Privacy Policy
Just Good Leads — Notice on the processing of personal data under Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR) and D.Lgs. 196/2003 as amended by D.Lgs. 101/2018 (the Italian Personal Data Protection Code, Codice Privacy)
Last updated: 2026-06-10
1. Controller and contact
The controller of the processing of personal data is Samuel Longo, a sole proprietor (ditta individuale) based in Italy (the "Controller", "we"). For any request relating to the processing of personal data, exercise of rights, questions about the source of data, or any other communication, the only official channel is:
email: info@justgood.ai
Additional identifying and tax details of the Controller (registered address, codice fiscale, VAT number / partita IVA) are available upon legitimate, motivated request sent to the same address, and in any case appear on the tax documents (invoices) issued under contract. The choice not to publish them is taken for reasonable personal-safety reasons of an individual operator; it does not prejudice data-subject rights or the effectiveness of communications with the supervisory authority.
Data Protection Officer (DPO). The Controller has assessed the criteria of Article 37 GDPR and concluded that appointing a DPO is not mandatory at this time (single-person organisation, no large-scale processing of special-category data). The assessment will be reviewed upon roll-out of the lead-enrichment feature.
2. What we mean by "personal data"
We primarily process two groups of personal data:
A. Data about Service users (registered customers, people who write to us): natural persons who register to use JGL.
B. Data about contacts inside the lead bank (businesses and decision-makers): to the extent such data identify natural persons — specifically sole proprietors (ditte individuali), self-employed practitioners (liberi professionisti), individual VAT-holders, and named company representatives — they are personal data within the meaning of Article 4 GDPR. Data about capital companies (S.r.l., S.p.A.) and other entities with separate legal personality is not personal data and is not covered by the GDPR (Recital 14 GDPR), save for the names of natural-person representatives.
3. Categories of data processed
3.1 Service users
- account data: name (as declared), email, password (stored as a hash), preferences;
- billing data: VAT number / partita IVA, Codice SDI / PEC (for professional users), name and surname or business name, and any details needed for the invoice;
- payment data: the Controller does not store card data; such data is processed by Stripe (see §6) as an autonomous payment-service provider;
- Service-usage data: history of conversations with the AI agent, searches run, leads exported, technical logs (timestamp, IP, user-agent) for security and diagnostics;
- communications: contents of emails and messages sent to support.
3.2 Lead bank — listed subjects
- identifying and contact data of the business/professional: business name or trade name, sector of activity, address, city, country, approximate geolocation, website, telephone number, business email where publicly listed;
- provenance data: source from which the record was collected, date of first collection, date of last verification;
- (future, when the enrichment feature is activated) data relating to named decision-makers: name, role, professional email, public professional profile. This feature is not currently operational; on activation, data subjects will be informed under Article 14 GDPR and this notice will be updated.
We do not process special-category data (Article 9 GDPR — health, political opinions, religious beliefs, etc.) or criminal-conviction data (Article 10 GDPR).
4. Purposes and legal bases
For each purpose, the specific legal basis under Article 6 GDPR is indicated.
| # | Purpose | Legal basis |
|---|---|---|
| 4.1 | Service delivery, account management, contract performance, support | Article 6(1)(b) — performance of a contract with the user |
| 4.2 | Invoicing, payments, accounting and tax obligations (invoice retention, VAT records) | Article 6(1)(c) — legal obligation (Articles 2214 and 2220 of the Italian Civil Code, Presidential Decree 633/1972, tax legislation) |
| 4.3 | Service security, fraud prevention, technical logs, diagnostics | Article 6(1)(f) — legitimate interest of the Controller in the security of the systems and the user base |
| 4.4 | Response to support communications / rights requests | Article 6(1)(b) and Article 6(1)(c) (for the GDPR response obligation) |
| 4.5 | Defence in court, ascertainment and protection of rights | Article 6(1)(f) — legitimate interest |
| 4.6 | Collection, organisation, and provision to customers of the lead bank (publicly accessible business contacts) | Article 6(1)(f) — legitimate interest (see §5 for the specific analysis and data-subject rights) |
| 4.7 | Service communications to customers (e.g. contractual updates, security) | Article 6(1)(b) or Article 6(1)(f) |
| 4.8 | Email marketing communications by the Controller to its own customers | Only with prior consent (Article 6(1)(a)) or where the conditions of Article 130(4) of the Italian Personal Data Protection Code on "soft spam" (own customers, similar products, clear opt-out) are met |
The Controller does not use lead-bank contacts to send its own marketing communications. Doing so would require the data subjects' consent under Article 130 of the Italian Personal Data Protection Code / the ePrivacy Directive.
