Privacy Policy

Effective starting: June 24, 2022.

We are very pleased about your interest in Scotfy, our website at, and our Services. Data protection is of a particularly high priority for Scotfy, and processing your personal data when using our website is always done in accordance with the French Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).

As the controller, Scotfy of 33 rue de la République 69002 Lyon, France (hereinafter “Scotfy”, “we”, “us” or “our”) has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can always be subject to security vulnerabilities, so absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example, by telephone.

Principles of data processing

We process users’ personal data only in compliance with the relevant data protection regulations. User data is only processed if the following legal permissions exist:

  • to provide our contractual services and online services
  • processing is required by law
  • with your consent
  • based on our legitimate interests (i.e., interest in the analysis, optimization and economic operation and security of our online offer within the meaning of Art. 6 para. 1 lit. f) GDPR, in particular in measuring reach, creating profiles for advertising and marketing purposes, and collecting access data and using third-party services).

The above legal bases are set out as follows:

  • Consent Art. 6 para. 1 lit. a. and Art. 7 GDPR
  • Processing for the fulfillment of our services and implementing contractual measures Art. 6 para. 1 lit. b) GDPR
  • Processing for the fulfillment of our legal obligations Art. 6 para. 1 lit. c) GDPR
  • Processing to protect our legitimate interests Art. 6 para. 1 lit. f) GDPR

Purposes of use of personal data and legal basis

a) Log Files

We only collect and process access data that your internet browser automatically transmits to us for technical reasons to provide the website. Depending on the access protocol used, the protocol data record contains general information with the following contents: Your session data (usage behavior, length of stay, which links were clicked on, etc.), your abbreviated and unabbreviated IP address, your browser version, your operating system, your website-specific settings, your cookie IDs, your pixel IDs. This data does not allow any direct inference to your person and is processed to improve our website offer and defend against attempted attacks on our web server. The legal basis for processing your personal data is Art. 6 para. 1 lit. f) GDPR. We have a legitimate interest in presenting you with a website optimized for your browser and in enabling communication between our server and your device.

b) Cookies and similar technologies

For processing personal data using cookies and similar technologies on our website, please refer to our Cookie Policy, which is part of this privacy policy. The legal basis for processing your personal data is Art. 6 para. 1 lit. f) GDPR. We have a legitimate interest in presenting you with a functional, secure, and user-friendly website. As well as Art. 6 para. 1 lit. a) GDPR your consent in case you agree to our use of cookies.

c) Contact, inquiry, and request forms

Inquiries via our contact, inquiry, and request forms may include your name, address, email address, the subject of your contact, and your message. We process and store the personal data provided in the contact inquiry solely to process and respond to your inquiry and contact you. The legal basis for processing your personal data is Art. 6 para. 1 lit. b) GDPR.

d) Newsletter

When registering for our newsletter, you must provide your email address. Insofar as you have given us your consent to data processing when registering for the newsletter, we process and store the personal data provided when registering for the newsletter exclusively to provide the newsletter and inform you about Scotfy solutions, services and/or promotions in accordance with the newsletter you have subscribed to. The legal basis for processing your personal data is Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time with effect in the future.

e) HubSpot Chat

We use HubSpot as part of our legitimate interest in economically efficient customer communication for a live chat on our site. If the HubSpot Chat is called up, HubSpot temporarily collects the IP address at the beginning to determine the country from which the chat was started. This makes it possible to offer visitors customer service tailored to their needs. The collection of the IP address is solely for this purpose and is not permanently stored by HubSpot.

If you do not wish data to be transmitted to HubSpot, you can prevent HubSpot from setting cookies by making the appropriate settings in your browser. Please refer to our general description of cookies in this statement.

Furthermore, HubSpot saves communication in the chats. This can save you extensive explanations about your request. If you do not wish this, you are welcome to inform us of this using the contact details listed above. Stored chats will then be deleted by us immediately. We will also delete them after your inquiry has been dealt with unless they are needed for legal defense and a contract has been initiated or concluded within the scope of the chat. We (have to) retain this data as contract data.

f) Registration

If you register on our website, we will request mandatory and, where applicable, non-mandatory data in accordance with our registration form for the purposes stated below. The entry of your data is encrypted so that third parties cannot read your data when it is entered.

