GDPR Compliance
WholeDatabase is committed to full compliance with the General Data Protection Regulation (GDPR) in our collection and processing of B2B data.
Last updated: March 2026
Our Commitment to GDPR
WholeDatabase is committed to full compliance with the General Data Protection Regulation (GDPR). As a B2B lead intelligence platform, we understand the importance of handling business contact data responsibly and transparently.
Our database consists exclusively of business-to-business (B2B) contact information collected from publicly available sources across the United States, United Kingdom, Canada, and Australia. We do not collect or process personal data related to individuals in their private capacity.
We continuously review and update our data practices to ensure alignment with GDPR requirements and evolving regulatory guidance across all jurisdictions in which we operate.
Legal Basis for Processing
Under GDPR Article 6, we rely on the following legal bases for processing personal data:
Legitimate Interest (Art. 6(1)(f))
- Processing of publicly available B2B contact data for the purpose of enabling business-to-business communication and lead generation
- We conduct a Legitimate Interest Assessment (LIA) and balancing test to ensure data subjects' rights are not overridden
- Our legitimate interest is narrowly scoped to professional and business data only
Consent (Art. 6(1)(a))
- When users create accounts on our platform, we obtain explicit consent for processing their personal data
- Marketing communications are sent only with prior opt-in consent
- Consent can be withdrawn at any time through account settings or by contacting us
Contractual Necessity (Art. 6(1)(b))
- Processing necessary to fulfill our contractual obligations to paying customers
- Account management, billing, and service delivery
B2B Data & Legitimate Interest
The collection and processing of business contact information from publicly available sources qualifies under GDPR Article 6(1)(f) — Legitimate Interest. Here is how we ensure this legal basis is properly applied:
Why Legitimate Interest Applies
- The data we process is limited to professional and business information — such as business email addresses, job titles, company names, and work phone numbers
- This information is publicly available through business directories, corporate websites, professional networks, regulatory filings, and other public sources
- B2B data processing for lead generation and business communication is a recognized legitimate interest under GDPR recitals and regulatory guidance
Balancing Test
- We conduct a thorough balancing test weighing our legitimate interest against the rights and freedoms of data subjects
- The data processed is professional in nature and does not reveal sensitive or private information about individuals
- Data subjects reasonably expect their publicly available business information to be used for B2B communication purposes
- We implement robust safeguards including easy opt-out mechanisms, data minimization, and strict access controls
Data Minimization
- We collect only the minimum business contact data necessary for our stated purposes
- We do not process special category data (e.g., health, political opinions, religious beliefs) under any circumstances
- Records are reviewed regularly and outdated or irrelevant data is removed
Data Subject Rights
WholeDatabase honors all data subject rights under GDPR, regardless of the data subject's location. You do not need to be an EU/EEA resident to exercise these rights:
- Right of Access (Art. 15) — Request a copy of any personal data we hold about you, along with details about how it is processed
- Right to Rectification (Art. 16) — Request correction of any inaccurate or incomplete personal data
- Right to Erasure (Art. 17) — Request deletion of your personal data, processed within 72 hours of a valid request
- Right to Restriction (Art. 18) — Request that we limit the processing of your data in certain circumstances
- Right to Data Portability (Art. 20) — Receive your personal data in a structured, machine-readable format
- Right to Object (Art. 21) — Object to processing based on legitimate interest at any time, and we will cease processing unless we demonstrate compelling legitimate grounds
To exercise any of these rights, please use our contact form or reach out via our contact page. We respond to all requests within 30 days, as required by GDPR.
Data Removal Process
We have established a straightforward process for removing your data from our database. We aim to complete all removal requests within 72 hours:
- Step 1: Submit a Request — Contact us via our contact form or use our contact page with the subject line "Data Removal Request"
- Step 2: Provide Details — Include your full name, business email address, and company name so we can accurately locate your records
- Step 3: Verification — We may verify your identity to prevent unauthorized deletion requests. This is done promptly and with minimal friction
- Step 4: Processing — Your data is removed from all active databases and search indexes within 72 hours of verification
- Step 5: Confirmation — You will receive an email confirmation once the removal is complete, along with details of what data was deleted
We also maintain a suppression list to ensure previously removed records are not re-added to our database from public sources in the future.
