Scravio

Scravio Privacy Policy

Last updated: June 6, 2026

Scravio is operated by Zorix, LLC, doing business as Scravio ("Scravio," "we," "us," or "our"). Scravio provides a cloud-based software-as-a-service platform available at scravio.com and related subdomains that helps business customers discover, validate, de-duplicate, enrich, organize, and export publicly available business contact information and related business data (the "Service").

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data when you visit our website, create an account, use the Service, contact us, or interact with us.

If you do not agree with this Privacy Policy, do not use the Service.

1. Important role clarification

Our privacy role depends on the context.

Processing contextScravio roleDescription
Website visits, account registration, login, billing, subscriptions, support, security logs, fraud prevention, abuse prevention, product analytics, legal compliance, and Service administrationControllerWe decide why and how this data is processed.
Customer Content, task inputs, URLs, lists, instructions, workspace data, and Outputs processed solely to provide the Service to a customer under that customer's instructionsProcessor / service provider / contractorThe customer is the controller or business. Scravio processes this data under the customer's instructions, our Terms, and our Data Processing Addendum where applicable.
Payment data processed by Stripe, Paddle, banks, card networks, or other payment providersRole depends on provider termsPayment providers may act as independent controllers, processors, merchants of record, or service providers depending on the checkout flow and provider terms.
Security investigations, abuse prevention, sanctions screening, legal requests, fraud prevention, enforcement of our Terms, and protection of the ServiceControllerWe may process relevant account data, logs, Customer Content, or Outputs where necessary to protect the Service, users, third parties, or comply with law.
Public business contact data processed outside a customer's documented instructions, if applicableIndependent controllerIf we independently decide to collect, cache, index, enrich, or reuse public business contact data for Scravio's own product or compliance purposes, we act as an independent controller for that processing.

For Customer Content that contains personal data and is processed under customer instructions, the Data Processing Addendum applies where required by applicable data protection laws.

2. Who we are and how to contact us

Controller / service provider: Zorix, LLC, doing business as Scravio
Address: 1111B S Governors Ave STE 40623, Dover, DE 19904, United States
Phone: +13024402968
Website: https://scravio.com
Email: [email protected]

If you are located in the EEA, UK, or Switzerland and need to contact our privacy representative or Data Protection Officer, if one has been appointed, email [email protected] and we will route your request appropriately.

3. Scope

This Privacy Policy applies to personal data we process in connection with:

  1. our website and online properties;
  2. the Scravio application and Service;
  3. account creation and authentication;
  4. billing, subscriptions, payments, and invoices;
  5. customer support and communications;
  6. Service analytics, logs, security, fraud prevention, and abuse prevention;
  7. marketing communications we send about Scravio; and
  8. legal, compliance, and business operations.

This Privacy Policy does not govern third-party websites, platforms, payment providers, social networks, or other services that we do not control. Their own privacy policies apply.

4. Personal data we collect

4.1 Data you provide directly

We may collect personal data that you provide directly, including:

  • Account and profile data: name, email address, password hash, workspace identifiers, role, company name, job title, team information, and user settings.
  • Business and billing data: billing name, company, tax/VAT ID, billing address, payment method metadata, plan, subscription status, invoices, receipts, and payment history. We do not store full card numbers.
  • Support and communications: messages, attachments, screenshots, logs, call notes, contact details, feedback, survey responses, and other information you provide when contacting us.
  • Preferences: notification settings, marketing preferences, cookie choices, language, and product preferences.
  • Verification and compliance data: information used to verify account ownership, prevent abuse, screen for sanctions, investigate fraud, enforce our Terms, or comply with law.

4.2 Data collected automatically

When you visit our website or use the Service, we may collect:

  • Device and browser data: IP address, device type, browser type and version, operating system, language, region, screen resolution, and user agent.
  • Usage data: pages viewed, referring and exit pages, timestamps, clicks, feature usage, workflow events, task status, exports, errors, performance metrics, and session information.
  • Security and log data: authentication logs, API usage, IP logs, access events, audit logs, fraud signals, abuse indicators, crash logs, and diagnostic data.
  • Cookies and similar technologies: session cookies, authentication cookies, preference cookies, analytics cookies, local storage, pixels, and similar technologies. See the Cookie Policy.

4.3 Customer Content processed under customer instructions

Customers may submit, upload, configure, or instruct the Service to process:

  • URLs, domains, keywords, search queries, lists, files, prompts, filters, and task instructions;
  • publicly available business contact data, such as business email addresses, business names, company names, job titles, business profiles, public social links, public website information, and related metadata;
  • validation, enrichment, de-duplication, export, and workflow results;
  • workspace data, task logs, usage records, and exports.

Where we process this data solely to provide the Service under a customer's instructions, the customer is responsible for determining whether it has the necessary rights, notices, lawful bases, consents, and permissions to process and use the data.

4.4 Data from third parties

We may receive personal data from:

  • payment providers such as Stripe or Paddle;
  • identity, authentication, or login providers;
  • analytics, support, security, hosting, and infrastructure providers;
  • business contact forms, referrals, partners, or resellers;
  • public sources where you or your organization instruct the Service to process public business information;
  • fraud prevention, sanctions screening, or compliance providers; and
  • public databases, government records, or business registries where relevant to compliance or business operations.

5. Sensitive data and children's data

The Service is not designed to collect or process sensitive personal data, special category data, protected-class data, government identifiers, financial account data, health data, biometric data, precise geolocation, or data about children.

Customers must not submit, request, or instruct the Service to collect or process such data.

The Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. Where local law sets a higher minimum age, we comply with that higher age where required. If you believe a child has provided personal data to us, contact [email protected].