5. Deep dive on the lead bank — legitimate interest and reasonable-expectations analysis
The lead bank is the shared business-contact database that powers the Service. We consider that the processing of such data may rest on our legitimate interest (Article 6(1)(f) GDPR) in operating an efficient B2B lead-generation service, avoiding repeated collection of the same data for each customer, and enabling our professional customers to discover relevant commercial counterparties.
Consistent with EDPB Guidelines 1/2024 and CJEU C-621/22 (KNLTB, 4 October 2024), we have conducted a three-step test (purpose — necessity — balancing). Honestly stated, the balancing summary is:
- In favour of the processing: the data concerns the subject's business or professional activity; it is collected from publicly accessible sources (corporate websites, maps, registries, professional directories); it is not sensitive in nature; the "collect once, reuse many times" model reduces the overall pressure on public sources; customers of the Service are contractually bound not to use the contacts for unsolicited marketing without an independent lawful basis.
- Against the processing: part of the contacts concern sole proprietors and self-employed practitioners for whom the contact details have a personal dimension (e.g. a mobile number); the "shared bank" model — making the same contacts available to a plurality of customers — may exceed what the data subject expected when they published their contact details (precedents: CNIL, KASPR, December 2024; Italian Garante, Grizzaffi Management, 17 May 2023; investigation against Lusha, 8 April 2025).
Measures adopted to re-balance: transparency via this notice; a dedicated channel for access, rectification, objection/erasure requests (info@justgood.ai); an absolute right to object to processing for marketing purposes (Article 21(2) GDPR); a defined retention period and review/deletion cycle for personal data in the lead bank; a permanent suppression list of contacts who have requested erasure, so they are not re-included on a subsequent collection; exclusion of categories particularly sensitive (e.g. clearly private personal mobile numbers); respect for robots.txt and source-website Terms of Service where these restrict automated collection; a contractual ban on customers using the data for unsolicited marketing.
Honest limit: the lawfulness of our model — particularly the cross-customer sharing dimension of scraped sole-proprietor/practitioner data — is not legally consolidated. A supervisory authority could take a different view. The Controller will revisit the analysis before launching the enrichment feature targeting named decision-makers, conducting a dedicated DPIA.
The data subject may object to the processing at any time (see §10) and request erasure from the lead bank. The objection for marketing purposes is absolute and not subject to balancing.
6. Recipients and processors
The data is processed by the Controller and, where necessary, by external processors appointed under Article 28 GDPR within the limits of the instructions given. Below is the list of the main providers and the relevant bases for non-EU transfers.
| Provider | Function | Location / Transfer | Non-EU transfer mechanism |
|---|---|---|---|
| Vercel Inc. | Front-end hosting / edge functions | USA | EU-U.S. Data Privacy Framework (DPF) — Vercel is DPF-certified |
| Stripe Payments Europe Ltd. + Stripe, Inc. | Payments, invoicing | IE / USA | DPF (Stripe, Inc. is DPF-certified) + Standard Contractual Clauses (SCCs) as fallback |
| Google LLC (Google Maps Platform / Places API) | Geographic enrichment of searches | USA | DPF — Google LLC is DPF-certified |
| Supabase Inc. (EU region — Frankfurt) | Database (Postgres), authentication, storage | EU (hosting), USA (corporate) | EU-region hosting + SCCs (Article 46(2)(c) GDPR) and Transfer Impact Assessment |
| Anthropic, PBC | Large-language model (Claude) for the conversational agent | USA | SCCs, Module 2 (controller → processor) + TIA. Not currently DPF-certified |
| Serper.dev (Serper Sp. z o.o.) | Programmatic web search | USA / EU — to verify | Treated as a non-EU transfer subject to SCCs + TIA absent a positive DPF certification check |
| (future) People Data Labs, Inc. (PDL) | Decision-maker data enrichment | USA | To be implemented only after a dedicated DPIA and on a basis of SCCs + TIA, subject to any future DPF certification |
Sub-processors of the above providers (underlying cloud providers, CDNs, etc.) are governed by their respective DPAs.
