Legal
Last updated: 30 April 2026
Scrumpy is a scrum board and sprint planning tool, built and operated from the Netherlands.
For privacy questions, email support@scrumpy.it. For security disclosures, email security@scrumpy.it.
Legal entity
Jeroen van Dijk, operating as Scrumpy from The Netherlands.
Postal address available on request.
Below is everything we collect about you, the reason we need it, and the GDPR legal basis under which we process it.
Account data
Legal basis: contract performance (Art. 6(1)(b))
Your name and email address. Required to create your account, log you in, and send you transactional email (password resets, verification, sprint notifications, billing receipts).
Authentication data
Legal basis: contract performance (Art. 6(1)(b))
Your password is stored only as a one-way hash; we cannot read it. If you enable two-factor authentication, we store an encrypted TOTP secret and recovery codes.
Content data
Legal basis: contract performance (Art. 6(1)(b))
Stories, sprints, epics, comments, attachments, and related content you create in your workspace. You own your content and can export or delete it at any time.
Workspace roles and assignments
Legal basis: contract performance (Art. 6(1)(b))
The roles you and your teammates define within your scrum workspace (e.g. "developer", "designer") and which stories are assigned to which person. These are user-generated workspace labels — we do not collect your professional job title.
Billing data
Legal basis: contract performance (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c))
We store your subscription status, plan, and seat count. Payment details (card or bank info) are handled entirely by Lemon Squeezy, which acts as the Merchant of Record — we never see or store them. Lemon Squeezy's privacy policy applies to payment data. Invoices are retained for 7 years to meet Dutch tax-record obligations.
Support and feedback
Legal basis: legitimate interests (Art. 6(1)(f))
If you email us a support request, bug report, or feedback, we keep that correspondence so we can answer you and improve the product.
Security and operational logs
Legal basis: legitimate interests (Art. 6(1)(f))
We log authentication events (login, logout, password reset), rate-limit metadata, and server-side application errors. This protects accounts from abuse and lets us diagnose and fix issues.
Usage information
Legal basis: legitimate interests (Art. 6(1)(f))
We may record aggregate, non-identifying usage signals (which features are used, performance and error rates) to improve product reliability and security. We do not use third-party analytics, advertising networks, or behavioural tracking. We do not sell or share your data with third parties for marketing.
For clarity, Scrumpy does not collect:
We use only strictly necessary cookies. These do not require consent under the ePrivacy Directive. No tracking or advertising cookies are set.
| Cookie | Purpose | Duration |
|---|---|---|
| session | Keeps you logged in | Session / 2 hours |
| XSRF-TOKEN | Protects against cross-site request forgery | Session |
| sidebar_state | Remembers whether the sidebar is collapsed or expanded | 1 year |
| cookie_consent | Remembers that you acknowledged this cookie notice | 1 year |
We rely on the following third-party processors to operate the service. Each has been selected for EU data residency or adequate data protection guarantees (Standard Contractual Clauses for non-EU transfers).
| Processor | Purpose | Data location |
|---|---|---|
| Laravel Cloud | Application hosting, database, file storage | European Union |
| Lemon Squeezy | Payment processing (Merchant of Record) | United States (Standard Contractual Clauses) |
| MailerSend | Transactional email delivery | European Union |
Application data is stored within the European Union. All connections are encrypted via HTTPS. We use industry-standard security practices: hashed passwords, CSRF protection, optional two-factor authentication, encryption at rest for backups, and access controls limiting administrative access to the production environment.
We keep your account data for as long as your account is active. You can export everything at any time from the Organization settings.
If you delete your account or organization, your content and personal data are permanently removed within 30 days, except where law requires us to keep specific records longer (for example, billing data is retained for 7 years to meet Dutch tax obligations).
Server-side error and security logs are retained for up to 90 days, then deleted automatically.
If you are in the European Economic Area, you have the following rights regarding your personal data:
To exercise any of these rights, email support@scrumpy.it and we will respond within 30 days.
When you use Scrumpy on behalf of an organization whose team members are also users, that organization is the controller of those team members' personal data and Scrumpy acts as a processor. A Data Processing Agreement is available on request — email support@scrumpy.it.
If we make significant changes to this policy, we will notify active users by email before the changes take effect. The "Last updated" date at the top reflects the most recent change.
Questions about this policy? Email support@scrumpy.it.