Privacy Policy

Effective date: 7/7/2025

This Privacy Policy explains how Karavaev Aleksei, sole entrepreneur, trading as NewBusinessAlerts ("we", "our", or "us") processes personal data when providing the NewBusinessAlerts platform (the "Service").

Our Service has two distinct data subjects:

Subscribers – professional bookkeepers (or other professionals) who create an account and pay to receive business leads.
Entrepreneurs – individuals whose business contact details are published in the Polish CEIDG register and whose data we include in our leads.

We comply with the EU General Data Protection Regulation (GDPR) and relevant Czech & Polish data‑protection laws. All terms used in this Policy have the meaning given by the GDPR.

1. Who is the data controller?

Controller: Karavaev Aleksei, sole entrepreneur (trading as NewBusinessAlerts)
Reg. No 23286105
V Bažantnici 2639, Kladno, 27201, Czech Republic
Email: support@newbusinessalerts.com

We have not appointed a Data Protection Officer because our scale of processing does not require one (GDPR Art. 37).

2. What personal data do we process?

2.1 Data about Subscribers

Category	Details	Source	Purpose
Account identifiers	Name, business name, VAT/NIP/IČO or REGON, email, phone	Provided by subscriber	Create & manage account (Art. 6 (1)(b))
Login & security	Password (hash), login timestamps, IP logs	Generated during use	Authenticate & secure Service (Art. 6 (1)(b) / 6 (1)(f))
Billing	Invoicing address, VAT ID, payment reference, amount, dates	Payment processor (PayU, Stripe, etc.)	Issue invoices, comply with tax law (Art. 6 (1)(c))

2.2 Data about Entrepreneurs (CEIDG Leads)

We collect only what is already public in the CEIDG register and relevant to bookkeepers. The exact fields we store are visible in the code snippet above and include:

Business name, CEIDG ID and status codes
NIP, REGON (business identifiers)
Owner’s name & PESEL (if publicly listed)
Contact data: email, phone, electronic‑delivery address (EDE)
Main & additional PKD codes (business activity classifications)
Business life‑cycle dates: start, suspension, resumption, closure
City and correspondence address
Citizenship codes (if publicly listed)
Raw CEIDG JSON payload (stored for audit)

Sensitive data: CEIDG does not publish special‑category data (GDPR Art. 9); therefore we do not process any sensitive categories.

3. For what purposes and on what legal basis?

Purpose	Data subjects	Legal basis
Provide the Service (account creation, delivering hourly updates, customer support)	Subscribers	Contract necessity – GDPR Art. 6 (1)(b)
Issue invoices & comply with bookkeeping rules	Subscribers	Legal obligation – Art. 6 (1)(c) (Czech VAT Act, AO 593/1992 Coll.)
Detect abuse, secure servers, resolve bugs	Subscribers & Entrepreneurs	Legitimate interest – Art. 6 (1)(f)
Aggregate CEIDG entries and forward leads to subscribers	Entrepreneurs	Legitimate interest – Art. 6 (1)(f)
Direct transparency notice (Art. 14 GDPR emails)	Entrepreneurs	Legal obligation – Art. 6 (1)(c)
Analytics cookies (optional)	Subscribers & site visitors	Consent – Art. 6 (1)(a)

3.1 Legitimate-interest balancing test

We performed a Legitimate Interests Assessment and concluded that our interests are not overridden by data‑subject rights because:

Only publicly available business contact data is processed.
The data subjects are acting in a professional capacity.
We send a GDPR Art. 14 notice immediately with a one-click opt-out link.
We honour objections and remove the entrepreneur’s data from future updates.

4. How do we collect the data?

CEIDG API / daily XML dump – we ingest new business records and update existing ones via automated scripts.
Registration form – subscribers enter their own business data.
Payment processor webhooks – billing data.
Cookies & server logs – collected automatically.

5. Who receives the data?

Recipient	Country	Safeguard
Subscriber bookkeepers (only if the entrepreneur does not object)	EEA (mostly Poland)	Each subscriber is an independent controller; they must comply with GDPR and Polish e‑marketing law.
Infrastructure hosting (e.g., Hetzner, OVH)	EEA	Data‑processing agreement (Art. 28) in place.
Email delivery provider (e.g., Mailgun EU region)	EEA	Art. 28 DPA & encryption in transit.
Payment processor (e.g., PayU, Stripe)	EEA or US	Standard Contractual Clauses if outside EEA.

We do not sell or rent personal data. No automated decision‑making or profiling with legal effects is carried out.

6. International transfers

Our servers are located in the EU. If we use any service provider outside the European Economic Area, we rely on Standard Contractual Clauses or an adequacy decision (GDPR Chapter V). Details are available on request.

7. Data retention

Data set	Retention period
Subscriber account & billing records	10 years from end of fiscal year (Czech accounting law)
CEIDG Leads	Until: (a) 12 months after collection, or (b) entrepreneur objects, whichever is earlier. A hashed suppression list is kept indefinitely to enforce opt‑outs.
Server logs	90 days (security); aggregated thereafter.
Analytics cookies	As specified in the Cookie Policy or until consent withdrawn.

8. Your rights

Data subjects have the following rights (GDPR Arts. 15‑22):

Access – know what data we hold.
Rectification – correct inaccuracies.
Erasure – delete data (subject to legal retention).
Restriction – limit processing in certain cases.
Portability (subscribers only) – receive a copy in structured format.
Objection – entrepreneurs may object to processing based on legitimate interest at any time (opt‑out link in our notice email).
Lodge a complaint – with the Czech supervisory authority (ÚOOÚ) or the Polish authority (UODO).

Exercising your rights: Email support@newbusinessalerts.com or write to the address above. We will respond within 30 days.

9. Security measures

TLS encryption for data in transit.
Server-side encryption at rest (AES-256) for the lead database.
Role-based access – only the controller (and vetted contractors under NDA) can access raw data.
Daily off-site backups with 30-day retention.
Rate-limiting & brute-force protection on login endpoints.
Annual penetration test & security patch policy.

10. Cookies & tracking

We use essential cookies for session management and CSRF protection. With your consent we may set analytics cookies (e.g., Google Analytics with IP anonymization). Details and opt‑out options are described in our separate Cookie Policy.

11. Changes to this Policy

We may update this Policy from time to time. We will notify subscribers by e‑mail of any material changes at least 14 days before they take effect. The latest version is always available at https://newbusinessalerts.com/privacy.

Last updated: 7/7/2025

Contact