Effective Date: 8 June 2026
This document outlines the responsibilities of Scrappey.com, hereafter referred to as Scrappey, to its customers concerning data protection, particularly in compliance with the General Data Protection Regulation (GDPR) of the European Union.
Scrappey operates as a Data Processor on behalf of its customers. For the avoidance of doubt, this Agreement applies only to the account and billing personal data that Customers provide to Scrappey in order to use the Service (such as name, email address, and payment details). It does not apply to any data that Customers scrape, collect, or otherwise process through the Service, with respect to which the Customer acts as an independent Data Controller and Scrappey is neither a controller nor a processor, as set out in the Terms of Service. Customers of Scrappey.com are individuals or organizations who pay to utilize the Scrappey service. Free trial users are not considered Customers. Scrappey's Customers are Data Controllers. "Personal data" refers to any information relating to an identified or identifiable person. "Data Protection Laws" encompass EU Directive 95/46/EC, as incorporated into the domestic legislation of each Member State, and any subsequent amendments, replacements, or supersedings, including the GDPR and relevant implementing or supplementary laws. "Services" refer to the Scrappey.com service, including the web application accessed through the browser-based user interface and API (application program interface), as well as any professional services provided by Scrappey. "Sub-processor" denotes any Data Processor engaged by Scrappey. "Data Subject" pertains to the individual to whom Personal Data relates.
By using the Scrappey service, it implies that Scrappey may process personal data on behalf of the Data Controller, adhering to the requirements of Data Protection Laws. The Data Controller must ensure that their users' instructions for processing personal data comply with Data Protection Laws. The Data Controller assumes sole responsibility for the accuracy, quality, legality, and acquisition of Personal Data. The data provided to Scrappey.com is stored in a centralized database. In certain cases, data may also be stored on other services to adequately perform the functionality of the service. Scrappey maintains an up-to-date and comprehensive description of its data protection practices on its website at gdpr, which is periodically updated to reflect any changes in practices.
Scrappey ensures that necessary consent is obtained from Data Subjects to allow for the processing of personal data on behalf of the Data Controller. In the event that Scrappey receives a request from a Data Subject for access to or deletion of their personal data, Scrappey will promptly notify the Data Controller, subject to legal permissions. Scrappey will not respond to such requests without the prior written consent of the Data Controller, except to confirm that the request pertains to the Data Controller. It is the sole responsibility of the Data Controller to fulfill such requests in compliance with applicable laws.
Scrappey ensures that its personnel engaged in the processing of personal data are aware of the confidential nature of the data. They receive appropriate training on their responsibilities and have agreed to confidentiality obligations that remain in effect even after their employment or engagement with Scrappey has ended. Scrappey takes commercially reasonable measures to ensure the reliability of its personnel involved in personal data processing, limiting access to personal data to only those personnel who require it to perform the Services. As per the GDPR, Scrappey does not require a data protection officer. However, for data protection inquiries, you can contact us via email at [email protected].
The Data Controller agrees that Scrappey may engage third-party Sub-processors to provide the Services. Such Sub-processors may access personal data solely for the purpose of delivering the services entrusted to Scrappey, without using it for any other purpose. Scrappey agrees to assume liability for the acts and omissions of its Sub-processors to the same extent as if Scrappey were directly performing the services of each Sub-processor under the terms of this agreement.
Current Sub-processors: As of the effective date of this Agreement, Scrappey engages the following Sub-processors to process account and billing personal data on its behalf:
Sub-processor Changes: Scrappey may add or change Sub-processors from time to time. We will notify the Data Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Data Controller the opportunity to object to such changes. If the Data Controller objects to such changes, they may terminate the Service in accordance with the termination provisions of the main service agreement. If no objection is raised within thirty (30) days of notification, the Data Controller is deemed to have accepted the new Sub-processor.
Scrappey agrees to implement and maintain the administrative, technical, and physical safeguards of personal data stored using the Services.