Data Protection Measures
We implement comprehensive technical and organizational measures to protect the personal data we process:
- Encryption — All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption
- Access Controls — Role-based access controls ensure that only authorized personnel can access personal data, with the principle of least privilege applied
- Regular Audits — We conduct regular security audits and vulnerability assessments to identify and address potential risks
- Employee Training — All team members receive GDPR awareness training and are bound by confidentiality obligations
- Incident Response — We maintain a documented incident response plan that is tested and updated regularly
- Data Backup — Secure, encrypted backups with controlled access ensure data integrity and availability
International Data Transfers
As WholeDatabase operates across multiple jurisdictions, personal data may be transferred internationally. We ensure all transfers comply with GDPR Chapter V requirements:
- Standard Contractual Clauses (SCCs) — We use EU-approved Standard Contractual Clauses for data transfers to countries without an adequacy decision
- Adequacy Decisions — Where applicable, we rely on European Commission adequacy decisions for transfers to recognized countries
- Transfer Impact Assessments — We conduct transfer impact assessments to evaluate the level of protection in recipient countries
- Supplementary Measures — Additional technical and organizational safeguards are implemented where necessary to ensure equivalent protection
Data Processing Agreement
For customers based in the EU/EEA or processing EU data subjects' information, we offer a comprehensive Data Processing Agreement (DPA) that meets the requirements of GDPR Article 28.
Our DPA covers the nature and purpose of processing, data categories, retention periods, sub-processor obligations, and data subject rights assistance.
- Available for all Enterprise and Business plan customers
- Can be requested by any customer who processes EU personal data through our platform
- Includes Standard Contractual Clauses as an annex where required
To request or execute a DPA, please visit our Data Processing Agreement page or reach out via our contact page.
Sub-Processors
We engage a limited number of sub-processors to support our services. All sub-processors are vetted for GDPR compliance and bound by data processing agreements:
Cloud Infrastructure
- Cloud hosting providers with SOC 2 Type II certification and GDPR-compliant data processing agreements in place
- Data is hosted in secure, geographically distributed data centers with appropriate safeguards
Payment Processing
- PCI DSS Level 1 compliant payment processors handle all billing data
- WholeDatabase does not store credit card numbers or sensitive payment information directly
Communication & Support
- Email service providers used for transactional and support communications are GDPR-compliant and bound by DPAs
We maintain an up-to-date list of sub-processors. Customers are notified in advance of any changes to sub-processors, with the right to object to new additions.
Data Breach Notification
In compliance with GDPR Article 33, WholeDatabase maintains a robust data breach notification procedure:
- Detection & Assessment — Potential breaches are identified and assessed immediately by our security team
- Supervisory Authority Notification — Where a breach is likely to result in a risk to individuals' rights and freedoms, the relevant supervisory authority is notified within 72 hours of becoming aware of the breach
- Data Subject Notification — Where a breach is likely to result in a high risk to individuals, affected data subjects are notified without undue delay, per GDPR Article 34
- Customer Notification — Customers acting as data controllers are notified promptly so they can fulfill their own notification obligations
- Documentation — All breaches are documented, including facts, effects, and remedial actions taken, regardless of whether notification thresholds are met
Updates to This Policy
We may update this GDPR Compliance page from time to time to reflect changes in our data practices, regulatory requirements, or operational procedures.
When material changes are made, we will update the "Last updated" date at the top of this page. For significant changes that may affect your rights, we will make reasonable efforts to notify affected parties directly.
We encourage you to review this page periodically to stay informed about how we protect and process personal data in compliance with GDPR.
Contact & Data Protection
If you have questions about our GDPR compliance, wish to exercise your data subject rights, or need to report a data protection concern, please reach out to us.
WholeDatabase acts as the data controller for the personal data processed through WholeDatabase. You may also contact us via our contact page for any data protection inquiries.
If you are unsatisfied with our response, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.