TL;DR — what AI sales tools do with your data. A growing class of AI sales and data-enrichment tools take a licence to absorb the contacts you upload — your prospects, customers, and pipeline — into a shared commercial dataset they then sell to other companies, including your competitors. The people whose data it is are rarely told, because the vendor leans on a transparency exemption. Not every tool does this. Three clauses tell you which kind you have signed: the contribution licence, the training clause, and the retention clause. And "we did not read the terms" is not a defence: regulators have already fined the companies that used third-party data without checking how it was sourced.
The pitch is clean. Connect your CRM, and the tool will deduplicate it, fill in missing phone numbers and job titles, verify the email addresses, and — increasingly — let an AI agent run outreach for you. CRM hygiene, enrichment, automation. All of it useful.
The part that does not make the pitch deck is in the terms. When you upload a list, some vendors take a licence to keep it.
The inversion: the customer is also the supplier
Apollo, one of the larger B2B data platforms, states it plainly. When customers submit data, the company "may use such information to grow, enrich, and verify the information included in our Contributory Database, which is made available to other Apollo customers" (privacy policy, updated 16 September 2025). It retains that data, in its own words, "as long as it is useful in our products."
Read that back slowly. The contacts you uploaded — the relationships you built, the customers you won — are folded into a dataset that is then sold to whoever else pays, your direct competitors included. You pay to use the dataset. You also pay to build it, in the only currency the vendor actually wants: your data. The model only works because thousands of customers are quietly contributing the same way.
This is not a rogue operator. It is a published, standard term at a mainstream vendor. In substance these tools are a new kind of B2B data broker — one you feed yourself — and it is a pattern, not an outlier.
Three things that can happen to your data
The mechanism shows up in three forms. A single tool may use one, or all three.
Absorption — the contribution licence. The clearest version appears at the enrichment vendors. Prospeo, a B2B data company, takes "a perpetual, worldwide, royalty-free license to ingest, use, and retain" the records its customers upload, and is explicit that the data "will continue to be stored and processed" after the account is closed. Apollo's "Contributory Database" is the same idea under a friendlier name. The upload is not a transaction. It is a deposit, and it does not come back.
Training — your conversations become the model. The AI sales-assistant category goes a step further: it trains on what it captures. Sybill, an AI meeting assistant, uses customer data to "train our expression recognition engine, and speech-to-text engine and improve our machine learning and data analytics models." An expression-recognition engine is trained on the faces and voices of the people on your sales calls — your prospects and customers — who never signed anything and were never asked. Emotion-recognition systems are among the uses the EU AI Act restricts, which makes a tool built on expression analysis both a contractual and a regulatory exposure for the company that deployed it.
The hidden layer — infrastructure you never chose. Many AI sales products do not record calls themselves; they resell a meeting-recording layer underneath. Default, an AI go-to-market platform, lists Recall.ai among its sub-processors. Recall is the bot that joins the call to capture audio, video, and transcripts. Its own data-processing agreement describes the data subjects as "Participants in meetings... likely to include Customer's prospects, customers, business partners, and vendors." One infrastructure vendor, sitting under many products, ends up with a view into a great many companies' meetings — a concentration most buyers never see when they pick the tool on top.
Why the people in your CRM never find out
For any of this to be lawful in the EU, somebody has to have a legal basis and somebody has to tell the data subjects. In practice, both duties get blurred.
The first move is the controller/processor switch. A vendor will present itself as a processor — handling your data on your instructions — for the part of the service you see, while acting as a controller for its own dataset. Compelling, a German B2B intelligence provider, is candid that it is the controller for its own dataset, assembled from public sources including LinkedIn, XING, and the commercial register, on a legitimate-interest basis. Apollo says it acts "as a processor for our Customers" in some cases and, in those cases, tells data subjects to take their rights requests elsewhere. The same record can be processor-data to you and controller-data to them.
The second move is the transparency exemption. Where a company collects personal data indirectly — not from the person, but from a list or a scrape — the GDPR (Article 14) still requires it to inform that person. Vendors lean on the carve-out in Article 14(5)(b), which excuses notification where it would involve "disproportionate effort." Prospeo cites it by name. It is how your prospects, customers, partners, and vendors end up inside a commercial dataset they cannot see and were never told about.
The exposure does not stop at the vendor. It runs back to you.
Can the company be held accountable if it did not know?