Notice on the DPF. The U.S.-EU Data Privacy Framework, on which some of the above transfers rest, is currently subject to a pending challenge before the Court of Justice of the EU (the Latombe case, T-553/23 at first instance and C-703/25 P on appeal; cf. EDPB and NOYB statements). An invalidation would automatically migrate those transfers to SCCs + TIA, which the Controller has already arranged contractually as a fallback with the providers concerned.
The data may also be communicated, where necessary: to the Controller's professional advisors (lawyers, accountants) bound by secrecy; to judicial or administrative authorities upon a legitimate request.
7. Data retention
| Category | Period |
|---|---|
| Account data | For the duration of the contractual relationship + 30 days after account closure, save legal obligations |
| Invoicing and accounting data | 10 years from the date of the invoice (Article 2220 of the Italian Civil Code and tax legislation) |
| AI conversation history | For the duration of the relationship, with the option for the user to request earlier deletion |
| Technical / security logs | Generally up to 12 months |
| Lead bank — personal data (sole proprietors, practitioners, decision-makers) | Periodic verification and review with deletion of non-reconfirmed entries after a defined cycle (indicatively 12-24 months); immediate deletion on request from the data subject; permanent suppression list |
| Lead bank — data on capital companies | Retained for Service purposes until removal request or Service termination (not personal data) |
| Support communications | Up to 24 months unless needed for legal defence |
At the end of these periods, data is deleted or anonymised.
8. Non-EU transfers — summary
As stated at §6, certain non-EU transfers rest on the DPF (for certified providers) and others on Standard Contractual Clauses (SCCs) supplemented by Transfer Impact Assessments (TIAs). Supporting documentation is held by the Controller and can be provided to a data subject who legitimately requests it.
9. Automated decisions and profiling
The Service uses a conversational agent based on a large language model (Anthropic Claude) to interpret user requests and generate search results. No solely-automated decisions producing legal effects or significantly affecting users are taken within the meaning of Article 22 GDPR. The future decision-maker enrichment feature, when activated, will constitute limited profiling of those decision-makers and will be preceded by a DPIA and by an updated notice.
10. Data-subject rights
As a data subject, at any time and free of charge, you may exercise against us the following rights under Articles 15–22 GDPR:
- right of access (Article 15) to your data and to information on the processing;
- right of rectification (Article 16) of inaccurate data or completion of incomplete data;
- right to erasure ("right to be forgotten", Article 17) in the cases provided;
- right to restriction of processing (Article 18);
- right to data portability (Article 20) for data processed by automated means on the basis of contract or consent;
- right to object (Article 21):
  - to processing based on legitimate interest, for reasons connected to your particular situation (Article 21(1)); the processing ceases unless we demonstrate compelling overriding grounds;
  - for direct-marketing purposes: the objection is absolute, at any time, and the processing for such purposes ceases without balancing (Article 21(2) GDPR);
- right to withdraw consent (Article 7(3)), where the processing is based on consent, without prejudice to the lawfulness of processing already carried out;
- right not to be subject to solely-automated decisions producing legal effects or significantly affecting you (Article 22).
How to exercise your rights. Write to info@justgood.ai stating the right you intend to exercise and providing the minimum elements to identify the data (for example, for those appearing in the lead bank: business name, address, telephone number or website to be removed). We reply as a rule within one month, extendable to three for particularly complex requests, with notice of the reason.
Origin of lead-bank data. On request, we provide information on the source from which the data was collected and the date of collection (Article 14 GDPR), to the extent this is not impossible or disproportionate.
11. Complaint to the Italian Personal Data Protection Authority (Garante)
You have the right, under Article 77 GDPR and Articles 140-bis et seq. of the Italian Personal Data Protection Code, to lodge a complaint with the Italian supervisory authority, without prejudice to other remedies:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma
switchboard: +39 06 696771
email: protocollo@gpdp.it — PEC: protocollo@pec.gpdp.it
complaint (dedicated PEC): garante@pec.gpdp.it
website: https://www.garanteprivacy.it
The complaint is free. The authority generally expects that the data subject has first sought to exercise their rights with the controller; the Controller responds within 30 days.
