Privacy Policy
Last updated: June 16, 2026
1. Data Controller
The Data Controller for the Compabase platform is Content Writer Sp. z o.o., headquartered at ul. Strzelecka 29A/39, 61-846 Poznań, Poland.
KRS (National Court Register): 0001088645
NIP (Tax ID): 7792567297
Data Protection Contact: [email protected]
The Controller has not appointed a Data Protection Officer. For GDPR-related matters, please contact us at the address above.
Compabase services are provided under the Compabase brand (compabase.com). Information notices under Article 14 of the GDPR may be sent from the compabase-legal.com domain—both domains are operated by the same Controller (Content Writer Sp. z o.o.).
2. Scope of this Policy
This Privacy Policy describes:
- how we process data of users with an account on the Compabase portal,
- how we process data of users purchasing datasets,
- how we process and publish data from public business registers (KRS),
- how we fulfill the information obligation under Article 14 of the GDPR,
- how we enable self-service updating and correction of data on an entity's profile (including without creating an account) — see § 14,
- how the artificial intelligence (AI) assistant available on the platform operates — see § 15,
- how we protect technical and transactional data related to platform usage.
Compabase is a B2B platform for analyzing economic data and is intended exclusively for professional use. Access to company profiles and data exports are subject to this policy.
3. Categories of Processed Data
3.1. Portal User Account Data
When registering and using an account, we may process:
- email address associated with the account,
- user identifier in the authentication system,
- data provided during onboarding (e.g., represented company, contact person, settings),
- content of queries to the platform assistant (if used),
- list of observed entities (watchlist).
3.2. Transactional and Billing Data
We collect only the data necessary to execute contracts, deliver ordered services (including platform exports), and issue invoices, including:
- email address,
- company name,
- tax identification number (NIP/VAT),
- invoice details.
3.3. Payment Data
Payments are processed by external payment service providers (e.g., Stripe). We do not store payment card numbers or bank account access credentials.
3.4. Technical Data
Basic technical logs may include:
- IP address,
- query metadata,
- timestamps.
This data is used solely to ensure security, system stability, and to prevent abuse and fraud.
3.5. Public Data from Business Registers
Compabase processes and structures data sourced primarily from publicly available official registers and documents, including:
- National Court Register (KRS),
- financial statements submitted to public repositories,
- the VAT taxpayer list (the "white list") maintained by the Minister of Finance (VAT status and business bank accounts reported to the list).
The platform covers registered companies (KRS). Profiles may present: entity name, KRS, NIP, REGON, legal form, address, status, registration dates, algorithmically calculated financial indicators, business descriptions, VAT registration status and business bank accounts from the VAT taxpayer list, connections between entities (relationship graphs), and—to the extent described in § 3.6—personal data of individuals.
Data regarding VAT status and business bank accounts relate to the business entity (not to an individual) and originate from a public, official register maintained under tax law.
3.6. Publication of Personal Data from Registers
Personal data from public registers is published on the platform only after fulfilling the information obligation under Article 14 of the GDPR towards the given economic entity. This involves sending a notice to the public email address disclosed in the register, containing a link to this privacy policy. In other cases, we present only information necessary to identify the entity and describe its business activities, without data enabling the identification of individuals.
We process and present personal data of individuals only in relation to entities towards which we have fulfilled the information obligation under Article 14 GDPR (i.e., we sent a notice to the entity's public email address from the register). We do not present personal data of individuals connected to entities for which this obligation has not been fulfilled, either in the representation module or in the connections module.
Entities registered in KRS (commercial companies, associations, corporate entities):
- after fulfilling the obligation under Article 14 GDPR—based on the current register entry, we publish data of individuals in representation bodies, shares held by individuals, and in the connections module;
- if the entity's public email is unavailable or the information obligation was not fulfilled—personal data of individuals is not presented on that entity's profile in the above scopes;
- if the same individual appears connected to another entity for which the Article 14 obligation was fulfilled, information about that person may be visible on the profiles of connected entities;
- data of legal entities in the ownership structure is presented regardless of the above.
Data minimization principle (Article 5(1)(c) GDPR). To limit the scope of personal data presented to the necessary minimum, with respect to individuals:
- we do not present the PESEL number or full date of birth; where it is helpful to distinguish individuals with identical first and last names, we present only the approximate age calculated from the year of birth (e.g., "47 yrs"). The full date of birth and the PESEL number are not made available in the platform interface, via the application programming interface (API), or in data exports;
- we limit the scope of personal data to information arising from the function held within the entity (first name, last name, function, shares held by the individual, approximate age).
