Privacy Policy for CorporateOS
Effective date: February 25, 2026
Last updated: February 25, 2026
CorporateOS is operated by CompanyOS, L.L.C. ("CompanyOS", "we", "us"), a company incorporated/registered in Poland. This Privacy Policy explains how we collect, use, disclose, and otherwise process personal data in connection with:
- the CorporateOS website at corporateos.io and any pages that link to this Privacy Policy (the "Website");
- the CorporateOS platform, applications, APIs, and related services (collectively, the "Services");
- our marketing, sales, and events.
Important: This Privacy Policy does not describe third-party practices (e.g., CRMs, email providers, or other integrations you connect). Their privacy practices are governed by their own policies.
1) Roles and responsibilities (Controller vs. Processor)
A. When CorporateOS is a Processor
CorporateOS is typically a data processor when we process personal data on behalf of our business customers in connection with the Services. In that case, the customer is the data controller and determines the purposes and essential means of processing (for example, which individuals to include, targeting criteria, campaign configuration, message content, sending rules, retention settings, and the lawful basis relied upon).
If you are an individual whose information is included in a customer's dataset or outreach, the customer's privacy notice (and instructions to CorporateOS) govern the processing.
B. When CompanyOS is a Controller
CompanyOS acts as a data controller for:
- our Website operations (including analytics and essential functionality);
- account administration and user management for the Services;
- our own sales, marketing, billing, and corporate operations;
- security monitoring, fraud prevention, and misuse detection.
2) Personal data we collect and process
The personal data we process depends on how you interact with CorporateOS.
A. Website visitors
- Device and connection data: IP address, browser type, operating system, device identifiers, language, approximate location inferred from IP.
- Usage data: pages viewed, clicks, referral pages, timestamps, and similar interaction data.
- Cookie data: identifiers and preference data via cookies and similar technologies (see Section 8).
B. CorporateOS users (customer admins and end users)
- Account and profile data: name, work email, organization name, role/permissions, authentication data (passwords are stored hashed).
- Support and communications: messages and requests sent to support, feedback, and attachments.
- Service usage data: features used, access logs, audit logs, error logs, performance metrics.
C. Lead/contact data generated by CorporateOS (no customer contact uploads)
CorporateOS is designed so that customers do not upload their own contact lists into the Services. Instead, CorporateOS provides lead/contact data generated from publicly available online sources and public data.
CorporateOS may process and present the following business contact data (where available):
- Identity and role: name, job title, department/function;
- Company details: employer/company name, company website/domain, industry and related business attributes;
- Business contact details: professional email address and professional phone number (if available);
- Source and audit information: source URLs and related provenance metadata stored and made available to customers for audit trail and compliance review.
CorporateOS also processes platform-generated operational metadata (e.g., record statuses, tags, scores/prioritization fields, and suppression/opt-out status) created through use of the Services.
If customers use CorporateOS for outreach, CorporateOS may process campaign delivery and response events (e.g., sends, bounces, and replies) depending on configuration. CorporateOS does not track opens or clicks.
D. Billing and payments
We process billing contact details and invoicing information. Payment card processing is performed by payment service providers; we do not intend to store full payment card numbers.
3) Sources of personal data
A. Public sources for lead/contact procurement
CorporateOS is designed so that lead/contact data made available through the Services is sourced from publicly available online sources and public data (for example, company websites, publicly accessible business directories, and public business registries).
We store and provide source links/provenance associated with lead records to support customer audit trails and compliance review.
B. Other sources
We may also receive personal data from:
- You (e.g., when you create an account, contact support, or visit the Website);
- Integrations you enable (e.g., when you connect a CRM or other business tools and instruct us to sync data).
4) How we use personal data
We use personal data to:
- Provide and operate the Services (account creation, authentication, access control, feature delivery).
- Process data under customer instructions (when acting as processor).
- Maintain security and integrity (monitoring, detecting abuse, preventing fraud, and protecting users).
- Improve and develop the Website and Services (debugging, analytics, performance, and product development).
- Provide support and respond to inquiries.
- Run our business (billing, accounting, internal recordkeeping).
- Conduct marketing and sales (subject to applicable law and your choices).
5) Legal bases for processing (EEA/UK/Switzerland)
Where the GDPR or similar European data protection laws apply, CompanyOS relies on one or more of the following legal bases:
- Contract: to provide the Services you or your organization requested.
- Legitimate interests: to operate, secure, and improve the Services; prevent fraud; and communicate with business users about our Services.
- Consent: for certain cookies and marketing communications where required.
- Legal obligation: to comply with applicable laws.
Legitimate interests disclosure: When we rely on legitimate interests, our interests may include: keeping CorporateOS secure, improving product performance and reliability, preventing misuse/fraud, and operating a B2B software business.
6) Automated processing, profiling, and AI
CorporateOS includes automation features (which can include AI/ML) to help users work more efficiently (for example, drafting assistance, categorization, deduplication, prioritization, and recommendations).
Lead scoring / matching (profiling)
CorporateOS uses automated methods to score and prioritize business leads and to help match leads to customer-selected criteria (e.g., role, company, industry, and related professional attributes). This constitutes profiling in the GDPR sense.
CorporateOS lead scoring is used to support business prospecting workflows and is not used to make decisions that produce legal effects or similarly significant effects about individuals.
If enabled, these features may process lead record attributes, customer-selected criteria, and platform usage metadata.
