Legal
Legitimate Interests Assessment
Our documented Legitimate Interests Assessments for the processing activities where we rely on Art. 6(1)(f) GDPR.
Operated by Lyne Systems & Consultancy (LSC), Groeneweg 17, 9320 Aalst, Belgium · BCE/KBO BE1011.024.466
On this page
This page summarises the Legitimate Interests Assessments (LIAs) we have conducted for processing activities where we rely on Article 6(1)(f) GDPR — Legitimate Interests as our lawful basis. Publishing this summary is not legally mandatory under GDPR, but is consistent with the Belgian DPA's (APD/GBA) guidance on transparency, demonstrates good faith, and allows data subjects to understand our reasoning before exercising their rights.
For full details of all processing activities and data subject rights, see our Privacy Policy. To object to any of the processing activities below, email privacy@getfoundi.com.
What is a Legitimate Interests Assessment?
Under Art. 6(1)(f) GDPR, processing personal data is lawful if it is necessary for our legitimate interests — provided those interests are not overridden by your fundamental rights and freedoms. The law requires us to apply a three-part test before relying on this basis:
1. Purpose test: Is the purpose legitimate?
2. Necessity test: Is processing necessary — is there no less intrusive way to achieve the same purpose?
3. Balancing test: Do our interests outweigh the data subject's interests, rights, and freedoms?
We are required to carry out this test and document it. We are also required to tell you about it and to honour your right to object (Art. 21 GDPR).
LIA 1 — Auto-creating unclaimed listings from public registries
Processing activity: Importing, normalising, and storing business listing data from government registries and commercial directories (KBO/BCE, Companies House, KVK NL, SIRENE FR, DIRCE ES, Offenes Handelsregister DE, VIES, Yelp, Gouden Gids, Yell, Checkatrade, partner feeds) to create draft listings in the GetFoundi directory.
Date of assessment: June 2026
Review date: June 2027
Purpose test
Our purpose: To build an accurate, comprehensive AI-discoverability directory by collecting publicly available business registration data and making it structured and machine-readable for AI assistants.
Is it legitimate? Yes. Business registration data is published by government authorities for the explicit purpose of business transparency and public discovery. Using it to help AI assistants accurately describe businesses is a natural extension of that public-disclosure purpose. We have a commercial interest in building a comprehensive directory and a public interest in improving AI accuracy about local businesses.
Is the purpose clearly defined? Yes. We collect only the data fields necessary to build a business listing (name, address, category, contact details, company status). We do not collect financial data, credit information, or private director personal data beyond what appears in the business registration.
Conclusion — Purpose test: SATISFIED.
Necessity test
Is processing necessary? Yes. There is no way to build a comprehensive AI-discoverability directory without ingesting publicly available business registration data. The alternative — waiting for each business owner to self-register — would result in incomplete coverage and defeat the purpose of the service.
Is there a less intrusive way to achieve the same result? No. We have considered:
- Only accepting self-registrations: would exclude the vast majority of SMEs who are not aware of GetFoundi.
- Aggregating at business-type level without individual records: would not allow AI assistants to retrieve accurate information about specific businesses.
- Using only anonymised/aggregated data: not possible — the purpose requires individual business-level data to be accurate and queryable.
Data minimisation: We import only the fields necessary to build a listing and do not import fields that are irrelevant to discoverability (e.g. internal financial filings). The `email_discovery_method` field tracks how contact data was obtained, which allows us to apply category-appropriate minimisation.
Conclusion — Necessity test: SATISFIED.
Balancing test
Data subjects' interests: Business owners and directors may have an interest in controlling how their business information is used. However, the data we process is:
- Already publicly disclosed by government registries for transparency purposes
- Business (not private) data — company name, registered address, company status
- The same data that appears in Google Business listings, LinkedIn, and other publicly available directories
Our interests vs data subjects' interests:
| Factor | Assessment |
|---|---|
| Nature of data | Business registration data — low sensitivity (already public) |
| Reasonable expectations | Businesses should reasonably expect their public registration to be used for directory purposes |
| Impact on data subjects | Low — data is already public; we add discoverability, not new exposure |
| Safeguards | Art. 14 notification within 1 month; claim or remove available at all times; data minimisation applied |
| Data subject rights | Right to erasure honoured within 24 hours; suppression list maintained permanently |
Conclusion — Balancing test: Our interests outweigh data subjects' interests. The impact is low (data already public), the safeguards are strong (erasure within 24h, permanent suppression), and the purpose is proportionate to the public disclosure purpose for which the data was originally published.
Overall LIA 1 conclusion: LEGITIMATE INTERESTS BASIS IS SATISFIED.
How to object
Email privacy@getfoundi.com with subject "Object to listing — LIA 1". We will remove your listing and suppress your details within 24 hours and ensure you are not re-imported.
LIA 2 — Professional listings (individuals from public sources)
Processing activity: Collecting and storing professional listing data about individual professionals (name, title, practice area, professional registration, contact details) from public professional registries, licensing bodies, and commercial directories.
Date of assessment: June 2026
Review date: June 2027
Purpose test
Our purpose: To make individual professionals discoverable by AI assistants and by recruiters and potential clients using the GetFoundi platform.
Is it legitimate? Yes. Professionals in public-facing roles — freelancers, consultants, licensed practitioners — actively make themselves discoverable by publishing professional profiles, registering with licensing bodies, and listing themselves in directories. Aggregating this publicly available information to improve AI discoverability is a legitimate extension of the same discoverability purpose.
