Skip to content
contactctl

Legal

Privacy Policy

What we collect, why, how long we keep it, and the rights you have. Written to be read, not skimmed past.

effective: 2026-06-10

Who we are

ContactCTL ("the Service") is a command-line tool and HTTPS API for finding, verifying, and enriching B2B contact data. It is operated by Miha Cacic s.p., a sole proprietor registered in Slovenia, European Union ("we", "us"). For everything in this policy, we are the data controller of your account and billing data, and you can reach us at miha@contactctl.com.

What we collect

We collect three categories of data, and nothing beyond them:

  • Account data. Your email address, authentication identifiers, and hashes of your API keys. We store only a hash of each API key — the full key is shown once and cannot be recovered from our records.
  • Usage and billing records. Your subscription state, credit balance, and an immutable ledger of actions: the action type, credits charged, timestamps, and request fingerprints. This ledger is how we bill you correctly, detect abuse, and meet accounting obligations. Payment card details are held by our payment processor, not by us.
  • Lookup inputs and results. The names, company domains, email addresses, profile URLs, and CSV files you submit are processed to fulfil your request. Inputs and results of a run are retained for 30 days so you can re-download and resume batch jobs, then deleted. We do not use your lookup inputs to build or train anything.

We also keep short-lived technical logs (IP address, request metadata) for security and rate limiting.

How we use it, and on what legal basis

  • Providing the Service — running your lookups, managing credits, sending transactional email such as receipts and key-security notices. Basis: performance of a contract (GDPR Art. 6(1)(b)).
  • Billing and accounting — keeping the usage ledger and invoices. Basis: legal obligation (Art. 6(1)(c)) and contract.
  • Security and abuse prevention — rate limiting, fraud detection, log review. Basis: legitimate interest (Art. 6(1)(f)).

We do not sell your data and we do not run advertising of any kind.

B2B contact data: what we are and what we are not

ContactCTL acts as a conduit to licensed business-contact data sources. When you run a lookup, your query is forwarded to one or more professional data providers and the result is returned to you. We do not compile or market our own database of business contacts; results exist in your account only for the 30-day run-retention window described above.

For the lookup inputs you submit and the exports you create, you are the data controller and we process them on your behalf. You are responsible for having a lawful basis for your enrichment and outreach — typically legitimate interest for B2B contact under GDPR, plus whatever anti-spam law applies where your recipients are.

If you are a data subject — a person whose business contact details were returned by the Service — you can object or request suppression by emailing miha@contactctl.com. We will suppress the address from future results on our side and forward your request to the relevant upstream sources.

Processors and recipients

We use a small set of processors, each bound by a data-processing agreement and used only for the role described:

  • Payment processing — Stripe handles checkout, card data, and invoices.
  • Infrastructure and hosting — providers that run our API, database, and website.
  • Email delivery — a provider that sends transactional email (receipts, notices).
  • Business-contact data providers — licensed sources that receive your lookup queries in order to answer them.

Some processors operate outside the EEA. Where they do, transfers rely on adequacy decisions or EU Standard Contractual Clauses.

Data retention

DataKept for
Account dataWhile your account exists; deleted within 30 days of account deletion
Run inputs and results30 days after the run completes
Usage and billing ledger10 years, as required by Slovenian tax and accounting law
Technical logs30 days

Your rights

Under the GDPR you can, at any time:

  • request access to the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased (except records we must keep by law, such as the billing ledger);
  • restrict or object to processing based on legitimate interest;
  • receive your data in a portable format.

Write to miha@contactctl.com; we respond within 30 days. If you are unsatisfied, you can lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) or your local supervisory authority.

Cookies

The website sets essential session cookies only — the ones needed to keep you logged in to the dashboard. There are no advertising cookies, no cross-site tracking, and no third-party analytics scripts. Because we set nothing non-essential, there is no cookie banner to click through.

Changes to this policy

If we change this policy in a way that matters — new data categories, new purposes, new processors handling personal data — we will email account holders at least 14 days before the change takes effect and update the effective date above. Minor clarifications take effect on publication.

Contact

Miha Cacic s.p., Slovenia, EU. Privacy and data-subject requests: miha@contactctl.com.