Privacy policy
This policy describes Overt's actual data practices and is being finalised with counsel ahead of general availability. Items in brackets are pending confirmation.
The short version
- The Overt product analyses the publicly observable infrastructure of companies (DNS, response headers, certificates, public registries) — not the personal data of individuals.
- We collect personal data only where needed to run the service: your account/identity, your workspace data, and any contact you send us.
- Workspace and corpus data are stored on Cloudflare in the EU. Authentication is handled by Descope, currently in the United States.
- No advertising cookies, no cross-site tracking, no sale of personal data.
What we collect and why
| Data | Why | Where |
|---|---|---|
| Account identity (name, work email, authentication method) | To create and secure your login and workspace | Descope (US) |
| Workspace data (saved lists, pipeline stages, notes, API-key metadata, audit log) | To provide the product to your team and isolate it from other tenants | Cloudflare D1 (EU) |
| Contact-form submissions (name, work email, company, optional account list) | To respond to a live-scan request | Forwarded to our team inbox; not stored by the website |
| In-product contact enrichment (names, titles, business contact details of prospects) | To provide the sales-intelligence features you invoke; the data is sourced from licensed providers | Cloudflare D1 (EU), cached with retention limits |
| Usage analytics (page views, aggregate events) | To understand and improve the site | Cloudflare Web Analytics (cookieless) |
The product's data sources
Overt's intelligence is derived from publicly observable signals about organisations: HTTP response headers, DNS and email records, certificate-transparency logs, public routing data, public job boards, and official company registries. This is company infrastructure data, not personal data. Detection is passive; the one active check is opt-in and limited to targets you are authorised to assess. Where the product surfaces business contacts, that data comes from third-party providers under their licences and lawful bases.
Overt browser extension
The Chrome Web Store listing for the Overt extension links to this section. It describes exactly what that extension does with the sites you visit.
What it collects. When enabled, the extension sends the domain names of sites you visit — the registrable apex only (e.g. example.com) — to Overt, to show the on-file coverage badge for that domain and to improve Overt's shared market-intelligence coverage. We collect only the apex domain — never the full URL, page path, query string, page content, form data, or anything you type. A visit to https://example.com/account?id=123 is recorded only as example.com.
Anonymous by design. The visited-domain stream is anonymous: the domains are not linked to your name, account, email or IP — by construction there is no field tying a domain to a person. We do not build a browsing profile of you. Discovered domains feed a shared coverage corpus used across Overt, not a per-user record.
Your control — off anytime. The extension shows a clear disclosure the first time you use it, and the domain file-back begins only after you've seen it. You can turn it off anytime with a one-click toggle in the extension's settings. With it off, the extension's in-page technology detection still works and nothing is sent to Overt.
Retention. Raw visited-domain data is kept for at most 30 days, then deleted. Only the anonymous derived signal — that a domain exists in Overt's shared market-coverage corpus — is kept beyond that; it is public, domain-level market data (not personal data), so it is not subject to the 30-day window.
We never sell or share it. We do not sell the visited-domain data, share it with third parties for their own use, or use it for advertising. It powers Overt's coverage and intelligence features only.
Signed-in features (future). If you connect the extension to an Overt account, data you access is governed by this Privacy Policy and your workspace settings, protected by the same access controls as the Overt app.
Our role & lawful basis
Who is the controller. For your account and workspace data, you (your organisation) are the data controller and Overt is your processor — we process it on your documented instructions to provide the service, under a data processing agreement. For Overt's own corpus, website and marketing, Overt is the controller.
- Account & workspace data — lawful basis: performance of a contract (Art. 6(1)(b)) — we need it to give you the service you signed up for.
- Contact & firmographic enrichment (business contacts of prospects) — lawful basis: legitimate interests (Art. 6(1)(f)) in B2B sales intelligence, balanced against the data subject's rights; sourced from providers operating under their own lawful bases and notice obligations. You remain responsible for your lawful basis when you act on that data (see Terms).
- Website & lead form — lawful basis: legitimate interests in responding to your enquiry and operating the site.
- We do not process special-category data and do not use the data for automated decisions with legal effect on individuals.
Sub-processors
- Cloudflare — hosting, database (D1), edge analytics. Data stored in the EU.
- Descope — authentication and identity. Currently processes auth data in the US. [EU data residency available on a higher plan — to be enabled before EU-customer GA if required.]
- Apollo, Lusha — business-contact and firmographic data, for in-product enrichment you invoke.
- Google Workspace — delivery of contact-form submissions to our team.
- [Final sub-processor list and DPA available at contract signature.]
International transfers & residency
Your workspace and the corpus live in the EU on Cloudflare. Authentication data is currently processed by Descope in the United States under the EU Standard Contractual Clauses (2021) as the transfer mechanism. We will state any change to this arrangement here. [EU data residency for authentication available on a higher plan — to be enabled before EU-customer GA if required.]
Retention
Workspace data is kept for the life of your account. Contact-enrichment caches and buying-team data are purged on a rolling retention window. Contact-form submissions are kept only as long as needed to respond. You can request deletion at any time.
Your rights
Under the GDPR you may request access to, correction of, export of, or deletion of your personal data, and you may object to or restrict processing. Contact security@icwt.cloud; we respond within one month (extendable by two further months for complex requests, with notice). Where Overt acts as a processor (your workspace data), we will forward your request to the relevant controller or assist them in responding. You may also lodge a complaint with your supervisory authority — in Poland, the UODO.
Cookies
We use no advertising or cross-site tracking cookies. Authentication uses the minimum storage needed to keep you signed in. Analytics is cookieless.
Changes
We'll update this page as the service evolves and note the date above.