ScoutingAPI

Privacy Policy

This policy explains what personal data ScoutingAPI processes, why, who we share it with, and the rights you have. It covers two distinct groups: our customers and account holders, and the people whose public accommodation data appears in our API results.

Effective 2 July 2026
Last updated 2 July 2026

Overview & who we are

ScoutingAPI (“ScoutingAPI”, “we”, “us”) operates a unified accommodation-data API and Model Context Protocol (MCP) server that returns availability, search and price-comparison data across platforms such as Airbnb, Booking.com, Vrbo and Google Hotels. We are a read-only resale layer over data that is collected from publicly reachable, non-authenticated web pages. We are the controller of the personal data described in this policy.

This policy covers two populations of personal data: (A) our own customers and account holders and their usage telemetry, and (B) data subjects who appear in scraped public content — hosts, reviewers and people who may be incidentally depicted in a listing. Both are addressed below.

Scope

The data we process

A. Customer & account data

  • Account identity. Your name (optional), email address, and any identity returned by a sign-in provider (Google or GitHub) when you use social sign-in.
  • Authentication data. A salted password hash (if you sign up with email), email-verification and password-reset tokens, and session cookies.
  • Billing identity. Your subscription and top-up records and a Stripe customer identifier. Card and payment data are handled by Stripe — we never see or store your full card number.
  • Usage telemetry. API request metadata — endpoint, platform(s), timestamps, credits charged, HTTP status, and the request’s IP address and user-agent — retained for security and abuse analytics. API keys and OAuth tokens are stored only as one-way hashes and are never logged.
  • Support & correspondence. Messages you send us and their contents.

B. Scraped public accommodation data

To answer a query, our sources fetch public, non-authenticated listing and review pages. That public content can contain limited personal data:

  • Host or owner public display names, and “superhost”-style status flags.
  • Reviewer public display names and the free text of public reviews.
  • Owner responses to public reviews.
  • Listing photographs (which may incidentally depict people). We never rehost photographs — we pass through the source image URL or omit it.

We deliberately do not collect contact details (email, phone, postal address) of third parties, payment data of third parties, government identifiers, or anything behind a login. We do not attempt to de-anonymize individuals, join identities across platforms, or enrich records with personal data from other sources.

How and why we use data

  • Provide and operate the service — authenticate requests, run and normalize queries, meter credits, and return results.
  • Billing — manage subscriptions, top-ups and the credit ledger through Stripe.
  • Security, abuse prevention & reliability — verify email before live credits are usable, detect free-tier farming and leaked keys, enforce rate limits, and monitor for anomalies.
  • Support & service communications — verification and password-reset emails, billing notices, and material changes to the service or this policy (sent via our email provider).
  • Legal compliance — respond to lawful requests, takedown notices and data-subject requests, and keep required financial records.

Legal bases (GDPR)

Where the EU/UK GDPR applies, we rely on the following lawful bases:

  • Contract (Art. 6(1)(b)) — to create and operate your account and deliver the API you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to secure the service against abuse, to operate a data-availability service over already-public information, and to meter usage. For scraped public content we maintain a documented Legitimate Interests Assessment, process only data the source already displays publicly, minimize it, and honor objection and erasure requests.
  • Legal obligation (Art. 6(1)(c)) — to keep financial records and to respond to valid legal and data-subject requests.
  • Consent (Art. 6(1)(a)) — where we ask for it, for example non-essential cookies; you may withdraw consent at any time.

Sharing & sub-processors

We do not sell personal data. We share it only with the service providers (“sub-processors”) below, each bound by a data-processing agreement and permitted to use the data only to provide their service to us. This list is kept current; material changes are announced per this policy.

ScoutingAPI sub-processors

Sub-processor | Purpose | Data exposed
Apify | Source data acquisition (runs the actors that fetch public pages) | Query parameters (location, dates, occupancy); returns public listing/review data
Anthropic | Claude / MCP — when you connect ScoutingAPI as a Claude Connector | OAuth-delegated API requests you initiate through Claude on your behalf
Stripe | Payments, subscriptions and top-ups (money system of record) | Billing identity and payment data (Stripe holds card data; we do not)
Resend | Transactional email (verification, password reset, service notices) | Email address and message contents
Hosting & infrastructure | Run the app/API/MCP, store data, and provide edge/WAF protection | Account data, usage logs (including IP at the edge), transient cache
Observability (e.g. Sentry) | Error monitoring, tracing and uptime | Scrubbed operational telemetry; no scraped personal data; IPs scrubbed or DPA-covered

We may also disclose data where required by law, to enforce our Terms of Service, or in connection with a merger, acquisition or asset sale (with notice where required).

