Privacy Policy
ScopeMatch is a pan-European ISO 17025 accredited laboratory directory operated by Constellation Design. This policy explains what data we collect, why we collect it, and your rights under the General Data Protection Regulation (GDPR) and the UK GDPR.
1. What we collect
We collect the following categories of data:
1.1 Data you provide directly
- Contact form submissions -- name, email address, and message content when you use the contact form.
- API registration -- name and email address when you register for an API key.
- Lab owner accounts -- email address and (optionally) a password when you claim or manage a laboratory listing.
1.2 Data we collect automatically
- Session cookie -- a short-lived browser cookie used to maintain your login session. No tracking cookie is set for anonymous visitors.
- Theme preference -- stored in localStorage on your device. Never transmitted to our servers.
- Analytics -- anonymised page-view events via Umami, a self-hosted, cookie-free analytics platform. No personal data or cross-site tracking is performed.
1.3 Data we obtain from public sources
We compile laboratory listing data from publicly accessible databases maintained by national accreditation bodies. These databases are published under legal mandate (EU Regulation (EC) No 765/2008 and national implementations) so that the public can identify and contact accredited conformity assessment bodies. The accreditation bodies we currently source data from include:
- DAkkS (Deutsches Akkreditierungssystem, Germany)
- UKAS (United Kingdom Accreditation Service, United Kingdom)
- COFRAC (Comité français d'accréditation, France)
- ACCREDIA (L'Ente Italiano di Accreditamento, Italy)
- RvA (Raad voor Accreditatie, Netherlands)
- ENAC (Entidad Nacional de Acreditación, Spain)
The data we collect from these sources includes: laboratory name, accreditation number, accreditation status, address, accreditation scope (test methods and standards), and, where published in the database, contact information such as telephone numbers, email addresses (including named professional email addresses), and website URLs.
We use this data for two purposes:
- Directory listings. Displaying laboratory accreditation information on the ScopeMatch platform so that buyers of testing services can find accredited laboratories.
- Profile notification outreach. Contacting laboratory representatives to notify them that their laboratory is listed on ScopeMatch and to invite them to verify the accuracy of their listing. This outreach is limited to a maximum of one initial email and one follow-up per contact. See Section 2 for the legal basis.
2. Legal basis for processing
| Processing activity | Lawful basis | Detail |
|---|---|---|
| Compiling and displaying publicly available accreditation data from national accreditation bodies | Legitimate interest (Article 6(1)(f) GDPR) | We have a legitimate interest in operating a directory that helps buyers find accredited testing laboratories and helps laboratories be found. The data is sourced from public regulatory databases that exist for this purpose. |
| Profile notification outreach to laboratory contacts | Legitimate interest (Article 6(1)(f) GDPR) | We have a legitimate interest in notifying laboratory contact persons that their laboratory is listed on ScopeMatch and inviting them to verify the accuracy of their listing. We have conducted a Legitimate Interest Assessment (LIA-2026-001) documenting this basis. This outreach is limited to professional email addresses obtained from public accreditation body databases and is directly relevant to the recipient's professional role. You have the absolute right to opt out of this outreach at any time (see Section 3). |
| Operating anonymised analytics | Legitimate interest (Article 6(1)(f) GDPR) | We use Umami, a cookie-free, self-hosted analytics platform, to understand how the directory is used and to improve it. No personal data is collected. |
| Processing lab owner account and payment data | Contract performance (Article 6(1)(b) GDPR) | When you create an account or subscribe to a paid listing, we process your data as necessary to provide the service. |
| Processing contact form submissions and API registration requests | Consent (Article 6(1)(a) GDPR) | You actively submit your data through these forms. You may withdraw consent at any time by contacting us. |
3. Your rights
Under the GDPR (and UK GDPR for UK residents) you have the right to:
- Access -- request a copy of the personal data we hold about you.
- Rectification -- ask us to correct inaccurate or incomplete data.
- Erasure -- request deletion of your personal data, subject to legal retention obligations.
- Portability -- receive your data in a structured, machine-readable format.
- Object -- object to processing based on legitimate interest. If you object to processing of your data for direct marketing purposes (including profile notification outreach), we will stop processing immediately. This right is absolute and requires no justification.
- Restriction -- ask us to restrict processing while a dispute is resolved.
- Information about data source -- if we hold personal data about you that we did not obtain directly from you, you have the right to know the source of that data. For laboratory contact data, the source is the relevant national accreditation body database (see Section 1.3).
To exercise any of these rights, contact us at the address in Section 8, or use the unsubscribe link provided in any outreach email. We will respond within 30 days.
4. Data retention
- Contact form messages and API registration records: retained for up to 2 years, then deleted.
- Lab owner account data: retained for as long as the account is active, plus 1 year after account closure.
- Laboratory listing data from public sources: retained and refreshed for as long as the laboratory holds active accreditation. When accreditation is withdrawn or the laboratory requests removal, the listing is removed.
