GDPR Compliance

Last Updated: February 10, 2026

Our commitment:

FineData is committed to protecting the personal data of our users and complying with the General Data Protection Regulation (GDPR). We act as a data processor for our users' scraping activities and as a data controller for account and billing data. We do not store scraped content on our servers.

1. Scope and Application

This GDPR Compliance page applies to all individuals and organizations located in the European Economic Area (EEA), United Kingdom (UK), and Switzerland who use FineData.ai services or visit our website. It supplements our Privacy Policy with specific information about how we comply with the GDPR.

Quality Network US LLC is a United States-based company. While we are not established in the EU, we provide services to EU-based users and therefore process personal data subject to the GDPR.

2. Our Roles Under GDPR

Under the GDPR, organizations handling personal data act as either a data controller (determining the purposes and means of processing) or a data processor (processing data on behalf of a controller). FineData acts in both capacities depending on the context:

As Data Controller

We are the data controller for personal data we collect directly from you in the course of providing our services. This includes:

Account registration data (email, name, company)
Billing and payment information
API usage metadata and logs
Customer support communications
Website analytics data

As Data Processor

When you use our API to scrape web pages, we act as a data processor operating on your behalf. In this capacity:

You (the user) are the data controller for any personal data contained in scraped content
We process data only to fulfill your API requests
We do not store, cache, or retain scraped content beyond immediate delivery
We do not use scraped data for our own purposes
You are responsible for ensuring your scraping activities have a valid legal basis under the GDPR

3. Legal Bases for Processing

Under Article 6 of the GDPR, we process personal data based on the following legal bases:

Processing Activity	Legal Basis
Providing API services	Performance of contract (Art. 6(1)(b))
Processing payments	Performance of contract (Art. 6(1)(b))
Customer support	Performance of contract (Art. 6(1)(b))
Abuse prevention and security	Legitimate interest (Art. 6(1)(f))
Service improvement and analytics	Legitimate interest (Art. 6(1)(f))
Tax and accounting records	Legal obligation (Art. 6(1)(c))
Marketing communications	Consent (Art. 6(1)(a))
Website analytics cookies	Consent (Art. 6(1)(a))

Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting our data protection contact.

4. Data Processing Details

4.1 Categories of Data Subjects

Registered users and account holders
Website visitors
Contact form submitters
Business contacts and prospects

4.2 Categories of Personal Data

Identity data (name, email address)
Financial data (payment method details via Stripe, billing address)
Technical data (IP address, browser type, API usage logs)
Communication data (support tickets, emails)

4.3 Retention Periods

Account data: duration of account plus 30 days after deletion
Billing records: 7 years (legal requirement)
API request logs: up to 90 days
Aggregated usage data: up to 12 months
Website analytics: up to 12 months (anonymized)
Support communications: 2 years after last interaction

5. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights. We will respond to any valid request within 30 days (extendable to 90 days for complex requests, with notice):

Right of Access (Art. 15)

Request a copy of all personal data we hold about you, along with information about how it is processed.

Right to Rectification (Art. 16)

Request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure (Art. 17)

Request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent. Subject to legal retention obligations.

Right to Restriction (Art. 18)

Request restriction of processing in specific circumstances, such as when you contest the accuracy of data or object to processing.

Right to Data Portability (Art. 20)

Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and transmit it to another controller.

Right to Object (Art. 21)

Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your EU/EEA member state. We encourage you to contact us first so we can address your concern directly.

To exercise any of these rights, email support@finedata.ai with the subject line "GDPR Request." We may need to verify your identity before processing the request.

6. Data Protection Measures

We implement appropriate technical and organizational measures to protect personal data, as required by Article 32 of the GDPR:

Technical Measures

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Hashing of passwords and API keys
Network segmentation and firewall protection
Regular vulnerability scanning and security patching
Automated intrusion detection systems
Encrypted backups with access controls

Organizational Measures

Access to personal data is restricted on a need-to-know basis
Multi-factor authentication required for all production system access
Regular security training for all team members
Documented incident response procedures
Vendor security assessments for all sub-processors

7. International Data Transfers

Quality Network US LLC is based in the United States. When you use our services, your personal data may be transferred to and processed in the United States.

