Overview: the two kinds of data we handle
FUNEL handles two distinct categories of personal data: (a) data of customers who use FUNEL — the account, billing, and usage information of the people and businesses who hold a FUNEL account; and (b) business-contact data we process about third parties, compiled from publicly available business and professional sources. Each category is governed by its own practices and lawful basis.
(a) Customer data
This is information about you when you sign up for, pay for, and use FUNEL. It includes your account details, billing information, and how you interact with the product. We process it to deliver the service you have asked for under our contract with you.
(b) Business-contact data about third parties
This is professional contact information about individuals in their business capacity — for example, a work email, job title, employer, and professional profile — that FUNEL compiles and enriches from publicly available business and professional information and other public web sources. We process this data so customers can identify and reach relevant business contacts. If you appear in our database and want to be removed, see the section "How people in our database can opt out."
We are transparent about this processing and treat the individuals in our database with the same respect as our own customers. The remainder of this policy addresses both categories; where a practice applies to only one, we say so.
What data we collect
For customers, we collect the account, billing, and usage information needed to run your account. For third-party business contacts, we collect professional contact and firmographic details drawn only from publicly available business and professional sources. We do not collect special-category data, and we do not target the personal or private lives of individuals.
Customer data we collect
- Account data: name, work email, company name, role, and login credentials.
- Billing data: billing contact, plan, and transaction records (card details are handled by our payment processor — see Data sharing).
- Usage data: features used, searches and queries run, settings, and product activity used to operate, secure, and improve the service.
- Communications: support requests, feedback, and messages you send us.
- Customer-provided content: data you upload, import, or connect — including contacts you add to your workspace or sync from your CRM.
Third-party business-contact data we process
- Professional identity: name and job title or role in a business context.
- Business contact details: work email address and, where available, business phone and professional profile or page references.
- Employer and firmographic data: company name, industry, size, and location associated with the contact's professional role.
- AI-enriched attributes: inferred or structured business details our AI derives from the above to improve accuracy and relevance.
We describe our inputs only by category — publicly available professional and business information, public data sources, professional networks, local business directories, and public web sources. We do not collect data that individuals have made private.
How we use your data
We use customer data to provide, secure, bill for, and improve FUNEL, and to communicate with you. We use third-party business-contact data to build and maintain verified business contact records that customers can search, enrich, and use for legitimate B2B outreach. We do not use either category for purposes incompatible with these.
How we use customer data
- Provide and operate the service, including search, AI enrichment, outreach, and CRM sync.
- Authenticate users, secure accounts, and prevent fraud and abuse.
- Process payments and manage subscriptions.
- Provide support and send service and administrative messages.
- Analyze usage to maintain reliability and improve features.
- Comply with legal obligations and enforce our terms.
How we use third-party business-contact data
- Compile and structure verified business contact records from public sources.
- Enrich records with AI to improve accuracy, completeness, and relevance.
- Make these records available to customers for legitimate business-to-business outreach.
- Validate, de-duplicate, and keep records current, and honor opt-out and suppression requests.
Lawful bases for processing
Under the GDPR and UK GDPR (Article 6), we rely on contract to process customer data, legitimate interests to process third-party business-contact data for B2B purposes, and consent where the law requires it. We always offer a clear right to object and to opt out of the legitimate-interest processing.
- Contract (Art. 6(1)(b)): processing customer account, billing, and usage data to provide the service you have signed up for.
- Legitimate interests (Art. 6(1)(f)): processing business-contact data about third parties to provide a B2B sales-intelligence service. We have balanced this interest against the rights of the individuals concerned, limited our processing to professional information from public sources, and provide a straightforward opt-out.
- Consent (Art. 6(1)(a)): where required — for example, certain cookies and analytics, or marketing communications. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): where processing is necessary to comply with applicable law.
Where we rely on legitimate interests, you have the right to object at any time. We honor objections and removal requests promptly (see "How people in our database can opt out").
Data sharing and sub-processors
We do not sell personal information for money. We share data only with vetted service providers (sub-processors) who process it on our behalf under contract, and where required by law. We identify sub-processors by category, and a current list naming our vendors is available on request and under our Data Processing Addendum (DPA).
Categories of sub-processors
- Cloud hosting provider — infrastructure and data storage.
- Email delivery provider — sending outreach and service communications.
- Payment processor — handling subscription billing and card data.
- Analytics provider — measuring and improving product performance.
