Privacy Policy
Your privacy matters to us. This policy explains how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR).
Data Controller
The data controller responsible for your personal data is:
Ontwikkelingsmaatschappij Boudewijn B.V.
Trading as: Scraler
Chamber of Commerce (KvK): 74174622
Country: The Netherlands
Email: privacy@scraler.com
For trainers and studios using Scraler to manage their clients, the trainer/studio acts as the data controller for their clients' data, and Scraler acts as a data processor on their behalf under Article 28 GDPR.
Data We Collect
We collect the following categories of personal data:
For Trainers & Studios:
- Account information (name, email, password)
- Business information (studio name, address, subdomain)
- Payment and billing information (processed via Stripe)
- Usage data (feature usage, login times)
For Clients (via Trainers):
- Identity data (name, email, phone, date of birth, gender)
- Profile photo
- Communication data (chat messages, which are end-to-end encrypted)
- Payment data for trainer services (processed via Stripe Connect)
Automatically Collected Data:
- IP address and approximate location (country/region)
- Browser type and version
- Device type and operating system
- Pages visited and feature usage
- Timestamps and session duration
Note: Health and fitness data is classified as "special category data" under GDPR Article 9 and is detailed in the next section.
Health & Fitness Data (Article 9)
To provide personalized fitness and nutrition coaching, we process the following special category data as defined by GDPR Article 9:
- Physical measurements: Height, weight, body measurements, body fat percentage
- Health information: Medical conditions, injuries, physical limitations
- Dietary information: Allergies, dietary restrictions, food intolerances
- Fitness data: Workout performance, exercise records, strength metrics (1RM)
- Progress data: Progress photos, weight tracking, body composition changes
- Nutrition logs: Food intake, macro tracking, meal plan adherence
Legal Basis (Article 9(2)(a)): We process this data based on your explicit consent, which you provide when signing up as a client with your trainer.
You may withdraw this consent at any time by contacting your trainer or deleting your account. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6):
Contract Performance (Article 6(1)(b))
Providing our services, managing your account, processing payments
Legitimate Interests (Article 6(1)(f))
Improving our services, ensuring security, preventing fraud
Legal Obligation (Article 6(1)(c))
Tax records, responding to legal requests
Explicit Consent (Article 9(2)(a))
Processing health and fitness data (special category data)
How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: Providing the Scraler platform, enabling trainer-client relationships, managing workouts and meal plans
- Communication: Sending service notifications, appointment reminders, and support responses
- Payment Processing: Processing subscriptions and trainer-client payments via Stripe
- AI-Assisted Features: Generating personalized workout and meal plan suggestions (see Section 6)
- Security: Protecting accounts, detecting fraud, and maintaining platform integrity
- Legal Compliance: Meeting tax, accounting, and regulatory requirements
We do not use your data for automated decision-making that produces legal effects. AI-generated plans are always reviewed and assigned by your trainer.
AI Processing & Automated Features
Scraler uses artificial intelligence to help trainers create personalized workout and meal plans for their clients.
How AI is Used:
- Generating workout plan suggestions based on fitness goals and preferences
- Creating meal plan recommendations based on dietary requirements and macro targets
- Suggesting recipes that match nutritional needs
AI Provider:
We use OpenAI (OpenAI, L.L.C., USA) to power these AI features. When generating plans:
- Your fitness goals, preferences, and relevant health information may be sent to OpenAI
- OpenAI does not store or use API data to train their models
- Data is processed under OpenAI's Data Processing Addendum with Standard Contractual Clauses (SCCs)
Human Oversight: All AI-generated plans are suggestions only. Your trainer reviews and approves any plan before it is assigned to you. You are never subject to decisions based solely on automated processing.
Data Sharing & Processors
We share your data only with trusted service providers who process data on our behalf under Data Processing Agreements (DPAs) as required by GDPR Article 28:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) |
| Vercel | Hosting, serverless functions | Global (SCCs) |
| Stripe | Payment processing | EU & US (SCCs) |
| OpenAI | AI plan generation | US (SCCs) |
| Resend | Transactional emails | US (SCCs) |
| Upstash | Caching (rate limiting) | EU |
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
International Data Transfers
Your primary data is stored in the European Union (Supabase, Frankfurt, Germany). However, some of our service providers process data outside the EU.