Protection of the public email address against misuse. The entity's public email address disclosed in the register is not visible to non-logged-in users and remains hidden (masked) in the public view. We make it available only to logged-in platform users. This measure—an additional data security safeguard (Article 32 GDPR)—aims to limit the automated harvesting (scraping) of addresses and to counter abuse, in particular unsolicited marketing communications. Compabase merely makes register data available; any user intending to make contact using such an address is independently responsible for having an appropriate legal basis and the required consents (including with respect to direct marketing and electronic communications).
4. Data Sources
Data from business registers, financial statements, and the VAT taxpayer list originates from publicly available official sources and is not collected directly from individuals.
User account data and transactional data come directly from the user or are generated through service usage.
In addition, data presented on an entity's profile may come directly from a person authorized to represent the entity or connected to it who has used the self-service profile data update and correction feature (see § 14). Data submitted in this way is stored as a separate supplementary layer of information and does not modify the content of official public registers.
Public email addresses from register documents are published solely within the entity's profile and after fulfilling Article 14 GDPR. Upon request of the data subject or to exercise GDPR rights, we may cease publishing the email address on the profile, even if it remains in the public register.
5. Purposes and Legal Bases for Processing
We process data on the following legal bases:
5.1. Performance of a Contract (Article 6(1)(b) GDPR)
To:
- maintain the portal account and provide platform services,
- execute contracts and deliver ordered services,
- confirm payments.
5.2. Legal Obligation (Article 6(1)(c) GDPR)
To:
- issue VAT invoices,
- maintain accounting records.
5.3. Legitimate Interest (Article 6(1)(f) GDPR)
To:
- provide structured access to publicly available economic information from KRS, and reports,
- maintain economic transparency and verify contractors,
- build and present connections between entities and persons (within the limits of § 3.6),
- ensure platform security and prevent fraud,
- establish, exercise, or defend legal claims,
- maintain the technical integrity of data processing systems.
Non-personal data from registers is processed under Article 6(1)(f) GDPR to provide structured access to public business information. Personal data is processed under Article 6(1)(f) GDPR exclusively after fulfilling the obligation under Article 14 GDPR and within the scope described in § 3.6. A Legitimate Interest Assessment has been conducted to ensure proportionality.
6. Information Obligation (Article 14 GDPR)
When personal data is not collected directly from individuals, we fulfill the obligation under Article 14 GDPR towards the economic entity concerned based on the following principles:
- if a public email address is available in the register — we send an electronic information notice (e.g., from the compabase-legal.com domain) with a link to this policy. After providing such information, we publish the personal data of individuals associated with that entity on the platform within the scope defined in § 3.6;
- if there is no public email address in the register — we do not send the notice, and consequently, we refrain from publishing and presenting personal data on that entity's profile;
- in the case of individuals who contact us directly (e.g., to exercise their GDPR rights or obtain support) — we process the data contained in the correspondence, and we fulfill the related information obligation by providing this Policy.
Information correspondence under Article 14 does not constitute marketing communication and serves solely to fulfill legal obligations.
7. Automated Processing and Data Transformation
Compabase performs automated collection, normalization, and analysis of publicly available data.
Financial indicators may be derived, calculated, or interpreted algorithmically as an analytical representation of public financial data.
The platform may generate business descriptions based on public information and build relationship graphs (within the limits of § 3.6).
The platform may take actions to ensure data currency and quality, including technical verification.
Compabase does not use automated decision-making within the meaning of Article 22 GDPR and produces no legal effects concerning individuals.
8. Data Sharing and Recipients
We do not sell personal data as separate products and do not engage in behavioral advertising. The platform grants users access to publicly available company data (browsing profiles in the service, access via the API, and exporting datasets), including—after fulfilling Article 14—personal data disclosed in registers.
Personal data of representatives disclosed in registers (including first name, last name, function) constitutes a component of the entity's register data and—after fulfilling Article 14 GDPR—is available to users as part of that register data through profile browsing, the application programming interface (API), and data export. Personal data is, however, not a separate commercial product—it is not sold or made available as a standalone personal-data database or for marketing purposes.
Data may be entrusted or shared with:
- payment service providers (e.g., Stripe),
- cloud hosting and database providers (e.g., Supabase — EU infrastructure),
- tools for sending Article 14 GDPR notices,
- providers of AI models and services powering the AI assistant (see § 15), acting as processors on our behalf and without the right to use the submitted content to train their models,
- accounting and tax service providers,
- entities supporting platform security, maintenance, and development.
All data processors operate under Data Processing Agreements (Article 28 GDPR) where required.
