At any given time, the version in force is the version published at https://funnelfeedr.com/legal/legitimate-interest-assessment. Last updated on 2026-04-28.
This document records the Legitimate Interest Assessment (LIA) carried out by Funnelfeedr AB ("Funnelfeedr") in respect of the processing of business contact data of EU-resident individuals who are not Funnelfeedr users. It supports our reliance on legitimate interests as the lawful basis under Article 6(1)(f) of the General Data Protection Regulation (GDPR), and complements our Privacy Policy and Data Processing Agreement.
Controller and scope
Controller: Funnelfeedr AB (org. nr. 559536-3150), Sweden.
Scope of this assessment: Processing of professional B2B contact data of EU-resident data subjects who are not Funnelfeedr users, where Funnelfeedr acts as controller. Specifically, data ingested via:
- The Sidekick browser extension when a user actively visits a public professional profile and triggers a capture
- Public business registries (e.g., Bolagsverket, Brønnøysundregistrene, CVR, PRH)
- Email-signature extraction performed by AI Email Support on a user's own inbox after explicit opt-in
- Data the Funnelfeedr user pushes into, or syncs from, their own CRM (including HubSpot)
The categories of personal data processed are limited to: first and last name, professional job title or role, company name, company domain, business email, and business phone number. Funnelfeedr does not collect personal phone numbers, personal email addresses, home addresses, biometric data, financial account data, health data, or any GDPR Article 9 special-category data.
1. Purpose Test — Is there a legitimate interest?
Funnelfeedr's interest. Operating a B2B sales-intelligence and lead-generation platform that helps subscriber businesses identify, research, and contact other businesses for legitimate commercial purposes (sales, partnerships, supplier discovery).
Third-party interests. Funnelfeedr's subscribers (who are data controllers in respect of their own CRM) have a parallel legitimate interest in conducting B2B outreach. Data subjects, who are professionals acting in a business capacity, have a corresponding interest in receiving relevant business communications from prospective counterparties.
Recognition. Recital 47 GDPR expressly recognises direct marketing as a potential legitimate interest. The European Data Protection Board (EDPB) and national supervisory authorities — including the Swedish IMY, the UK ICO, and CNIL — have repeatedly confirmed that B2B prospecting using professional contact data can be lawful under Article 6(1)(f) where appropriate safeguards are in place.
Lawful, ethical, real. The interest is lawful (no breach of any other regulation), ethical (B2B commerce is a normal and expected business activity), and a real, present commercial interest — not speculative or trivial.
Conclusion. A legitimate interest exists.
2. Necessity Test — Is processing necessary?
The platform's core value proposition — identifying relevant business prospects for subscribers — cannot be delivered without processing professional contact data. Without this processing, subscribers cannot determine who to contact at a target organisation, and the service has no purpose.
Less-intrusive alternatives considered and rejected:
- Consent-only model. Obtaining consent from every business professional whose public profile is captured is not workable: data subjects have no pre-existing relationship with Funnelfeedr, contact would itself require processing, and refusal would prevent the very service that supports the data subject's own commercial interests.
- Aggregated or anonymous data. Aggregation defeats the purpose, since subscribers must reach an identifiable individual at a target company.
- Purchased third-party lists. These are less transparent and carry a higher risk of stale or unlawfully sourced data than capturing public professional profiles via direct user action.
Data minimisation. Processing is limited to professional B2B contact attributes only. Private contact details, sensitive data, and Article 9 categories are explicitly excluded both in policy and at the ingestion layer.
Conclusion. Processing is necessary and minimised.
3. Balancing Test — Do the interests of data subjects override the interest?
| Factor | Assessment |
|---|---|
| Nature of the data | Professional / B2B only. No special-category data, no private contact details, no children's data. Low sensitivity. |
| Source of the data | (i) Public professional profiles surfaced by user-initiated Sidekick capture; (ii) public business registries; (iii) email signatures from a user's own inbox via opt-in AI Email Support; (iv) the user's own CRM. No covert scraping, no purchased grey-market lists, no background crawling. |
| Reasonable expectations | A professional who publishes their name, role, and business email on a public networking site or a corporate website reasonably expects that this information may be used for B2B outreach. EDPB guidance treats reasonable expectations as central — these are met here. |
| Relationship to data subject | None directly. This is mitigated by the B2B context, the public nature of the source, and the safeguards listed below. |
| Impact on data subjects | Minimal. The likely outcome is receiving a relevant business email or call from a Funnelfeedr subscriber. No automated decision-making with legal effect. No profiling beyond firmographic categorisation (industry, company size). No combination with sensitive data. |
| Children | The Service is not directed at children; the data processed concerns adult professionals only. |
| Vulnerable individuals | Not targeted; processing concerns business roles, not private circumstances. |
Safeguards implemented
- Data minimisation — only the professional fields listed above are collected.
- No special categories — explicit exclusion in the privacy policy and at the ingestion layer.
- Source restriction — only public professional sources or user-supplied data; no covert scraping.
- User-triggered capture — the Sidekick only operates when a Funnelfeedr user actively visits a profile and triggers a capture. There is no background crawling.
- Opt-in for AI Email Support — email-signature extraction occurs only after a user explicitly enables the feature on their own inbox.
- Transparency — disclosed in a public, plain-language Privacy Policy, including a dedicated section explaining the Article 6(1)(f) basis for Sidekick and AI Email Support.
- Easy exercise of rights — data subjects can object, request access, correction, or deletion at any time at privacy@funnelfeedr.com. Deletion requests propagate to prevent re-collection.
- Purpose limitation — data is not sold, rented, or shared for third-party marketing. The Privacy Policy explicitly prohibits this.
- Sub-processor controls — all sub-processors (Microsoft Azure EU, Stripe EU, MailerSend) are bound by GDPR-compliant DPAs as listed in the Data Processing Agreement.
- Retention limits — data is retained only for as long as needed for the documented purposes or until a deletion request is honoured.
- Security — encryption in transit, role-based access control, account-scoped tenant isolation, audit logging.
- Customer obligations — Funnelfeedr's Terms and DPA require subscribers to comply with applicable privacy and anti-spam laws when contacting individuals identified through the platform.
Outcome of the balancing test
Given (i) the strictly B2B, low-sensitivity scope of the data, (ii) the public and professional nature of the sources, (iii) the reasonable expectations of the data subjects, (iv) the user-initiated nature of capture, and (v) the safeguards above, the interests of Funnelfeedr and its subscribers are not overridden by the rights and freedoms of the data subjects.
4. Conclusion
Funnelfeedr's processing of B2B professional contact data of EU-resident data subjects satisfies all three limbs of the legitimate-interest test under Article 6(1)(f) GDPR. The lawful basis is documented in the public Privacy Policy and reviewed periodically. This LIA is reviewed at least annually and whenever the nature, scope, context or purposes of processing materially change.
5. Data-subject rights and contact
Data subjects have the right to object to processing based on legitimate interests under Article 21 GDPR, as well as the rights of access, rectification, erasure, restriction, and data portability under Articles 15–20 GDPR.
Requests can be submitted to privacy@funnelfeedr.com and will be responded to within 30 days as required by GDPR.
6. Review
This LIA is owned by Funnelfeedr's data protection function and reviewed at least annually, or sooner if there are material changes to the processing activities, sources of data, applicable law, or supervisory-authority guidance. The version in force is always the version published at https://funnelfeedr.com/legal/legitimate-interest-assessment.