Cookies & similar technologies

We use a small number of strictly necessary cookies to keep you signed in (session and CSRF cookies) and to remember interface preferences such as your selected theme. We do not use advertising or cross-site tracking cookies. You can block or delete cookies in your browser, but essential cookies are required for the dashboard to function.

Data retention

We keep personal data only as long as we need it, then delete or anonymize it:

Retention windows

Data | Retention
Account data | For the life of your account, then deleted on request
Request IP & user-agent | Identifiable for 90 days for security/abuse analytics, then truncated/hashed and kept only in aggregate
Raw source payloads (highest-PII) | A transient debug store only, auto-expired within 24 hours; never persisted elsewhere
Normalized cached results | Short per-endpoint TTLs (30 minutes to 24 hours), then hard-expired
Financial / credit-ledger records | Retained as a legal record; anonymized where compatible with that obligation
Erasure suppression list | Retained to prevent re-fetching data a subject asked us to erase

Scraped personal data is short-lived by design

International transfers

We and some of our sub-processors are located in, or transfer data to, the United States and other countries. Where we transfer personal data out of the EEA, the UK or Switzerland, we rely on the EU Standard Contractual Clauses (SCCs) and equivalent UK/Swiss transfer mechanisms, supplemented by a transfer-impact assessment where required. EU data-residency for the data store is available as an Enterprise option.

Your privacy rights

Depending on where you live, you may have the right to access, rectify, erase (“be forgotten”), restrict or object to our processing, to data portability, and to withdraw consent. To exercise any of these, email privacy@scoutingapi.com. We respond within the statutory window (for the GDPR, within one month, extendable where permitted). You also have the right to complain to your local supervisory authority.

On a valid erasure or objection request about scraped content, we (1) purge matching cached and raw rows, (2) add a suppression entry so the data is not re-fetched into cache, and (3) confirm completion. Because our retention is short and fetching is on-demand, the surface to erase is small.

California (CCPA/CPRA) notice

California residents have the right to know the categories of personal information we process, to request access and deletion, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information. ScoutingAPI does not sell your personal information in the consumer-marketing sense, and we honor a “Do Not Sell or Share My Personal Information” request. The categories we process (customer-account, telemetry and scraped-subject data) and the sub-processors we disclose them to are described above. To exercise these rights, contact privacy@scoutingapi.com — the same intake serves both CCPA and GDPR requests. We will not discriminate against you for exercising a privacy right.

If your data appears in a listing

If you are a host, reviewer or other individual whose public accommodation data appears in our results and you want it removed or corrected, email privacy@scoutingapi.com (or, for copyright/photograph matters, dmca@scoutingapi.com). We will process erasure and takedown requests as described above and can suppress a specific listing or source from future fetches.

How we protect data

  • Encryption in transit (TLS everywhere) and encryption of data at rest.
  • API keys and OAuth access/refresh tokens are stored only as one-way SHA-256 hashes, shown once, and never written to logs, traces or error reports.
  • The Authorization header and any OAuth codes/tokens are redaction-listed in our logging and error pipelines.
  • Least-privilege infrastructure behind a WAF/CDN edge, with append-only audit and credit ledgers.

No system is perfectly secure, but we take these measures seriously because reliability and trust are our product. See our Terms of Service for the full data-handling and acceptable-use terms.

Children’s privacy

ScoutingAPI is a developer product not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.

Changes to this policy

We may update this policy as the service evolves. When we make material changes we will update the effective date above and, where required, notify account holders by email or an in-product notice. Continued use of the service after an update means you accept the revised policy.


Contact us

Questions, requests or complaints about privacy:

  1. Privacy & data-subject requests: privacy@scoutingapi.com
  2. Copyright / takedown: dmca@scoutingapi.com
  3. General & legal: legal@scoutingapi.com