient business contact data for B2B outreach relies on GDPR Article 6(1)(f) - legitimate interest. We have conducted a Legitimate Interest Assessment ("LIA") in accordance with the European Data Protection Board "Guidelines on Article 6(1)(f)" and concluded as follows:

5.1 Purpose Test - what is the legitimate interest?

The legitimate interest pursued is enabling lawful B2B commercial communication between registered businesses operating within the European Single Market. Specifically: enabling Estonian, Latvian and Lithuanian companies to discover potential business partners, suppliers, customers and service providers from official public business registries, and to initiate first contact via email. This interest is recognized under Recital 47 GDPR ("the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.").

5.2 Necessity Test - is the processing necessary?

Yes. There is no less-intrusive alternative that achieves the same outcome. Pre-collected consent from every Estonian/Latvian/Lithuanian company would be impractical and is not required for B2B contact published in public registries. The processing is limited to data that has been deliberately published by the registries for the purpose of public access, including for commercial use.

5.3 Balancing Test - do data subject rights override?

We have weighed the legitimate interest against the rights and freedoms of data subjects (recipients) and concluded that recipient rights do not override our legitimate interest, on the following grounds:

  • Recipients are businesses, not consumers. The contact addresses processed are corporate role addresses (info@, sales@, etc.) or named business contacts who have published their address as a business contact point.
  • The data is already public. Recipients have already published this exact data in public registries with awareness that it would be accessible for any lawful purpose, including commercial.
  • Reasonable expectations. A business publishing its email in an official registry can reasonably expect to receive B2B inquiries from other businesses.
  • Minimization. We process only the minimum data necessary (corporate contact only, no personal/sensitive categories).
  • Mandatory unsubscribe. Every email sent through our platform contains a one-click List-Unsubscribe header (RFC 8058) and a visible unsubscribe link, ensuring an effective right to object.
  • Global blacklist. Once a recipient opts out, no User of our platform may ever send to that address again.
  • No special categories. We do not process special categories of personal data within the meaning of GDPR Article 9.
  • Service relevance. Smart industry filtering ensures only relevant offers reach recipients (NACE-based targeting), reducing nuisance.

A copy of the full Legitimate Interest Assessment is available on written request from info@balticleads.ee.

5.4 Lawful Bases - Summary Table

  • Account creation, authentication, billing - Art. 6(1)(b) Contract performance
  • Sending emails on your behalf - Art. 6(1)(b) Contract performance with you, plus Art. 6(1)(f) legitimate interest of you the User vis-à-vis recipients
  • Recipient data ingestion (registries, DNS lookup) - Art. 6(1)(f) Legitimate interest in B2B communication
  • Reply detection via IMAP - Art. 6(1)(b) Contract performance
  • Service improvement, security monitoring - Art. 6(1)(f) Legitimate interest in service quality and security
  • Tax records, accounting - Art. 6(1)(c) Legal obligation under Estonian law
  • GDPR consent records at registration - Art. 6(1)(c) Compliance with Art. 7(1) accountability

6. Sub-Processors

We use the following third-party processors. Each is bound by a written contract meeting the requirements of GDPR Article 28(3). The list is updated whenever a sub-processor changes; you may subscribe to update notifications by contacting us.

  • Stripe Payments Europe, Ltd. (Ireland) - Payment processing (privacy policy: stripe.com/privacy)
  • Hetzner Online GmbH (Germany) - Server hosting (EU-only data centres)
  • Google LLC (Gmail API) - Optional, only if you connect Gmail. Scope gmail.send only
  • Microsoft Ireland Operations Ltd. (Office 365 OAuth) - Optional, only if you connect Outlook
  • Public business registries (RIK, UR, RC) - Source of public data only; no personal data shared back

We do not use: Google Analytics, Meta Pixel, Hotjar, Mixpanel, Amplitude, advertising networks, or any other behavioral-tracking sub-processor.

7. International Data Transfers

All your account data and recipient data is stored within the European Economic Area (Germany - Hetzner). Where data is transferred outside the EEA via sub-processors:

  • Stripe: relies on EU-US Data Privacy Framework certification and Standard Contractual Clauses
  • Google (Gmail): same - only used with your explicit OAuth authorization
  • Microsoft (Office 365): same

We do not transfer recipient data outside the EEA.

