Privacy Policy
This privacy policy describes how Espero-Soft Informatiques SRL, publisher of CompanyBelgium (hereinafter "we"), collects, uses, retains and protects personal data, in accordance with Regulation (EU) 2016/679 (GDPR) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. It supplements our Terms of Use and our Cookie Policy.
1. Data Controller and Contact
The data controller is Espero-Soft Informatiques SRL (BE 1033.022.383), with registered office at Rue de la Colonne 1A, 1080 Molenbeek-Saint-Jean, Belgium, operating the website https://companybelgium.be. For any question regarding the protection of your data or to exercise your rights, you may contact our data protection point of contact at dpo@espero-soft.com, or by post at the registered office address. For security matters: security@espero-soft.com.
2. Scope
This policy governs the processing for which we act as data controller, namely data relating to the creation and management of your account, billing, support, Platform security and, where applicable, identity verification of the account holder. Personal data of third parties that you upload or generate through the Modules (CRM, Invoicing, Accounting, Compliance, Human Resources, Recruitment, etc.) is subject to a separate regime described in Article 4. Public company data from the CBE/KBO is covered by dedicated information on the "Your personal data" page.
3. Categories of Data Processed
Depending on your use of the Services, we may process the following categories of data:
- Identification and account data: surname, first name, email address, password (hashed, never stored in plain text), affiliated organisation, role and preferences
- Billing and payment data: billing details, VAT number, subscription and invoice history; card data is processed exclusively by our payment provider and does not transit through our servers in plain text
- Usage and technical data: API requests and logs, API key identifiers, IP address, browser type, operating system, connection and security data
- Verification data (KYC): where a verification is required, an identity document and supporting evidence, processed with strict adherence to the data minimisation principle
- Communication data: history of exchanges with our support and of account-related notifications
4. Our Role: Controller and Processor
For the data referred to in Article 3, we act as data controller. By contrast, for the personal data of third parties (customers, prospects, directors, employees, candidates, suppliers) that you upload or generate through the Modules, you act as the data controller and we act as a processor within the meaning of Article 28 of the GDPR: we process such data only on your documented instructions and solely for the purposes of providing the Services. The terms of this processing are set out in Article 6 of our Terms of Use and may be the subject of a separate data processing agreement (DPA), concluded on request at dpo@espero-soft.com.
5. Purposes and Legal Bases
We process your data for the following purposes, on the corresponding legal bases (Article 6 of the GDPR):
- Creation and management of your account, authentication and provision of the Services — performance of the contract (Art. 6(1)(b))
- Billing, debt collection and bookkeeping — performance of the contract and legal obligation (Art. 6(1)(b) and 6(1)(c))
- Security, prevention and detection of abuse and fraud, rate limiting — legitimate interest (Art. 6(1)(f))
- Improvement of the Services and production of aggregated, anonymised statistics — legitimate interest (Art. 6(1)(f))
- Account- and service-related communications — performance of the contract; any promotional communications — consent (Art. 6(1)(a)), withdrawable at any time
- Compliance with our legal, accounting and tax obligations and, where applicable, anti-money-laundering obligations — legal obligation (Art. 6(1)(c))
6. Recipients and Sub-processors
We never sell or rent your data. Your data is accessible only to authorised members of our organisation and may be disclosed to processors offering sufficient guarantees within the meaning of Article 28 of the GDPR, acting on instructions and bound by confidentiality and security obligations. These processors fall within the following categories: hosting and cloud infrastructure (within the EEA), payment provider (processing of payments and subscriptions), delivery of transactional emails, and technical monitoring. Your data may also be disclosed to the competent authorities where the law so requires. Public company data originates from the CBE/KBO (FPS Economy).
7. International Data Transfers
Your data is, in principle, hosted and processed within the European Economic Area (EEA). Should a transfer to a third country become necessary, it would only take place subject to appropriate safeguards (an adequacy decision or European Commission standard contractual clauses, supplemented where necessary by additional measures), in accordance with Articles 44 to 49 of the GDPR.
8. Retention Periods
We retain your data only for as long as necessary for the purposes pursued. Account data is retained for the entire duration of the contractual relationship. Upon closure or deletion of your account, your personal data is erased or irreversibly anonymised within a reasonable period, except for data we are legally required to retain: accounting records and invoices for seven (7) years (Article III.86 of the Code of Economic Law); anti-money-laundering documents and assessments for ten (10) years after the end of the business relationship (Act of 18 September 2017); and data necessary for the establishment, exercise or defence of legal claims, until the applicable limitation periods expire.
9. Your Rights
In accordance with the GDPR, you have, within the conditions and limits it provides, the following rights:
- Right of access to your data and to obtain a copy
- Right to rectification of inaccurate or incomplete data
- Right to erasure (the "right to be forgotten"), subject to our legal retention obligations
- Right to restriction of processing
- Right to portability of the data you have provided to us, in a structured, machine-readable format
- Right to object to processing based on legitimate interest, on grounds relating to your particular situation
- Right to withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal
- Right to issue directives on the fate of your data after your death
- Right to lodge a complaint with the Data Protection Authority (see Article 14)
10. Exercising Your Rights
You may exercise your rights at any time by writing to dpo@espero-soft.com or to our registered office address. To prevent unauthorised access to your data, we may reasonably verify your identity before acting on your request. We respond within one (1) month of receipt, a period that may be extended by two (2) months where requests are complex or numerous, in which case you will be informed.
11. Automated Decision-making and Profiling
We do not take any decision producing legal effects concerning you, or similarly significantly affecting you, based solely on automated processing within the meaning of Article 22 of the GDPR. The financial scores and indicators displayed by the Platform concern companies and result from a statistical model applied to public data; they do not constitute an automated decision regarding you.
12. Security
We implement appropriate technical and organisational measures to protect your data:
- TLS 1.3 encryption for all communications with our servers
- Strong password hashing (bcrypt) — never stored in plain text
- Two-factor authentication (2FA) available on every account
- Encrypted and redundant database backups
- Continuous monitoring, access logging and intrusion alerts
- Data access strictly restricted to authorised personnel
- Regular security audits and prompt patching of vulnerabilities
13. Cookies and Protection of Minors
Our site uses cookies essential to the operation of the service (authentication, language and theme preferences); for details, see our Cookie Policy. Our Services are also intended exclusively for professionals and adults. We do not knowingly collect data concerning minors under 16; if you believe a minor has provided us with data, please contact us so we can delete it without delay.
14. Complaint to the Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Data Protection Authority (DPA), Rue de la Presse 35, 1000 Brussels, contact@apd-gba.be, https://www.dataprotectionauthority.be — in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.
15. Policy Changes
We may amend this policy to reflect legal, technical or organisational developments. The date of the latest update appears at the top of this page. In the event of a substantial change, you will be notified by email or via an in-site notice before the changes take effect.