The basis for this storage is our legitimate interest in communicating with interested users, according to Art. 6 para. 1 lit. f GDPR and, in the case of contracts, also the storage of contract data, according to Art. 6 para. 1 lit. b GDPR.

Your data will remain stored for as long as the registration lasts; in particular, the storage is still necessary for the fulfillment/execution of the contract, for legal prosecution by us or our other legitimate interests, or if we are required by law to retain your data (e.g., within the framework of tax retention periods).

g) Convenience log in and sign up

Third-party Connect features such as Microsoft Connect are offered as an option to register with us. When registering via connect functions of third-party providers, you agree to the respective terms and conditions of these third-party providers and also consent to certain data from your respective profile being transferred to us.

  1. h) Purchases

When ordering our solutions, it is necessary, among other things, to provide your name, email address and postal address, and, if applicable, your payment data. We only process and store the personal data provided when you place an order to provide you with the ordered solutions. The legal basis for processing your personal data is Art. 6 para. 1 lit. b) GDPR.

i) Direct marketing in the context of a customer relationship

We use the data you provide to fulfill and process our contract and to respond to your inquiries in accordance with Art. 6 (1) (b) GDPR or based on your consent in accordance with Art. 6 (1) (a) GDPR. As you have also given us separate consent to process your data for consulting, quotation, and advertising purposes, Scotfy is entitled to contact you for these purposes via the communication channels you have ticked in this consent.

j) Comments and contributions in our blog or community forum

When users leave comments or other contributions, their IP addresses are stored for seven days based on our legitimate interests. This is done for our security in case someone leaves unlawful content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we can be prosecuted for the comment or post and are therefore interested in the author’s identity.

Within the blog or community forum, you may display certain profile information, share certain details, engage with others, exchange knowledge and insights, and post and view relevant content. Content and data are publicly viewable. You have choices about the information in your comment. You don’t have to provide additional information on your comment; however, information helps you to get more from our Services. It’s your choice to include sensitive information on your comment and make that sensitive information public. Please do not post or add personal data to your profile that you would not want to be available. The legal basis for the storage is our legitimate interest Art. 6 para. 1 lit. f GDPR.

  1. k) When you watch our videos and video tutorials

On our website, we implement videos on the video portal “YouTube” of the company Google Inc.

In doing so, we use Google’s “extended data protection mode” option. When you call up a page with an embedded video, a connection is established to Google’s servers, and the content is displayed on the website by notifying your browser. According to Google’s information, in “extended data protection mode,” your data – in particular, which of our Internet pages you have visited and device-specific information, including the IP address – is only transmitted to the YouTube server in the USA when you watch the video. By clicking on the video, you consent to this transmission.

If you are logged in to Google at the same time, this information will be assigned to your YouTube member account. You can prevent this by logging out of your YouTube account before visiting our website.

Updating your information

If you believe that the information we hold about you is inaccurate or that we are no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so within your user account or contact us. For your protection and the protection of all of our users, we may ask you to provide proof of identity before we can answer the above requests.

Keep in mind, that we may reject requests for certain reasons, including if the request is unlawful or if it may infringe on trade secrets or intellectual property or the privacy of another user. Also, we may not be able to accommodate certain requests to object to processing personal information, notably where such requests would not allow us to provide our service to you anymore.

Transfer of personal data

Scotfy will not disclose or otherwise distribute your personal data to third parties unless this is necessary for the performance of our services (the legal basis for processing: Art. 6 para. 1 lit. b) GDPR); you have consented to the disclosure (the legal basis for processing: Art. 6 para. 1 lit. a) GDPR) or relevant legal provisions permit the disclosure of data.