9. Data Transfers Outside the EEA
Due to the global nature of some infrastructure providers (e.g., payments), data may be processed outside the European Economic Area. In such cases, appropriate safeguards are applied, including EU Standard Contractual Clauses or equivalent legal mechanisms. The primary platform infrastructure and databases are hosted in the EU.
10. Data Retention Period
Accounting and billing records: for the period required by tax law.
User account data: for the duration of the active account, and after deletion—until the expiration of general statute of limitations periods for civil claims (typically 3 or 6 years, depending on applicable law).
Transaction-related emails: only as long as necessary for delivery and technical issue resolution.
Technical logs: for a limited period necessary for system security.
Public register data (non-personal): as long as it remains in official registers or is necessary for economic information continuity.
Personal data from registers: until deleted or anonymized in the relevant public register, unless grounds for cessation of publication arise earlier (e.g., honoring a valid objection). After removal from the platform, data may be archived solely for the duration of the statute of limitations for legal claims.
11. Data Subject Rights
All individuals whose personal data we process (both platform users and individuals disclosed in business profiles) have the right to:
- access their data (Article 15 GDPR),
- request rectification (Article 16 GDPR),
- request erasure (Article 17 GDPR)—within legal limits, especially when data remains in public registers,
- request restriction of processing (Article 18 GDPR),
- data portability (Article 20 GDPR)—for data processed automatically based on a contract,
- object to processing based on Article 6(1)(f) GDPR (Article 21 GDPR).
Each request and objection is evaluated individually. We respond without undue delay, no later than one month from receipt (Article 12(3) GDPR). If an objection or request is justified, processing may be restricted, modified, or—where technically possible—personal data may be removed from platform presentation.
Requests can be submitted to: [email protected] (Subject: "GDPR").
You have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO) in Poland.
12. Cookies
Compabase uses only strictly necessary technical cookies required for session management, payment processing, and proper system functionality. We do not use tracking tools or behavioral analytics.
13. Security Measures
We implement appropriate technical and organizational measures to protect data, including secure infrastructure, access control mechanisms, data transmission encryption, and monitoring to prevent unauthorized access.
As part of risk minimization, we apply, among others, hiding the public email address from non-logged-in users (see § 3.6), limiting the scope of personal data presented (including no PESEL and no full date of birth, only the approximate age), and technical restrictions on data access via the application programming interface (API) and the AI assistant.
14. Self-Service Update and Correction of Profile Data
We provide a feature enabling persons authorized to represent an entity or connected to it to independently supplement, update, and correct data presented on the entity's profile (e.g., business description, logo, contact details). This feature serves to ensure the accuracy and currency of the data (Article 5(1)(d) GDPR) and facilitates the exercise of the right to rectification (Article 16 GDPR).
The feature can be used in two ways:
- after logging into the portal and confirming authority to manage the profile (verification based on a business email domain matching the entity's register data),
- without creating an account — in one-time edit mode, after confirming control over the business email address (domain verification via a one-time, time-limited link sent to an address in the entity's domain).
Domain verification is intended to ensure that data is modified only by a person controlling the entity. We process data submitted through this feature on the basis of Article 6(1)(f) GDPR (ensuring the currency and quality of economic information). Data entered in this way constitutes a supplementary layer of information and does not change the content of official public registers.
15. AI Assistant (Artificial Intelligence)
On the platform we provide an artificial intelligence (AI) assistant that allows questions in natural language about the economic data available in the service and presents answers and visualizations based on them.
- No training of models on user data. We do not train, fine-tune, or build our own AI models based on user data, query content, or platform data. We use models provided by third-party providers acting as processors on our behalf; content submitted to the model is not used by the provider to train its models.
- Limited, controlled access to data. The assistant accesses data exclusively through tools defined by us (an MCP-type interface), which constitute predefined, parameterized, read-only database queries. These tools operate on a limited set of data and views that already incorporate the restrictions on personal data described in this policy (including the Article 14 GDPR gate and no access to the PESEL number or full date of birth).
- No automated decision-making. The AI assistant is solely informational and auxiliary. It does not make decisions concerning individuals that produce legal effects or are similarly significant within the meaning of Article 22 GDPR. Results generated by the assistant may contain inaccuracies and require independent verification.
- Interaction content. The content of queries directed to the assistant, the content of responses, and the related technical metadata (chat history) are recorded and stored to provide the service, ensure its security, maintain quality, perform audits, prevent abuse, and document any attempts to circumvent or manipulate safeguards (Article 6(1)(b) and (f) GDPR). Chat history is not used to train AI models; it may, however, serve as evidence in proceedings concerning breaches of the Terms, including attempts to circumvent safeguards.