Legal & Security FAQ
General information regarding FullEnrich & its products
Yes, FullEnrich complies with GDPR and CCPA and takes them into account to provide its services and run its company.
For instance, when FullEnrich acts as a processor under GDPR, FullEnrich complies with obligations set in its DPA (i.e. security measures, data retention, clients’ instructions, etc.). When FullEnrich acts as a controller under GDPR, information on its compliance and handling of personal data is described in its Privacy Policy (i.e. legal basis, retention periods, recipients, etc.).
Furthermore, FullEnrich provides privacy rights for data subjects and responds to their requests to exercise their rights.
The categories of personal data processed by FullEnrich depend on the purpose of the data processing:
- To provide the services, we can process personal data about the person for whom you wish to enrich the data or included in our database:
  - Identity and contact details;
  - Work experience;
  - Information about the company they work for.
- For account management, contract conclusion and support, we can process personal data about customers and prospects:
  - Identity and contact details;
  - Contractual and payment data;
  - Support data such as support needs and Customer communications as well as description of difficulties encountered by the user.
- To obtain analytics and improve our services, we can process personal data about Customers and prospects:
  - Browsing data including cookie data, IP address, logs, user journey;
  - Usage data including service utilization, user feedback and reviews, and session history;
  - User device identification data including browser type, operating system, and processor.
- For recruitment purposes, we can process personal data about applicants:
  - Identity and contact data;
  - Application data such as professional background, education, experience, resumes, professional needs, and cover letters.
For more information, please refer to our privacy policy, data processing agreement or cookie policy.
FullEnrich implements technical and organizational measures in accordance with Article 32 of the GDPR, including:
- Personal data pseudonymization and encryption measures (bcrypt with a cost of 14 rounds for passwords, and pseudonymization techniques such as anonymized logging with user identifiers);
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services (secured databases connected to a virtual private cloud (VPC));
- Regular testing, assessment, and evaluation processes for technical and organizational measures;
- User identification and authorization measures (session cookies (JWT) signed with HMAC using the SHA256 algorithm & role-based access control (RBAC));
- Data protection measures during transmission (all data transmissions are secured via HTTPS/SSL tunnels, extending robust encryption from the user endpoint to our databases);
- Data protection measures during storage (data at rest is protected by AES encryption);
- Measures to ensure physical security of locations where personal data are processed (data hosting provider (DigitalOcean) is compliant with SOC 2 and ISO 27001 standards);
- Event logging measures (kept for 1 year & encrypted at rest);
- Data minimization measures;
- Limited data retention measures;
- Technical and organizational measures for (sub)-processors.
FullEnrich is certified SOC 2 Type II and performs regular pentests. For more information, please refer to our security documentation available in the Privacy & Legal center and in our trust center.
Yes, we provide our security documentation in the trust center where you can request access to all of our security policies and SOC 2 Type II Report.
You also have access to security documentation related to data privacy in our data processing agreement and in our Privacy & Legal center.
Yes, FullEnrich is SOC 2 Type II certified. You can request access to our SOC 2 certification by clicking here.
FullEnrich’s hosting service provider is called DigitalOcean and hosts data in the European Union.
Yes, FullEnrich’s services include data transfers outside the EEA or the UK. FullEnrich’s head office is located in the USA and several sub-processors and data providers are located outside the EEA or the UK.
When there are data transfers outside the EEA or the UK, such transfers are governed by the Standard Contractual Clauses adopted by the European Commission.
You can read more about it in the DPA here.
Yes, when FullEnrich acts as processor, the data processing agreement contains a process in case of a data breach. It states that FullEnrich will inform the Customer without undue delay after becoming aware of the data breach and describes what the notification must contain. You can read more about it in the DPA here.
When FullEnrich acts as controller, in case of a data breach, FullEnrich will directly inform data subjects if necessary.
Yes, when FullEnrich acts as processor, the data processing agreement allows Customers to carry out audits of the processing activities covered in the DPA. You can read more about the conditions in the DPA here.
No, FullEnrich does not re-use the Customer data for its own purposes. FullEnrich undertakes to solely process the personal data added by the Customer for the purposes of providing the services.
No, FullEnrich does not re-use the enriched data for its own purposes. FullEnrich undertakes to solely process the enriched personal data obtained by the Customer to transfer it to the Customer.
FullEnrich stores the enriched data obtained by the Customer on the Customer account for 3 months then automatically deletes it. The Customer can access and upload its data at any time during the 3 months.
Data subjects can exercise their rights through FullEnrich’s portal available here.
The contract contains 3 documents: the signed Quote (when applicable), the Terms and Conditions of Use and Sale and the Data Processing Agreement (DPA).
