1. Our Role Under GDPR

GMaps Data Extractor operates as a data processor when you use our API to extract and enrich business contact data on behalf of your organization. You, as the customer, act as the data controller — you determine the purpose and means of processing.

For data we collect about our own users (account data, billing information, usage logs), we act as a data controller under GDPR Article 4(7).

2. Legal Basis for Processing

We rely on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing account and billing data to deliver the API service.
  • Legitimate interest (Art. 6(1)(f)): Fraud detection, abuse prevention, and security logging.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records as required by tax law.

For B2B prospect data extracted via the API, our customers (as data controllers) are responsible for establishing their own legal basis — typically legitimate interest for commercial prospecting of business contacts.

3. Data Subject Rights

EU/EEA residents whose data appears in our platform have the following rights under GDPR:

  • Right of access (Art. 15): Request a copy of your personal data held by us.
  • Right to rectification (Art. 16): Correct inaccurate data.
  • Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
  • Right to restriction (Art. 18): Restrict processing in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.

Submit requests to privacy@gmapsdataextractor.com. We respond within 30 days. We may require identity verification before fulfilling requests.

4. International Data Transfers

We transfer personal data to the United States and other countries that may not provide the same level of data protection as the EU. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to legitimise these transfers. A copy of the applicable SCCs is available on request.

5. Data Retention

We retain personal data only for as long as necessary:

  • Account data: duration of account + 90 days post-deletion
  • API access logs: 30 days (abuse detection), then purged
  • Billing records: 7 years (legal requirement)
  • Support tickets: 2 years

6. Security Measures

We implement appropriate technical and organisational measures, including TLS 1.3 for data in transit, AES-256 encryption for data at rest, API keys stored as salted hashes, VPC-isolated production infrastructure, and regular third-party security audits.

7. Data Protection Officer

We have designated a Data Protection contact reachable at privacy@gmapsdataextractor.com. If you believe we have not addressed your concern adequately, you have the right to lodge a complaint with your local supervisory authority (for EU residents, this is your national Data Protection Authority).

8. Supervisory Authority

EU/EEA data subjects have the right to lodge a complaint with the supervisory authority in their Member State. A list of national DPAs is maintained at edpb.europa.eu.

9. Changes to This Notice

We will notify registered users at least 14 days before any material changes to our GDPR practices. Continued use after the effective date constitutes acceptance.