Data Inventory & Data Flow

Knowing what Personal Data you store, where you store it and who you transfer it to is a key part of GDPR compliance. Luckily if you don't really do anything outside of using your SCRUMPY site then the Data Inventory & Data Flow documentation we've put together can be used as 'your documentation'.

What if I share Personal Data (email, name, phone, etc) with people outside of my business?

Sometimes if you're offering services such as external events, catering, party organisation, etc you might actually be transferring Personal Data outside of your business, this needs to be recorded.

  • You should notify individuals in your privacy policy of the companies that you may transfer their Personal Data to.
  • You should keep documentation on the companies you transfer Personal Data to including contact details.
  • You should have an agreement in place between you and the other company that states the responsibilities of both parties.

Data Inventory

You should be keeping track of the Personal Data you collect and store about individuals, we have produced a data inventory that lists the Personal Data collected and stored by SCRUMPY websites. This data inventory can serve either as your documentation or as a basis for your own documentation. You would only need to customise this data inventory if you were collecting data outside of SCRUMPY, e.g. phoning guests and asking them for some form of personally identifiable information.

When you visit our website, place a booking with us, call us or make an enquiry with us (among other actions) we collect information about you and your use of our website. We treat this information as falling into two broad categories: Guest Information and Usage Data.

The following apply to all types of data, specifics can be found below:

We primarily record guest & booking related data for the purposes of running a vacation rental business.

How long is data retained? 
By default, indefinitely unless asked to clear. Since the system is essentially a bookkeeping tool it's important that we have long lasting records of business activity. We will identify whether we still need to hold on to data and delete it where no longer needed.

How secure is it?
Our database is stored encrypted at rest on the storage device. Access is restricted by firewall rules and a username/password combination so that only machines within our hosting environment have access to the database.

Do we share it with third parties?
On the whole, no, however various marketing tools such as Facebook Analytics, Google Analytics & Google AdWords may gather data on customers. Also some data may be shared for the purposes of calendar synchronisation.

Which countries are personal data stored within?
United States of America, Germany, United Kingdom and Ireland.

Personal data that we collect via our website and as a matter of day to day business (e.g. phone calls, email enquiries, etc):

Guest Information:

You explicitly provide us with guest information when making an enquiry or placing any form of booking whether that be on our website, over the phone or via any other medium. Where possible we will gain your consent to store and process this data in accordance with our privacy policy, in some instances we may initially be going on implied consent (e.g. a telephone call) but we will seek to confirm this consent as soon as possible. Guest information can include:

  • The IP address you agreed to terms and conditions from
  • Full name
  • Email
  • Address
  • Telephone numbers
  • Payment information
  • In some instances: Your age and the gender you identify with

Usage Data:

We collect general information about how you use our site to help further improve its ease of use and its business performance. Your usage data can include:

  • Pages you've visited on our website
  • How you came to our website
  • The buttons and links you clicked on
  • Whether you have been to our website before
  • The IP Address being used to visit our site
  • Information on the device you're using to visit our site

Your IP address is considered Personal Data, we may use this for general geographic targeting, we store and treat your IP Address as any other kind of Personal Data.

Data Flow

You should be keeping track of where the Personal Data you collect ends up going, or rather who you send it to as part of day to day processing. You should also have an agreement in place (either signed or implied) stating the responsibilities each party has over Personal Data.

We have produced Data Flow documentation that should suffice for most SCRUMPY websites but if you send Personal Data to anyone else you may wish for this documentation to form the basis of your own document.

We have agreed to data processing agreements/amendments where provided by the services we may send personal data to, some of these are assumed in the usage of said system. We have contact details for each of the services we use.

    We use SCRUMPY to host our website, they act as a 'processor' of our data. They provide all the functionality of the website including the collection, storage, data access, data access controls and more.

  • Google Analytics:
    We use Google Analytics to gain an insight into the performance of current marketing efforts, analyse the performance of changes we make to our website and to help us understand where traffic comes from.

  • Google AdWords:
    We may at times add Google AdWords conversion tracking code to our site. We may on occasion use Google AdWords to run online advertising campaigns for our services. We may share email addresses we gather via our online enquiry form and via customers who have engaged with us both offline, via the phone or in email with Google AdWords to better target potential customers.

  • Facebook Analytics:
    We may use Facebook Analytics & Facebook Pixel to help monitor the performance of advertising campaigns. Enhanced tracking logic is used to help improve the accuracy of our advertisement targeting, this logic may send the email address gathered via enquiry forms back to Facebook.

  • Sentry:
    We use Sentry to capture and track errors on both the client side (via Javascript tracking logic added to web pages we serve) and on the server-side. We use Sentry’s built in exception blacklisting functionality to prevent the exposure of personal data in the tracked errors thus preventing personal data from being transferred to Sentry’s servers.

  • FullStory:
    We use FullStory to record a sampling of user sessions to help us gain an insight into how users use our sites so that we can improve the user experience over time. We use FullStory’s element blacklisting functionality to prevent the exposure of certain personal data in recorded sessions, thus preventing personal data from being transferred to FullStory’s servers. We do send a small amount (forename, surname) of personal data to FullStory to help annotate recorded sessions.

  • Amazon Web Services:
    We use Amazon Web Services for the hosting of a variety of services. A number of the services we use Amazon Web Services for are exposed to and store personal data including the web application servers on EC2, the database servers on RDS and the log storage on CloudWatch Logs. Specifically with regard to CloudWatch Logs we keep logs (web logs, etc) for 14 days. Personal data may be consumed by Amazon Quicksight, a business intelligence tool we use for querying our database.


Data flows between our primary web application where it is gathered to our database and log files, all three are hosted with Amazon Web Services within the European region.

Please note: These pages serve as advice and as such we cannot be held responsible for any damages occurring as a result of practicing any of the advice given.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us