Scampy← Back to home
Legal

GDPR Compliance

Last updated: 29 April 2026

Scampy is committed to the principles of the UK GDPR, EU GDPR, and the Data Protection Act 2018. This page summarises how we meet our obligations and how you can exercise your rights as a data subject.

1. Data controller and DPO

Scampy Ltd. is the data controller for personal data processed through our consumer apps and websites. You can reach our Data Protection Officer at dpo@scampy.app or by post at Scampy Ltd., Data Protection Officer, 1 Finsbury Avenue, London EC2M 2PF, United Kingdom.

2. EU representative

Under Article 27 GDPR our representative in the European Union is DataRep, Alexandra Park, Dublin, Ireland. You may contact them with any concern about how we process personal data of EU residents.

3. Lawful bases we rely on

  • Contract. To provide the service you have signed up for.
  • Legitimate interests. To secure the platform, prevent fraud, and improve product quality. We document a balancing test for each use.
  • Consent. For marketing communications, optional analytics, and any processing of special category data.
  • Legal obligation. To respond to lawful requests and comply with tax, accounting, and other applicable laws.

4. Your rights

If you are in the UK, EU, or EEA you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data (the “right to be forgotten”).
  • Restrict or object to certain processing, including direct marketing.
  • Receive your data in a portable, machine readable format.
  • Withdraw consent at any time, without affecting prior processing.
  • Lodge a complaint with a supervisory authority such as the UK ICO or your local EU regulator.

5. How to make a request

Email dpo@scampy.app from the address on your account, or use the “Download my data” and “Delete my account” tools in settings. We respond within 30 days; if a request is complex we may extend by a further 60 days and will tell you why.

6. International transfers

Where personal data leaves the UK or EEA we use the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another safeguard recognised by the relevant regulator. A list of sub processors and their locations is available on request.

7. Records of processing

We maintain records of processing activities under Article 30 GDPR and conduct Data Protection Impact Assessments before launching features that involve significant new risks to data subjects.

8. Breach notification

We notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where required, and notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

9. Vendor due diligence

Every processor that touches personal data is reviewed for security, location, sub processing, and contractual safeguards before onboarding, and reassessed annually.

10. Contact

For any question about this notice or your rights, write to dpo@scampy.app.