Privacy Policy

Last updated: 03 April 2026

This Privacy Policy explains how Scrubix collects, uses, stores, shares and protects personal data when you use our website, mobile apps, APIs and support channels.

We aim to explain this in a way that is practical and transparent. If you use Scrubix to manage your business, customer relationships, communications, payments or connected services, this policy describes what happens to that data and what choices you have.

This Privacy Policy should be read alongside our Terms and Conditions and any service-specific terms that apply to payment, messaging or connected account features. By accessing the Scrubix website, mobile applications or related services, you acknowledge this Privacy Policy and understand how personal data is handled within the service.

We review and update this policy as the platform develops, and we aim to keep it specific to the services we actually offer rather than relying on generic wording.

1. Who we are and how data roles work

Scrubix is the data controller for account, platform and operational data processed to provide the Scrubix service.

If you use Scrubix to store data about your customers, staff or business contacts, you (the customer) act as the data controller for that information and Scrubix acts as your data processor.

We act as a data controller only for the data we collect directly from you, such as account information, billing details and technical usage data.

This means that where you upload or manage customer, staff, scheduling, invoice or communications data inside Scrubix, you decide why that data is collected and how it is used in your business. We process that information only in order to provide the Scrubix service to you, maintain the platform, and support the features you choose to use.

Where we collect information directly from you about your account, subscription, support requests, diagnostics or platform usage, we determine the purposes and means of processing for those areas and act as the data controller.

Where Scrubix acts as your processor, you remain responsible for ensuring that you have a lawful basis for the personal data you upload into the platform and for responding to end-customer privacy requests where applicable.

Data protection contact: data@scrubix.co.uk.

2. The types of personal data we collect and process

We collect personal data that you provide directly, data created through use of the service, and limited technical data collected automatically when you access the platform.

Identity and account data: names, usernames, phone numbers, email addresses, roles, login timestamps, security events and authentication settings.

Business and profile data: trading name, invoice details, branding settings, subscription details, support contact preferences and related account profile information.

Customer records: customer names, service addresses, phone numbers, email addresses, internal notes, visit history, billing status and schedule history.

Staff and contractor records: names, roles, access permissions, assignment history, last activity signals and work allocation data.

Job, quote and invoice data: jobs, routes, calendar data, job notes, quote records, invoice records, payment statuses, reminders, credits, refunds and completion history.

Communications data: email and SMS content, timestamps, delivery status, thread metadata, templates, attachment references and message history stored to provide the communications features.

Payments and billing data: Stripe and GoCardless account identifiers, mandate references, payment and payout metadata, subscription status, app-store billing metadata and related operational records.

Reconciliation and finance data: uploaded bank transaction files, connected bank feed metadata, imported rows, matching status, reconciliation outcomes and related finance reporting records.

Google account integration data: when you connect Gmail, we may process your Google email address, OAuth connection details, refresh tokens, mailbox metadata, thread identifiers, message headers, message content needed for send, read and sync features, and connection status or error records.

Location data: where you enable location-based features such as route planning, job mapping or navigation support, the app may process location data needed to provide those features. You can control location permissions in your device settings.

Customer portal data: if your customers access the portal, we process the data they view, confirm or update in order to provide the portal experience and related account actions.

Cookies and similar technologies: essential, functional and performance cookies on the website, including security tools such as reCAPTCHA where enabled, and related browser/session information.

Technical and usage data: app version, device type, operating system, push tokens, IP address, API request logs, diagnostics, crash information, last app open, last seen, current page and app foreground/background state used for support, reliability and security.

Some of this data is entered by you or your users directly. Some is generated automatically when features are used, messages are sent, invoices are created, integrations are connected or technical events occur inside the app.

We do not intentionally collect more data than is reasonably required for the relevant feature or workflow.

3. Data we process as your processor

When you use Scrubix to manage your own customer base, staff records, routes, invoices, jobs, communications and related business operations, that information is processed by Scrubix on your behalf.

Examples include:

Operational records: customer information, jobs, round schedules, route planning, notes, visit history and assignment activity.

Financial workflow records: invoices, quotes, payment status, reminder history, reconciliation records and transaction matching workflows.

Communications records: customer emails, SMS messages, templates, attachments, thread history and delivery logs.

Portal and app records: customer portal actions, staff access, permissions and business configuration data entered by you.

We process this information only to provide the Scrubix service, to maintain the features you use, to support lawful instructions from the account owner and to maintain security, reliability and support operations.

We do not treat your operational business data as our own asset, and we do not repurpose it for unrelated commercial use.

4. Data we process as controller

We act as data controller for information we collect directly from you in connection with your use of Scrubix as a product and service.

Examples include:

Account data: your name, login details, email address, phone number, account status and security events.

Billing and subscription data: subscription status, plan, app store billing metadata, Stripe or GoCardless merchant setup metadata and customer support records linked to billing.

Technical data: IP addresses, diagnostics, crash records, device details, session logs, app activity indicators and system security events.

Support data: enquiries, troubleshooting records, support conversations and issue-handling notes.