Scotfy is entitled to outsource the processing of your personal data in whole or in part to external service providers acting as processors for Scotfy pursuant to Art. 4 No. 8 GDPR within the framework of the data protection provisions. External service providers support us, for example, in the technical operation and support of the website, data management, the provision and performance of services, marketing, and the implementation and fulfillment of reporting obligations.

The service providers commissioned by Scotfy process your data exclusively in accordance with our instructions. Scotfy remains responsible for protecting your data, which is ensured by strict contractual regulations, technical and organizational measures, and additional controls by us.

Personal data may also be disclosed to third parties if we are legally obliged to do so, e.g., by court order (legal basis for processing: Art. 6 (1) (c) GDPR) or if this is necessary to support criminal or legal investigations or other legal investigations or proceedings at home or abroad or to fulfill Scotfy’s legitimate interests (the legal basis for processing: Art. 6 (1) (f) GDPR).

Scotfy will not sell, rent, or otherwise transfer your personal data to third parties. We will transfer your data to third parties if you have consented to this in accordance with Art. 6 (1) (a) GDPR or in the following cases:

Scotfy may occasionally engage other companies and individuals to fulfill its obligations to its customers on its behalf. This may involve sharing your data with these third parties to provide solutions or services to you. Examples include customer service, payment data processing, and marketing support. In these cases, data is transferred to such service providers and contractors (such as payment service providers, advertising providers, and technical service providers) to fulfill the contract in accordance with Art. 6 (1) (b) GDPR.

It goes without saying that Scotfy ensures that the respective service provider guarantees data security before passing on personal data. Scotfy will only commission companies that can guarantee secure and proper data processing based on their qualifications and technical and organizational capabilities.

Storage and retention

Your personal data will be stored by us only for as long as is necessary to achieve the purposes for which the data was collected or – if statutory retention periods exist that go beyond this point and for the duration of the legally prescribed retention period (typically 6 years). We then delete your personal data. Only in a few exceptional cases is your data be stored beyond this period, e.g., if storage is necessary for connection with the enforcement of and defense against legal claims against us.

Scotfy is entitled to process your personal data insofar as this is necessary to fulfill legal obligations. For this purpose, Scotfy may transfer this data to authorities, law enforcement agencies, and courts. In this case, the transfer of your data is required by Art. 6 (1) (c) GDPR for compliance with a legal obligation to which we are subject. Scotfy is further entitled to process personal data if and to the extent necessary to detect or prevent misuse of this website or to enforce claims of Scotfy, its employees, or users, whereby the data processing in these cases is necessary to protect these aforementioned legitimate interests of Scotfy pursuant to Art. 6 (1) (f) GDPR. Insofar as the disclosure of health data is necessary for the assertion of claims or the defense against claims, the related data processing is based on Art. 9 (2) f) GDPR.

When you send a data subject access request

The legal basis for processing your personal data in the context of handling your data subject access request is our legal obligation, and the legal basis for the subsequent documentation of t data subject access request is our legitimate interest and our legal obligation.

The purpose of processing your personal data in the context of processing data when you send a data subject access request is to respond to your request. The subsequent documentation of the data subject access request serves to fulfill the legally required accountability.

Your personal data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of processing a data subject access request, this is three years after the end of the respective process.

You have the possibility at any time to object to processing your personal data in the context of processing a data subject access request for the future. In this case, however, we cannot process your request further. The documentation of the legally compliant processing of the respective data subject access request is mandatory. Consequently, you cannot object.

Legal defense and enforcement of our rights

The legal basis for processing your personal data in the context of legal defense and enforcement of our rights is our legitimate interest.

The purpose of processing your personal data in the context of legal defense and enforcement of our rights is the defense against unjustified claims and the legal enforcement and assertion of claims and rights. Your personal data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

Processing your personal data in the context of legal defense and enforcement is mandatory for legal defense and enforcement of our rights. Consequently, you cannot object.

SSL encryption

To protect the security of your data during transmission, we use state-of-the-art encryption procedures (e.g., SSL) via HTTPS.