12. Cookies and tracking
The website justgoodleads.com uses technical cookies only, strictly necessary for the operation of the Service — specifically for authentication in the private area (Supabase Auth). Under Article 122 of the Italian Personal Data Protection Code and the Italian Garante's Guidelines of 10 June 2021 (web doc. 9677876), such cookies do not require prior consent and are subject only to an information duty, satisfied here.
There are currently no analytics, marketing, profiling, third-party tracking cookies, or web-analytics tools (e.g. Google Analytics) in use. Should such tools be introduced in the future, this notice will be updated and a consent banner compliant with the Italian Garante's Guidelines will be enabled.
13. Security
The Controller adopts reasonable technical and organisational measures to protect the data against unauthorised access, loss, destruction, or tampering: encryption in transit (HTTPS), access management with authentication, password hashing, Row Level Security at the database level, role segregation, periodic back-ups. No system is infallible; in the event of a personal-data breach, the Controller fulfils its obligations of notification to the Italian Garante and of communication to data subjects within the statutory deadlines (Articles 33–34 GDPR).
14. Minors
The Service is intended for persons aged 18 or over and is not directed at minors. We do not knowingly collect data from minors.
15. Changes to this notice
This notice may be changed for regulatory, organisational, or product-related reasons. The current version is the one published on justgoodleads.com, with a date of last update. Material changes are notified to registered users by email.
GAPS AND CAVEATS — Privacy Policy
This section is for legal and operational review.
- No lawyer review. The text has not been validated by a lawyer. Priority items: §5 (legitimate-interest analysis and adequacy of mitigation measures), §6 (transfers catalogue — completeness and correctness of mechanisms), §7 (retention periods, particularly for the lead bank).
- Reduced controller identity. For the reasons stated at §1, the public notice does not show the Controller's address, codice fiscale, and partita IVA. Article 13(1)(a) GDPR requires "the identity and contact details of the controller": a single email covers the minimum, but authorities' practice favours fuller indications. The additional details are available upon legitimate, motivated request to info@justgood.ai and appear on tax documents. To be reassessed with a lawyer.
- Article 14 — notice to lead-bank data subjects. For data not collected from the data subject (lead bank), Article 14 GDPR requires, as a rule, that a notice be given within one month of collection or, at the latest, at the time of the first communication. The "impossibility or disproportionate effort" exemption (Article 14(5)(b)) applies. The Controller relies on that exemption for the generality of lead-bank entries but must document it in writing (volume, cost, absence of direct contact channel) and in any case make the general notice (this document) accessible, and individually notify cases in which the contact is available and feasible. To be finalised before launch.
- Verify DPF status of Serper.dev and PDL. The DPF certification status of Serper.dev and (at activation) People Data Labs must be verified on the official registry at https://www.dataprivacyframework.gov; in its absence, fall back to SCCs + TIA with supporting internal documentation.
- DPF under challenge. The reference to the Latombe case is factually correct at drafting time; monitor the outcome of appeal C-703/25 P and update the notice on ruling.
- DPO not appointed. The reasoning at §1 is defensible for a one-person organisation with no large-scale processing of special-category data, but is a choice. To be reassessed when the decision-maker enrichment feature ships. Appointing an external DPO would be a strong compliance signal.
- DPIA. The public notice does not mention the DPIA (correctly, an internal record), but the DPIA must in fact be produced before launch and kept current, especially for the enrichment feature.
- Lead-bank retention period. The "12-24 months" horizon for the review/deletion of personal data in the lead bank is a reasonable proposal in light of precedent (cf. KASPR: 5-year retention deemed disproportionate); the actual term must be fixed before publication and applied in a traceable way.
- AI-chat retention period. Set a maximum horizon (e.g. a rolling 12 months) with automatic deletion, save user requests.
- Law-enforcement disclosures. An internal protocol for evaluating authority requests (validity, legal basis, minimisation of disclosure) is not yet in place; recommended on review.
- Cross-border Service. The notice is in English; should the Service open to non-Italian EU users, consider local-language versions and adjustments to the relevant supervisory-authority information.
- Article 30 ROPA and DPIA. Although not public documents, they must be maintained and available to the Italian Garante on request; the Controller has noted this obligation and produces such documents internally (cf. the LIA in this folder and the DPIA to be produced).
Additional Controller identifying details (registered address, codice fiscale, partita IVA) are available upon legitimate, motivated request sent to info@justgood.ai.