CrawlHawk

1. Scope and Roles

Effective date: 10 July 2026  |  Last updated: 10 July 2026

This Data Processing Agreement (the "DPA") forms part of the Terms and Conditions of the CrawlHawk service (the "Service") operated by New Horizon Platforms Kft. (registered office: Hullám utca 8. 1. em. 10. ajtó, 6721 Szeged, Hungary; company registration number: 06-09-029974; the "Operator" or "Processor"). It applies automatically, without separate signature, to every User in whose respect the situation described in Section 1 arises. It is concluded pursuant to Article 28(3) of Regulation (EU) 2016/679 (the "GDPR").

Where the User instructs the Service to crawl, extract or otherwise process content from Target Websites that contains personal data of third parties — including, without limitation, through contact data extraction features — the User is the data controller ("Controller") and the Operator is the data processor ("Processor") in respect of that personal data ("Controller Data"). This DPA governs that processing. It does not apply to personal data that the Operator processes as an independent controller (such as the User's own account, billing and usage data), which is described in the Privacy Policy.

2. Details of Processing (Article 28(3) GDPR)

  • Subject matter: automated crawling, retrieval, extraction, temporary storage and delivery of content from Target Websites specified by the Controller, where that content contains personal data.
  • Duration: the duration of the relevant Crawl and the retention period of Crawl Results (up to 90 days following completion of the Crawl, as set out in the Terms and Conditions), and in any event no longer than the existence of the User's Account, subject to Section 9.
  • Nature and purpose: execution of Crawls on the Controller's documented instructions; production and delivery of Crawl Results to the Controller.
  • Types of personal data: personal data appearing on publicly accessible Target Websites as selected by the Controller, which may include names, positions, business contact details (email addresses, telephone numbers), profile information, images and other personal data contained in the crawled content.
  • Categories of data subjects: natural persons whose personal data appear on the Target Websites selected by the Controller (such as employees, representatives, customers or other individuals referenced on those websites).

3. Controller's Instructions and Responsibilities

The Crawl configurations submitted by the Controller through the Service (starting URL, scope, filters, output configuration and feature selection) constitute the Controller's complete, documented instructions. The Processor shall process Controller Data only on these documented instructions, unless required to do otherwise by Union or Member State law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Controller warrants that it has a valid lawful basis for the processing it instructs — including, in respect of contact data extraction features, a valid and documented lawful basis under Article 6 GDPR as set out in Section 5.7 of the Terms and Conditions — and that it complies with its obligations as controller under the GDPR, including Articles 13 and 14 (information to data subjects). The Processor is entitled to refuse, suspend or interrupt instructions that it reasonably believes to infringe the GDPR or other applicable data-protection law, and shall inform the Controller where an instruction, in the Processor's opinion, infringes such law.

4. Confidentiality

The Processor ensures that persons authorised to process Controller Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. Security (Article 32 GDPR)

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (TLS), access controls and authentication, segregation of environments, logging and monitoring, and the automatic deletion of Crawl Results after the retention period. Details of the Processor's security practices are summarised in the Privacy Policy.

6. Sub-processors

The Controller grants a general authorisation for the engagement of the following categories of sub-processors for the processing of Controller Data:

  • RackForest Kft. (Hungary) — hosting and infrastructure;
  • Hetzner Online GmbH (Germany) — hosting and infrastructure;
  • Zyte Group Limited (Ireland) — advanced crawling and rendering infrastructure, where the Controller selects advanced processing modes;
  • OpenAI Ireland Limited / OpenAI, L.L.C. — AI-assisted extraction, where the Controller selects AI-assisted features;
  • Functional Software, Inc. (Sentry) (United States) — error and performance monitoring, which may incidentally process fragments of Controller Data contained in error contexts.

The Processor shall inform the Controller of any intended addition or replacement of sub-processors by updating the sub-processor list published on the Service and, in the case of material changes, by notice through the Service or by email, thereby giving the Controller the opportunity to object. Where the Controller objects on reasonable data-protection grounds and no alternative can be found, the Controller may terminate the affected processing by ceasing the relevant Crawls or closing the Account. The Processor imposes on each sub-processor, by way of contract, data-protection obligations essentially equivalent to those set out in this DPA, and remains fully liable to the Controller for the performance of the sub-processor's obligations.

7. Assistance to the Controller

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising data subjects' rights (Chapter III GDPR), and shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to the Processor. If a data subject request is addressed directly to the Processor, the Processor shall forward it to the Controller without undue delay.

8. Personal Data Breach

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Data, and shall provide the information reasonably required by the Controller to comply with its own notification obligations under Articles 33 and 34 GDPR.

9. Deletion and Return

Crawl Results, including any Controller Data they contain, are automatically deleted no later than 90 days after completion of the relevant Crawl. The Controller may download Crawl Results (return of data) at any time during the retention period. Upon closure of the Account, remaining Crawl Results are deleted in accordance with the retention rules set out in the Privacy Policy, unless Union or Member State law requires further storage. Upon the Controller's written request, the Processor shall confirm deletion.

10. Audits

The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, primarily in the form of documentation, certifications and written responses. Where this is insufficient, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable prior notice, at the Controller's expense, no more than once per year (except following a personal data breach), during normal business hours and without disrupting the Processor's operations or compromising the security or confidentiality of other customers' data.

11. International Transfers

Where the processing of Controller Data involves transfers outside the European Economic Area, the Processor relies on an adequacy decision of the European Commission (including the EU-US Data Privacy Framework for certified US recipients) or on the EU Standard Contractual Clauses, supplemented by additional measures where required, as described in the Privacy Policy.

12. Liability and Final Provisions

The liability of the parties under this DPA is subject to the limitations and exclusions set out in the Terms and Conditions, without prejudice to Article 82 GDPR. This DPA is governed by the laws of Hungary and, where applicable, by directly applicable EU law. In case of conflict between this DPA and the Terms and Conditions in respect of the processing of Controller Data, this DPA prevails. This DPA terminates automatically upon deletion of all Controller Data in accordance with Section 9.

13. Contact

For questions regarding this DPA, please contact us at support@crawlhawk.com.