Legal · Privacy

Privacy Policy

Last updated: 2026-05-01. This is the draft Privacy Policy that applies while Syttra is in private beta.

Draft document. This policy will be reviewed by legal counsel before General Availability. If you're a beta user with a specific concern, email privacy@syttra.com and we'll address it directly.

1. Who we are

Syttra is a web scraping service operated as a solo project by Filip Van Landuyt, based in Belgium. Contact: hello@syttra.com.

For the purposes of the EU General Data Protection Regulation (GDPR), Syttra is the data controller for personal data collected through syttra.com and the Syttra API.

2. What data we collect

We collect only what we need to run the service:

Account data: email address (from your beta request or future signup), company name if you provide it.
API usage data: URLs you submit for scraping, the jobs created on your behalf, request/response timing, HTTP error codes, IP address of the API caller for rate limiting and abuse detection.
Content data: the scraped web pages you request — stored temporarily to deliver them back to you, then deleted.
Technical data on syttra.com: anonymized visit statistics (page views, referrer, approximate country). We do not use tracking cookies, third-party advertising pixels, or session replays.
Communications: emails you send us and our replies.

3. Why we collect it (legal basis)

We process your data under the following GDPR legal bases:

Contract performance (Art. 6(1)(b)) — to deliver the scraping API you signed up for: executing jobs, returning results, billing (post-launch).
Legitimate interest (Art. 6(1)(f)) — abuse prevention (rate limiting, fraud detection), service security, and aggregated analytics to improve the product.
Legal obligation (Art. 6(1)(c)) — tax record retention for invoicing (post-launch).

4. How long we keep it

Scraped content: 24 hours after job completion, then permanently deleted.
Job metadata (URL, timestamps, status, page count): 30 days, for debugging and usage reporting.
Account data: until you delete your account, or 12 months of inactivity (we'll email first).
Invoices and billing records: 7 years (Belgian tax law requirement, post-launch only).
Support emails: 24 months after the thread concludes.

5. Where your data lives

All personal data and scraped content is stored in the European Union — specifically Amazon Web Services in Frankfurt, Germany (eu-west-1 / eu-central-1). The website syttra.com is served from Vercel's global CDN, but no personal data is stored there.

We do not transfer personal data outside the EU/EEA. If that ever changes (e.g. an enterprise customer in the US), we'll rely on Standard Contractual Clauses and update this policy before doing so.

6. Who we share it with

We don't sell your data. We share only with service providers who help us run Syttra:

Amazon Web Services (AWS) — hosting, database, storage, compute (eu-west-1).
Vercel — hosting the marketing site (syttra.com, no personal data stored there).
Payment processor (post-launch, likely Stripe) — payment and invoice processing.
Email provider — transactional and support emails.

Each is bound by a Data Processing Agreement. We don't share data with advertisers, data brokers, or third-party analytics platforms that build profiles across sites.

7. Your rights under GDPR

If you're in the EU/EEA (or anywhere, really — we extend these rights globally):

Access: request a copy of all personal data we hold on you.
Rectification: correct inaccurate data.
Erasure ("right to be forgotten"): delete your account and associated data. Done within 30 days unless we're legally required to keep something (e.g. invoices).
Portability: export your data in a machine- readable format.
Restriction: ask us to stop processing while a dispute is resolved.
Objection: object to processing based on legitimate interest.
Complaint: file a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be) if you think we've mishandled your data.

Self-service. Access, portability, and erasure are one-click in your dashboard at /dashboard/settings under Privacy & data. The export is a JSON file containing every field we hold about your account, your API keys, and the metadata of every job. Deletion is immediate and cascades to all related rows in a single transaction.

For the other rights (rectification, restriction, objection, complaint), or anything the self-service surface doesn't cover, email privacy@syttra.com. We respond within 30 days; in practice within 7.

8. About scraped content

When you use the Syttra API to scrape a website, that content is fetched from the public internet and processed on your behalf. The content may include third-party personal data (e.g. names on a public webpage). By submitting a scrape job, you represent that you have the legal right to process that data for your stated purpose.

Syttra respects robots.txt and refuses jobs for sites whose Terms of Service prohibit automated access. This is enforced at the crawler level, not just a policy on paper.

9. Security

All traffic uses TLS 1.2+ (HTTPS everywhere).
API keys are hashed (SHA-256) at rest — we never store plaintext.
Database and storage encrypted at rest (AWS defaults).
Access to production infrastructure is limited to the operator and audited.
No third-party JavaScript on syttra.com that could exfiltrate data.

10. Changes to this policy

If we change this policy materially, we'll notify you by email before the change takes effect and post the new version here with an updated "last updated" date. Minor editorial changes (typos, clarifications) happen without notice.

11. Contact

Privacy matters: privacy@syttra.com
General: hello@syttra.com