International transfers

Our main operations are based in France, and your personal information is generally processed, stored, and used within France and other countries in the European Economic Area (EEA). In some instances, your personal information may be processed outside the European Economic Area. If and when this is the case, we ensure an appropriate level of security so your personal information is protected like it was used in France and the EEA.

Where we need to transfer your data outside France or the EEA, we will use one of the following safeguards:

  • The use of approved standard contractual clauses in contracts for the transfer of personal data to third countries.
  • Transfers to a non-EEA country with privacy laws that give the same protection as France and the EEA.

Automated decision-making

Automated decision-making, including profiling pursuant to Art. 22 (1) and (4) GDPR does not take place on the part of Scotfy.

Social Media

Social Media Presences

We maintain an online presence on the basis of our legitimate interests. We maintain online presences within social networks and platforms to communicate with customers, interested parties, and active users. Unless otherwise stated in this policy, we process users’ data if they communicate with us within the social networks and platforms, e.g., write articles on our online presence or send us messages.

Social Media Plugins

Social media plugins normally result in every visitor to a page being immediately recorded by these services with their IP address and their further browsing behavior logged. This can happen even if you do not click the button.

To prevent this, we use the Shariff method. This means that our social media buttons only establish direct contact between the social network and you when you click on the respective share button. If you are already logged in to a social network, this is done without another window for Facebook and Google+. On Twitter, a pop-up window in which you can still edit the tweet’s text.

You can thus publish our content on social networks without them being able to create complete surf profiles. Many websites already use the Shariff method to protect their users.

But at the latest, when you call the social media platform, your data will be processed there. The social media platform will usually store cookies on your device or even save your usage behavior to your account, especially if you are logged in. The social media platform can use your data to analyze your user behavior and use it for (interest-based) advertising. This may result in advertisements being displayed to you inside and outside the social media platform.

Social Media Links

We refer to our offered social media presence with links. Unlike social media plugins, links do not lead to the social media platform finding out about your visit when you call up our site. However, like any link, they will lead to your data being processed by the social media platform at the latest when you click on it. As a rule, the social media platform will save cookies on your device or even save your usage behavior to your account, especially if you are logged in yourself. The social media platform can use your data to analyze your user behavior and use it for (interest-based) advertising. This may result in advertisements displayed to you inside and outside the social media platform.

Cooperation with processors and third parties

If,  in the course of our processing, we disclose data to other persons and companies (order processors or third parties), transmit it to them or otherwise grant them access to the data, this will only be done based on legal permission (e.g., if transmission of the data to third parties, such as to payment service providers, is necessary for the performance of the contract pursuant to Art. 6 para. 1 lit. b GDPR), you have consented, a legal obligation provides for this or based on our legitimate interests (e.g., when using agents, web hosts, etc.). If we commission third parties to process data based on a so-called “processing agreement”, this is done based on Art. 28 GDPR.

a) Facebook Remarketing

Within our website, so-called “Facebook pixels” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are a resident of the EU, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), are used. With the help of the Facebook pixel, Facebook can determine the visitors to our offer as a target group for the display of advertisements, so-called “Facebook ads”. Accordingly, we use the Facebook pixel to display the Facebook ads we placed only to those Facebook users who have also shown an interest in our website. This means that with the help of the Facebook pixel, we want to ensure that our Facebook ads correspond to the potential interest of the users and do not have a harassing effect. With the help of the Facebook pixel, we can also track the effectiveness of the Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad.

