POLICY

Privacy Policy

Effective 2026-05-11

This Privacy Policy explains how Editale OÜ (registry code 17430609, Estonia), trading as Beolta (“we”, “us”, or “our”, “Beolta”, “the Service”), collects, uses, discloses, and protects personal data when you visit beolta.com or interact with our matchmaking platform. Beolta is a proactive matchmaking platform that detects buyer intent signals and introduces curated contractor shortlists across multiple industry verticals (including, among others, IT outsourcing, Specialty Construction, Legal & ALSP, and marketing agencies).

Governing version. This page is the public-website overview of our privacy practices. The full, operative Privacy Policy for the Beolta application and contractor accounts — including the detailed data-retention schedule — is published at app.beolta.com/legal/privacy and prevails over this page where the two differ.

1. Data Controller

The data controller responsible for your personal data is:

Name: Editale OÜ (registry code 17430609)
Registered address: Narva mnt 7-557, 10117 Tallinn, Harju maakond, Estonia
Email: hello@beolta.com
Privacy contact: privacy@beolta.com

2. Data We Collect

2.1 Data You Provide

When you contact us by email, or submit a request through an in-app form (for example the contractor support form in the console), we collect:

Your name (where provided)
Your email address
Message content
For in-app forms, your account and company context, so we can respond

When a contractor registers on the platform, we collect the information provided during registration, including company domain, profile data (via source URLs you submit for re-scraping), and your acceptance of the Terms of Service (version and timestamp).

2.2 Data Collected from Public Sources (Matchmaking)

As part of operating the matchmaking platform, we collect and process:

Buyer company data: company name, domain, industry vertical, detected intent signals (hiring patterns, funding events, regulatory filings, tender activity, and similar signals from public sources)
Decision-maker contact data: business email addresses and professional profile information of individuals at buyer companies, sourced from publicly available professional directories and signal sources
Contractor profile data: company name, domain, service specializations, case studies, and other professional data sourced from public platforms and third-party business-data providers (for example LinkedIn, Clutch, company websites, business-data and funding databases, and vertical-specific directories)

2.3 Data Collected Automatically

When you visit our website, we automatically collect:

Technical data: IP address, browser type and version, operating system
First-party funnel analytics: if you accept on the cookie banner, we set a first-party anonymous device identifier (beolta_anon) and first-touch campaign attribution (beolta_attr), and record minimal events about how you move through the site and into the application (page views, calls-to-action, and the handoff to app.beolta.com)

First-party funnel analytics. We operate our own first-party analytics to understand, in aggregate, how visitors progress from a marketing email or campaign through the site and into the application, and where they drop off. Setting the pre-authentication anonymous cookie and collecting these events is consent-based (Art. 6(1)(a) GDPR / ePrivacy): nothing is stored or collected unless you accept on the banner, and declining keeps it off. We practise data minimisation — we store an anonymous identifier rather than your name, never raw IP addresses, and no third-party analytics providers, advertising networks, or tracking pixels are involved. These analytics events are retained for approximately 13 monthsand then deleted. Once you sign in to the application, product telemetry is tied to your account and processed under legitimate interest (Art. 6(1)(f)) as described in the full policy.

2.3 Contractor-side Decision-Maker Data (Art. 14 GDPR)

In addition to buyer-side contacts, Beolta also collects professional data on decision-makers at contractor/agency companies (for example, IT-outsourcing agencies listed on Clutch, DesignRush, or TechBehemoths). This data — typically name, job title, and business email — is sourced from public agency directories (via Apify-operated scrapers) and from the third-party B2B data providers and public sources listed in Section 5 of the full policy (the same providers used for buyer-side contacts, such as Apollo, Hunter, PeopleDataLabs, GitHub, and SEC EDGAR). It is used to present the agency’s profile to matched buyers and to invite the agency to claim its Beolta profile. The lawful basis is Art. 6(1)(f) legitimate interest (assessed in our Legitimate Interest Assessment). These individuals have the same rights as buyer-side contacts (access, erasure, objection) — see Section 9 and the full policy at app.beolta.com/legal/privacy.

3. Legal Basis for Processing (GDPR)

We process personal data on the following legal bases:

Legitimate Interest (Art. 6(1)(f)): For processing B2B prospect data (buyer company records and decision-maker contact information) for matchmaking purposes. A Legitimate Interest Assessment (LIA) is documented per vertical and per recipient region, including a balancing test weighing our commercial interest against data subject rights.
Explicit Consent (Art. 6(1)(a)): For registered contractor data — consent is obtained via ToS acceptance at registration. For buyer decision-makers, email verification via magic link confirms the contact’s identity; it does not by itself constitute consent. The legal basis for processing and for outreach to buyer decision-makers remains Legitimate Interest (Art. 6(1)(f)), supported by a documented Legitimate Interests Assessment.
Contract Performance (Art. 6(1)(b)): For processing data necessary to provide subscription services and invoice success fees to registered contractors.
Legal Obligation (Art. 6(1)(c)): For retaining deal and financial records for the periods required by applicable tax law.