Yes. The DPA is publicly available on our Privacy & Legal Center here. It covers obligations under Article 28 of the GDPR and can be signed by FullEnrich as part of the commercial relationship.
At the end of the contractual relationship with a Customer, in principle FullEnrich deletes all personal data processed on behalf of the client. As an exception, FullEnrich may retain specific data if the law requires it.
Specificities of Waterfall Enrichment Product
Waterfall Enrichment gives Customers the possibility to find someone’s email or mobile phone number with a LinkedIn profile URL or with their full name and company name.
You can use the service manually by uploading one request at a time, use the API, or use CSV/Excel files to enrich them automatically.
Waterfall Enrichment relies exclusively on data providers to obtain email addresses and mobile phone numbers on behalf of Customers. You can choose to use all providers or some of them only.
Waterfall Enrichment does not use a database and does not create one either.
FullEnrich acts as data processor when providing the Waterfall Enrichment service.
For this service, FullEnrich only processes data on behalf of the Customer and under its instructions.
No, the Waterfall Enrichment service does not rely on a database and does not create one either with the data obtained for the Customer.
Yes, if a Customer wants to use Waterfall Enrichment, they can sign a data processing agreement with FullEnrich.
The enriched data is provided by several data providers. On behalf of the Customer, FullEnrich searches data through different data providers one by one until the relevant data is found.
Yes, Waterfall Enrichment relies on several data providers to obtain and verify the matching but each Customer can choose to use all providers or only some of them.
To provide Waterfall Enrichment, FullEnrich uses data providers. Most of the data providers have their own databases and transfer the requested data to the Customer through FullEnrich services. As a result, they act as independent controllers and the Customer also acts as an independent controller when receiving and using the data. Some of the data providers do not have their own databases and only generate email addresses based on the last name, first name and company domain name. In that case, they act as sub-processors.
Customers have to conduct their own due diligence on data providers’ compliance and can remove data providers if they do not wish to use them for Waterfall Enrichment.
To remove a data provider, Customers must send a request to FullEnrich at support@fullenrich.com. For the avoidance of doubt, when a data provider is removed, it is removed for all further Waterfall Enrichment activities.
Yes, FullEnrich does use sub-processors for Waterfall Enrichment. Upon signature of the DPA, FullEnrich has the Customer’s general authorization to use the sub-processors mentioned in the agreed list.
FullEnrich conducts due diligence on its sub-processors, ensures the sub-processors have similar obligations to those imposed in the DPA with the Customer and remains liable to the Customer regarding sub-processors’ performance of their obligations. The list of sub-processors is available here.
Yes, as stated in the DPA, FullEnrich will assist the Customer if they receive a data subject request in connection with the use of Waterfall Enrichment and the Customer needs information about the data processing.
If FullEnrich receives a data subject request on behalf of a Customer, the Customer will be informed promptly and FullEnrich can assist the Customer to respond if needed.
Please read our DPA for more information.
Data enriched and provided by the Customer is only stored for three (3) months on our platform and then automatically deleted. However, during these 3 months, the Customer can upload the data at any time.
Specificities of People & Company Search Product
People & Company Search is a service that allows Customers to access a database of contacts from which they may create contact lists based on several criteria such as job titles, seniority, professional experience and background, location, educational background, and the characteristics of the companies for which the contacts work and/or have worked.
This service can be used for recruitment or sales prospecting purposes.
People & Company Search contains a database created by FullEnrich that Customers can access, consult, perform filtered searches on and extract data from.
FullEnrich acts as an independent data controller when it provides the People & Company Search service.
FullEnrich relies on the legitimate interest legal basis to provide People & Company Search.
Yes, FullEnrich uses a database to provide People & Company Search. The database was created by FullEnrich for this service.
FullEnrich’s database is updated every month to provide Customers with accurate and up-to-date information.
The database’s data comes from 2 data providers chosen by FullEnrich for the accuracy and completeness of their data.
When using People & Company Search, the Customer acts as an independent data controller, in particular when the Customer is consulting the database and extracting data from it.
When using People & Company Search, the Customer acts as data controller and as such, must make sure the processing it carries out is compliant with the GDPR (and all other applicable personal data regulations). The Customer must particularly respect obligations from Article 5 of the GDPR.
In particular, the Customer must ensure each data processing has an appropriate legal basis and a specific, explicit and legitimate purpose.
The Customer is solely responsible for its use and processing of the data.
As FullEnrich and the Customer act as independent data controllers for People & Company Search, data subject requests must be handled by each controller independently.
If FullEnrich receives a data subject request regarding data rectification, erasure or limitation, it will inform Customers.