This is the question that decides whether the section above is interesting or actionable. If you deploy one of these tools and never read the terms — or the vendor never disclosed the re-use in plain sight — can you, the company using it, be held responsible? The short answer under the GDPR is yes, and the case law already points one way.
Start with the most on-point decisions. In January 2024 the French regulator, the CNIL, fined FORIOU €310,000 for using data brokers' data for prospecting without confirming the people had validly consented. The decisive finding: although FORIOU had written contractual requirements into its supplier agreements, "no effective control of these requirements was carried out downstream." A contract was not a defence. Months later the CNIL fined HUBSIDE.STORE €525,000 on the same logic. The regulator's position is consistent — a company using data supplied by partners or brokers must itself ensure the data was collected lawfully. The duty to check sits on the user of the data, not only its source.
"We did not know" fares no better. In Deutsche Wohnen (C-807/21, December 2023), the Court of Justice of the EU confirmed that a GDPR fine requires negligence or intent — but that you do not have to prove anyone in management knew about or intended the breach. A company is liable for a negligent infringement committed in the course of its activity, full stop. Failing to do the due diligence is the negligence. And the maximum is calculated on group-wide worldwide turnover.
The transparency dodge has also been tested. The Polish authority fined the data aggregator Bisnode for relying on a website privacy notice instead of telling the people whose data it had scraped. Bisnode argued that individual notification would cost roughly €40 million — more than its annual turnover — and so was disproportionate under Article 14(5)(b). The regulator rejected it, and the courts upheld the rejection: the cost of informing people is part of the cost of holding their data, not a reason to skip it. The exact exemption your vendor is leaning on has already failed in front of a supervisory authority.
And the aggregator model itself has been found unlawful at scale. The Dutch Data Protection Authority fined Clearview AI €30.5 million in September 2024 for building a database by scraping images without a lawful basis and without informing the people in it — after similar €20 million fines in Greece and Italy. The "contributory database," followed to its conclusion, is the thing regulators are already sanctioning.
One honest caveat: there is not yet a flagship ruling on the precise fact pattern — a company fined because its SaaS vendor quietly absorbed its uploaded CRM into a resold dataset. FORIOU and HUBSIDE are the close cousins, and they concern buying broker data rather than feeding it. But the governing principle is settled, and every strand of it — accountability, downstream verification, the failure of the disproportionate-effort argument — points the same way. The fact pattern is simply early. First movers carry the untested exposure, not the safety.
Where NIS2 fits — and where it does not
It is worth being precise, because the two regimes get conflated. NIS2 is a cybersecurity directive, not a data-protection law. It does not regulate the commercial re-use of personal data, and it will not fine you for a vendor reselling your contacts — that is the GDPR's job.
What NIS2 adds, for the organisations in its scope (essential and important entities above the sector and size thresholds), is a supply-chain duty. Article 21(2)(d) requires entities to manage the security risks in their relationships with direct suppliers and service providers; Article 21(3) tells them to weigh each supplier's vulnerabilities and "the overall quality of products and cybersecurity practices" of that supplier; and Article 21(2)(f) makes that assessment an ongoing obligation, not a one-off at procurement. A tool that absorbs your customer list into a shared dataset is a confidentiality exposure you were expected to have assessed.
Above all of it sits Article 20: the management body must approve and oversee these measures and can be held personally liable for failing to. Accountability cannot be delegated, only execution can. (We cover that liability mechanism in detail in our analysis of NIS2 and personal liability for board members.) NIS2 obligations apply as transposed in each member state, and the detail varies — but the directive-level architecture is stable.
So the two regimes catch different failures. GDPR catches the data re-use and the failure to tell your data subjects. NIS2 catches the failure to vet the supplier and the board's failure to oversee it. They agree on one thing: not having looked is itself the breach.
Where the law is heading: the Digital Omnibus
The current rules are the floor, not the forecast. In November 2025 the European Commission published its Digital Omnibus — a package that proposes to simplify the GDPR, the AI Act, NIS2, ePrivacy, and others, and to cut administrative burden. As of mid-2026 it is still being negotiated between the Parliament and the Council, with adoption not expected before late 2026. It is a proposal, not law, and the detail is still moving.
For the model in this article, one proposed change matters most. The Omnibus would give AI providers a firmer footing to process personal data for AI development and operation on a legitimate-interest basis under Article 6(1)(f), subject to safeguards and an unconditional right for people to opt out. If it is adopted, the training leg — the part where your calls and contacts feed the vendor's models — becomes easier for the vendor to defend, not harder.
