GDPR Statement (EU/UK)

What Scravio is (and isn’t)

• Software tool, not a data broker. Scravio is a customer-controlled tool that locates and structures publicly available business contact details found on public web pages discoverable via search engines.
• No login bypassing. We do not access content behind authentication, paywalls, CAPTCHAs or technical access controls.
• Public-source only. We retrieve only information that is publicly visible without sign-in and respect site access rules and reasonable rate limits.
• B2B focus. Scravio is designed for business contexts. Customers should avoid using personal or sensitive data and must follow direct-marketing rules.

Roles under GDPR/UK GDPR

• Controller (our operations). For our website, billing, security/fraud-prevention and platform telemetry, Scravio acts as a controller.
• Processor (your lead discovery jobs). When you start a job (e.g., keywords/targets), Scravio acts on your instructions to find public pages, validate addresses you select, and generate exports. A Data Processing Addendum (DPA) is available, including sub-processor disclosures and SCCs/IDTA where applicable.

Categories of data we handle for you (processor scope)

Data elements: Publicly visible business contact details (e.g., work email published on a business page), page/source URL, “first seen / last checked,” validation metadata, and your account/job identifiers.

Sources: Public webpages that are accessible without login and often discovered through search engines.

No special categories: We do not seek or process special-category data or data about minors. Customers should filter out non-business/personal addresses.

Lawful basis (your use of data)

Many B2B controllers rely on legitimate interests for prospecting, subject to the three-part test (purpose, necessity, balancing) and applicable direct-marketing rules (e.g., PECR in the UK). Scravio supports necessity/minimisation by limiting collection to public sources, attaching source URLs, and enabling suppression/removal workflows. Your organisation is responsible for choosing and documenting a lawful basis.

Transparency & Article 14 support

Where contact details are not collected directly from the individual, controllers may have Article 14 transparency duties. Scravio helps by including source URLs in exports so you can meet information-notice obligations and maintain accurate records.

Data subject rights (Articles 12–23)

We provide tools and channels to help you respond to access, rectification, erasure, restriction, objection, and portability requests relevant to data you control. We support suppression/removal in your exports and can block re-collection of specific addresses upon request.

Retention & deletion

You control retention for exports and job outputs, with configurable retention windows.

We honour deletion and suppression requests for our controller-scope systems and maintain logs evidencing actions taken.

International transfers & subprocessors

For transfers outside the EEA/UK in processor or controller contexts, we use appropriate safeguards (e.g., SCCs/IDTA) and publish a current sub-processor list. We conduct due diligence and require equivalent protections via contract.

Security

• Encryption in transit and at rest
• Least-privilege access, audit logging
• Rate-limited retrieval and abuse monitoring
• Independent vulnerability management and incident response procedures

Acceptable use & direct-marketing rules

• No spam / unlawful outreach. Customers must comply with applicable anti-spam and privacy laws (e.g., CAN-SPAM, PECR) and honour opt-out mechanisms.
• No prohibited categories. Do not target or process sensitive categories or private individuals.
• Respect websites’ terms and technical measures.

Contact (EU/UK privacy): [email protected]

Last updated: 29 September 2025