To ensure adequate protection for data transferred from the EEA/UK to the US, we rely on the following safeguards:

Standard Contractual Clauses (SCCs) — we use the European Commission's Standard Contractual Clauses as the primary mechanism for data transfers, as adopted under Commission Implementing Decision (EU) 2021/914
Supplementary measures — in addition to SCCs, we implement technical and organizational measures to ensure the level of protection required by the GDPR (encryption, access controls, monitoring)
Transfer impact assessments — we conduct assessments of the data protection laws in recipient countries to evaluate and mitigate any risks to your data

Our sub-processors who process EU data are also bound by appropriate data transfer mechanisms. See Section 8 for our list of sub-processors.

8. Sub-Processors

We use the following sub-processors who may process personal data on our behalf:

Sub-Processor	Purpose	Location
Stripe, Inc.	Payment processing	United States
Lago Labs	Usage metering and billing	France / EU
Amazon Web Services	Cloud infrastructure hosting	EU (Frankfurt)
Hetzner Online	Infrastructure hosting	Germany / EU

We will notify users of any intended changes to sub-processors, providing the opportunity to object before the change takes effect. Notifications will be sent to the email address associated with your account.

9. Data Breach Notification

In the event of a personal data breach, we will:

Notify the supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR (unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects)
Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34
Document all breaches in an internal breach register, including the facts, effects, and remedial actions taken
Notify affected customers (where we act as data processor) without undue delay so they can fulfill their own notification obligations

10. AI and Automated Processing

Our Service includes AI-powered data extraction features. In compliance with GDPR requirements regarding automated processing, we disclose the following:

10.1 How AI Is Used

AI models process web page content in real time to extract structured data on behalf of our users
AI features are invoked only when explicitly requested through specific API parameters (extract_schema, extract_prompt)
Processing occurs in memory during the API request lifecycle and content is not retained afterwards

10.2 Data Usage for AI

No model training. Scraped content and API request data are never used to train, fine-tune, or improve AI models.
No data retention for AI. Content processed by AI features is not stored, logged, or cached beyond the immediate response.
Aggregated analytics only. We use anonymized usage metrics (volumes, error rates) for service improvement. This data is non-personal.

10.3 Automated Decision-Making (Art. 22)

We do not engage in automated decision-making that produces legal effects concerning data subjects or similarly significantly affects them. Our AI features are tools provided for users to extract data — they do not make autonomous decisions about individuals. No profiling of end users or data subjects is performed by our AI systems.

11. Cookies and Consent

In accordance with the ePrivacy Directive and GDPR, we obtain consent before placing non-essential cookies on your device.

Strictly necessary cookies are placed without consent as they are essential for the website to function (authentication, security tokens)
Analytics cookies are only placed after you provide consent. You can withdraw consent at any time through your browser settings or by contacting us
No advertising cookies — we do not use any advertising or remarketing cookies

12. Data Protection Contact

For all GDPR-related inquiries, data subject access requests, or concerns about how we handle personal data, contact our Data Protection team:

Data Protection Contact

Quality Network US LLC

Email: support@finedata.ai

Subject line: "GDPR Inquiry" or "Data Subject Request"

We aim to respond to all GDPR-related requests within 30 days. For complex requests, we may extend this period by an additional 60 days with prior notice.

13. Data Processing Agreement

If you require a Data Processing Agreement (DPA) for compliance purposes, we provide a standard DPA that covers:

Subject matter and duration of processing
Nature and purpose of processing
Types of personal data and categories of data subjects
Obligations and rights of the controller
Standard Contractual Clauses for international transfers
Technical and organizational security measures
Sub-processor management provisions

To request a DPA, contact support@finedata.ai with the subject line "DPA Request." DPAs are available for all paid plan tiers at no additional cost.

14. Contact

For GDPR-related questions, data subject requests, or to exercise your rights:

Quality Network US LLC

30 N Gould St STE R
Sheridan, WY 82801
United States

Data protection: support@finedata.ai

General: info@finedata.ai

Phone: +1 (332) 214-8125

This page is provided for informational purposes and does not constitute legal advice. For specific legal questions about GDPR compliance, consult with a qualified legal professional. This GDPR information should be read in conjunction with our full Privacy Policy and Terms of Service.