About This Privacy Policy
DataLiftor is a B2B contact intelligence platform operated by AI for Apt LLC, a Virginia limited liability company headquartered at 722 East Market Street, Suite 102, Leesburg, VA 20176, United States ("DataLiftor," "we," "us," or "our"). We provide verified B2B contact data, contact intelligence products, and related services to commercial customers.
This Privacy Policy describes how we collect, use, share, and protect personal information relating to two distinct populations of individuals:
- Website Visitors — individuals who visit dataliftor.com, submit forms, request samples, correspond with us, or become customers. These individuals interact with us directly.
- Business Contacts — professionals whose business contact records appear in our licensed database, compiled from public and licensed sources. These individuals may not have interacted with us directly, and the legal treatment of their data — including lawful basis, retention, and rights procedures — differs materially.
Where the treatment differs between these two groups, we identify it explicitly. This Policy is designed to comply with applicable privacy laws including the General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other US state privacy laws.
If you are a business professional and want your record removed from our database, jump to Section 12 (Exercising Your Rights) for the procedure.
Definitions
- "DataLiftor," "we," "us," "our" — AI for Apt LLC, a Virginia limited liability company operating the DataLiftor brand.
- "Personal Information" or "Personal Data" — any information relating to an identified or identifiable natural person.
- "Website Visitor" — any individual who accesses or interacts with dataliftor.com or any DataLiftor-operated site.
- "Business Contact" — a business professional whose business contact record appears in the DataLiftor database, sourced from public and licensed channels.
- "Data Subject" — the individual to whom personal information relates.
- "Customer" — a company or individual that licenses data or services from DataLiftor.
- "Processing" — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Services" — the DataLiftor website, contact database, contact intelligence products, samples, custom lists, API access, and related services.
Information We Collect
From Website Visitors
When you visit our website, submit a form, request a sample, or otherwise interact with us, we collect the following categories of information:
- Contact information you provide: name, business email address, phone number, company name, job title.
- Communication content: messages, inquiry details, sample requirements, campaign specifications.
- Account information (if you have an account): username, hashed password, subscription details.
- Payment information (processed by a third-party payment processor; we do not store card numbers).
- Technical data: IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, device identifiers.
- Cookie and tracking data: session identifiers, preferences, and (with your consent where required) analytics and marketing identifiers.
From Business Contacts (Database Records)
For business contacts whose records appear in our licensed database, we collect and process the following categories:
- Full name and, where publicly available, honorific and credentials.
- Business email address.
- Business phone number, including direct-dial when publicly available.
- Job title, seniority level, and function.
- Employer name and business address.
- Publicly available professional profile links (e.g., LinkedIn URL).
- Industry and company data: revenue band, employee count, headquarters location.
- Vertical-specific enrichments where publicly available: medical specialty codes for healthcare records, regulatory registrations for financial services records, tech-stack signals for technology records.
Our database does not contain financial account information, protected health information (PHI), consumer / personal contact details, government-issued identifiers, biometric data, or any other special categories of personal data as defined under GDPR or CCPA. Our contact intelligence is strictly business-to-business.
Sources of Personal Information
For Website Visitors
We collect information directly from you when you interact with our website, submit forms, or communicate with us. We also automatically collect technical and cookie data via our website, as described in Section 9.
For Business Contacts
Records in our licensed database are compiled from a mix of public and contractually licensed sources, including:
- Publicly available corporate websites, press releases, and directories.
- Government registries and regulatory filings (SEC EDGAR, state professional licensing boards, business filings).
- Publicly accessible business directories and professional association rosters.
- Licensed data providers operating under written contract.
- Public academic, professional, and industry publications.
- Public conference attendee lists and speaker rosters where publicly disclosed.
Every record in our database carries source attribution — meaning we track where each data point originated. This enables us to respond to data subject inquiries about the origin of a specific record and to demonstrate lawful basis on request.
Sources We Do Not Use
We do not, and will not, source data from:
- Consumer databases or personal (non-business) contact records.
- Scraping of platforms whose Terms of Service prohibit such use.
- Health records or medical registries containing protected health information.
- Data breach compilations, leaked credential dumps, or otherwise unlawfully obtained data.
- Sources whose provenance cannot be documented or whose lawful basis cannot be established.
How We Use Personal Information
Website Visitors
We use information collected from Website Visitors to:
- Respond to your inquiries and provide the information, samples, or services you request.
- Deliver quotes, samples, product information, and account-related communications.
- Send administrative, transactional, and service-related messages.
- Send marketing communications where you have consented or where a legitimate interest applies under applicable law.
- Operate, secure, and improve our website and services (including analytics).
- Detect, prevent, and investigate fraud, security incidents, and misuse.
- Comply with legal, regulatory, and contractual obligations.
Business Contacts
We process information about Business Contacts to:
- License database records to Customers for lawful B2B sales and marketing purposes, subject to the restrictions in our Terms & Conditions.
- Continuously verify record accuracy and refresh the database on a 30-day cycle.
- Cross-reference records against opt-out and suppression lists.
