Your global marketplace for trading recyclable materials

Do business with verified professionals

Privacy policy


1. General information

At Samoving, S.L. we are committed to complying with applicable data protection regulations and with the best market practices in this respect, both nationally and internationally. That is why we have created this Data Protection Policy which, in compliance with (i) Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of individuals with regard to the processing of Personal Data and the free movement of such data; and (ii) Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, and we hereby inform you on how we process your Personal Data, our purposes and the rights that you can exercise at any time.

Samoving is the owner of the ScrapAd platform, a global marketplace for buying and selling recyclable materials. ScrapAd is a leading global recycling platform, adapted to today’s demands, with two main objectives: firstly, to help recyclers find - to the best of their ability and the confluence of third party buyers’ willingness to purchase such materials - the best buying or selling counterpart for their materials, in a transparent transaction at a click of a button; secondly, to minimise the waste that ends up in landfills, supporting circular economy and caring for the environment.

Samoving has entered into an agreement with Lemonway SAS, whose registered office is at 8 rue du Sentier, 75002 Paris, France, registered in the Paris Trade and Companies Register under number 500 486 915 and authorised on 24 December 2012 by the Autorité de Contrôle Prudentiel et de Résolution (Prudential Control and Resolution Authority, "ACPR", France, website, 4 place de Budapest CS 92459, 75436 Paris, as payment institution, under number 16568, pursuant to which Lemonway acts as payment institution for transactions concluded on the ScrapAd platform.

Any user wishing to open an account on the ScrapAd platform who is interested in marketing raw materials and recovered material through the ScrapAd platform (the “User”) accepts this data protection policy.

2. Data controller

Your Personal Data will be processed by SAMOVING, S.L., with NIF number B-75.237.651, with registered office in Éibar (Gipuzkoa), calle Iñaki Goenaga, 5-Edificio Tekniker and registered in the Companies Register of Gipuzkoa, under Volume 2,944, Folio 57, Page SS-42.586, Entry 1 (hereinafter, “Samoving”), which will function as Data Controller.

Samoving has not appointed a Data Protection Officer, as according to the applicable regulations, such an appointment is not necessary in view of its company structure. In any case, Samoving declares that it has a management team that monitors and ensures Samoving’s compliance with all legal provisions on data protection, as well as all data security requirements.

3. Personal Data Category

According to the different purposes for which we process your data, and which we identify in this document, we will process your identification and contact data (name and surname, address, country, telephone number and e-mail address), data on the material purchased, as well as bank data, commercial and financial data when the User is a legal entity (hereinafter, the “Personal Data”).

Personal Data may be provided by sending the file or document containing them or at the time of registration, by filling in the forms provided for this purpose on the ScrapAd platform.

The User guarantees that the data provided to Samoving for the provision of the services requested are true to the current situation and that he/she will communicate any changes that affect them, as well as having the consent or any other legitimate basis that allows Samoving to use the User’s data. Consequently, the User shall be liable to Samoving and third parties for any damages caused as a result of the breach of the obligations assumed in this clause.

4. Purpose and Legitimation

We process your Personal Data for specific purposes that are always legitimate in accordance with the provisions of the GDPR. In particular, depending on the capacity in which you interact with us, we process your data for the following purposes and under the following legitimacy:

4.A. Creation of a profile on the ScrapAd Platform and implementation of pre-contractual measures

We process your Personal Data when you create a profile on ScrapAd. We will also process your telephone number and/or e-mail address when we deal with you as our customer, or potential customer, when you call us by telephone, send us a message on WhatsApp or Telegram or when we contact you by e-mail. Finally, we process your Personal Data to send you further information about our services when you request it directly on our website.

4.B. Our legitimate interest for the provision of services

The buyer’s and seller’s data will be processed for the purpose of providing services to enable them to transact raw materials and recovery material through the ScrapAd Platform, which, among other activities, involves: (i) their registration as a client; (ii) processing and responding to their questions, queries or complaints; (iii) contracting a goods verification service; (iv) contracting the transport service; and (v) processing the payment flow with Lemonway.

4.C. Compliance with legal obligations

Within the scope of our relationship with you, we may need to process your Personal Data in order to comply with legal obligations, from time to time.