Transfer Safeguards:
For transfers to countries without an EU adequacy decision (such as the USA), we rely on:
- Standard Contractual Clauses (SCCs) approved by the EU Commission (Decision 2021/914)
- Data Processing Agreements with all processors
- Supplementary measures including encryption and access controls
You may request a copy of the relevant SCCs by contacting privacy@scraler.com.
Data Retention
We retain your data only for as long as necessary for the purposes outlined in this policy:
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of account + 30 days |
| Inactive client data | 30 days after last activity, then anonymized |
| Financial/billing records | 7 years (legal requirement) |
| Chat messages | Until account deletion |
| Workout/meal history | Until account deletion |
| Security/audit logs | 3 years |
After these periods, data is either deleted or anonymized so it can no longer identify you.
Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15)
Request a copy of all personal data we hold about you
Right to Rectification (Article 16)
Correct inaccurate or incomplete data via your account settings
Right to Erasure (Article 17)
Request deletion of your data ("right to be forgotten")
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format (JSON/CSV)
Right to Restrict Processing (Article 18)
Temporarily restrict how we use your data
Right to Object (Article 21)
Object to processing based on legitimate interests
Right to Withdraw Consent (Article 7(3))
Withdraw consent for health data processing at any time
How to Exercise Your Rights:
- Access, Rectification, Erasure: Via your account settings or by emailing privacy@scraler.com
- Data Export: Request via your account settings (My Account → Download My Data)
- Other requests: Email privacy@scraler.com
We will respond to your request within 30 days. If we need more time, we will inform you within the initial 30-day period.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. For the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in Transit: All data is transmitted over HTTPS/TLS
- Encryption at Rest: Database encryption via Supabase
- End-to-End Encryption: Chat messages are encrypted so only you and your trainer can read them
- Access Controls: Row-level security ensures trainers can only access their own clients' data
- Authentication: Secure password hashing, optional two-factor authentication
- Regular Audits: Security monitoring and vulnerability assessments
While we implement industry-standard security measures, no system is 100% secure. We encourage you to use a strong, unique password and enable two-factor authentication.
UK Residents
If you are located in the United Kingdom, your personal data is protected under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Your rights under UK GDPR are substantially similar to those under EU GDPR (see Section 10). You have the same rights of access, rectification, erasure, portability, restriction, and objection.
UK Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Your CCPA Rights:
Right to Know
Request what personal information we collect, use, disclose, and sell
Right to Delete
Request deletion of your personal information
Right to Opt-Out of Sale
We do not sell your personal information to third parties
Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights
Right to Correct
Request correction of inaccurate personal information
Right to Limit Use of Sensitive Data
Limit use of sensitive personal information (health data) to service provision only
Categories of Personal Information Collected:
- Identifiers: Name, email, phone number, IP address
- Commercial information: Purchase history, subscription status
- Internet activity: Browsing history, feature usage
- Sensitive personal information: Health data, fitness metrics (with consent)
To exercise your CCPA rights, email privacy@scraler.com with the subject "CCPA Request". We will respond within 45 days.
Do Not Sell My Personal Information: Scraler does not sell personal information. We do not engage in cross-context behavioral advertising.
Children's Data
Scraler is not intended for use by individuals under the age of 16.
Trainers must ensure they have appropriate parental consent before adding clients under 16 to the platform. If you believe we have collected data from a child under 16 without appropriate consent, please contact us immediately at privacy@scraler.com.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours (GDPR Article 33)
- If the breach poses a high risk, we will notify affected individuals directly (GDPR Article 34)
- Notification will include the nature of the breach, likely consequences, and measures taken
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top
- For significant changes, we will notify you via email or in-app notification
- Continued use of Scraler after changes constitutes acceptance
We recommend reviewing this policy periodically.
Contact Us
If you have questions about this Privacy Policy, want to exercise your rights, or have concerns about our data practices:
Company Address
Ontwikkelingsmaatschappij Boudewijn B.V.
The Netherlands
GDPR Compliance Commitment
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). If you have any concerns, please don't hesitate to contact us.