ScapBot is a third-party JavaScript chatbot widget embedded on websites for lead capture, basic conversational analytics, and visitor engagement. It collects IP address, user agent, chat message content, email addresses and behavioural session data, with processing primarily hosted in the United States.
ScapBot is a niche third-party AI chatbot widget that loads as JavaScript on a publisher website. It engages visitors in conversation, captures leads (typically email addresses and contextual information), and feeds basic conversational analytics back to the website operator. As a small vendor with limited public documentation, ScapBot should be treated as an opaque processor with elevated due diligence requirements.
ScapBot collects visitor IP address, user agent string, device and browser metadata, session identifiers, the full content of chat messages, and any email address or contact data the visitor submits. Because chat is free text, content may incidentally include health, financial, religious or political information that qualifies as Article 9 GDPR special category data. The widget also logs behavioural signals such as time spent, page context and conversation outcome for analytics.
Under GDPR Article 6, consent (6(1)(a)) is the recommended basis for the analytics and lead capture functions. The core chat function may rest on legitimate interest (6(1)(f)) where it is strictly necessary to deliver a service the visitor has explicitly requested, subject to a balancing test. ePrivacy Directive Article 5(3) requires prior, informed consent for any cookie or local storage read or write that is not strictly necessary for delivering the service, which applies to ScapBot analytics identifiers.
ScapBot infrastructure is hosted in the United States. Transfers from the EEA and UK require Standard Contractual Clauses, a Transfer Impact Assessment, and supplementary technical and organisational measures consistent with Schrems II. Where ScapBot relies on the EU-US Data Privacy Framework, verify current certification status on the official DPF list before relying on it as a transfer mechanism.
Free-text chat is a high-risk surface because visitors can paste credentials, identifiers, health symptoms or other sensitive content. Implement message redaction or filtering on submission, restrict retention to the minimum necessary, and document a clear process for handling Article 9 disclosures and data subject deletion requests targeting individual conversations.
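One way to do the submission-time redaction described above, as an added example (not ScapBot's own code): the filter runs in the browser before the message is handed to the widget, and the regex patterns, placeholder labels and the `api.scapbot.com` endpoint name are assumptions.

```javascript
// Added example, not ScapBot's own code: submission-time redaction for free-text chat, run in
// the browser before the message is handed to the widget, so api.scapbot.com never receives the
// raw value. The patterns and placeholder labels are assumptions; tune them to your own risk list.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 13 to 19 digits, optionally separated by spaces or dashes; confirmed with Luhn below
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
// "password: x", "api_key=y" style credential pastes; the key is kept, the value is dropped
const CRED_RE = /\b(password|passwd|pwd|token|api[_ -]?key)\b(\s*[:=]\s*)(\S+)/gi;

// Luhn check so that order numbers and other long digit runs are left untouched
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Returns the redacted text plus a per-category count. Keep the counts (never the values)
// as evidence for the DPIA and for deciding whether an Article 9 process was triggered.
function redactSensitive(text) {
  const stats = { email: 0, card: 0, credential: 0 };
  let out = text.replace(CRED_RE, (m, key, sep) => {
    stats.credential++;
    return `${key}${sep}[REDACTED]`;
  });
  out = out.replace(EMAIL_RE, () => { stats.email++; return '[EMAIL]'; });
  out = out.replace(CARD_RE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    if (!luhnValid(digits)) return m; // fails Luhn: not a card number, keep as typed
    stats.card++;
    return '[CARD]';
  });
  return { text: out, stats };
}

// Constructed sample message: the order number survives, the card and credential do not
const sample = redactSensitive(
  'Contact me at jane@example.com, card 4111 1111 1111 1111, order 1234 5678 9012 3456, password: hunter2'
);
// sample.text === 'Contact me at [EMAIL], card [CARD], order 1234 5678 9012 3456, password: [REDACTED]'
```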
Block the ScapBot script until consent is given via your CMP, sign a DPA listing ScapBot as a processor, run and document a DPIA, configure short retention windows, restrict admin access, update the privacy notice with ScapBot, its US transfer basis and visitor rights, and re-audit annually or on any version change.
Websites using ScapBot must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended before deploying ScapBot because the widget can capture free-form chat content that may include special category data (Article 9 GDPR), email addresses and behavioural analytics. Key risks: unfiltered chat input that may contain health, financial or political information, US data transfers requiring SCCs and a TIA per Schrems II, persistent identifiers used for analytics requiring prior consent under ePrivacy 5(3), and potential profiling through conversation history.
Sample consent text
We use ScapBot, a chatbot service, to answer your questions, capture leads and analyse conversations. ScapBot stores cookies on your device, processes your IP address, browser data, the content of your chat messages, and any email address you provide. Some data may be transferred to the United States under appropriate safeguards. By clicking 'Accept', you consent to this processing. You can withdraw consent at any time via the cookie banner.
Third-party domains contacted
scapbot.com
cdn.scapbot.com
api.scapbot.com
ws.scapbot.com
analytics.scapbot.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _scapbot_sid | http_cookie | session | Session identifier used to maintain conversation state across page navigations during a visit. Strictly necessary when the chat is actively engaged but should be blocked until consent if loaded proactively. |
| _scapbot_vid | http_cookie | 12 months | Persistent visitor identifier used to recognise returning visitors, link chat sessions, and feed conversational analytics. Requires prior consent under ePrivacy Article 5(3). |
| _scapbot_consent | http_cookie | 6 months | Stores the visitor consent state for the ScapBot widget so the choice persists across sessions. Considered strictly necessary as it records the consent decision. |
| _scapbot_lead | http_cookie | 90 days | Records lead capture status (for example whether the visitor has already provided an email) to avoid duplicate prompts. Marketing purpose, requires consent. |
| scapbot_analytics | local_storage | 13 months | Local storage entry holding aggregated analytics signals: page context, conversation outcome, response timings. Analytics purpose, requires consent. |
| scapbot_chat_history | local_storage | until cleared | Client side cache of recent chat messages used to restore the conversation if the visitor reloads the page. Should be cleared on consent withdrawal and on session end where possible. |
| _scapbot_ab | http_cookie | 30 days | A/B testing identifier used by ScapBot to evaluate conversation flows and prompts. Optimisation purpose, requires consent. |
Yes. ScapBot uses cookies and similar storage (typically a session identifier and persistent visitor cookie) to maintain conversation continuity, recognise returning visitors and feed analytics. Because these are not strictly necessary for delivering a service the visitor expressly requested, ePrivacy Directive Article 5(3) requires prior, granular consent before they are read or written.
Yes for the analytics and lead capture identifiers and, in most cases, for the chat function itself if it is launched proactively or relies on persistent identifiers. The widget script must be blocked behind your Consent Management Platform until the visitor consents to the relevant purpose. A purely visitor-initiated chat that uses only strictly necessary storage may rely on legitimate interest, subject to a documented balancing test.
For analytics, behavioural profiling and marketing-oriented lead capture, the appropriate basis is consent (Article 6(1)(a)). For the strictly necessary chat function, legitimate interest (Article 6(1)(f)) can apply with a balancing test. If chat content captures special categories of data (Article 9), an additional Article 9 condition such as explicit consent is required.
ScapBot is US-hosted, so EEA and UK personal data is transferred internationally. Transfers require Standard Contractual Clauses, a Transfer Impact Assessment per Schrems II, and supplementary measures such as encryption and access controls. If the vendor self-certifies under the EU-US Data Privacy Framework, verify current status on the official DPF list before relying on it.
A DPIA is strongly recommended and often mandatory. Triggers include large-scale processing of free text that may contain special category data (Article 9), systematic monitoring of visitor behaviour, profiling, and international transfers to a third country without an adequacy decision. Document risks, mitigations and the residual risk decision before go-live.
Block the script until consent is obtained, sign a DPA naming ScapBot as a processor, run a DPIA, set short retention windows, restrict admin access on a need-to-know basis, redact or filter sensitive content from chat transcripts where possible, publish the vendor and its US transfer basis in your privacy notice, and re-audit annually or on every version change.
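The consent gating called for in the required actions above and in this answer, plus the clean-up on withdrawal that the cookie table implies, as an added example that is not ScapBot's own code. The cookie and storage names come from the table on this page; the script path on `cdn.scapbot.com`, the `data-scapbot-mode` attribute and the `{analytics, marketing}` shape of the CMP consent object are assumptions.

```javascript
// Added example, not ScapBot's own code: gate the widget behind the CMP and undo its storage on
// withdrawal. The script URL on cdn.scapbot.com, the data-scapbot-mode attribute and the consent
// object shape ({analytics, marketing}) are assumptions; cookie and storage names are from the table.

const SCAPBOT_SCRIPT = 'https://cdn.scapbot.com/widget.js'; // assumed path
const SCAPBOT_COOKIES = ['_scapbot_sid', '_scapbot_vid', '_scapbot_consent', '_scapbot_lead', '_scapbot_ab'];
const SCAPBOT_STORAGE = ['scapbot_analytics', 'scapbot_chat_history'];

// Map CMP purposes to a load decision. Persistent and analytics identifiers need consent
// (ePrivacy 5(3)); a visitor-initiated chat restricted to the session cookie may rest on
// legitimate interest, so it is allowed in a reduced mode.
function scapbotLoadDecision(consent, visitorInitiated) {
  if (consent.analytics && consent.marketing) return { load: true, mode: 'full' };
  if (visitorInitiated) return { load: true, mode: 'essential' };
  return { load: false, mode: 'blocked' };
}

// Insert the script tag only when the decision allows it (doc = window.document in the browser).
// Nothing is fetched from scapbot.com until this runs, which is what "blocked behind the CMP" means.
function loadScapBot(doc, decision) {
  if (!decision.load) return null;
  const tag = doc.createElement('script');
  tag.src = SCAPBOT_SCRIPT;
  tag.async = true;
  tag.setAttribute('data-scapbot-mode', decision.mode); // assumed config hook read by the widget
  doc.head.appendChild(tag);
  return tag;
}

// Cookie assignments that expire each ScapBot cookie; they are first-party on the publisher
// origin, so document.cookie can clear them. Adjust path/domain if the widget scopes them.
function scapbotExpiryStrings() {
  return SCAPBOT_COOKIES.map((n) => `${n}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`);
}

// Withdrawal handler: expire cookies, drop analytics and the cached chat history, and report
// how many storage keys were actually present (useful for a withdrawal audit log). The CMP,
// not _scapbot_consent, remains the record of the visitor's choice.
function withdrawScapBotConsent(doc, storage) {
  for (const c of scapbotExpiryStrings()) doc.cookie = c;
  let cleared = 0;
  for (const key of SCAPBOT_STORAGE) {
    if (storage.getItem(key) !== null) { storage.removeItem(key); cleared++; }
  }
  return cleared;
}
```

Wire `withdrawScapBotConsent(document, window.localStorage)` to the CMP's withdrawal callback and call `loadScapBot` only from its consent-granted callback.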
EU-hosted chatbot and lead capture providers reduce transfer risk and tooling overhead. Open-source, self-hosted solutions (for example Rasa or Botpress) deployed in an EEA region give the strongest data sovereignty. When evaluating alternatives, compare contractual safeguards, hosting region, sub-processor chain, retention controls and Article 9 handling.
Add a dedicated entry for each ScapBot cookie and identifier with name, purpose, duration and category (functional, analytics, marketing). In the privacy notice, list ScapBot as a processor, describe the data categories collected (including potential Article 9 content from chat), explain the US transfer mechanism and visitors' rights, and link to the ScapBot privacy policy and DPA.