We use this information to operate Scrubix, support your account, secure the platform, manage subscriptions, comply with legal obligations and improve reliability.

This includes account verification, subscription and billing administration, fraud prevention, service notices, diagnostic review and direct support interactions.

5. Why we process personal data and the legal basis

We process personal data to operate the Scrubix platform, provide the features you request, support account administration, secure the service and improve reliability.

This includes using data to create and manage accounts, authenticate users, maintain role-based access, provide customer and staff workflows, generate invoices and reminders, process communications, support payment and direct debit flows, and provide reconciliation tools.

This also includes using limited app activity data such as last app open, last seen, current page and foreground/background state so we can troubleshoot issues, confirm recent app activity and provide live support more effectively.

If you connect Gmail, we use Google account access only to let you send emails from Scrubix, sync relevant inbox emails into Scrubix email threads, maintain thread continuity and preserve the customer communication workflow you choose to use.

We may also use technical and operational data to detect abuse, investigate suspicious behaviour, prevent fraud, maintain performance, improve error handling and monitor overall service health.

We do not use customer data for advertising, data brokerage, unrelated profiling or unrelated secondary purposes. We only process data for the purposes described in this policy and the features you enable.

Contract: to provide the service you signed up for, operate your account, deliver platform features and manage paid subscription access.

Legitimate interests: to secure the service, prevent fraud and abuse, diagnose issues, monitor service health, defend claims and maintain support operations.

Legal obligation: to comply with tax, accounting, financial, regulatory and lawful disclosure obligations.

Consent: where optional features or local law require consent, such as certain website cookies or specific optional permissions.

In practice, most processing needed to deliver Scrubix is carried out because it is necessary to perform our contract with you, because we have a legitimate interest in keeping the platform secure and functional, or because we are legally required to retain or disclose specific records.

Automated decision-making: we do not use fully automated decision-making that produces legal or similarly significant effects. We may use automated tools for operational tasks such as message delivery, fraud screening, security monitoring and workflow automation.

Where consent is the relevant basis, you may withdraw it at any time, although this may affect features that depend on that consent being in place.

6. How we store and protect data

We use a combination of technical and organisational controls to protect personal data handled through Scrubix.

These controls include:

Encryption in transit: communications between browsers, apps, our servers and core service providers are protected using TLS.

Protection of sensitive credentials: sensitive integration credentials and tokens are stored using encryption or other appropriate secure storage controls.

Access controls: access to data is restricted by role, least-privilege principles and operational need.

Monitoring and logging: security events, access patterns and technical failures may be logged to help identify abuse, performance issues and attempted unauthorised access.

Backups and resilience: backups are taken and stored securely to support continuity and recovery processes.

Operational review: access to sensitive systems and data is reviewed as part of our operational security practices.

While no internet-based service can guarantee absolute security, we use commercially reasonable technical and organisational measures to protect personal data against unauthorised access, loss, misuse or disclosure.

If a personal data incident occurs, we assess it promptly and take the steps required under applicable law, including notification where legally required.

7. Third-party service providers and disclosures

We use specialist providers for hosting, infrastructure, notifications, communications, analytics, diagnostics, security and payments, including Stripe and GoCardless for enabled payment workflows.

Processors only receive the data they need to perform their function. They are required to act on our instructions where applicable and are bound by confidentiality and data protection obligations.

Where you choose to connect Google services such as Gmail, Google also acts as an independent provider under its own terms and privacy policies.

We do not sell personal data. We do not share Google user data for advertising or unrelated secondary purposes. We do not permit processors to use your data for their own marketing purposes.

We may disclose personal data in the following limited circumstances:

Service providers: where necessary to deliver hosting, messaging, payments, diagnostics, security or support services.

At your direction: where you choose to connect a third-party service, send communications or perform an action that requires data to be shared.

Legal or compliance reasons: where we are required to comply with a lawful request, enforce our terms or protect rights, property, users or the public.

Business restructuring: if Scrubix or related assets are reorganised, sold or transferred, data may be transferred subject to continued protection and lawful handling.

Except in those circumstances, we do not disclose personal data to third parties for their own independent marketing use.

8. GoCardless direct debit integration

GoCardless connection is optional. When enabled by an authorised account user, Scrubix may process GoCardless merchant identifiers, mandate references, payment status records, invite status, webhook events and related payment metadata needed to support direct debit workflows.

GoCardless data is used only to provide visible Scrubix payment features such as direct debit setup, customer invite links, mandate tracking, collection status and reconciliation support.

We do not use GoCardless data for advertising, resale or unrelated secondary purposes. GoCardless also acts as an independent provider under its own terms and privacy policies.

9. Google Gmail integration (Google user data disclosures)

Google OAuth

Gmail connection is optional. When enabled by an authorised account user, Scrubix requests Google permissions to send email, read inbox messages relevant to the email experience and maintain synced email threads inside Scrubix.

We request only the Google permissions needed for the Gmail features shown in Scrubix. This currently covers sending email, reading relevant inbox content for thread sync and identifying the connected Google mailbox. We do not request broader Google account access than is necessary to provide those features.