Each sub-processor is bound by data-protection terms and may only process personal data on our documented instructions. We also share data when required to comply with a legal obligation, enforce our terms, or protect the rights, safety, and security of users and the public. If FUNEL is involved in a merger, acquisition, or asset sale, data may be transferred subject to this policy.
Customers who require contractual data-protection commitments can request our signed DPA, which sets out the full sub-processor list, processing terms, and transfer safeguards. Contact privacy@funel.to.
International data transfers
We may process and store data in countries other than your own. When we transfer personal data across borders from the EEA, the UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards — principally the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum — together with supplementary measures where needed.
These safeguards are designed to ensure your data receives an essentially equivalent level of protection wherever it is processed. A copy of the relevant transfer mechanism is available on request at privacy@funel.to.
Data retention
We keep personal data only for as long as it is needed for the purposes set out in this policy, or as required by law. Customer data is retained for the life of the account and a limited period afterward; third-party business-contact data is retained while it remains accurate and relevant, and is deleted or suppressed when we receive a valid removal request.
- Customer account and usage data: kept while your account is active and for a limited period after closure to meet legal, accounting, and security obligations, then deleted or anonymized.
- Billing records: retained as long as required by tax and financial-reporting law.
- Third-party business-contact data: retained while it remains accurate and relevant to our B2B service, and refreshed or removed as sources change.
- Opt-out and suppression records: we retain a minimal record of removal requests so we can keep honoring them and prevent re-collection.
How we keep data secure
We protect personal data with strong technical and organizational controls. All data is encrypted in transit with TLS and at rest with AES-256. We operate on a GDPR-compliant-by-design and CCPA-aligned basis and follow recognized information-security practices. Access to personal data is restricted on a least-privilege basis.
- Encryption in transit (TLS) and at rest (AES-256).
- A documented information-security program and regular security reviews.
- Role-based, least-privilege access controls and authentication safeguards.
- Monitoring, logging, and a defined incident-response process.
No system can be guaranteed completely secure, but we work continuously to protect your data. In the event of a personal-data breach, we will notify affected parties and regulators as required by law, without undue delay.
Your rights
You have rights over your personal data, and we honor them for both customers and individuals in our database. Depending on where you live, these include rights of access, correction, deletion, restriction, portability, and objection, and — for California residents — the rights to know, delete, correct, and opt out of any sale or sharing. To exercise any right, contact privacy@funel.to.
Rights under the GDPR and UK GDPR
- Access — obtain a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion (the "right to be forgotten").
- Restriction — limit how we process your data in certain cases.
- Portability — receive your data in a portable, machine-readable format.
- Objection — object to processing based on legitimate interests, including our processing of business-contact data.
Rights for California residents (CCPA/CPRA)
- Know — what personal information we collect, use, and disclose.
- Delete — request deletion of personal information we hold about you.
- Correct — correct inaccurate personal information.
- Opt out of sale or sharing — direct us not to sell or share your personal information.
- Non-discrimination — you will not receive different service for exercising your rights.
FUNEL does not sell personal information for money. We honor verified erasure and opt-out requests promptly — typically within 30 days. We will verify requests before acting and may ask for limited information to confirm identity. You also have the right to lodge a complaint with your local data-protection authority.
How people in our database can opt out
If you appear in FUNEL's business-contact database and do not want to be there, you can ask us to remove you — no account required. Email privacy@funel.to with the name and business email or profile you want removed, and we will delete your record and suppress it from re-collection, promptly and at no cost.
You can also object at any time to our processing of your data under the legitimate-interest basis described above. We will stop processing your data for B2B contact purposes unless we have a compelling legal reason to continue, and we keep only the minimal record needed to keep honoring your request.
Children's privacy
FUNEL is a business tool that is not directed to children. We do not knowingly collect personal data from anyone under the age of 16. Our service is intended for use by businesses and professionals in a commercial context. If we learn that we have collected data from a child, we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the effective date and, where appropriate, notify you. The current version always governs our processing, and we encourage you to review it periodically.
Contact us
If you have questions about this policy, want to exercise a privacy right, or need to be removed from our database, contact us at privacy@funel.to. We aim to respond to all privacy requests promptly and within the timeframes required by applicable law.
- Privacy and data requests: privacy@funel.to
- Database removal / opt-out: privacy@funel.to (subject line "Data removal")
- DPA, sub-processor list, and transfer safeguards: available on request at privacy@funel.to
This Privacy Policy is governed by the laws of the jurisdiction in which FUNEL is established. Effective date: June 17, 2026.