- Outreach email addresses (non-responders): retained for a maximum of 12 months from the date of outreach, then deleted from the outreach database. The laboratory listing itself (sourced from public data) is not affected.
- Outreach email addresses (opted out): the email address is retained only on a suppression list to ensure we do not contact the individual again. No further marketing processing occurs.
- Anonymised analytics events: retained for up to 2 years with no link to identifiable individuals.
- Session cookies: expire at the end of the browser session or after a fixed timeout (whichever is sooner).
5. Third-party services
- Umami Analytics -- self-hosted on our own infrastructure. No data is sent to third-party analytics providers. Umami does not use cookies and does not collect personal data.
- Mollie Payments -- payment processing for premium lab listings. Mollie is a PCI-DSS-compliant payment provider operating under Dutch law. When you make a payment, Mollie processes your card data directly; we do not store card numbers. Mollie's privacy policy.
- Moneybird -- invoicing and accounting for paid lab subscriptions. Moneybird is a Dutch invoicing platform operating under Netherlands law. When you subscribe to a paid plan, your contact name, business email address, billing address, and payment amount are shared with Moneybird to generate and store invoices. Invoices are retained for seven years in accordance with Dutch fiscal law. Moneybird's privacy policy.
- OAuth sign-in providers (Google, LinkedIn, Microsoft) -- if you sign in using a third-party account, we initiate an OAuth 2.0 / OpenID Connect flow with that provider. The provider receives your IP address and browser information as part of the redirect. After you grant permission, we receive a UserInfo response. We retain only your email address (for account matching) and an opaque provider-specific identifier (to link your account on future logins). We do not store your access token, profile photo, or display name.
- Google -- sign-in via Google OAuth. Google's privacy policy.
- LinkedIn -- sign-in via LinkedIn OAuth, operated by LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland. LinkedIn's OIDC UserInfo endpoint is called once during login. LinkedIn's privacy policy.
- Microsoft -- sign-in via Microsoft / Azure AD OAuth. Microsoft's privacy policy.
- Email delivery service -- we use Scaleway Transactional Email (TEM) to send profile notification outreach emails and transactional emails (such as account verification and password reset). Scaleway processes email addresses on our behalf as a data processor under a data processing agreement. Scaleway's privacy policy.
- Google Fonts (email only) -- font files are loaded from Google servers when you open an email sent by ScopeMatch (e.g. account verification, password reset). Your email client may transmit your IP address to Google when retrieving these fonts. On the website itself, all fonts are self-hosted and no requests are made to Google. Google's privacy policy.
- Carto (map tiles) -- on pages that display a map (search results, laboratory profiles, test method pages, and the home page), background map tiles are loaded from basemaps.cartocdn.com. Carto receives your IP address when these tiles are requested. Carto's privacy policy.
- Leaflet / unpkg (home page) -- on the home page, the Leaflet mapping library is loaded from unpkg.com, a public CDN. unpkg receives your IP address when the script is requested. On other pages with maps, Leaflet is served from our own infrastructure. unpkg.com.
- Brandfetch (home page) -- accreditation body logos on the home page are loaded from cdn.brandfetch.io. Brandfetch receives your IP address when these images are requested. Brandfetch's privacy policy.
6. Cookies
We use the following cookies:
- Session cookie -- strictly necessary, set only when you log in. Expires at session end or after a fixed timeout.
- CSRF token -- strictly necessary, protects form submissions from cross-site request forgery. Session-scoped.
No advertising or tracking cookies are used. The analytics system (Umami) is cookie-free. Theme preference is stored in localStorage, not a cookie.
7. Data transfers
Our servers are hosted within the European Union (Scaleway, France). We do not intentionally transfer personal data outside the EEA. However, some client-side resources -- such as map tiles (Carto), CDN-hosted scripts (unpkg), and logos (Brandfetch) -- are loaded directly by your browser from third-party servers that may be located outside the EEA. These requests transmit your IP address. Where applicable, these providers operate under standard contractual clauses, an approved adequacy framework, or equivalent safeguards. Payment processing (Mollie), invoicing (Moneybird), and email delivery (Scaleway) also operate under appropriate data transfer mechanisms.
8. Data controller
The data controller is Constellation Design, trading as ScopeMatch. For any privacy enquiry or to exercise your rights, email <a href="mailto:privacy@scopematch.eu">privacy@scopematch.eu</a>, use our <a href="/contact/">contact form</a>, or write to: Constellation Design, The Netherlands.
If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority. For example:
- Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
- United Kingdom: Information Commissioner's Office (ico.org.uk)
- Germany: The data protection authority (Datenschutzbehörde) of your federal state
- France: Commission Nationale de l'Informatique et des Libertés, CNIL (cnil.fr)
- Italy: Garante per la protezione dei dati personali (garanteprivacy.it)
- Spain: Agencia Española de Protección de Datos, AEPD (aepd.es)