The table below summarizes the legal basis per data category:

B2B prospect data (buyer companies and decision-makers): Legitimate Interest — documented LIA per region
Registered contractor data: Explicit consent via ToS acceptance at registration
Buyer-verified contacts (magic link): Legitimate Interest (Art. 6(1)(f)) — magic-link verification confirms identity only; does not constitute consent
Deal and financial records: Legal obligation (tax / accounting)

3a. How We Contact Prospects (GDPR Art. 13 / 14 Notice)

Beolta proactively contacts business decision-makers (“prospects”) at companies that exhibit buying signals. This section serves as our first-contact transparency notice under GDPR Art. 13 (where we collect data directly) and Art. 14 (where we collect data from public sources).

Legal basis

We rely on Legitimate Interest (Art. 6(1)(f)) for contacting prospects. Our legitimate interest is to introduce qualified contractors to companies that have publicly signalled a need for the relevant services (for example by posting open engineering roles or announcing expansion plans). A Legitimate Interest Assessment (LIA) is documented per industry vertical and per recipient region, including a balancing test that weighs our commercial interest against the impact on data subjects.

What we send

The first contact message is a brief, personalised introduction presenting a curated shortlist of contractors relevant to the detected signal. Each message includes a clear “Reply STOP to opt out” instruction and a permanent unsubscribe link. We do not send unsolicited advertising, cold-call sequences, or non-relevant material.

Your rights on first contact

Upon receiving a first-contact message you have the right to:

Object (Art. 21): Reply “STOP” or click the unsubscribe link. You will be removed from outreach immediately and your PII purged within 30 days.
Request erasure (Art. 17): Request deletion of all personal data we hold about you by emailing privacy@beolta.com or via our Data Subject Access Request form.
Access your data (Art. 15): Request a copy of the data we hold about you, including the signal(s) that triggered inclusion in a shortlist.

We respond to all rights requests within 30 calendar days.

4. How We Use Your Data

We use the data we collect to:

Detect buyer intent signals and produce curated contractor shortlists (matchmaking)
Deliver proactive introductions to buyers and notifications to contractors via email, LinkedIn, and other channels
Operate the contractor portal, including profile display, analytics, subscription management, and deal tracking
Track deals within the attribution window and invoice registered contractors for success fees on confirmed closures
Respond to your email and in-app support inquiries
Protect our website and platform from spam, abuse, and fraud
Comply with legal obligations

5. Third-Party Processors (Subprocessors)

We do not sell personal data. We share data with the subprocessors below, each of which processes personal data on our behalf and only to the extent necessary for the service it provides. These are the main subprocessors that operate the Beolta platform. The authoritative, always-current list — with the specific data categories, hosting region, and international-transfer mechanism for each — is published at app.beolta.com/legal/subprocessors and is provided in full before you register an account.

Marketing site (beolta.com):

AWS Amplify (Amazon Web Services, Inc.) — static-site hosting for the beolta.com marketing site (web server access logs)

Platform infrastructure (app.beolta.com):

Supabase, Inc. — database hosting, authentication, and file storage; processes all personal data stored in the Service (hosted in the EU, Frankfurt)
Railway Corp. — web application hosting (SSR) for app.beolta.com; processes HTTP request metadata, session data, and application logs
Stripe, Inc. — subscription billing and success-fee invoicing; processes billing name and address, tokenised payment-method details, and invoice records
Trigger.dev Ltd — background job processing (signal pipeline, retention, email digests); processes job payloads that may contain user IDs and prospect data while in flight
Resend, Inc. — transactional email delivery; processes recipient email addresses and email content
Unipile SAS — LinkedIn outreach API (connection requests, InMail, and direct messages to buyer-side decision-makers); processes their LinkedIn profile identifiers and the content of outreach messages (hosted in the EU, France)
Enrich Labs FZ L.L.C. (InboxKit) — cold-outreach mailbox provisioning and email-warmup infrastructure; processes sender mailbox identity data (mailbox names and addresses) and warmup peer-traffic addresses
Functional Software, Inc. (Sentry) — error monitoring and performance tracking; processes stack traces and limited session context (user ID, email on error)

AI model inference:

Anthropic, PBC — AI model inference for research briefs and outreach drafts; processes prospect and company context included in prompts. API terms preclude training on our data.
OpenAI, LLC — AI model inference (fallback / supplementary); processes prospect and company context included in prompts. API terms preclude training on our data.