The Facebook pixel is directly integrated by Facebook when our websites are accessed and can save a so-called cookie, i.e., a small file, on your device. If you subsequently log in to Facebook or visit Facebook while logged in, your visit to our website will be noted in your profile. The data collected about you is anonymous for us, so it does not allow us to draw any conclusions about the user’s identity. However, the data is stored and processed by Facebook to make a connection to the respective user profile possible. The processing of the data by Facebook takes place within the framework of Facebook’s data usage policy. Accordingly, in Facebook’s data usage policy, you can find more information on how the remarketing pixel works and generally on the display of Facebook ads:

You can object to the collection by the Facebook pixel and use your data to display Facebook ads. To do so, you can visit the page set up by Facebook and follow the instructions there on the settings for usage-based advertising:  or declare the objection via the US page or the EU page The settings are platform-independent. The settings are platform-independent, i.e., they are applied to all devices, such as desktop computers or mobile devices.

b) Google reCAPTCHA

We use “Google reCAPTCHA” on our websites. The provider is Google Inc. The purpose of reCAPTCHA is to check whether the data input on our websites is made by a human being or by an automated program, and reCAPTCHA also protects our users from SPAM when using the message function. For this purpose, reCAPTCHA analyses the website visitor’s behavior based on various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g., IP address, time spent by the website visitor on the website, or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run entirely in the background. Website visitors are not informed that an analysis is taking place. We have a legitimate interest in protecting our offers from abusive automated spying and our users from SPAM.

c) Mautic

We use the marketing tool Mautic. The provider is Acquia Inc, 53 State St, Boston, Massachusetts 02109, USA. Mautic is a tool for optimizing and automating our marketing activities. With Mautic, we can, among other things, build landing pages and forms, plan and evaluate marketing campaigns and manage our customer data.

Furthermore, we can analyze the user behavior of our website visitors. Based on this information can be used to trigger further marketing campaigns. For example, we can determine which customers have made a download from our site and are therefore eligible for certain and is therefore eligible for certain further marketing measures.

Mautic uses technologies that enable user recognition across pages to analyze user behavior. Website visitors receive an individual ID with which they can be recognized the next time they visit the website. Furthermore, the IP address, the user’s language, visited URLs, and the time of access.

The use of Mautic takes place based on the legitimate interest of the responsible for optimizing its marketing campaigns. Insofar as consent was requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.

d) Google Analytics

We use Google Analytics, a service provided by Google Inc. This means that the data collected can be transmitted to a Google server in the USA, whereby the IP addresses are anonymized by means of IP anonymization so that an allocation is not possible. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can object to the collection and processing of this data by Google Analytics by setting an opt-out cookie that prevents the future collection of your data when you visit this website:

e) Google Tag Manager

We use Google Tag Manager, a web analytics service provided by Google, Inc. (“Google”). This service allows website tags to be managed via an interface. The Google Tag Manager only implements tags. No cookies are set, and no personal data is collected. The Google Tag Manager triggers other tags that may collect data. The Google Tag Manager does not access this data.

If deactivation has been made at the domain or cookie level, it remains in place for all tracking tags as these are implemented with the Google Tag Manager. More information on the Google Tag Manager can be found at the following link: This service transmits data to the USA.

f) Hotjar

We use Hotjar to better understand our users’ usage patterns and needs and optimize our services and user experience. Hotjar allows us to better understand the user experience on our websites (i.e., how long users spend on which of our websites, which links they click on, what they like and don’t like, etc.) so that we can tailor our offerings based on user feedback.

Hotjar uses cookies and other technologies to collect information about users’ behavior and devices (in particular, a device’s IP address (which is collected and stored in anonymized form), screen size, device type (unique device identifiers), browser information, geographical information (on a country-by-country basis only), preferred language for viewing our website). Hotjar stores this data in a pseudonymized user profile. Neither Hotjar nor we use this data to identify individual users, nor is the data merged with other data about individual users. You can object to the creation of user profiles, the storage of data about your use of our website by Hotjar, and the use of tracking cookies by Hotjar on other websites at any time by following this link

g) Hubspot

When you visit certain sections of our website, our partner HubSpot uses the cookie listed below for functionality, performance, and tracking of visitors. This cookie is used to keep track of a visitor’s identity. This cookie is passed to HubSpot on form submission and used when deduplicating contacts. Please refer to HubSpot’s usage policy for more information. The legal basis for the collection and processing of the data is Art. 6 (1) f GDPR. The legitimate interest in collecting and processing the data is to evaluate your use of the website, compile reports on website activity, and provide the website operator with other website and internet use services.