We may use third-party service providers to support these features.
Customers control what data they submit and which features are enabled. We recommend avoiding submission of sensitive personal data unless a specific feature explicitly requires it and appropriate safeguards are in place.
7) How we share personal data
We may disclose personal data to:
- Service providers (subprocessors) that help us operate the Website/Services (e.g., hosting, database infrastructure, email delivery for service notices, security, analytics, support tooling, and payment processing).
- Integration partners when you enable integrations and instruct us to share data (e.g., to sync records to your CRM).
- Professional advisers (legal, audit, insurance).
- Authorities and others as required by law or to protect rights, safety, and security.
- Successors in a merger, acquisition, financing, or asset sale.
We do not sell personal data for money in the ordinary sense. Some jurisdictions define "sale" or "sharing" broadly (e.g., certain advertising-related disclosures). Where applicable, we provide opt-out mechanisms.
8) Cookies and similar technologies
We use cookies and similar technologies for:
- Strictly necessary functions (security, authentication, load balancing);
- Preferences (language and settings);
- Analytics (usage measurement and product improvement);
- Marketing (campaign measurement and, where enabled, interest-based advertising).
You can control cookies through your browser settings and, where available, through our cookie preferences interface. Some features may not work without certain cookies.
9) Hosting location and international transfers
A. Primary hosting in Europe
CorporateOS is designed so that customer data is hosted on servers located in Europe.
B. When cross-border processing may still occur
Even when data is hosted in Europe, limited cross-border processing may occur in some cases, for example:
- when a customer enables an integration or third-party service that processes data outside Europe;
- when CompanyOS uses globally distributed support, security, or incident-response resources;
- when certain service providers process limited data from locations outside Europe (e.g., for communications delivery, fraud prevention, or analytics), depending on configuration.
C. Transfer safeguards (EEA/UK/Switzerland)
Where required for transfers of personal data from the EEA/UK/Switzerland to countries without an adequacy decision, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and (where relevant) supplementary measures.
You can request information about applicable transfer safeguards by contacting us (see Section 15).
10) Data retention
We retain personal data for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide and secure the Services, comply with legal obligations, resolve disputes, and enforce agreements.
Because the GDPR does not set fixed maximum retention periods, we apply storage limitation principles and recommend retention settings aligned to business need and regulatory expectations. The following are recommended maximums (customers may configure shorter periods):
- Lead/contact records generated by CorporateOS: retain up to 12 months from the date the record is generated or last materially updated in the platform (whichever is later), unless a longer period is documented as necessary for an ongoing B2B relationship.
- Operational and security logs (including audit trail events): retain up to 12 months.
- Customer support records: retain up to 24 months from ticket closure.
- Billing and accounting records: retain for the period required by applicable law.
- Platform-level suppression list (opt-outs/objections): we retain the minimum data necessary to honor opt-outs and prevent re-contact (for example, a hashed email address and timestamp). This data may be retained for as long as needed to respect the objection/opt-out, subject to periodic review.
When we no longer need personal data, we delete or anonymize it.
11) Security
We use administrative, technical, and organizational measures designed to protect personal data, such as access controls, encryption in transit, logging, and security monitoring. No method of transmission or storage is completely secure; you use the Services at your own risk.
12) Your rights and choices
A. If you are contacted by a CorporateOS customer (prospects / Article 14 GDPR)
If your business contact information is processed in CorporateOS in connection with a customer's outreach or relationship management, that customer is typically the controller and is responsible for providing you with the information required under GDPR Article 14 (where applicable), including the customer's purposes, lawful basis, and how to exercise your rights.
Data sources: In many cases, customers source business contact data from publicly available online sources and public data (see Section 3).
How to object / opt out:
- If you receive an outreach email, you may use the unsubscribe mechanism in that message (where provided) to object to further marketing/outreach from that sender.
- You may also contact the sender (the customer/controller) directly.
- If you contact CompanyOS, we will take reasonable steps to route your request to the relevant customer/controller or, where technically feasible, apply suppression at the platform level in accordance with customer instructions and applicable law.
B. Marketing choices (CompanyOS controller communications)
You can opt out of CompanyOS marketing emails by using the unsubscribe link in those messages or by contacting us.
C. GDPR rights (EEA/UK/Switzerland)
If the GDPR applies, you may have rights to:
- access;
- rectification;
- erasure;
- restriction;
- objection (including objection to direct marketing);
- data portability;
- withdraw consent (where processing is based on consent).
D. How to exercise rights
To exercise your rights, contact us at privacy@corporateos.io.
If we process your data as a processor on behalf of a CorporateOS customer, we may refer your request to the customer/controller or assist the customer in responding, as appropriate.
E. Complaints
You can lodge a complaint with your local supervisory authority. In Poland, this is the President of the Personal Data Protection Office (UODO).
13) Children
CorporateOS is intended for business use and is not directed to children. We do not knowingly collect personal data from individuals under 16.
14) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. We will post changes on the Website and update the "Last updated" date. Material changes may be communicated through the Services where appropriate.
15) Contact
For privacy inquiries or to exercise rights:
CompanyOS, L.L.C.
Poznańska 7, Warsaw, Poland
Email: privacy@corporateos.io
Data Protection Officer (DPO)
If we are required to appoint a Data Protection Officer, we will publish the DPO's contact details here. If no DPO is appointed, you can still contact us at privacy@corporateos.io.