If Scrappey becomes aware of unlawful access to the Data Controller's personal data stored through the Services or unauthorized access to the Services resulting in loss, disclosure, or alteration of the Data Controller's personal data ("Security Breach"), Scrappey will, without undue delay (and in any event in a manner that enables the Data Controller to meet its own notification obligations under Articles 33 and 34 of the GDPR, including any 72-hour deadline):
The Data Controller agrees that an unsuccessful Security Breach attempt will not be subject to this Section 7 above. An unsuccessful Security Breach attempt is one that results in no unauthorized access to the Data Controller's personal data or to the Services storing the Customer's Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers), or similar incidents.
Notification(s) of Security Breaches, if any, will be delivered to one or more of the Customer's business, technical, or administrative contacts by any means Scrappey selects, including via email. It is the Customer's sole responsibility to ensure it maintains accurate contact information on Scrappey's support systems at all times. Scrappey's report of and/or response to a Security Breach under this Section will not be construed as an admission by Scrappey to fault or liability with respect to the Security Breach.
Scrappey agrees to delete Customer personal data in accordance with Scrappey's procedures and Data Protection Laws. At a Customer's request, Scrappey will provide the Customer with a certification of deletion of personal data.
Data Return: Upon termination of the Service, at the Data Controller's request, Scrappey will return all Customer personal data in a structured, commonly used, and machine-readable format, or delete such data, as requested by the Data Controller, unless applicable law requires retention of such data.
Scrappey will make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
Scope and Limitations: Audit rights are subject to the following limitations: (a) audits must be conducted during normal business hours and with reasonable prior notice (at least 30 days); (b) audits must not unreasonably interfere with Scrappey's business operations; (c) the Data Controller must bear the costs of any audit; (d) audits must be conducted in a manner that maintains the confidentiality of Scrappey's proprietary information and the information of other customers; (e) audits are limited to once per calendar year unless required by applicable law or a supervisory authority; and (f) Scrappey may require the auditor to sign a confidentiality agreement before conducting the audit.
As a Data Processor, Scrappey's liability under this Agreement is limited to the extent permitted by applicable Data Protection Laws. Scrappey's total liability for any claims arising out of or related to this Agreement or the processing of personal data shall not exceed the total amount paid by the Data Controller to Scrappey in the twelve (12) months immediately preceding the event giving rise to the claim, or one hundred euros (€100), whichever is greater.
Scrappey shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to lost profits, lost revenue, or business interruption, even if Scrappey has been advised of the possibility of such damages. This limitation does not affect Scrappey's liability for damages caused by intentional misconduct or gross negligence.
Scrappey and its personnel shall maintain strict confidentiality regarding all personal data processed under this Agreement. This obligation of confidentiality shall survive the termination of this Agreement and shall continue indefinitely. Scrappey shall ensure that any person authorized to process personal data is subject to appropriate confidentiality obligations, whether contractual or statutory.
Upon termination of the Service or this Agreement, Scrappey will, at the Data Controller's option, either return or delete all Customer personal data, except where Scrappey is required by applicable law to retain such data. The Data Controller must specify their preference (return or deletion) within thirty (30) days of termination. If no preference is specified, Scrappey will delete the data in accordance with its standard procedures.
Notwithstanding the foregoing, Scrappey may retain personal data to the extent required by applicable law, including for tax, accounting, or regulatory compliance purposes. Any retained data will be subject to the confidentiality and security obligations set forth in this Agreement.
This Agreement is governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of law provisions, and subject to applicable Data Protection Laws. Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the competent courts of the Netherlands. In the event of any conflict between this Agreement and the Terms of Service with respect to the processing of personal data, this Agreement prevails.
This agreement comes into effect from the 1st of June 2022 for all existing customers or from the time of purchase of a Scrappey subscription. It expires with the cessation of the Customer's Scrappey subscription.