GDPR Compliance
Last updated: May 27, 2026
This page explains how brezel.ai ("brezel.ai," "we") applies the European Union General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) when you use BrezelScraper (the "Service"). It is a focused companion to our Privacy Policy, which is the canonical record of what data we process and why.
1. Who is the controller, who is the processor
The roles under GDPR depend on which slice of data we are talking about:
- For your account data (email, name, billing, support communications) — brezel.ai is the controller. We decide why and how to process that data, as described in the Privacy Policy.
- For the business data you scrape through the Service — you (the user) are the controller, and brezel.ai acts as your processor. You decide the search criteria, the purpose of the collection, and what happens to the data after export. We process it on your documented instruction (your job configuration) and for no other purpose.
2. Lawful basis for processing (Article 6)
We process personal data on the following lawful bases:
- Contract (Art. 6(1)(b)) — to provide the Service to you, including authentication, billing, and operating the scraper.
- Legal obligation (Art. 6(1)(c)) — to retain financial records, respond to lawful requests from authorities, and handle tax-reporting requirements.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service against fraud and abuse, debug failures, and improve product quality based on aggregated usage. We have balanced these interests against your rights and concluded that the processing is necessary and proportionate.
- Consent (Art. 6(1)(a)) — for the limited cases where we ask explicitly (for example, when you connect a Google account to enable Sheets export, we rely on your OAuth consent scoped to the permissions you grant).
3. Your rights as a data subject
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights with respect to your personal data:
- Access (Art. 15) — request a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17, "right to be forgotten") — request deletion of your account and associated personal data by emailing [email protected] from the address on your account. We honour verified requests within 30 days. Residual copies in encrypted backups are overwritten on the normal backup-rotation cycle, aligned with our retention policy.
- Restriction (Art. 18) — limit how we process your data while a complaint is investigated.
- Portability (Art. 20) — receive your data in a structured, machine-readable format. Job exports are already downloadable as CSV; for account-level data, write to [email protected].
- Objection (Art. 21) — object to processing based on legitimate interests.
- No automated decision-making (Art. 22) — we do not make decisions about you based on solely automated processing that produces legal or similarly significant effects.
To exercise any of these rights, email [email protected] from your account address. We respond within 30 days. Identity verification may be required for sensitive requests.
4. International data transfers
We are a U.S. company operating on cloud infrastructure located in the European Union, with some sub-processors located in the United States or other jurisdictions. Where we transfer personal data of EEA / UK / Swiss data subjects to a country that has not received an adequacy decision from the European Commission (or the equivalent UK or Swiss authority), the transfer is covered by the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, the Swiss Addendum, or another lawful mechanism. Where third-party processors named in the Privacy Policy are involved, each commits to GDPR-aligned terms in its respective Data Processing Addendum.
5. Data protection contact
The point of contact for all GDPR and data-protection matters is: [email protected]. If you are located in the EEA or UK, contact us at the same address and we will route your request appropriately.
6. Right to lodge a complaint
If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority in your EU/EEA Member State of residence, place of work, or place of the alleged infringement (Art. 77). We would appreciate the opportunity to address your concerns first — please reach out to [email protected].
7. Our obligations as a processor
When we act as your processor — for scraped business data you direct us to collect — we commit to:
- Process the data only on your documented instructions;
- Ensure that personnel with access are bound by confidentiality;
- Implement appropriate technical and organizational security measures (see our Security page);
- Engage sub-processors only with our customary safeguards; the categories of sub-processors we rely on are described in the Privacy Policy §7, and the complete named list — including legal entity, processing location, and the categories of data each receives — is provided in our Data Processing Addendum on request;
- Assist you, to the extent reasonably possible, with data-subject requests directed to you about the data you processed via the Service;
- Notify you without undue delay of any personal-data breach affecting the data we process on your behalf;
- Return or delete personal data at the end of the engagement, at your choice.
Customers with their own GDPR compliance program who require a signed Data Processing Addendum (DPA) can request one by emailing [email protected].
8. Contact
brezel.ai
[email protected]
