Privacy Policy
Your privacy matters to us. This policy explains how we collect, use, and protect your personal data in compliance with the GDPR.
Last updated: April 16, 2026
1. Data Controller
The data controller responsible for your personal data is:
Ontwikkelingsmaatschappij Boudewijn B.V.
Trading as: Scraler
Chamber of Commerce (KvK): 74174622
Country: The Netherlands
Email: privacy@scraler.com
For trainers and studios using Scraler to manage their clients, the trainer/studio acts as the data controller for their clients' data, and Scraler acts as a data processor on their behalf under Article 28 GDPR.
2. Data We Collect
For Trainers & Studios:
- Account information (name, email, password)
- Business information (studio name, address, subdomain)
- Payment and billing information (processed via Stripe)
- Usage data (feature usage, login times)
For Clients (via Trainers):
- Identity data (name, email, phone, date of birth, gender)
- Profile photo
- Communication data (chat messages, which are encrypted)
- Payment data for trainer services (processed via Stripe Connect)
Automatically Collected:
- IP address and approximate location (country/region)
- Browser type and version
- Device type and operating system
- Pages visited and feature usage
- Timestamps and session duration
3. Health & Fitness Data (Article 9)
To provide personalized fitness and nutrition coaching, we process the following special category data as defined by GDPR Article 9:
- Physical measurements: Height, weight, body measurements, body fat percentage
- Health information: Medical conditions, injuries, physical limitations
- Dietary information: Allergies, dietary restrictions, food intolerances
- Fitness data: Workout performance, exercise records, strength metrics
- Progress data: Progress photos, weight tracking, body composition changes
- Nutrition logs: Food intake, macro tracking, meal plan adherence
Apple HealthKit Integration (iOS)
With your explicit permission, the Scraler mobile app reads health and fitness data from Apple HealthKit, including steps, heart rate, active energy burned, exercise minutes, sleep analysis, body mass, and workout sessions. We write completed workout data back to HealthKit.
HealthKit data is used solely to display your health metrics and share them with your assigned trainer. It is never used for advertising, marketing, or sold to third parties.
Legal Basis (Article 9(2)(a)): We process this data based on your explicit consent, which you provide when signing up. You may withdraw consent at any time by contacting your trainer or deleting your account.
4. Legal Basis for Processing
Contract Performance (Article 6(1)(b))
Providing our services, managing your account, processing payments.
Legitimate Interests (Article 6(1)(f))
Improving our services, ensuring security, preventing fraud.
Legal Obligation (Article 6(1)(c))
Tax records, responding to legal requests.
Explicit Consent (Article 9(2)(a))
Processing health and fitness data (special category data).
5. How We Use Your Data
- Service Delivery: Providing the platform, enabling trainer-client relationships, managing workouts and meal plans
- Communication: Sending service notifications, appointment reminders, and support responses
- Payment Processing: Processing subscriptions and trainer-client payments via Stripe
- AI-Assisted Features: Generating personalized workout and meal plan suggestions (see Section 6)
- Security: Protecting accounts, detecting fraud, and maintaining platform integrity
- Legal Compliance: Meeting tax, accounting, and regulatory requirements
We do not use your data for automated decision-making that produces legal effects. AI-generated plans are always reviewed and assigned by your trainer.
6. AI Processing
Scraler uses artificial intelligence (Google Gemini) to help trainers create personalized workout and meal plans. When generating plans, your fitness goals, preferences, and relevant health information may be sent to Google Gemini.
- Google does not use API data to train their models
- Data is processed under Google's Data Processing Addendum with SCCs
- All AI-generated plans are suggestions only — your trainer reviews and approves them before assignment
7. Data Sharing & Processors
We share your data only with trusted service providers under Data Processing Agreements (GDPR Article 28):
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, storage | EU (Frankfurt) |
| Vercel | Hosting, serverless functions | Global (SCCs) |
| Stripe | Payment processing | EU & US (SCCs) |
| Google (Gemini) | AI plan generation | US (SCCs) |
| Resend | Transactional emails | US (SCCs) |
| Upstash | Caching (rate limiting) | EU |
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
8. International Data Transfers
Your primary data is stored in the European Union (Frankfurt, Germany). For transfers outside the EU, we rely on Standard Contractual Clauses (SCCs), Data Processing Agreements, and supplementary measures including encryption and access controls.
You may request a copy of the relevant SCCs by contacting privacy@scraler.com.
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of account + 30 days |
| Inactive client data | 30 days after last activity, then anonymized |
| Financial/billing records | 7 years (legal requirement) |
| Chat messages | Until account deletion |
| Workout/meal history | Until account deletion |
| Security/audit logs | 3 years |
After these periods, data is either deleted or anonymized so it can no longer identify you.
10. Your Rights Under GDPR
Right of Access (Article 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
Correct inaccurate or incomplete data via your account settings.
Right to Erasure (Article 17)
Request deletion of your data ("right to be forgotten").
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format.
Right to Restrict Processing (Article 18)
Temporarily restrict how we use your data.
Right to Object (Article 21)
Object to processing based on legitimate interests.
Right to Withdraw Consent (Article 7(3))
Withdraw consent for health data processing at any time.
How to exercise your rights: Via your account settings or by emailing privacy@scraler.com. We will respond within 30 days.
Right to lodge a complaint: You may contact the Autoriteit Persoonsgegevens (Netherlands) at autoriteitpersoonsgegevens.nl.
11. Data Security
- Encryption in Transit: All data transmitted over HTTPS/TLS
- Encryption at Rest: Database encryption via Supabase (AES-256)
- Message Encryption: Chat messages encrypted in transit via TLS 1.3 and at rest via AES-256
- Access Controls: Row-level security ensures trainers can only access their own clients' data
- Authentication: Secure password hashing, optional two-factor authentication
- Regular Audits: Security monitoring and vulnerability assessments
12. UK Residents
If you are in the United Kingdom, your data is protected under the UK GDPR and the Data Protection Act 2018. Your rights are substantially similar to those under the EU GDPR (see Section 10).
UK Supervisory Authority: Information Commissioner's Office (ICO) at ico.org.uk.
13. California Residents (CCPA)
California residents have additional rights under the CCPA/CPRA:
Right to Know
Request what personal information we collect, use, and disclose.
Right to Delete
Request deletion of your personal information.
Right to Opt-Out of Sale
We do not sell your personal information.
Right to Non-Discrimination
We will not discriminate for exercising your privacy rights.
Right to Correct
Request correction of inaccurate personal information.
Right to Limit Use of Sensitive Data
Limit use of health data to service provision only.
To exercise CCPA rights, email privacy@scraler.com with subject "CCPA Request". We will respond within 45 days.
14. Children's Data
Scraler is not intended for individuals under the age of 16. Trainers must ensure they have appropriate parental consent before adding clients under 16.
If you believe we have collected data from a child without consent, contact us at privacy@scraler.com.
15. Data Breach Notification
In the event of a breach that poses a risk to your rights:
- We will notify the relevant supervisory authority within 72 hours (Article 33)
- If the breach is high risk, we will notify affected individuals directly (Article 34)
- Notification will include the nature of the breach, likely consequences, and measures taken
16. Changes to This Policy
We may update this policy from time to time. For material changes, we will notify you via email or in-app notification. Continued use after changes constitutes acceptance.
17. Contact Us
If you have questions about this policy, want to exercise your rights, or have concerns about our data practices:
Ontwikkelingsmaatschappij Boudewijn B.V.
Trading as: Scraler
Email: privacy@scraler.com
Response time: Within 30 days
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR).