Scravio

Scravio GDPR Statement

Last updated: June 6, 2026

This GDPR Statement explains how Zorix, LLC, doing business as Scravio ("Scravio," "we," "us," or "our"), approaches GDPR, UK GDPR, and related data protection requirements for the Scravio Service.

This page is a summary. It should be read together with the Privacy Policy, Data Processing Addendum, Subprocessor Page, Security Page, and Terms of Service.

1. Roles under GDPR and UK GDPR

Scravio's role depends on the processing context.

Processing contextScravio role
Customer Content, task inputs, URLs, lists, public business contact data, Outputs, and exports processed under customer instructionsProcessor
Account registration, login, billing, support, security logs, product analytics, fraud prevention, abuse prevention, legal compliance, and Service administrationController
Payment processing handled by Stripe, Paddle, banks, card networks, or merchants of recordRole depends on provider terms and checkout flow

Customers are generally controllers for Customer Personal Data processed through the Service under their instructions.

2. Data Processing Addendum

Scravio provides a Data Processing Addendum for customers that require an Article 28 processor agreement.

The DPA addresses:

  1. subject matter and duration of processing;
  2. nature and purpose of processing;
  3. categories of personal data and data subjects;
  4. customer instructions;
  5. confidentiality;
  6. technical and organizational security measures;
  7. subprocessor authorization;
  8. data subject request assistance;
  9. security incident notification;
  10. deletion or return of Customer Personal Data;
  11. audit and information rights;
  12. international transfers; and
  13. CCPA/service-provider commitments where applicable.

3. Lawful basis

When Scravio acts as controller, we rely on legal bases described in the Privacy Policy, including contract, legitimate interests, consent, and legal obligation.

When Scravio acts as processor, the customer is responsible for identifying and documenting the lawful basis for processing Customer Personal Data, including any legitimate interests assessment, consent, notice, or other requirement that applies to the customer's use.

4. Public business contact data

Scravio is designed to process public, non-gated, non-password-protected business information based on customer instructions.

Customers are responsible for determining whether they may lawfully discover, validate, export, contact, or otherwise use business contact data in their jurisdiction and for their use case.

Customers must not use Scravio to process sensitive personal data, special category data, children's data, protected-class data, or data from private or access-controlled sources.

5. Data subject rights

If Scravio receives a data subject request relating to Customer Personal Data for which a customer is controller, Scravio may direct the requester to the relevant customer or Workspace owner and will support the customer as described in the DPA.

If Scravio receives a request relating to personal data for which Scravio is controller, Scravio will handle the request according to the Privacy Policy and applicable law.

Requests may be sent to [email protected].

6. Subprocessors

Scravio uses subprocessors to host, operate, secure, support, and maintain the Service.

Scravio provides general subprocessor authorization through the DPA and maintains a Subprocessor Page. Where required, Scravio will provide notice of material changes and allow customers to object on reasonable data protection grounds.

7. International transfers

Scravio is based in the United States. Scravio and its subprocessors may process personal data in the United States and other countries.

Where required for transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, Scravio uses appropriate safeguards such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, Swiss transfer safeguards, and transfer impact assessments where applicable.

8. Security measures

Scravio uses technical and organizational measures designed to protect Customer Personal Data, including access controls, encryption in transit, logging, monitoring, backup practices, vulnerability management, personnel confidentiality, subprocessor controls, and incident response procedures.

More information is available in the Security Page and DPA Annex 2.

9. Retention and deletion

Retention depends on the data category, workspace settings, subscription status, legal obligations, and Service configuration.

Unless a different retention period applies, Customer task inputs, Outputs, and exports are typically retained for up to 90 days after task completion, and backups are overwritten on a rolling basis typically within 30 to 60 days.

Customers may export or delete certain data using available Service functionality, subject to plan limits and technical limitations.

10. Customer responsibilities

Customers are responsible for:

  1. lawful basis and notices;
  2. data subject rights handling;
  3. marketing and outreach compliance;
  4. opt-out, unsubscribe, suppression, and objection management;
  5. source and platform compliance;
  6. avoiding sensitive or prohibited data;
  7. reviewing and validating Outputs; and
  8. securing exports and downstream systems.

11. Contact

GDPR-related questions may be sent to:

Email: [email protected]
Company: Zorix, LLC, doing business as Scravio
Address: 1111B S Governors Ave STE 40623, Dover, DE 19904, United States
Phone: +13024402968