Privacy Policy

Version dated 25 May 2026. This version replaces all previous versions of the Dato Capital privacy policy.

1. Data controller

The domains datocapital.com, datocapital.uk, datocapital.lu, datocapital.nl, datocapital.vg, datocapital.ky, datocapital.es, datocapital.com.pa, datocapital.com.gi, datocapital.mt, datocapital.com.ve and all their subdomains (hereinafter "the website") are owned by DATO CAPITAL LTD and operated under the "Dato Capital" brand.

The data controller responsible for the processing of personal data carried out through the website, within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the "GDPR"), is:

Netamo determines the purposes and the means of the processing of personal data carried out through the website.

DATO CAPITAL LTD, a wholly-owned subsidiary of Netamo incorporated under the laws of England and Wales (company number 09987396, registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom), owns the website and operates the underlying platform on Netamo's behalf. For the purposes of the GDPR, Dato Capital LTD acts as a processor within the meaning of Article 4(8) GDPR, on the basis of a written agreement compliant with Article 28(3) GDPR.

Note on commercial relationships

For commercial purposes, the entity acting as Service Provider (contracting party) for a given client is determined by the type of product or service requested, in particular the target country of the requested report. The Service Provider for a given transaction is identified on the order form and on the invoice issued to the client. Where Dato Capital LTD acts as Service Provider, it is the controller for the limited personal data of the client necessary to deliver the contract and to invoice that client (see section 8). For the personal data of the persons appearing on the website (see sections 3 to 7), the controller is always Netamo.

2. Scope of this Privacy Policy

This privacy policy describes how Netamo (and, in the limited circumstances identified in section 8, Dato Capital LTD) processes personal data of the following categories of data subjects:

• Persons appearing on the website whose data are sourced from official public registers — sections 3 to 7;
• Clients of Netamo or of Dato Capital LTD (registered users, paying customers) — section 8;
• Visitors of the website, in connection with their browsing activity — section 9;
• Persons who contact Netamo or Dato Capital LTD in any other capacity — section 10.

Sections 11 to 17 set out provisions that apply to all categories of data subjects (rights, supervisory authority, security, sub-processors and international transfers, automated decision-making, changes and applicable law).

By browsing the website, you acknowledge having had the opportunity to read this privacy policy. It is complemented by the Cookie Policy available on the website.

3. Persons appearing on the website — categories of personal data

Netamo processes the following categories of personal data concerning natural persons holding or having held a position in companies appearing in the public business registers of jurisdictions covered by the website (directors, managers, members of supervisory or management boards, shareholders where disclosed, beneficial owners, persons with significant control, statutory auditors or equivalent):

• Full name and any variants disclosed in the source register;
• Position or function held in the company;
• Identity of the company concerned and its public-register identifiers;
• Dates of appointment, renewal and termination of mandate;
• Corporate postal address as disclosed in the source register;
• Where included in the source register: date of birth, national identification number or passport number, used only for the purpose of distinguishing persons with the same name;
• Any other information appearing in the source register entry concerning the person's professional activity.

These data concern only the professional activity of the person. No special categories of personal data within the meaning of Article 9 GDPR are knowingly processed.

4. Sources of personal data

The personal data referred to in section 3 originate exclusively from official publications of public access, including:

• The Spanish Boletín Oficial del Registro Mercantil (BORME) and the Registro Mercantil;
• The Luxembourg Registre de Commerce et des Sociétés (RCS) and Recueil Electronique des Sociétés et Associations (RESA);
• The United Kingdom Companies House;
• The Dutch Kamer van Koophandel;
• Equivalent official business registers in the other jurisdictions covered by the website.

These positions and data are considered public because they are published in a Gazette, official publication or public official register website. Netamo does not collect personal data directly from the data subjects, nor from private third-party sources, for the purposes of the publication on the website.

