Effective Date: 11 May 2026

Last Updated: 11 May 2026

Version 1.1 — Amendments shown in bold

This Privacy Policy explains how CELESTIAL BUSINESS, S.L., a private limited liability company (sociedad de responsabilidad limitada) incorporated under Spanish law, with registered number (CIF): B56911621, registered at the Registro Mercantil de Madrid (“Celestial Business”, “we”, “us”, “our”) collects, uses, discloses, stores and protects personal data when you access or use our website at https://www.celestbe.com (the “Website”), communicate with us, request information, or use related business services.

Celestial Business operates a professional business intelligence and SaaS platform focused on corporate information, legal records, financial data, and related business due diligence tools for professional and commercial users.

We are committed to handling personal data responsibly and in accordance with applicable privacy and data protection laws, including where relevant:

• Regulation (EU) 2016/679 (GDPR)

• UK GDPR and UK Data Protection legislation

• Spanish Ley Orgánica 3/2018 (LOPDGDD) and Real Decreto 1720/2007 where applicable

• ePrivacy / cookies rules

• Other laws that may apply depending on your location and use of our services
  

1. Introduction

Your privacy matters to us. This Privacy Policy describes:

• what information we collect;

• how we collect it;

• why we use it;

• the legal grounds for processing;

• when we may share it;

• your rights; and

• how to contact us.
  

By using the Website, contacting us, or otherwise interacting with us, you acknowledge this Privacy Policy.

2. Who We Are / Data Controller Details

For purposes of applicable data protection law, the controller of personal data processed through the Website is:

CELESTIAL BUSINESS, S.L.

CIF: B56911621.

Calle Juan de Mena 10, Madrid, 28014, Spain

Email: info@celestbe.com

Where services are provided through affiliated entities, subsidiaries, contractors or group companies (including where relevant UK commercial entities), personal data may also be processed jointly or independently in accordance with applicable law and contractual arrangements. In such cases, the identity of any joint controller and the allocation of data protection responsibilities will be disclosed to affected data subjects in accordance with Article 26 GDPR.

3. Languages of this Policy

This Privacy Policy is published in English and may also be made available in other languages for convenience, including Spanish.

In the event of any conflict, inconsistency or ambiguity between translated versions and the English version, the English version shall prevail, except where mandatory Spanish or EU law requires the Spanish-language version to govern, in which case the Spanish version shall apply to the extent required by law.

4. Scope of this Policy

This Privacy Policy applies to personal data collected through:

• the Website;

• contact forms;

• inquiry forms;

• newsletter or business communication forms;

• email correspondence;

• customer onboarding;

• business account creation;

• platform access requests;

• service delivery interactions; and

• other communications with us.

It does not apply to third-party websites, services or platforms not controlled by us.

5. Information We Collect

Depending on how you interact with us, we may collect:

Identity and Contact Data

• full name

• company name

• business email address

• telephone number (if provided)

• job title

• country / region

Communication Data

• messages submitted through forms

• inquiries

• support requests

• correspondence records

Technical Data

• IP address

• browser type

• device information

• operating system

• language settings

• referral source

• pages visited

• timestamps

• cookie identifiers

Commercial Data

• requested products or services

• subscription interests

• onboarding information

• transaction-related information where applicable

Compliance / Verification Data

Where relevant for B2B onboarding or regulated services:

• business ownership information

• authorised representative details

• due diligence documentation

• sanctions / AML screening inputs where legally permitted

The collection of Compliance / Verification Data is carried out in accordance with our obligations under Spanish Ley 10/2010 de prevención del blanqueo de capitales y de la financiación del terrorismo and, where applicable, EU Anti-Money Laundering Directives. Such data is collected only to the extent strictly necessary and will not be used for any other purpose without a separate legal basis.

6. Information Obtained from Public / Corporate Sources

Because our services relate to business intelligence and corporate records, we may also obtain or compile information from lawful sources such as:

• official public registries

• company filings

• court or insolvency records where lawfully accessible

• government publications

• licensed data providers

• commercial databases

• reputable business information sources

Such information may include names of directors, officers, beneficial owners, representatives, and business contact details where lawfully available.

We process such information only where there is an appropriate legal basis.

Where personal data is obtained from public or third-party sources rather than directly from the data subject, we will provide the information required under Article 14 GDPR, including the source of the data, the purposes and legal basis for processing, and applicable data subject rights; within a reasonable period and no later than one month after obtaining the data, unless an exemption under Article 14(5) GDPR applies. Relevant exemptions include where providing such information proves impossible or would involve disproportionate effort in the context of business intelligence compilation from public registries.

