GDPR and Data Processing Addendum Summary
Last updated: 13 March 2026
This page explains controller/processor responsibilities when using Scrubix under UK GDPR and the Data Protection Act 2018.
1. Roles
Customer account holder (your business): generally the controller for personal data entered and processed in your customer workflows.
Scrubix: processor for service data handled on your instruction, and controller for account/security/billing/support data it must process itself.
2. Processing scope
Scrubix processes personal data strictly to provide platform workflows: customer records, jobs, quotes, invoices, communications, payment metadata, reconciliation tools and limited app activity records such as last app open, last seen, current page and app foreground/background state where needed for support and service reliability.
3. Security and confidentiality
Scrubix implements technical and organisational measures including access controls, audit trails, authentication controls and secure transport.
Access to personal data is restricted to authorised staff and subprocessors with a need to know.
4. Subprocessors
Scrubix may use vetted subprocessors for hosting, communications, payment infrastructure and diagnostics.
Subprocessors are bound by written data protection obligations.
5. International transfers
Where personal data leaves the UK, Scrubix applies transfer safeguards required by UK GDPR.
6. Data subject rights support
Scrubix provides tooling and support to help controller customers respond to access, rectification, deletion and portability requests.
7. Breach response
Scrubix maintains incident response procedures. Where legally required, affected controller customers are notified without undue delay.
8. Retention and deletion
Customer data is retained in line with service settings and legal obligations, then deleted or anonymised per policy.
9. Reconciliation data
Where connected bank account reconciliation is enabled, transaction feed data is processed to provide matching and finance workflow outputs.
10. Requests and contact
Data protection requests: data@scrubix.co.uk.