In fulfilling these obligations, Samoving may communicate your data to Public Administrations and courts, provided that such information is required in accordance with established legal processes.

5. Personal Data disclosure to third parties

The User expressly authorises the Personal Data to be disclosed to Lemonway SAS. Likewise, the User expressly authorises that the identification and contact data (name and surname, address, country, telephone number and e-mail), commercial data when the User is a legal entity and data of the purchased goods be communicated to the SGS Group, the Alex Stewart Group and the logistic operator or operators who will be in charge of loading, transport, unloading and delivery of the goods proposed by Samoving and accepted by the buyer. In this regard, it is not foreseen that your data will be communicated to persons other than those mentioned above.

Likewise, in the case of international shipments, and in order to comply with the request made by the User, it is essential that Samoving communicates the data of the buyer, the seller and the description of the goods to the customs authorities and the logistics operators who will be responsible for making the delivery.

In this regard, the User is informed that both the customs authorities and the logistics operator may be located in a country whose data protection regulations have not been declared adequate by the European Commission and/or may not provide adequate safeguards for data processing. You can consult the list of countries whose data protection legislation presents an adequate level of security on the website of the AEPD and the European Commission. We also inform you that such international transfer of data is legitimised due to being necessary to provide the service by the sender, in accordance with article 49.1.b) of the GDPR.

6. Obligations

Samoving and all its staff undertake to:

  1. Use the personal data that is subject to processing solely for the purpose of this commission. In no case may they use the data for their own purposes.
  2. Process the data in accordance with the User’s instructions.

    If Samoving considers that any of the instructions infringe the regulations in force regarding the protection of Personal Data, it will immediately inform the User of this fact.

  3. Keep a written record of all categories of processing activities conducted on behalf of the User, which will contain:
    1. Where applicable, transfers of Personal Data to a third country or international organisation, including the identification of such third country or international organisation and, in the case of transfers referred to in Article 49, paragraph 1 of the GDPR, documentation on appropriate safeguards.
    2. General description of the technical and organisational security measures related to:
      1. The pseudonymisation and encryption of personal data, where necessary.
      2. The ability to guarantee the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
      3. The ability to restore the availability and access to the personal data rapidly in the event of a physical or technical incident.
      4. A process for the regular verification, evaluation, and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing.
  4. Not to communicate the Personal Data to third parties, except with the express authorisation of the User of the processing, in the legally admissible cases and except as indicated in the following section.

    Samoving may communicate the Personal Data to other processors of the same User, in accordance with the User’s instructions. In this case, the User will identify, in advance and in writing, the entity to which the Personal Data must be disclosed, the type of Personal Data to be disclosed and the security measures to be applied to proceed with the disclosure.

    If Samoving must transfer Personal Data to a third country or international organisation, by virtue of the law of the European Union or of the Member States that is applicable, it will inform the User of this legal requirement in advance, unless such Law prohibits it due to important reasons of public interest.

  5. Not to subcontract any of the services that form part of the object of the services provided by Samoving that involve the processing of Personal Data, except with the entities Lemonway SAS, the SGS Group, the Alex Stewart Group and the logistics operator or operators that will be responsible for carrying out the loading, transport, unloading and delivery of the goods proposed by Samoving and accepted by the buyer, subcontracting that is expressly authorised at this time.

    If it is necessary to outsource any processing in additional to that expressed herein, the User must be informed of this fact in advance and in writing with three days’ notice, indicating the processing actions that are intended to be outsourced and clearly and unequivocally identifying the subcontractor company and its contact details. Outsourcing may be conducted if the User does not express its opposition within the established period.

    The subcontractor, who will also be considered as a data controller, is also obliged to comply with the obligations established in this Data Protection document for Samoving and the instructions issued by the User. It is up to Samoving to regulate the new relationship so that the new controller is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as the former, regarding the proper processing of Personal Data and the guarantee of the rights of the affected persons. In the event of non-compliance by the sub-controller, Samoving will continue to be fully responsible before the User in relation to the fulfilment of the obligations.

