
Privacy Policy
This Privacy Policy explains how Scrubbe Ltd collects, uses, stores, and protects personal data in connection with the Scrubbe incident intelligence platform and our marketing presence. We are committed to processing personal data lawfully, transparently, and in accordance with UK GDPR, EU GDPR, and all applicable data protection law.
Overview & Scope
Data you own
Customer incident and telemetry data remains yours. We process it only on your instructions.
Art. 28 UK GDPR Processor
Where it lives
Processed and stored in the EEA and UK by default. Enterprise residency options available.
EEA / UK default
How long we keep it
Account data is deleted within 90 days of termination. Audit logs retained for 7 years.
30-day export window
Your rights
Access, rectification, erasure, portability, restriction, objection — respond within 30 days.
Art. 15-22 UK GDPR
Breach notification
We notify you within 72 hours of a confirmed breach affecting your personal data.
Art. 33-34 UK GDPR
No selling of data
We never sell, rent, or trade personal data to third parties for marketing purposes.
Zero data brokering
This Privacy Policy applies to all personal data processed by Scrubbe Ltd in connection with:
- The Platform: Personal data of Authorised Users who access the Scrubbe incident intelligence platform under a subscription.
- The Website: Personal data of visitors to www.scrubbe.com and any associated marketing pages or documentation portals.
- Sales & Support: Personal data collected during pre-sales conversations, customer onboarding, technical support engagements, and account management.
- Customer Data (as processor): Telemetry, alert data, log payloads, and other operational data that Customers submit to the Platform. We process this as a data processor acting on Customer instructions — not as a controller.
This Policy does not govern data processed by third-party services that you may connect to the Platform via Connectors (e.g. PagerDuty, Datadog, AWS). You should review the privacy policies of those services separately.
Controller vs Processor
For personal data in Customer-submitted incident payloads and telemetry, Scrubbe acts as a Data Processor and the Customer is the Data Controller.
Our Data Processing Agreement ("DPA") governs that relationship. This Policy primarily describes our activities as a data controller in our own right.
Data Controller
The data controller responsible for personal data processed under this Policy is:
| Company | Scrubbe Ltd |
| Jurisdiction | England & Wales |
| Website | www.scrubbe.com |
| Privacy contact | privacy@scrubbe.com |
| Lead supervisory authority | Information Commissioner's Office (ICO), United Kingdom. Registration number maintained on the ICO register. |
Data We Collect
We collect personal data in the following categories depending on how you interact with Scrubbe:
| Category | Examples | Source |
|---|---|---|
| Account & identity | Name, work email address, job title, organisation name, profile picture | Provided by you or your employer at onboarding |
| Authentication data | Hashed passwords, SSO tokens, MFA state, session tokens | Generated at login; never stored in plaintext |
| Usage & activity | Feature interactions, dashboard views, playbook configurations, incident approvals/rejections, API calls | Automatically collected via platform instrumentation |
| Audit events | User ID, action type, timestamp, IP address, policy version evaluated, outcome | Automatically generated for every state transition |
| Device & technical | IP address, browser type and version, operating system, viewport size, time zone | Automatically collected on web access |
| Communications | Support tickets, email correspondence, sales call notes, product feedback | Provided by you directly |
| Connector credentials | API keys, OAuth tokens, service account identifiers for third-party integrations | Provided by Customer Authorised Users; stored encrypted |
| Marketing & website | Name, work email, company, interest area from contact or demo request forms; cookie identifiers | Provided by you on the website |
| Payment data | Billing contact name and email, company name, VAT number. Card details are handled exclusively by our payment processor and never stored by Scrubbe. | Provided at subscription purchase |
We do not knowingly collect special category personal data (health, biometric, racial or ethnic origin, political opinions, etc.) in the normal course of operating the Platform. If any such data appears in Customer-submitted incident payloads, it is processed as Customer Data under the DPA and the Customer is responsible as controller for its lawfulness.
Legal Basis for Processing
We rely on the following legal bases under UK GDPR Article 6 for our processing activities:
| Processing Activity | Legal Basis |
|---|---|
| Provisioning and operating your account | Contract — Art. 6(1)(b) |
| Authentication, session management, security controls | Contract — Art. 6(1)(b) |
| Billing, invoicing, and payment processing | Contract — Art. 6(1)(b) |
| Product usage analytics (aggregated, to improve the Service) | Legitimate Interests — Art. 6(1)(f) |
| Audit trail and compliance record-keeping | Legal Obligation — Art. 6(1)(c) |
| Security monitoring, fraud detection, abuse prevention | Legitimate Interests — Art. 6(1)(f) |
| Customer support and account communications | Contract — Art. 6(1)(b) |
| Marketing emails to prospects and existing customers | Consent — Art. 6(1)(a) & Legitimate Interests |
| Non-essential cookies and analytics tracking on website | Consent — Art. 6(1)(a) |
| Compliance with legal obligations (tax, regulatory) | Legal Obligation — Art. 6(1)(c) |
Where we rely on Legitimate Interests, we have conducted a Legitimate Interests Assessment (LIA) and are satisfied that our interests are not overridden by the rights and freedoms of data subjects. You may request a summary of our LIA by contacting privacy@scrubbe.com.
How we use Data
We use personal data collected as controller for the following purposes:
| Service delivery: | Provisioning accounts, authenticating users, enforcing role-based access controls, routing notifications, and delivering all platform features within Subscription entitlements. |
| Security and integrity: | Detecting, investigating, and responding to security incidents, abuse, and policy violations. Maintaining the immutable audit trail of all platform actions. |
| Product improvement: | Analysing aggregated, anonymised usage patterns to prioritise features, improve agent accuracy, and optimise system performance. We do not use individual-level usage data to build personal profiles for advertising. |
| Customer communications: | Sending service notifications, release notes, security advisories, billing communications, and support responses. These are non-optional for account holders. |
| Marketing: | Sending product updates, case studies, webinar invitations, and relevant content to prospects and customers who have opted in. You may withdraw consent at any time. |
| Legal compliance: | Meeting obligations under applicable law, including responding to lawful requests from regulatory authorities. |
| Business operations: | Managing our commercial relationships, processing payments, and maintaining corporate records. |
No Automated Decision-Making on You
While the Scrubbe Platform uses AI agents to make automated decisions about operational incidents, we do not use automated decision-making or profiling about individual users or data subjects that produces legal or similarly significant effects — as defined under Art. 22 UK GDPR.
Customer & Incident Data
When Customers submit telemetry, alerts, log payloads, and related operational data to the Platform, Scrubbe acts exclusively as a data processor under Article 28 UK GDPR. This means:
- We process Customer Data only on documented instructions from the Customer (as set out in the DPA and Order Form).
- We do not use Customer Data for any purpose other than providing and maintaining the Service, unless required by law.
- We impose binding confidentiality and data protection obligations on all sub-processors who access Customer Data.
- We assist Customers in responding to data subject rights requests relating to personal data contained within Customer Data.
- We maintain records of all processing activities performed on behalf of each Customer tenant.
- Upon termination, Customer Data is retained for 30 days to allow export and then securely deleted within 90 days, except where law requires longer retention.
Customer Responsibility
Customers are responsible as data controllers for ensuring they have a lawful basis for submitting personal data to the Platform via Connectors. Scrubbe's ingestion pipeline processes all submitted data without inspecting it for personal data at the point of entry — it is the Customer's responsibility to apply appropriate data minimisation at source.
Scrubbe maintains a Data Processing Agreement ("DPA") that governs all processor-level processing. Enterprise Customers must execute the DPA prior to submitting personal data to the Platform. Our standard DPA is available at www.scrubbe.com/dpa.
Data Sharing
We do not sell, rent, or trade personal data. We share personal data only in the following limited circumstances:
| Sub-processors | Third-party infrastructure and SaaS providers that process personal data on our behalf to deliver the Service (e.g. cloud hosting, email delivery, error monitoring, payment processing). A current list of sub-processors is maintained at www.scrubbe.com/sub-processors. We notify Customers at least 30 days before adding a new sub-processor. |
| Professional advisors | Lawyers, auditors, and accountants acting in an advisory capacity, subject to professional confidentiality obligations. |
| Regulatory authorities | We may disclose personal data to regulatory or law enforcement authorities where required by applicable law or a valid legal order. We will notify affected Customers where legally permitted to do so. |
| Business transactions | In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the successor entity, subject to equivalent privacy protections. We will notify affected individuals before any such transfer takes effect. |
| With your consent | For any sharing not described above, we will seek your explicit consent before proceeding. |
International Transfers
Scrubbe is headquartered in the United Kingdom. By default, personal data and Customer Data are processed and stored within the EEA and/or the UK, both of which have adequacy decisions or equivalent frameworks in place.
Where data is transferred to countries outside the UK/EEA (for example, via certain sub-processors), we ensure an appropriate safeguard is in place, including:
- UK International Data Transfer Agreements (IDTAs) for transfers from the UK to third countries.
- EU Standard Contractual Clauses (SCCs) for transfers from the EEA, supplemented by a Transfer Impact Assessment where required.
- UK/EU adequacy decisions where the receiving country has been granted adequacy status.
Enterprise Customers requiring data residency strictly within the UK or EEA may request this configuration in their Order Form. We will identify any sub-processors that may necessitate transfers outside these regions and provide appropriate documentation.
Transfer Records
You may request a copy of the transfer safeguards applicable to your data by contacting privacy@scrubbe.com. We maintain Article 30 records of processing activities including all international transfer mechanisms.
Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law. Our standard retention periods are:
| Retention period | Data category | Details |
|---|---|---|
| Duration of subscription + 30 days | Account & profile data | Name, work email, role, and access records. Retained for 30 days post-termination to allow export, then permanently deleted. |
| Duration of subscription + 90 days | Customer incident & telemetry data | All Customer Data processed as a processor, including enriched incident records and agent action logs. Securely deleted within 90 days of contract end, unless law requires longer. |
| 7 years | Audit trail & compliance records | The immutable audit log of all state transitions, approvals, policy evaluations, and action outcomes. Retained for regulatory compliance and legal defensibility. |
| 7 years | Financial & billing records | Invoices, payment records, and associated contact data retained to satisfy statutory accounting obligations under UK Companies Act 2006. |
| 3 years from last contact | Marketing & prospect data | Records of individuals who have expressed interest in Scrubbe but have not become customers. Suppression records (opt-outs) are retained indefinitely. |
| 90 days rolling | Security & access logs | Server access logs, authentication events, and IP address records used for security monitoring and incident investigation. |
Security
Scrubbe implements layered technical and organisational security measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include:
| Encryption in transit: | All data transmitted between clients and the Platform uses TLS 1.2 or higher. Internal service-to-service communication is encrypted. |
| Encryption at rest: | All stored personal data and Customer Data is encrypted using AES-256. |
| Access controls: | Scrubbe personnel access to Customer environments is strictly role-limited, logged, and subject to a least-privilege policy. Access requires multi-factor authentication. |
| Penetration testing: | Annual independent penetration tests and continuous automated vulnerability scanning of the Platform. |
| Incident response: | A documented information security incident response process, including escalation paths and Customer notification procedures. |
| Sub-processor assessment: | All sub-processors handling personal data are assessed for security posture before onboarding and periodically thereafter. |
| Immutable audit logs: | All access to Customer Data by Scrubbe personnel is logged in an append-only audit trail that cannot be modified or deleted. |
Breach notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware. We will notify affected Customers without undue delay where the breach is likely to result in high risk to individuals, providing sufficient information to allow them to fulfil their own notification obligations.
To report a security vulnerability or suspected breach, contact security@scrubbe.com.
Your Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to personal data we hold about you as controller. These rights apply to our processing of your personal data as a Scrubbe user, website visitor, or contact — not to Customer Data (where rights should be directed to the relevant Customer/controller).
| Article | Right | Description |
|---|---|---|
| Art. 15 UK GDPR | Right of Access | Request a copy of the personal data we hold about you, together with information about how and why we process it. |
| Art. 16 UK GDPR | Right to Rectification | Request correction of inaccurate or incomplete personal data we hold about you. |
| Art. 17 UK GDPR | Right to Erasure | Request deletion of your personal data where there is no lawful basis for us to continue holding it. Subject to legal retention requirements. |
| Art. 18 UK GDPR | Right to Restriction | Request that we limit our processing of your personal data in certain circumstances, such as while a dispute about accuracy is resolved. |
| Art. 20 UK GDPR | Right to Portability | Receive your personal data in a structured, machine-readable format and transfer it to another controller where technically feasible. |
| Art. 21 UK GDPR | Right to Object | Object to processing based on legitimate interests (including profiling) at any time. You may always unsubscribe from marketing communications. |
| Art. 7(3) UK GDPR | Right to Withdraw Consent | Withdraw consent at any time where we rely on it as a legal basis. Withdrawal does not affect the lawfulness of prior processing. |
| Art. 77 UK GDPR | Right to Lodge a Complaint | Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local supervisory authority if you believe we have infringed your rights. |
To exercise any right, submit a request to privacy@scrubbe.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before processing the request. Rights requests are free of charge, though we may charge a reasonable fee for manifestly unfounded or excessive requests.
Children's Privacy
The Scrubbe Platform and website are directed exclusively at business users and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children.
If you believe that a child has provided personal data to Scrubbe, please contact privacy@scrubbe.com and we will take prompt steps to delete the relevant data.
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. When we make material changes, we will:
- Notify account holders by email to the primary registered address at least 30 days before the changes take effect.
- Display a prominent notice within the Platform and on the Scrubbe website.
- Update the "Last updated" date at the top of this Policy.
- Maintain a version history so you can review what has changed.
Your continued use of the Platform after the effective date of an updated Policy constitutes acceptance of the changes. If you do not accept material changes, you may exercise your right to erasure or account closure by contacting privacy@scrubbe.com.
For non-material changes (such as clarifications, typographical corrections, or descriptions of existing practices), we will update the Policy without prior notice.
Contacts & Notices
For legal notices under these Terms, or to report a potential breach of these Terms, please contact Scrubbe's legal team using the details below. Notices sent by email are deemed received on the next business day. Notices sent by recorded post to the registered address are deemed received three business days after posting.
Legal enquiries
legal@scrubbe.com
Security & data incidents
security@scrubbe.com
General enquiries
p.ifediora@scrubbe.com
Phone
+44 7487 614645
Company
Scrubbe Ltd
Website
www.scrubbe.com
