Postbag GDPR privacy notice. (in further text referred to as we, us and our) is run by an EU/EEA company and processes personal information of EU/EEA citizens and residents. Therefore, it is required that we operate under the GDPR regulation guidelines. In this privacy notice, we explain what types of data we process as Data Processors for our customers acting as Data Controllers. Also, we describe where do we source the data from and how do we process it. In addition, this notice also sets out requirements that our Data Controller Customers need to fulfill in order for their processing of data to be compliant with GDPR.


We help connect story sources with journalists, brands with bloggers and companies with web masters covering their niche. As it was common practice even before our platform, they look for each other by using search engines to find highly related web pages, followed by the search for the person who created the content with their email address, and reaching out to them one-on-one. We are a specialized search engine that automates all these steps via a simple single-query user interface. Subsequent sections will explain exactly how, and at what point, we process personal data to help organizations with people matching based on their public work.


Postbag crawls the whole web and builds an index of web pages just like classical search engines. However, unlike the traditional search engines, it does not search just by keyword but by niche as well. When you do a search, our AI algorithms search this index to return only either news publications, high quality blog posts covering certain topics from multiple perspectives, and web pages offering different views in form of guides, resources and selection of products and services. This is the part of our system that does not process any personal data.

Contact matching.

When a web search is done, our backend takes a list of URLs found and starts crawling them. Robots.txt restrictions are completely obeyed throughout this process. During the crawl, our natural language processing algorithms find and extract the person responsible for the given URL, in addition to their email address in real-time. Of course, only if that information is publicly available at a given moment. This is the part of our system where we do process publicly available personal data on your demand. In particular, names and emails only. As this happens only at your request, and only you collect, process and use this personal data, you are a Data Controller and we are a Data Processor as defined by GDPR. Because of this, multiple requirements arise as described in further text. If you are using our solution for a purely personal or household activity as described in Article 2 section 2, GDPR regulation does not apply. In addition, if you are using for journalistic, academic, artistic or literary expression purposes, there is a range of exceptions available to you as described under Article 85 section 2 of GDPR.

DPA contract.

GDPR requires you (Data Controller) to have a DPA contract with us (Data Processor) that governs processing of personal data pursuant to Article 28 section 3 of GDPR. Please contact us via to execute this contract as we have a template ready for signature.

Legal basis for processing.

Under the GDPR, you need to select a legal basis for processing of personal data as laid out in Article 6 section 1. As long as you are using our solution as intended and required by our Terms of Service - for merit-based outreach to publicize something related and of value - you can use Legitimate Interests as a legal ground for processing personal data.

For example, if you are a story source, brand or content owner, and you have something newsworthy that would be published based on merit, you have a legitimate interest to try and publicize it by contacting journalists, bloggers, and web masters covering related topics within your niche. This fulfills the Purpose Test.

In order to do so, it is necessary to find content they posted publicly along with their email addresses. Without this, it would be impossible to contact them. This fulfills the Necessity Test.

Furthermore, the Data Subject interests do not override your legitimate interest for targeted and related outreach. The two are rather aligned in this case because of how search was designed to process the data. Namely, we can find a natural person's name and email address as relating to publication only if the person publishing it made it publicly available on the web sites where the publication was found. For example, a journalist writing about financial health and publishing their contact information with that article, could reasonably expect people to contact them in regards to topics related to financial health. So could a blogger running a blog on a certain topic. And a web master operating a web site on a certain niche. This fulfills the Balancing Test.

Data subject information notice.

All the Data Subjects need to be served with a privacy notice by Data Controllers outlining all the information required by GDPR. As the personal data has not been obtained directly from the Data Subject, but public data sources instead, you are required to provide a privacy notice pursuant to Article 14 of GDPR. However, as personal data processed by us on your demand is being used exclusively for communication with the Data Subject, Article 14 section 3 paragraph (b) provides you with an option to provide the privacy notice at the time of the first communication with the Data Subject. This means that you must include your privacy notice with the first email to the Data Subject by either including the full content of it at the end of the email or, alternatively, publishing the privacy notice on your web site and then linking to it from the first email you send to the Data Subject.

Right to forget.

As we obtain personal information from public sources, in particular names and email addresses, it is enough for the Data Subject to either remove that information from the web site or restrict access with robots.txt file which we fully obey. However, this can not always be possible for reasons such as publication outlets not being under direct Data Subject control. In any case, Data Subject always has the right to request immediate end to all processing activities on their personal data. They need to contact you, the Data Controller, and request this explicitly as described in your privacy notice. If this happens, you can always contact us and we'll provide you with an interface to exclude processing of a given Data Subject from all activities under your account.

This document was last edited in Almere, Netherlands on 10th of June, 2020.

Data27 Technologies
Ganzenstraat 1
Amersfoort, 3815 JA
The Netherlands
KvK number: 78185629

We use cookies. By using our site, you consent to our privacy policy.   OK