5. Purposes and legal basis

The personal data referred to in section 3 are processed for the following purposes:

• Providing a structured, free-of-charge service of secondary access to corporate information published in official European and international business registers;
• Generating company and executive reports requested by clients (directors, shareholders, beneficial owners, persons with significant control);
• Enabling clients to comply with the mandatory information and due-diligence requirements imposed by Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and by Spanish Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing, and equivalent national legislation.

The legal basis for the processing is Article 6(1)(f) GDPR — legitimate interests pursued by the controller and by third parties. The legitimate interests pursued are, in particular:

• Supporting transparency in commercial transactions;
• Enabling journalists, compliance professionals, counterparties, financial institutions and the general public to identify the persons holding or having held corporate positions;
• Facilitating compliance with anti-money-laundering and counter-terrorist-financing legislation by Netamo's clients;
• Facilitating access to corporate information that is, by design of the relevant legal framework, intended to be publicly available.

A balancing of interests has been carried out, taking into account the public-interest character of the underlying business registers, the corporate (non-private) nature of the data, and the absence of sensitive categories. That balancing is reviewed on a case-by-case basis where a data subject objects to the processing under Article 21 GDPR (see section 11).

6. Recipients

The personal data referred to in section 3 are made publicly accessible through the website and may therefore be consulted by any visitor.

Netamo does not sell, license or transfer individual personal data profiles to third parties on a commercial basis outside the ordinary delivery of reports to clients. Netamo does not operate any individualised monitoring or scoring service in respect of the persons appearing on the website. Where clients subscribe to a monitoring service, that service tracks changes in companies and their corporate-officer composition published in the source registers; it does not profile individuals as data subjects.

Netamo relies on the services of Dato Capital LTD (processor, see section 1) and on the sub-processors listed in section 14.

7. Retention

Personal data sourced from public business registers are retained for as long as the corresponding information remains present in the source public register, since that is the period during which the underlying data remain publicly available at source. The Dato Capital website is updated regularly to reflect changes in the source registers.

Where a data subject has validly exercised the right to object under Article 21 GDPR or the right to erasure under Article 17 GDPR, and Netamo has given effect to that exercise, the personal data concerning that data subject are removed from the public website. Netamo retains a minimum internal record of the exercise of the right (containing only the information necessary to identify the data subject and prevent re-publication) for the duration necessary to give effect to the objection and to demonstrate compliance under Article 5(2) GDPR.

8. Clients (registered users and paying customers)

Where the data subject is a client of Netamo or of Dato Capital LTD (registered user, paying customer or representative of a corporate client), the following provisions apply.

Controller

The controller is the entity that contracts with the client (the Service Provider identified on the order form and the invoice): Netamo or Dato Capital LTD, depending on the type of product or service requested, in particular the target country of the report.

Categories of data processed

• Identification and contact details: name, position, email address, postal address, telephone number, VAT or tax identification number;
• Account credentials (login, password — passwords are stored in hashed form);
• Billing details (including the last four digits of the credit card and metadata returned by the payment gateways; the Service Provider does not store full credit card numbers);
• Records of the products and services requested, supplied and invoiced;
• Communications between the client and the Service Provider.

Purposes

• Performance of the contract: delivery of the requested products and services, invoicing, payment, customer support;
• Operation of the automatic monitoring system that informs the client of changes in the companies, directors or other items subject of the requested reports;
• Compliance with legal obligations applicable to the Service Provider (tax, accounting, anti-money-laundering, consumer protection);
• Where the client has consented or otherwise opted in, sending commercial communications about products and services of the Service Provider.

Legal basis

• Article 6(1)(b) GDPR — performance of the contract with the client;
• Article 6(1)(c) GDPR — compliance with legal obligations (tax, accounting, anti-money-laundering, consumer protection);
• Article 6(1)(f) GDPR — legitimate interest in the operation of the monitoring system, the management of the customer relationship and the prevention of misuse of the services;
• Article 6(1)(a) GDPR — consent, in respect of any commercial communications that require consent under applicable law.

