Trust & Security

How we protect your data, stay compliant, and operate legally.

Public web only
GDPR-ready
DPA included
Security audited

What We Collect

We Do Collect
Publicly visible product pages
Prices, stock levels, descriptions
Seller names on marketplaces
Ratings and reviews (aggregate)
Promotional banners and badges

We Don't Collect
Anything behind logins
Personal customer data (PII)
Private account information
Paywalled or gated content
Internal pricing or inventory systems

The rule: If a normal shopper can see it without logging in, we can collect it. Nothing more.

Legal Position

Public Data Collection
We focus on publicly available pages. In the U.S., courts (e.g., the Ninth Circuit in hiQ Labs v. LinkedIn) have held that accessing public pages isn't necessarily "without authorization" under the CFAA in that context.
Our approach:
We only collect data from public, unauthenticated pages
We respect robots.txt as a signal (not a legal barrier)
We do not circumvent CAPTCHAs or access controls
We pace requests to minimize site impact
Available on Request
Legal memo with counsel sign-off for your jurisdiction. We can provide documentation explaining our legal position and practices for your compliance review.

Privacy Compliance

GDPR
Data processor under Article 28
DPA signed with all customers
DSAR assistance on request
72-hour breach notification
Named DPO for EU customers

CCPA
No personal information sold
No consumer PII collected
Business contact data handled per CCPA
Deletion requests honored

Data Security

Control: Detail
Encryption in transit: TLS 1.2+ for all data transfers
Encryption at rest: AES-256 per NIST standards
Access control: Customer data restricted to senior team only
Vulnerability scanning: Regular automated scans
Penetration testing: Annual third-party tests (summary available)
Certifications: SOC 2 controls roadmap available on request
Data residency: EU and US options available

Data Retention & Deletion

Stage: Retention
Active project data: Duration of engagement + 14 days
Production systems: Removed within 14 days of project end
Backups: Purged per backup rotation schedule
On request: Signed deletion certificate provided

We never resell customer data.

Contracts & Documents

Available for all customers:

NDA: Non-Disclosure Agreement (Ready to sign)
DPA: GDPR Article 28 compliant (Ready to sign)
MSA: Master Service Agreement (For enterprise)
Security Summary: Pen test & controls overview (On request)
Legal Memo: Public data scraping position (On request)
Subprocessor List: With notification process (Available)

Need Compliance Documents?

Request our DPA, security summary, or legal memo. We'll send within 24 hours.