Conclusion — Purpose test: SATISFIED.
Necessity test
Is processing necessary? Yes. We cannot make professionals discoverable by AI assistants without holding their professional details in structured form.
Data minimisation: We hold only the professional details necessary for the listing (name, title, practice area, registration category, location, contact). We apply heightened minimisation for regulated professions where processing could reveal sensitive attributes under Art. 9 (e.g. we do not store medical registration numbers where the category alone is sufficient for the listing).
Conclusion — Necessity test: SATISFIED.
Balancing test
Data subjects' interests — additional considerations for individuals:
Unlike incorporated businesses, individuals have stronger privacy interests even in their professional capacity. We apply the following safeguards beyond those for business listings:
| Factor | Assessment |
|---|---|
| Nature of data | Professional (not private) data — already public via registries/directories |
| Reasonable expectations | Professionals who register with licensing bodies or list in directories should expect professional discoverability |
| Art. 9 risk | Assessed by category — heightened minimisation applied for health, legal, financial professionals |
| Impact on data subjects | Low-medium — professional details are already public; we do not add private contact information |
| Safeguards | Art. 14 notification within 1 month; erasure within 24 hours; suppression maintained permanently; Art. 9 case-by-case review |
Conclusion — Balancing test: Our interests outweigh data subjects' interests for professional data. The privacy impact is low (data already public), reasonable expectation of professional discoverability exists, and we apply additional minimisation for sensitive professional categories.
Overall LIA 2 conclusion: LEGITIMATE INTERESTS BASIS IS SATISFIED. Subject to ongoing Art. 9 category review.
How to object
Email privacy@getfoundi.com with subject "Object to listing — LIA 2". We will remove your professional listing within 24 hours and add you to our permanent suppression list.
LIA 3 — Cold outreach to unclaimed listing owners
Processing activity: Sending unsolicited email to business owners and professionals whose listings have been auto-created from public sources, inviting them to claim or remove their listing.
Date of assessment: June 2026
Review date: June 2027
Purpose test
Our purpose: (1) To fulfil our Art. 14 GDPR obligation to notify data subjects that their data has been processed. (2) To give listing owners the practical opportunity to claim and take control of their listing. (3) To enable us to grow the directory of claimed, verified, high-quality listings.
Is it legitimate? Yes. Our Art. 14 obligation is not merely legitimate — it is legally required. The commercial interest in growing the claimed directory is also legitimate. The combination of legal obligation and commercial interest is a strong legitimate interests basis.
Conclusion — Purpose test: SATISFIED. The Art. 14 notification purpose is additionally supported by Art. 6(1)(c) (legal obligation) as a co-basis.
Necessity test
Is processing necessary? Yes. Email is the only practical channel to reach listing owners at scale without access to physical addresses or phone numbers for every listing.
Is there a less intrusive way? We limit outreach to a maximum of three emails (claim, reminder, final notice) before the draft listing expires. We do not pursue listing owners beyond this sequence. Physical letters are sent in certain jurisdictions where email is unavailable.
Conclusion — Necessity test: SATISFIED.
Balancing test
| Factor | Assessment |
|---|---|
| Nature of data | Email address — moderate sensitivity |
| Purpose of outreach | Legal notification + practical service invitation — directly related to subject's business activity |
| Reasonable expectations | B2B context; outreach relates directly to the recipient's business/professional listing |
| Frequency | Maximum 3 emails; draft expires after 14 days of final notice |
| Safeguards | One-click unsubscribe in every email; permanent suppression on opt-out; no marketing content beyond the claim invitation |
| Data subject rights | Art. 21(2) absolute right to opt out of direct marketing; honoured within minutes of unsubscribe click |
| Belgian ePrivacy rules | B2B context; outreach relates directly to professional/business activity — satisfies Belgian soft opt-in exception |
Consumer contacts: We do not knowingly send cold outreach to B2C email addresses (personal email accounts unconnected to a business or professional registration). Where our email-discovery heuristics identify a consumer address, we apply a conservative flag and suppress outreach for that record. This is documented in the `email_discovery_method` field.
Conclusion — Balancing test: Our interests (legal notification obligation + commercial purpose) outweigh data subjects' interests. The safeguards (one-click opt-out, permanent suppression, 3-email maximum, B2B-only targeting) are proportionate and robust.
Overall LIA 3 conclusion: LEGITIMATE INTERESTS BASIS IS SATISFIED.
How to object
Click the Unsubscribe link in any email from GetFoundi, or email privacy@getfoundi.com with subject "Opt out of cold outreach — LIA 3". Your opt-out will be honoured within minutes (unsubscribe link) or within 24 hours (email request).
Review schedule
These LIAs will be reviewed:
- Annually (next review: June 2027)
- When there is a material change to the processing activity (new data sources, new outreach channels, change to volume or frequency)
- When a regulatory guidance update from the APD/GBA or EDPB requires reassessment
To request a copy of our full internal LIA documentation, contact privacy@getfoundi.com.
Contact
Email: privacy@getfoundi.com
Data controller: Lyne Systems & Consultancy (LSC), Groeneweg 17, 9320 Aalst, Belgium
Belgian DPA:
Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA)
Rue de la Presse 35 / Drukpersstraat 35, 1000 Brussels, Belgium