Recipients

The personal data of clients are processed by the personnel of Netamo and of Dato Capital LTD authorised to handle the customer relationship. Payment data are processed by the payment gateways identified in section 14 (Banco Santander, Stripe, PayPal). Tax and accounting data may be communicated to tax authorities or auditors as required by law.

Retention

Personal data of clients are retained for the duration of the business relationship and thereafter for the periods required by applicable tax, accounting, commercial and anti-money-laundering legislation (typically up to ten years for accounting and AML-related documents under Spanish and UK law).

9. Visitors of the website

Categories of data processed

• IP address of each visitor, collected actively when visiting the website and clicking links, and passively from requests sent by the browser;
• Browser and device information: browser version, plugins, operating system, available resolution, connection speed, cookie availability, time zone;
• Activity information: access dates and times, pages visited, interactions with keyboard, screen, mouse or other input devices, associated with the IP address;
• Data collected through cookies and similar technologies, as described in the Cookie Policy available on the website;
• Where applicable, data submitted voluntarily through contact, search or feedback forms.

Purposes

• Operating, maintaining and securing the website (including the prevention and investigation of fraudulent or abusive use);
• Producing aggregated and anonymous statistics on the use of the website;
• Where applicable, remarketing in connection with third-party services. Visitors can opt out of personalised advertising at https://myadcenter.google.com/personalizationoff;
• Responding to communications submitted through forms;
• Complying with legal obligations applicable to Netamo.

Legal basis

• Article 6(1)(f) GDPR — legitimate interest, in respect of strictly necessary technical and security processing, and the operation of the website;
• Article 6(1)(a) GDPR — consent, in respect of cookies and similar technologies that are not strictly necessary, where consent is required under applicable law (in particular the ePrivacy Directive 2002/58/EC and the implementing national law).

Retention

• Server logs: retained for a limited period necessary for security and operational purposes, typically not exceeding twelve (12) months;
• Cookies: as described in the Cookie Policy;
• Form submissions: retained for the time necessary to respond and to comply with any applicable legal obligation.

10. Persons who contact Netamo or Dato Capital LTD

Netamo processes personal data of persons who contact Netamo or Dato Capital LTD by email, postal mail, telephone or any other channel, including data subjects exercising their rights under Articles 15 to 22 GDPR, journalists, professionals and any other persons writing in any other capacity.

Categories of data processed: name, contact details, content of the communication, attachments and metadata of the communication (date, time, channel, status of the request). Where the correspondent exercises rights under Articles 15 to 22 GDPR, additional identification data may be requested where reasonable doubts as to identity arise (Article 12(6) GDPR).

Purposes: handling, recording and responding to the communication; where applicable, examining and giving effect to data subject rights requests; maintaining a record of communications and responses to demonstrate compliance with the GDPR; defending the rights and interests of Netamo, including in the context of any complaint, claim, dispute, proceeding or supervisory investigation.

Legal basis: Article 6(1)(c) GDPR (compliance with a legal obligation) in respect of data subject rights requests; Article 6(1)(f) GDPR (legitimate interest) in respect of the management of incoming communications and the defence of Netamo's rights and interests.

Retention: personal data of correspondents are retained for the duration necessary to handle the communication and, in any event, for the period required by applicable limitation periods. In respect of communications exercising data subject rights, the minimum information necessary to give effect to the exercise of the right and to demonstrate compliance is retained on a long-term basis.

11. Rights of data subjects

In accordance with Articles 15 to 22 GDPR, data subjects have the following rights:

• Right of access (Article 15 GDPR);
• Right to rectification (Article 16 GDPR);
• Right to erasure (Article 17 GDPR), subject to the exceptions provided for in Article 17(3) GDPR;
• Right to restriction of processing (Article 18 GDPR);
• Right to data portability (Article 20 GDPR), where applicable;
• Right to object (Article 21 GDPR), at any time, on grounds relating to their particular situation, to the processing of personal data concerning them carried out on the basis of Article 6(1)(f) GDPR. Following such an objection, Netamo will give effect to the objection unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject;
• Right to withdraw consent at any time, where the processing is based on consent.