Google API Services User Data Policy (Limited Use): Scrubix's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • Google user data we access: connected Google account email address, OAuth tokens, message and thread identifiers, email metadata such as sender, recipient, subject and timestamps, and message content needed for sending, reading and syncing emails within Scrubix. Where attachments form part of an email thread used in Scrubix, related attachment data may also be processed where necessary for that feature.
  • How we use Google user data: to send emails from Scrubix, read and sync relevant inbox emails into Scrubix threads, keep message history accurate, surface replies in the customer communication workflow, and support related user-requested email functionality inside the app.
  • Minimum scope and limited access: we only access Google user data after you authorise the Gmail integration through OAuth. We do not request or access Google Drive, Google Contacts, Google Calendar or other Google account data unless that access is separately described and authorised.
  • Sharing/disclosure: we do not sell Google user data or use it for advertising. We only share Google user data with core service providers that help operate Scrubix securely, where required by law, or where necessary to prevent abuse, investigate security issues or comply with lawful obligations.
  • Human access restrictions: access to Google user data is limited to authorised personnel and systems with a legitimate operational need, such as maintaining the service, investigating abuse, handling a support request you initiated, or complying with legal obligations.
  • Data protection mechanisms: Google tokens and related credentials are stored encrypted at rest, all data in transit is protected with TLS, access is restricted by least-privilege controls, and activity is logged for audit and security purposes.
  • Retention and deletion: Google user data is retained only while the Gmail integration is active and only as needed to provide the email features. If you disconnect Gmail, Scrubix revokes access and stops future sync. You can delete synced emails and message records inside the app, and if you request account deletion we remove retained Google user data unless we are legally required to keep it.
  • No ads or model training: we do not use Google user data for advertising, marketing profiling, cross-service profiling or to train generalized machine learning models.

We do not access Google Drive files, Google Contacts or other Google account data unless we clearly state that functionality and obtain the required permission for it. Gmail access is limited to the email features you actively choose to use inside Scrubix.

If you revoke access from your Google account or disconnect the integration inside Scrubix, future Gmail access stops. Any retained Gmail-derived data inside Scrubix remains subject to the retention and deletion rules set out below.

If Google user data is handled in a new way in future, we would update this policy before using that data for the new purpose.

10. International transfers

Where data transfers occur outside the UK, we apply safeguards required under UK GDPR, including contractual and technical protections.

Depending on the services you enable, some providers may process limited data internationally in order to deliver hosting, messaging, email or infrastructure services. Where this happens, we take steps to ensure that appropriate safeguards are in place.

Those safeguards may include contractual commitments, technical controls and provider-level compliance mechanisms where available and appropriate.

11. How long we keep personal data

Account data: retained while your account is active and for required legal or operational periods thereafter (for example, tax and statutory obligations).

Customer and job records: retained in your account until you delete them or your account is closed. Some records may be retained where legally required.

Support and diagnostics: retained only for operational support, troubleshooting and security purposes.

Backups: encrypted backups rotate out on a rolling basis and are deleted in line with backup retention schedules.

Gmail integrations: connection tokens are retained only while the integration remains active or until revoked, expired or removed for security reasons. Synced email content retained in Scrubix follows Scrubix operational retention rules unless you delete it sooner where such controls are available.

We may retain certain records after account closure where required for tax, accounting, dispute handling, fraud prevention, legal compliance or to establish, exercise or defend legal claims. When retention is no longer required, data is deleted or anonymised.

Deletion from live systems may not always be instantaneous, but retained copies remain subject to security controls and are removed in accordance with our operational retention processes.

12. Your rights

You may request access, correction, deletion, objection, restriction or portability of your data where applicable.

If you are one of our customers, you may also have the right to withdraw consent where consent is the relevant legal basis, or to object to certain processing carried out under legitimate interests. If you are an end customer of a business that uses Scrubix, you should usually direct your request to the Scrubix account holder who controls that data, although we may assist where appropriate.

You may also have the right to ask for inaccurate information to be corrected, for processing to be restricted in certain circumstances, or for data to be exported where portability rights apply.

Requests: data@scrubix.co.uk. You can also complain to the ICO or your relevant supervisory authority.

13. Cookies and similar technologies

Our website uses cookies and similar technologies to support core functionality, remember preferences, improve performance, and protect forms or login actions where security tools such as reCAPTCHA are enabled.

Some cookies are essential to make the site work. Others may be used to support analytics, functional preferences or security controls. You can manage cookie preferences through your browser settings, although some site features may not work properly if essential cookies are disabled.

More detail may also be provided in our Cookie Policy where separate cookie-level disclosures are appropriate.

14. Children

Scrubix is a business platform and is not intended for use by children. We do not knowingly collect personal data from children in connection with the service.

15. Changes to this policy

We may update this policy from time to time. The updated version and date are published on this page, and where changes are material we may also notify users through the app, website or account contact details.

16. Contact

If you have questions about this Privacy Policy, your data, or a request relating to your rights, please contact us at data@scrubix.co.uk.

Get in touch

Company service@Scrubix.co.uk 0330 043 6149

© 2026 Scrubix. All rights reserved.