- Respond to data subject rights requests (access, correction, deletion).
- Improve database quality, coverage, and product performance.
- Comply with legal and regulatory obligations.
Legal Bases for Processing (GDPR)
For individuals located in the European Economic Area, the United Kingdom, or Switzerland, we process personal data on the following legal bases, depending on the specific processing activity:
- Consent — where you have given specific, informed, and unambiguous consent (for example, for certain marketing communications or non-essential cookies).
- Contractual necessity — where processing is necessary to provide services you have requested, deliver an Order, or fulfill a contract with you or your organization.
- Legitimate interest — the primary basis for our B2B contact intelligence activities. Our legitimate interests include compiling professional contact data for lawful B2B use, maintaining data quality, securing our systems, and communicating with prospective business customers. We have conducted Legitimate Interest Assessments (LIAs) for our core database operations, weighing our commercial interests against the rights and freedoms of data subjects, and concluded that legitimate interest is an appropriate basis for professional B2B contact intelligence.
- Legal obligation — where processing is necessary to comply with an applicable law, court order, or valid regulatory request.
You have the right to object to processing based on legitimate interest at any time. If you object, we will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where the processing is necessary for legal claims. See Section 11.
International Data Transfers
DataLiftor is based in the United States, and our systems, service providers, and Customers may be located in multiple jurisdictions. When we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country outside those regions, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with service providers and, where applicable, Customers.
- UK International Data Transfer Addendum for transfers from the United Kingdom.
- Data Processing Agreements with all sub-processors that reflect GDPR Article 28 requirements.
- Reliance on adequacy decisions where available.
- Additional supplementary measures where required by law.
You may request a copy of our transfer safeguards documentation by emailing contact@dataliftor.com.
Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies to operate, secure, analyze, and improve our services. Categories include:
- Strictly necessary cookies — required for core site functionality (session management, form submission, security). These cannot be disabled.
- Functional cookies — remember your preferences and settings to improve your experience.
- Analytics cookies — help us understand how visitors use our website. We use Google Analytics with IP-anonymization where applicable.
- Marketing cookies — set only with your consent where required, used to measure the effectiveness of our marketing campaigns.
You can manage your cookie preferences at any time via our cookie consent banner (where displayed) or through your browser settings. Disabling non-essential cookies will not affect access to core site functionality, but may affect your experience.
Our website recognizes and respects the Global Privacy Control (GPC) browser signal as an opt-out preference signal for the purposes of CCPA/CPRA. If your browser sends a GPC signal, we will treat it as a request to opt out of any "sale" or "sharing" of personal information in that browsing session.
Data Retention
We retain personal information only as long as necessary for the purposes for which it was collected, or as required by law. Specific retention periods depend on the nature of the data:
Website Visitor Data
- Inquiry and form submission data: retained for [24] months to respond to your request and for legitimate business follow-up.
- Customer account data: retained for the life of your account plus [12] months after closure, unless a longer retention is required by law.
- Analytics data: retained for [26] months, in line with Google Analytics defaults.
- Marketing consent records: retained for the duration of the consent plus [24] months after withdrawal, for legal defensibility.
- Billing and transaction records: retained for at least [7] years per US tax and accounting requirements.
Business Contact Data
- Records are continuously refreshed on a 30-day cycle; records that can no longer be verified are marked as inactive or purged.
- Upon receipt of a valid deletion request, we delete the record within [30] days and add the underlying contact to a permanent suppression list to prevent the record from being re-collected in future refresh cycles.
- Data under legal hold is retained as required by the applicable legal or regulatory obligation.
Your Privacy Rights
Depending on your location and applicable law, you may have the following rights with respect to your personal information. These rights apply to both Website Visitors and Business Contacts.
- Right of Access — request confirmation of whether we process your personal information and receive a copy of it.
- Right to Correction (Rectification) — request correction of inaccurate or incomplete personal information.
- Right to Deletion (Erasure / "Right to Be Forgotten") — request deletion of your personal information, subject to certain legal exceptions.
- Right to Object — object to processing based on legitimate interest, including for direct marketing.
- Right to Restriction — request restriction of processing in certain circumstances.
- Right to Data Portability — receive a copy of certain personal information in a structured, commonly used, machine-readable format.
- Right to Withdraw Consent — where processing is based on consent, withdraw that consent at any time (without affecting the lawfulness of processing before withdrawal).
- Right to Opt Out of Sale or Sharing — under CCPA/CPRA, opt out of the "sale" or "sharing" of your personal information.
- Right to Non-Discrimination — under CCPA/CPRA, we will not discriminate against you for exercising your privacy rights.
- Right to Lodge a Complaint — file a complaint with a supervisory authority in your jurisdiction (for EU residents, your local Data Protection Authority; for California residents, the California Privacy Protection Agency or Attorney General).
If you are a business professional whose record appears in our database and you would like your record removed, we honor deletion requests promptly. Once your record is deleted, we add your identifier to a permanent suppression list so that our future refresh cycles do not re-collect your data. See Section 12 for the request procedure.