h) Wistia

We have integrated components from Wistia on our website. Wistia is operated by Wistia, Inc., 17 Tudor Street, Cambridge, MA 02139, USA. The integration requires that Wistia can perceive the IP address of the user. The IP address is required to send the content to the user’s browser. Suppose you call up a single page of our website on which a Wistia component (video) is located. In that case, your internet browser will be prompted by the component to download a corresponding representation of the component. In this way, Wistia knows which specific sub-pages you have visited. If you are logged in to Wistia simultaneously, Wistia can track which of our sub-pages contains a video you have visited.

If you do not want the information transmitted to Wistia, log out of Wistia before you visit our website.

i) Polylang

For the multilingualism of our website, we use the program Polylang. Polylang is a product of WP SYNTEX, 28, rue Jean Sebastien Bach, 38090 Villefontaine, France. We write post pages and create categories and publish tags as usual and then define the language for each of them. Cookies from Polylang are set exclusively to recognize and record the language used or chosen by the user. These cookies remain stored for one year and are then deleted. The use of Polylang is based on your consent according to Art. 6 (1) (f) GDPR.

j) Cloudflare

We use Cloudflare on this website from Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) to make the website faster and more secure. Cloudflare provides web optimization and security services to enhance and protect websites. These include a reverse proxy, a passthrough security service, and a content distribution network. Cloudflare collects information from website visitors. This information may include but is not limited to IP addresses, system configuration information, and other information about traffic to and from the website. Cloudflare collects and uses log data to operate, maintain and improve its services following customer agreements. For example, log data may help Cloudflare detect new threats, identify malicious third parties and provide more robust security protection to this website.

Your Rights

You have several Data Subject Rights. Below is some information on what they are and how you can exercise them. There is more information on the Commission Nationale de l’Informatique et des Libertés (CNIL) website (

  • Information about the processing of your personal data.
  • Obtain access to the personal data held about you.
  • Ask for incorrect, inaccurate, or incomplete personal data to be corrected.
  • Request that personal data be erased when it’s no longer needed or if processing it is unlawful.
  • Object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation.
  • Request the restriction of the processing of your personal data in specific cases.
  • Receive your personal data in a machine-readable format and send it to another controller (data portability).
  • Request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers.
  • You also have the right in this case to express your point of view and to contest the decision
  • Where the processing of your personal information is based on consent, you have the right to withdraw that consent without detriment at any time through our contact form.

The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal personal information about another person, if you ask us to delete information that we are required to have by law, or if we have compelling legitimate interests to keep it.

We will let you know if that is the case and will only use your information for these purposes. You may also be unable to continue using our services if you want us to stop processing your personal information.

We encourage you to contact us if you have any concerns about how we collect or use your personal information. However, you also have the right to complain directly to the CNIL; their contact details can be found on their website (

Security and confidentiality

To ensure the security and confidentiality of the personal data we collect on the website, we use data networks that are protected by, among other things, industry-standard firewalls and password systems. When handling your personal information, we take appropriate technical and organizational measures to protect your information from loss, misuse, unauthorized access, disclosure, alteration, or destruction and ensure its availability.

Personal information and children

The services available on this website are aimed at people aged 18 and over. We will not knowingly collect, use or disclose personal information from minors under the age of 18 without first obtaining consent from a legal guardian through direct offline contact. The parent or guardian will be provided with (i) information about the specific type of personal information being collected from the minor, (ii) the purpose for which it will be used, and (iii) the opportunity to object to any further collection, use or storage of such information. We comply with youth protection laws.


This policy and our commitment to protecting the privacy of your personal data can result in changes to this policy. Please regularly review this policy to keep up to date with any changes.

Queries and Complaints

Any comments or queries on this policy should be directed to us using the following contact details.

33 rue de la République 69002 Lyon, France
Contact us

If you believe that we have not complied with this policy or acted otherwise following data protection law, you should notify us. You can also make a referral to, or lodge a complaint with, the CNIL.