8. Data Retention

  • Account data - For the duration of your account, plus 30 days after a deletion request to allow rollback
  • Send history - 12 months from each send event, then automatic purge
  • Reply records - 12 months from receipt
  • SMTP credentials - Until you remove them or your account is closed
  • Opt-out records (global blacklist) - Indefinite; required to honour the ongoing right to object under Art. 21
  • Subscription / Stripe customer ID - For the duration of the subscription, plus accounting retention
  • Accounting / tax records - 7 years (Estonian Accounting Act § 12)
  • GDPR consent records - For the duration of your account plus 3 years (statute of limitations)
  • Server access logs - 30 days, then automatic deletion
  • Email verification & password reset tokens - 1 hour after issue, or immediately on use

9. Your Rights as a Data Subject

Under GDPR Articles 15-22, you have the following rights regarding personal data we process about you:

  • Right of access (Art. 15) - obtain confirmation of and a copy of your personal data
  • Right to rectification (Art. 16) - correct inaccurate or incomplete data
  • Right to erasure / "right to be forgotten" (Art. 17) - have your data deleted, subject to legal retention obligations
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20) - receive your data in a structured, machine-readable format
  • Right to object (Art. 21) - object to processing based on legitimate interest at any time
  • Right to withdraw consent (Art. 7(3)) - where processing is based on consent
  • Right not to be subject to automated decision-making (Art. 22) - we do not perform automated decision-making with legal effect

To exercise any right, contact info@balticleads.ee. We respond within 30 days. We may need to verify your identity before fulfilling certain requests.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) - aki.ee, or with the supervisory authority in your country of residence.

10. Rights of Email Recipients (B2B)

If you received an email from a User of our platform, you have the same rights described in Section 9. In particular:

  • Click the unsubscribe link in any email from our platform - effective immediately, no account required
  • Visit our Opt-Out page and enter your address - same effect
  • Email info@balticleads.ee - we will block the address platform-wide and respond within 30 days
  • Request a copy of the data we hold about your business address
  • Request deletion of all related send history (note: the underlying public-registry record is published by the registry, not by us, and we cannot delete it from its source)

Once you opt out, your address is added to a global blacklist that prevents any User of our platform from sending you emails again. The block is enforced automatically on every campaign.

11. Data Security

We implement appropriate technical and organisational measures (TOMs) under GDPR Article 32:

  • HTTPS / TLS 1.2+ for all data in transit
  • Salted bcrypt hashing of passwords (no plain-text storage, ever)
  • SMTP credentials and OAuth tokens stored encrypted at rest
  • HttpOnly + Secure + SameSite=Lax session cookies
  • CSRF protection on all state-changing endpoints
  • Per-IP and per-account rate limiting on authentication and sensitive endpoints
  • Logical access control: every user can access only their own data; admin access is segregated and logged
  • Backups encrypted at rest, retained for 14 days, stored in EU
  • Server hardening: firewall, automated security updates, principle-of-least-privilege user accounts
  • Incident response: in case of a personal data breach affecting your data, we will notify the Estonian DPI within 72 hours per Art. 33, and notify affected data subjects without undue delay if the breach is likely to result in high risk to their rights (Art. 34)
  • No third-party access except listed sub-processors under DPA

12. Children

Our service is for businesses only and not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we hold data about a child, please contact us immediately for deletion.

13. Automated Decision-Making and Profiling

We do not perform automated decision-making producing legal effects within the meaning of GDPR Article 22. The smart industry recommendations shown in the platform are non-binding suggestions based on your declared sector and do not affect your legal rights.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in law, services, or sub-processors. We will notify you of material changes at least 30 days in advance via email or in-platform notification. The "Last updated" date at the top of this page reflects the current version. Previous versions are available on request.

15. Contact & Complaints

For any privacy questions, requests, or complaints:

FANARI OÜ (BalticLeads)
Tallinn, Estonia
Registration code: 16648170
Email: info@balticleads.ee

If we are unable to resolve your complaint to your satisfaction, you may lodge a complaint with the Estonian Data Protection Inspectorate at aki.ee or with your local data protection authority.

FANARI OÜ © 2026 · Built in Tallinn, Estonia