How to Exercise Your Rights
To submit a rights request, email contact@dataliftor.com with the following information:
- Your full name and email address (or postal address).
- A clear description of the right you wish to exercise (access, deletion, correction, etc.).
- Sufficient information to help us verify your identity — for example, an email address associated with your record, your employer, and job title.
- If applicable, the specific data, account, or record you are referring to.
Response Timelines
- GDPR / UK GDPR requests: within 30 days (extendable by 60 days for complex requests, with notice).
- CCPA / CPRA requests: within 45 days (extendable by 45 days, with notice).
- Other requests: promptly and no later than any applicable statutory deadline.
Identity Verification
For security, we may need to verify your identity before processing your request. The level of verification will be proportionate to the sensitivity of the data and the risk of unauthorized access. We may decline requests that we cannot reasonably verify.
Authorized Agents
You may designate an authorized agent to make a rights request on your behalf. We will require proof of authorization and may separately verify your identity as the underlying data subject.
Appeals
If we decline your request, in whole or in part, we will explain our reasons. You have the right to appeal by emailing contact@dataliftor.com with "Privacy Appeal" in the subject line. If you remain dissatisfied, you have the right to lodge a complaint with your local supervisory authority.
No Fee
We do not charge a fee to respond to rights requests. In the exceptional case of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act, as permitted by law.
CCPA-Specific Disclosures
The following disclosures apply to California residents under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA").
Categories of Personal Information We Collect
In the last 12 months, we have collected the following statutory categories of personal information:
- Identifiers (name, business email, business phone, IP address).
- Commercial information (services purchased, transaction history).
- Internet or other electronic network activity (browsing history on our site, interaction with our services).
- Professional or employment-related information (job title, employer, seniority).
- Inferences drawn from the above to create a professional profile (e.g., industry segment).
Categories of Sources
See Section 4.
Business or Commercial Purposes
See Section 5.
Categories of Third Parties We Share With
- Service providers (hosting, analytics, verification, payment).
- Customers who license Business Contact records under our Terms & Conditions.
- Legal and regulatory authorities where required by law.
- Acquirers or successors in the event of a corporate transaction.
"Sale" and "Sharing" of Personal Information
Under CCPA's broad definitions, our licensing of Business Contact records to Customers may constitute a "sale" or "sharing" of personal information, even though we do not sell personal information for consumer marketing purposes.
California residents have the right to opt out of the "sale" or "sharing" of their personal information. To opt out, email contact@dataliftor.com with the subject "Do Not Sell or Share My Personal Information," or use the Global Privacy Control browser signal, which we honor.
Sensitive Personal Information
We do not collect or process "sensitive personal information" as defined by the CPRA.
Retention
See Section 10.
Rights
California residents have the rights described in Section 11 and may exercise them following the procedure in Section 12.
Data Security
We implement technical and organizational security measures designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. Our measures include:
- Encryption in transit using TLS 1.3.
- Encryption at rest using AES-256 for stored records.
- Role-based access controls and the principle of least privilege.
- Multi-factor authentication for internal systems.
- Regular vulnerability assessments and third-party security reviews.
- Employee training on data protection and information security.
- Formal incident response procedures with defined escalation paths.
- Contractual data protection commitments from all sub-processors.
Despite these measures, no security system is completely impenetrable. If we become aware of a data breach affecting your personal information, we will notify you and applicable supervisory authorities within the timeframes required by law (typically 72 hours for regulator notification under GDPR).
Children's Privacy
DataLiftor's Services are directed exclusively to businesses, business professionals, and adult individuals over the age of 18. We do not knowingly collect personal information from children under 16 (or under 13 in the United States, as defined by the Children's Online Privacy Protection Act, "COPPA").
If you believe that a child has provided personal information to us, please contact us immediately at contact@dataliftor.com. We will promptly investigate and delete any such information consistent with applicable law.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational factors. When we make material changes, we will:
- Update the "Last Updated" and "Effective" dates at the top of this Policy.
- Post a prominent notice on our website.
- For active Customers and account holders, notify by email at least [30] days before the changes take effect.
- Where required by law, obtain your fresh consent before applying the changes to your personal information.
Your continued use of our Services after the changes take effect constitutes acceptance of the updated Policy. We encourage you to review this Policy periodically.
Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, need to report a suspected privacy issue, or have any other privacy-related inquiry, you can reach us through any of the following channels.
DataLiftor Privacy Team
Privacy inquiries are handled directly by our team — not by a support bot or ticketing system. We aim to acknowledge general privacy inquiries within 5 business days, and to respond to formal rights requests within the statutory windows described in Section 12.
DataLiftor — Attn: Privacy Team
AI for Apt LLC
722 East Market Street, Suite 102
Leesburg, VA 20176, United States
For data protection inquiries from individuals in the European Union or the United Kingdom, you may contact our privacy team at contact@dataliftor.com. If we appoint a formal EU/UK representative under GDPR Article 27 or UK GDPR, we will publish that representative's contact details here.