GDPR Compliance
Last updated: 2026-06-23
The EU General Data Protection Regulation (GDPR) is the most comprehensive change to EU data privacy law in decades. It took effect on 25 May 2018. Scrupp is operated by Wism Corp Ltd (company number 15297767, registered office 24-26 Arcadia Avenue, Fin009, London, N3 2JU, United Kingdom) trading as Scrupp. We work hard to comply with the GDPR and apply its principles as we build new services.
Scrupp is an all-in-one B2B outreach platform. It lets customers (1) scrape leads from sources such as LinkedIn, Sales Navigator and Apollo, (2) enrich those leads with verified emails, phone numbers and firmographic data, and (3) run cold-email outreach — sending from connected Gmail or Outlook mailboxes via OAuth and from pre-warmed inboxes, with sequences, warmup, deliverability monitoring and a unified reply inbox. This statement explains how the GDPR applies across those activities.
Does this affect me?
The GDPR applies to the personal data of any EU resident, regardless of where the processor or controller is located. If you use Scrupp purely to reach businesses outside the EU, the regulation may not apply to that activity. But if any of your prospects, leads or recipients are in the EU, you should pay close attention to it. In practice, most companies need to take the GDPR into consideration.
Controller and processor roles
The "data controller" is the entity that determines the purposes and means of the data processing taking place. The "data processor" is an entity acting on behalf of a controller in processing personal data. Scrupp's role depends on the data in question.
You are the controller for the prospect, lead and outreach data you source, enrich and send to. You decide which contacts to target, what messages to send, and the purpose and legal basis for that processing. Scrupp acts as your processor when it enriches that data on your instruction, sends email on your behalf from your connected mailboxes or pre-warmed inboxes, and processes the replies and message content that flow back into your unified inbox.
Scrupp is the controller for your own account, billing and usage data — the information we need to provide the service, bill you, analyze usage, prevent fraud and comply with applicable law.
Data Processing Addendum
Because Scrupp is in most cases a processor for your prospect and outreach data, under Article 28 of the GDPR you, as a data controller, need a data processing addendum (DPA) signed with your processors. We've made this simple and have the contract ready to be signed. You can find our DPA at scrupp.com/data-protection, or request a signed copy by emailing iv@scrupp.com.
Lawful bases for processing
Where Scrupp acts as a controller for account, billing and usage data, we rely on (a) contract — processing necessary to provide the service you have signed up for; (b) legitimate interests — to secure, improve and analyze the service and to prevent fraud and abuse; and (c) legal obligation — to meet accounting, tax and regulatory requirements.
When sourcing publicly available B2B contact data, we rely on the legitimate interest of businesses in connecting with one another. As the controller of the prospect and outreach data you process through Scrupp, you are responsible for identifying and documenting an appropriate lawful basis for your own use of that data — including any direct-marketing or cold-email sending — and for honoring any applicable consent, suppression and opt-out requirements.
Outreach, sending and connected-mailbox data
When you run outreach through Scrupp, our processing on your behalf may include the content of the messages you send, the contents and metadata of replies, and the credentials and metadata of the mailboxes you connect (for example, Gmail or Outlook accounts authorized via OAuth, or pre-warmed sending inboxes). We process this data only to deliver the sending, warmup, deliverability-monitoring and unified-inbox features you have enabled, and to operate the service. Mailbox access is granted through OAuth and can be revoked by you at any time from your account or your email provider.
Data-subject rights
Data subjects have the right to access, rectify, erase, restrict and object to the processing of their personal data, as well as the right to data portability. Where Scrupp is the controller (account, billing and usage data), you may exercise these rights by emailing iv@scrupp.com, and we will respond within one month as required by the GDPR.
Where Scrupp is acting as your processor (the prospect and outreach data you manage), requests from your prospects or recipients should generally be directed to you as the controller. If we receive such a request directly, we will forward it to you and assist you in responding, in line with our DPA.
Right of erasure
If you are a data subject who appears in our B2B contact database and would like to be removed, email iv@scrupp.com from the address you want removed (or include a verifiable reference to the profile in question). We process erasure requests within 30 days as required by Article 17 GDPR and notify any downstream recipients to whom the data may have been disclosed.
International data transfers
Our core servers and backups are located within the EU. Some of the sub-processors we rely on to operate the platform (for example, cloud hosting and email-sending providers) may process limited data outside the EU/EEA. Where that occurs, we put appropriate safeguards in place, including the European Commission's Standard Contractual Clauses (SCCs) and, where relevant, the UK International Data Transfer Addendum, so that your data continues to receive an adequate level of protection.
Sub-processors
To provide the service we engage a limited set of trusted sub-processors, each bound by data-protection terms consistent with our DPA. These include:
• Amazon Web Services (AWS) — cloud storage and infrastructure.
• Stripe — payment and billing processing.
• Google Workspace and Microsoft 365 — OAuth-connected sending mailboxes.
• Third-party SMTP, sending and warmup providers — cold-email delivery, pre-warmed inboxes, warmup and deliverability monitoring.
• AI providers (OpenAI, Google Gemini, OpenRouter) — AI-assisted features such as message drafting, classification and enrichment.
• PostHog — product analytics and usage monitoring.
An up-to-date list of sub-processors is available on request by emailing iv@scrupp.com.
Where our data is stored
We store and process our primary data within the EU, including our off-site backups. Where a sub-processor necessarily processes data elsewhere, the transfer safeguards described above apply.
Log retention
To improve and debug the service and to prevent fraud, we keep a variety of logs. We ensure logs are destroyed no later than 2 months after their collection date. We never use those logs for anything other than monitoring and debugging.