7. How We Collect Information

We may collect data:

• directly from you when you complete forms or contact us;

• automatically through cookies and analytics tools;

• from your employer or organisation;

• from publicly available sources;

• from service providers;

• during onboarding or account setup;

• through communications and meetings;

• through security or fraud-prevention systems.

8. Legal Bases for Processing (GDPR)

Where GDPR applies, we rely on one or more of the following legal bases. The specific legal basis applied to each processing activity is set out in the processing register maintained by Celestial Business, S.L. A summary is provided below.

Contractual Necessity (Article 6(1)(b) GDPR)

To provide requested services, respond to pre-contract requests, or manage accounts.

Legitimate Interests (Article 6(1)(f) GDPR)

For example:

• operating and improving the Website;

• B2B relationship management;

• responding to inquiries;

• fraud prevention;

• network security;

• internal analytics;

• business development;

• maintaining service quality.

We balance such interests against your rights. Where we rely on legitimate interests, a Legitimate Interests Assessment (LIA) is maintained internally. Data subjects may request information about the legitimate interests relied upon by contacting us at the details in Clause 23.

Consent (Article 6(1)(a) GDPR)

Where required, including for certain cookies or marketing communications. Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Legal Obligation (Article 6(1)(c) GDPR)

To comply with tax, accounting, regulatory, AML, sanctions, reporting or other legal duties.

Vital Interests / Public Interest (Article 6(1)(d)/(e) GDPR)

Where exceptionally required by law.

Where we process special categories of personal data (Article 9 GDPR), we will identify the applicable condition under Article 9(2) GDPR and, where required, obtain explicit consent or rely on a recognised legal exemption.

9. How We Use Personal Data

We may use personal data to:

• provide access to services;

• respond to inquiries;

• process demonstrations or onboarding requests;

• manage client relationships;

• verify identity or authority;

• conduct due diligence where relevant;

• improve services and user experience;

• monitor performance;

• maintain security;

• detect abuse or fraud;

• comply with laws;

• enforce legal rights;

• send operational notices.

We will not use personal data for any purpose materially different from those disclosed in this Policy without first providing updated notice and, where required, obtaining fresh consent.

10. Business Communications and Marketing

We may send B2B communications regarding services, updates, industry solutions or relevant offerings where permitted by law.

You may opt out at any time by:

• clicking unsubscribe links;

• contacting us at info@celestbe.com;

• requesting removal directly.
  

We do not knowingly send unlawful spam.

Where marketing communications are sent to individuals (as opposed to corporate addresses), we will rely on consent or the soft opt-in exemption where applicable under Spanish Ley 34/2002 (LSSI-CE) Article 21. Recipients in Spain have the right to object to direct marketing at any time, and we will honour such objections promptly and without charge.

11. Cookies and Tracking Technologies

We may use cookies and similar technologies. For full details of the categories of cookies used, their purposes, duration, and the legal basis for each, please refer to our Cookie Policy at https://www.celestbe.com/cookie-policy.

The Website displays a cookie consent banner offering controls such as Accept All, Reject All, and Manage Preferences.

For more information, please refer to our Cookie Policy.

12. Consent Management Choices

Where required by law, non-essential cookies will be used only after consent.

You may:

• accept all cookies;

• reject non-essential cookies;

• customise preferences;

• withdraw consent later through browser settings or available controls.

Disabling cookies may affect Website functionality.

Consent records are stored and time-stamped in accordance with our obligations under GDPR Article 7(1) and the Spanish LSSI-CE. You may request a record of your consent history by contacting us at info@celestbe.com.

13. Sharing Data with Service Providers

We may share personal data with trusted processors or partners such as:

• website hosting providers;

• cloud infrastructure providers;

• CDN/security services;

• analytics providers;

• CRM platforms;

• email communication providers;

• payment or invoicing providers;

• support tools;

• legal, audit or compliance advisers.

They may process data only under appropriate instructions or legal authority.

All third-party processors are subject to a written data processing agreement in accordance with Article 28 GDPR before any personal data is shared with them. We conduct reasonable due diligence on processors’ security and compliance standards prior to engagement.

We may also disclose data:

• if required by law;

• to regulators;

• in connection with corporate restructuring;

• to protect rights, users or systems.

In the event of a corporate restructuring, merger, or acquisition involving Celestial Business, S.L., affected data subjects will be notified of any change to the data controller’s identity and of their rights in relation to such change, in accordance with applicable law.

14. International Data Transfers

Personal data may be transferred outside the EEA, UK or your jurisdiction where necessary.

Where such transfers occur, we aim to implement appropriate safeguards, including where relevant:

• adequacy decisions;

• Standard Contractual Clauses (SCCs) approved by the European Commission;

• UK transfer addenda;

• technical and organisational protections.
  