  6. Uphold the duty of secrecy regarding the Personal Data to which access has been gained on the basis of this commission, even after the end of its purpose.
  7. Ensure that the persons authorised to process the Personal Data undertake, expressly and in writing, to respect confidentiality and to comply with the appropriate security measures, of which they are to be appropriately informed.
  8. Keep at the disposal of the User all documentation on compliance with the obligations laid down in the preceding paragraph.
  9. Ensure the necessary training in the field of personal data protection is provided to the people within the organisation authorised to process personal data.
  10. Assist the User in the response to the exercise of rights in relation to:
    1. Access, rectification, deletion, and opposition.
    2. Limitation of the processing.
    3. Transfer of the data.
    4. Not being subject to automated individualised decisions (including profiling).

    When the data subjects exercise their rights of access, rectification, deletion and opposition, limitation of processing, data transfer and the right not to be subject to automated individualised decisions, the Data Controller must communicate this by e-mail to the address indicated by the User. The communication shall be conducted immediately and, under no circumstance, any later than the business day following receipt of the request, together with, where appropriate, any other information that may be relevant for resolving the request.

  11. Samoving shall notify the User, without undue delay, and in any case before the maximum period of two business days, via e-mail, regarding the security breaches relating to the Personal Data for which the User is responsible and is aware, together with all the relevant information for the documentation and communication of the incident.

    Notification shall not be required where such a security breach is unlikely to constitute a risk to the rights and freedoms of data subjects.

    If available, at least the following information will be provided:

    1. Description of the nature of the Personal Data security breach, including, when possible, the categories and approximate number of affected parties, and the categories and approximate number of Personal Data records affected.
    2. Description of the possible consequences of the Personal Data security breach.
    3. Description of the measures adopted or proposed to remedy the Personal Data security breach, including, if applicable, the measures adopted to mitigate the possible negative effects.

    If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

  12. Provide support to the User in conducting impact assessments related to data protection, when appropriate.
  13. Provide support to the User in conducting prior consultations with the control authority, when appropriate.
  14. Make available to the User all the necessary information for proving compliance with its obligations, as well as for conducting the audits or inspections performed by the User or another auditor authorised by the latter.
  15. Implement at least the following security measures for:
    1. Guaranteeing the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
    2. Restoring the availability and access to the Personal Data rapidly in the event of a physical or technical incident.
    3. Verifying, evaluating, and assessing on a regular basis the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
    4. Pseudonymising and encrypting Personal Data, where appropriate.

7. Preservation

The Personal Data of the sender and recipient will be kept for as long as they are necessary for the development of the contractual relationship. Once this period has elapsed, the data will be deleted in accordance with the provisions of the data protection regulations, which implies its blocking, being available only at the request of Judges and courts, the Public Prosecutor’s Office or the competent Public Administrations during the statute of limitation of the actions that may derive from it in order to be subsequently deleted. The statute of limitation may vary depending on the type of service, for exemplary purposes, in general the statute limitation for most personal civil actions is 5 years, as established in Article 1964, paragraph 2 of the Civil Code.

8. Rights

Our data protection regulations provide you with a series of rights in relation to the data processing involved in our services which can be summarised as follows:

  • Right to access: To know what type of data we are processing and the characteristics of the processing we are conducting.
  • Right to rectification: To be able to request the modification of the data if they are inaccurate or untrue.
  • Transfer rights: To be able to obtain a copy in an interoperable format of the data being processed.
  • Right to the limitation of processing in the cases set out in the Law.
  • Right to suppression: Request the deletion of your data when the processing is no longer necessary.
  • Right to opposition: To request the cessation of the sending of commercial communications under the aforementioned terms.
  • Right to withdraw the consent granted.

You may exercise your rights through any of the following channels, indicating the right to be exercised and enclosing a copy of your National Identity Card or equivalent document and any other documentation you consider appropriate:

a) Postal address:

Éibar (Gipuzkoa), calle Iñaki Goenaga, 5-Edificio Tekniker

b) E-mail:

On the website of the Spanish Data Protection Agency (AEPD) you can find a series of models that will help you to exercise your rights. We also inform you that you have the right to file a complaint with the supervisory authority (in Spain, the AEPD) if you consider your rights have been infringed.