B2B data enrichment and signal sources: these providers both supply prospect data to us and process data on our behalf:

Apollo.io, Inc. — B2B contact and company data enrichment (buyer-side contact sourcing): business contact data of decision-makers (name, business email/phone, title, employer, public LinkedIn URL)
Hunter Web Services, Inc. — business-email enrichment (email-finder / domain-search / verifier) used in the decision-maker email cascade (US entity; data hosted in Google Cloud Belgium, EU; transfers under SCCs)
People Data Labs, Inc. — B2B contact and company data enrichment (corroborating coverage for cross-verification)
TheirStack, S.L. — public job-posting and technology-signal aggregation (hosted in the EU, Spain)
BuiltWith Pty Ltd — public technology-stack scanner (per-domain technology signals; no personal data)
Apify Technologies s.r.o. — operator of scrapers against public marketplaces (Clutch, DesignRush, TechBehemoths): public agency / contractor directory listings and public decision-maker profile snippets

Public registries and open directories we collect from for source transparency — SEC EDGAR, SAM.gov (US federal procurement register), GitHub, and the Clutch / DesignRush / TechBehemoths public agency directories — are public sources, not subprocessors in the Article 28 GDPR sense. Each subprocessor operates under its own privacy policy and, where applicable, a data processing agreement consistent with GDPR. International transfers are covered by the safeguards described in Section 8.

6. Data Retention

We retain personal data as follows:

Decision-maker contacts (active outreach): 24 months from the last engagement event
Decision-maker contacts (archive): An additional 12 months in anonymized, company-level form only, for analytics continuity. Individual PII is removed at the end of the active outreach period.
Buyer company records: 36 months from the date of last activity
Contractor records (active subscription): Retained indefinitely while the subscription is active
Contractor records (post-unsubscribe): 36 months from the date of opt-out, for historical deal attribution and tax record integrity; then purged
Deal records: 7 years (tax and accounting requirement)
Support and contact requests (email and in-app forms): Retained only as long as needed to handle your request and as set out in the full policy, then deleted — or sooner if you request deletion

7. Opt-Out and Deletion Scope

Different actors can exercise different opt-out rights, with the following effects:

Buyer decision-maker unsubscribes: Removed from outreach lists immediately; PII purged within 30 days; the buyer company’s signal and match history is retained in anonymized form.
Buyer company-wide opt-out: No outreach will ever be sent to that company; all active match-page tokens are revoked; the company domain is retained in internal records for deduplication purposes only, with no active signal processing.
Registered contractor pauses: Hidden from new match generation; historical data retained; subscription continues.
Registered contractor opts out: Removed from new matches; profile hidden from the contractor portal; historical intros and deal records are retained as required for commission obligations under the ToS; after 36 months, anonymized.
Unregistered contractor opts out (from notification): Excluded from all future matches; internal directory retains a “do not include” flag.

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our third-party processors operate. We rely on the following safeguards:

EU–US Data Privacy Framework for transfers to certified US organizations
Standard Contractual Clauses (SCCs) approved by the European Commission

9. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate data
Right to erasure: Request deletion of your personal data, subject to legal retention obligations
Right to restriction: Request limitation of processing in certain circumstances
Right to data portability: Receive your data in a structured, commonly used format
Right to object: Object to processing based on legitimate interest (including objection to use of your contact information for outreach)
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

Data Subject Access Requests (DSARs) will be responded to within 30 calendar days. To exercise any right, submit a request via our Data Subject Access Request form or contact us at privacy@beolta.com.

Note: deletion requests for decision-makers who are not the primary registered contractor account holder result in anonymization rather than full deletion, to preserve deal attribution integrity where required by law.

You also have the right to lodge a complaint with a supervisory authority, such as your local data protection authority.

10. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Categories of Personal Information Collected

Identifiers: name, email address, company domain, IP address
Commercial information: company name, inquiry details, subscription and deal records
Professional information: job title, professional profile data sourced from public directories

Your CCPA Rights

Right to know: Request disclosure of personal information collected, used, and shared
Right to delete: Request deletion of your personal information, subject to applicable exceptions
Right to opt-out: Opt out of the sale of personal information
Right to non-discrimination: We will not discriminate against you for exercising your rights

Do Not Sell My Personal Information

We do not sell your personal information. We do not exchange personal data for monetary consideration with third parties.

11. Children’s Privacy

Our Service is intended solely for business professionals and is not directed to individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have collected data from a minor, please contact us at privacy@beolta.com and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the effective date. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

General email: hello@beolta.com
Privacy / GDPR requests: privacy@beolta.com
DSAR form: app.beolta.com/dsar
Postal address: Editale OÜ, Narva mnt 7-557, 10117 Tallinn, Harju maakond, Estonia

See also: Cookie Policy, Terms of Service.

← Back to home