The more sweeping idea — narrowing what counts as "personal data" so that pseudonymised records would fall outside the GDPR altogether — is the one that would most directly ease wholesale aggregation. It is also the part facing the strongest resistance: a leaked Council compromise text in early 2026 reportedly stripped the redefinition back out, and its fate is unsettled.
Read the direction of travel correctly. The reform lowers friction for the vendors, not for you. None of it removes your accountability, your duty to vet a processor, or your obligation to tell your own data subjects what you share — and an opt-out right, if it lands, is one more thing you would have to honour, not one less.
How to tell the difference: the three-clause test
None of this is an argument against using sales tools. It is an argument for reading three clauses before you connect your CRM to one — because the responsible vendors exist, and they say so in writing.
Fireflies, an AI meeting assistant, updated its policy in March 2026 to state: "We do not use personal information for AI model training and we contractually prohibit our vendors from using this information for their own model training," alongside a "Zero Data Retention policy for meeting content." Recall, the infrastructure layer, contracts purely as a processor and returns or deletes data on instruction. The difference between these and the absorption model is visible to anyone who looks. So look:
- The contribution licence. Does uploading your data grant the vendor a licence to add it to a dataset it sells to others? Words like perpetual, irrevocable, or contributory database are the red flag. A clean processor takes no such licence.
- The training clause. Is your content — calls, messages, contacts — used to train the vendor's models? Look for an explicit "we do not use your data to train our models." Silence is not the same as no.
- The retention clause. What survives when you close the account? "Returned or deleted on termination" is the answer you want. "Retained as long as it is useful," or de-identified data kept indefinitely, is the answer that should give you pause — and even careful vendors keep de-identified data, so read the carve-out.
If a vendor will not answer these three questions clearly, that is itself the answer.
Why this belongs in procurement, not just security review
The instinct is to treat data exposure as an IT problem — something the security team catches. This one does not surface there, because nothing was breached. No attacker, no incident, no log entry. You signed a contract, and the contract did exactly what it said.
That is what makes it a governance problem. Your relationship graph — who you sell to, who buys from you, who you are courting — is among the most competitively sensitive assets you hold, and a contribution clause licenses it away in exchange for cleaner data. The decision to accept that trade is not a configuration setting. It is a procurement and board-level call about what you are willing to give up, to whom, and under what law. It is the same blind spot we describe in third-party risk versus supply-chain attack: the access and exposure that sit with the firms you hand your data to, not inside your own perimeter.
The work, then, is unglamorous and entirely doable: know which tools your sales and marketing teams have connected, read the three clauses in each, and decide deliberately rather than by default. The companies that get fined are not the ones that made a considered trade. They are the ones who never looked.
This article is analysis, not legal advice. Specific obligations depend on your role under the GDPR, your NIS2 scope, and how each instrument is transposed in your member state.
Sources
- Apollo, Privacy Policy (Contributory Database; retention), updated 16 September 2025.
- Prospeo (Defastra Tech Inc.), Privacy Policy and Terms of Service (contribution licence; Article 14(5)(b); "sale" under US state law), as published 17 June 2026.
- Sybill, Master Subscription Agreement (expression-recognition and ML training), sybill.ai/msa, as published 17 June 2026.
- Default (Tomo HQ, Inc.), Sub-processors list (Recall.ai, OpenAI, Apollo, HubSpot, Wiza), as published 17 June 2026.
- Recall.ai, Data Processing Agreement (processor role; meeting participants as data subjects).
- Compelling (seekwhens GmbH), Privacy Notice and GTC (controller for its own dataset; Article 6(1)(f)), as published 17 June 2026.
- Fireflies.ai, Privacy Policy (no AI model training on personal data; zero data retention for meeting content), updated 6 March 2026.
- CNIL, decisions fining FORIOU (€310,000) and HUBSIDE.STORE (€525,000) for use of broker data without verified consent, 2024.
- CJEU, Deutsche Wohnen SE v Berlin (C-807/21), judgment of 5 December 2023.
- UODO (Poland), first GDPR fine against Bisnode for breach of Article 14 information obligations, 2019.
- Autoriteit Persoonsgegevens (Netherlands), €30.5 million fine against Clearview AI, 3 September 2024.
- European Commission, Digital Omnibus package, published 19 November 2025 (proposal in negotiation).