A list of the countries to which personal data may be transferred and the safeguards applicable to each transfer category is available on request by contacting us via email. Where transfers are made on the basis of Standard Contractual Clauses, copies of the applicable clauses are available on request.

15. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described, including:

• relationship management;

• service provision;

• legal compliance;

• dispute resolution;

• security;

• recordkeeping.

The following indicative retention periods apply, subject to specific legal obligations:

• Client and contractual records: 6 years from end of commercial relationship (consistent with Spanish limitation periods under the Código Civil and Ley de Enjuiciamiento Civil);

• Tax and accounting records: 4 years from the relevant tax period, in accordance with the Ley General Tributaria;

• Website technical logs and analytics: up to 13 months unless longer retention is required by law or security investigations;

• Marketing consent records: retained for the duration of the consent and for 3 years thereafter to demonstrate compliance.

Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised.

16. Data Security Measures

We implement reasonable technical and organisational measures designed to protect data, including where appropriate:

• access controls;

• authentication measures;

• encryption in transit where supported;

• monitoring;

• backups;

• vendor due diligence;

• incident response processes.

No system is entirely risk-free, but we seek to maintain appropriate security standards.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Agencia Española de Protección de Datos (AEPD) without undue delay and, where feasible, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to data subjects, we will notify affected individuals without undue delay in accordance with Article 34 GDPR.

17. Your GDPR / UK GDPR Rights

Subject to applicable law, you may have rights to:

• access your personal data (Article 15 GDPR);

• rectify inaccurate data (Article 16 GDPR);

• erase data (Article 17 GDPR);

• restrict processing (Article 18 GDPR);

• object to processing (Article 21 GDPR);

• data portability (Article 20 GDPR);

• withdraw consent (Article 7(3) GDPR);

• complain to a supervisory authority (Article 77 GDPR).
  

Requests may be sent to info@celestbe.com.

We will respond to all data subject requests within one calendar month of receipt. Where requests are complex or numerous, this period may be extended by a further two months, in which case we will notify you of the extension and the reasons for it within the initial one-month period, in accordance with Article 12(3) GDPR.

We may request identity verification before responding.

We will not charge a fee for handling data subject requests unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act, providing written reasons in either case.

18. Spain-Based Users / Supervisory Authority Rights

If you are in Spain, you may also lodge a complaint with the competent authority, including:

Agencia Española de Protección de Datos (AEPD)

C/ Jorge Juan 6, 28001 Madrid

Website: https://www.aepd.es

We encourage users to contact us first so we may attempt to resolve concerns directly.

Under Spanish LOPDGDD Article 37, data subjects also have the right to bring claims before the AEPD in relation to infringements of their rights under GDPR and the LOPDGDD. The AEPD has powers to investigate, impose corrective measures, and levy administrative fines in accordance with Articles 83 and 84 GDPR.

19. Third Party Links

The Website may contain links to third-party websites or services. We are not responsible for their privacy practices, content or security. Please review their own privacy notices.

20. Children’s Privacy

Our Website and services are intended primarily for businesses and professionals.

We do not knowingly target children or intentionally collect personal data from children.

If you believe a child has submitted personal data, please contact us.

Under GDPR and Spanish LOPDGDD, the age of digital consent in Spain is 14 years. We do not knowingly collect personal data from individuals under the age of 14. If we become aware that personal data has been collected from a child under 14 without verifiable parental consent, we will delete it promptly.

21. Automated Decision Making / Profiling

We do not generally make solely automated decisions producing legal or similarly significant effects on individuals through the public Website.

Where analytical scoring, filtering, fraud detection or business intelligence tools are used, they are generally aimed at companies or commercial risk assessment rather than personal consumer profiling.

Where any processing that could constitute automated decision-making within the meaning of Article 22 GDPR is implemented, we will: (i) identify and document such processing; (ii) provide data subjects with meaningful information about the logic involved and the significance and envisaged consequences; and (iii) implement appropriate safeguards including the right to obtain human review, to express their point of view, and to contest the decision.

22. Changes to This Policy

We may update this Privacy Policy periodically to reflect:

• legal changes;

• operational changes;

• new technologies;

• service developments.

The updated version will be published on the Website with a revised “Last Updated” date.

Where changes are material, including changes to the purposes of processing, the legal bases relied upon, or the categories of recipients, we will provide advance notice of not less than 30 days by prominent notice on the Website, and we will re-obtain consent where required by applicable law.

23. Contact Details

For privacy inquiries, rights requests or complaints, contact:

CELESTIAL BUSINESS, S.L.

CIF: B56911621,

Calle Juan de Mena 10, Madrid, 28014, Spain

Email: info@celestbe.com

Supervisory Authority (Spain): Agencia Española de Protección de Datos (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es

Privacy Policy