Data subjects may exercise these rights by contacting:

Email: privacy@netamo.com

Postal mail: NETAMO SYSTEMS SL, Calle Zurbano 45, 1ª planta, 28010 Madrid, Spain

Netamo will respond without undue delay and in any event within one month from receipt, in accordance with Article 12(3) GDPR. That period may be extended by two further months where necessary, taking into account the complexity and number of requests; in such case, Netamo will inform the data subject of the extension within one month of receipt of the request, together with the reasons for the extension.

Netamo may request additional information to confirm the identity of the data subject where there are reasonable doubts, in accordance with Article 12(6) GDPR.

12. Right to lodge a complaint

Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent lead supervisory authority for Netamo is the Spanish Agencia Española de Protección de Datos (AEPD):

Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
Website: www.aepd.es

Data subjects may also lodge a complaint with the supervisory authority of the EU Member State of their habitual residence, place of work or place of the alleged infringement.

13. Security

Netamo and Dato Capital LTD implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The website is accessible through HTTPS. Sensitive information is encrypted in transit. Access to systems is role-based and protected by multi-factor authentication for administrative access. Backups are performed regularly and incident response procedures are in place. Personal data breaches are notified in accordance with Articles 33 and 34 GDPR.

14. Sub-processors and international transfers

The primary hosting of personal data processed through the website takes place in the United Kingdom. Netamo, as controller established in the European Economic Area, transfers personal data to Dato Capital LTD (processor, United Kingdom). This transfer is carried out on the basis of the adequacy decision adopted by the European Commission in respect of the United Kingdom (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021, as renewed) pursuant to Article 45 GDPR.

Netamo relies on the following sub-processors in connection with the operation of the website and the services described in this privacy policy:

• UK Dedicated Servers Limited (United Kingdom) — provision of the primary hosting infrastructure operated by Dato Capital LTD. UK company number 05291070; registered office at Continuity House, 205 Torrington Avenue, Coventry CV4 9AP, United Kingdom. Data are hosted in the United Kingdom, on the basis of the United Kingdom adequacy decision referred to above;
• Amazon Web Services EMEA SARL (Luxembourg) — cloud storage services for application data, with physical hosting in the AWS Region eu-west-1 (Ireland), within the European Economic Area. No international transfer is involved in respect of this sub-processor;
• Google Ireland Limited (Ireland) — email services (Google Workspace / Gmail), with data processed on Google's global infrastructure. Transfers outside the European Economic Area, if any, are governed by the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, as incorporated into Google's Cloud Data Processing Addendum, and, where applicable, by the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795);
• Banco Santander S.A. (Spain) — payment processing for credit-card transactions where applicable;
• Stripe, Inc. (United States) — payment processing for credit-card transactions where applicable. Transfers to Stripe are governed by the Standard Contractual Clauses and, where applicable, by the EU-US Data Privacy Framework;
• PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — payment processing for PayPal transactions where applicable.

A complete and up-to-date list of authorised sub-processors is available on request at privacy@netamo.com.

15. Automated decision-making and profiling

Netamo does not carry out automated individual decision-making within the meaning of Article 22 GDPR in respect of the persons appearing on the website. The profile pages aggregate publicly available register data by reference to the name appearing in those registers; no scoring, evaluation or decisional inferences are made about the individuals concerned.

16. Changes to this privacy policy

Netamo may amend this privacy policy from time to time to reflect changes in legal requirements or in its processing activities. The version date appears at the beginning of this policy. Material changes will be communicated through the website.

17. Applicable law

This privacy policy is governed by the laws of Spain, without prejudice to the direct applicability of the GDPR and of any other applicable Union law.

— End of Privacy Policy —