6. Sources and public business data

For features where customers instruct the Service to discover or validate business contact information, the Service is designed to interact only with public, non-password-protected, non-gated sources and publicly displayed business information.

We do not intend for the Service to access private accounts, login-only areas, paywalled pages, restricted APIs, internal systems, or sources protected by access controls. Customers must not instruct the Service to bypass technical restrictions, CAPTCHA, paywalls, rate limits, access controls, or platform restrictions.

Availability of public business data depends on third-party websites, technical restrictions, source availability, user inputs, platform policies, and applicable law. Customers are responsible for ensuring their use of discovered or exported data is lawful.

7. How we use personal data as controller

When we act as controller, we use personal data to:

  1. provide, operate, maintain, secure, and improve the Service;
  2. create, authenticate, and manage accounts and workspaces;
  3. process payments, manage subscriptions, issue receipts, handle billing support, and prevent payment fraud;
  4. provide customer support, respond to inquiries, and troubleshoot issues;
  5. send administrative, security, transactional, legal, and service-related notices;
  6. send marketing communications where permitted by law or with consent, and honor opt-outs;
  7. analyze usage, measure performance, debug errors, and improve user experience;
  8. detect, prevent, and investigate fraud, abuse, spam, unauthorized access, security incidents, policy violations, and unlawful activity;
  9. enforce our Terms, DPA, policies, and legal rights;
  10. comply with legal obligations, sanctions, export controls, tax and accounting requirements, and lawful requests;
  11. protect the rights, property, safety, and security of Scravio, users, data subjects, third parties, target sites, and the public; and
  12. conduct corporate transactions, audits, reporting, and internal business operations.

Where GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases:

  • Contract: to provide the Service, manage accounts, process subscriptions, and deliver support.
  • Legitimate interests: to secure and improve the Service, prevent fraud and abuse, understand usage, enforce terms, protect rights, and operate our business, where those interests are not overridden by your rights.
  • Consent: for non-essential cookies, certain marketing communications, or other processing where consent is required.
  • Legal obligation: to comply with tax, accounting, sanctions, export control, consumer protection, data protection, corporate, or other legal obligations.
  • Vital interests or public interest: where necessary in rare circumstances to protect safety or comply with public authority requests.

If we process Customer Content as processor, the customer is responsible for identifying the applicable legal basis for its own processing.

9. Processing Customer Content as processor

When a customer uses the Service to discover, validate, de-duplicate, enrich, organize, or export business contact data under that customer's instructions, we process Customer Content as processor, service provider, or contractor.

In that role, we process Customer Content to:

  1. provide the Service;
  2. perform tasks and workflows requested by the customer;
  3. generate, store, display, and export Outputs;
  4. maintain, secure, troubleshoot, and support the Service;
  5. prevent abuse, fraud, security incidents, and unlawful use;
  6. comply with law and enforce our Terms; and
  7. perform other processing described in the DPA or customer's documented instructions.

We do not sell Customer Content. We do not use Customer Content for our own marketing. We do not share Customer Content for cross-context behavioral advertising.

If we receive a data subject request relating to Customer Content for which a customer is the controller, we may direct the requester to the relevant customer or workspace owner and will support the customer as described in the DPA.

10. How we disclose personal data

We may disclose personal data to:

10.1 Service providers and subprocessors

We use service providers and subprocessors to provide hosting, storage, infrastructure, logging, analytics, security, support, communications, payments, billing, fraud prevention, and other operational services.

These providers may process personal data only as needed to provide services to us and must protect personal data under appropriate contractual obligations.

A current subprocessor list is available on the Subprocessor Page or upon request.

10.2 Payment providers and merchants of record

Payment data may be processed by Stripe, Paddle, banks, card networks, tax providers, and other payment providers. These providers may act as independent controllers, processors, merchants of record, or service providers depending on the payment flow and provider terms.

10.3 Customers and workspace administrators

If you use the Service through a Workspace, the Workspace owner, administrators, and authorized users may access your account data, Customer Content, Outputs, task history, exports, audit logs, and usage information associated with that Workspace.

We may disclose personal data where we believe disclosure is necessary to comply with law, legal process, regulatory requests, sanctions, export controls, tax obligations, court orders, or law enforcement requests; enforce our Terms; prevent fraud or abuse; protect rights, safety, and security; or respond to emergencies.

10.5 Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, personal data may be disclosed or transferred as part of that transaction. We will use reasonable efforts to require the recipient to protect personal data consistently with this Privacy Policy.

We may disclose personal data with your consent, at your direction, or as otherwise described at the time of collection.

11. International transfers

We are based in the United States. We and our service providers may process personal data in the United States and other countries where data protection laws may differ from those in your jurisdiction.

Where required by applicable law, we use appropriate transfer safeguards, such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, Swiss transfer safeguards, data processing agreements, transfer impact assessments, and other lawful transfer mechanisms.

12. Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Typical retention periods are:

CategoryTypical retention period
Account and profile dataLife of the account, then up to 3 years after closure unless needed longer for legal, security, billing, or dispute purposes
Billing, invoice, tax, and transaction recordsUp to 7 years or longer if required by tax, accounting, payment, or legal rules
Support communicationsUp to 3 years after resolution unless needed longer for legal, security, or operational purposes
Security logs, authentication logs, and abuse-prevention recordsTypically 30 to 180 days, but longer if needed for security, fraud, legal, or dispute purposes
Usage analytics and product telemetryTypically 30 to 180 days in identifiable form, then aggregated or deleted where feasible
Customer task inputs, Outputs, and exportsDefault retention is up to 90 days after task completion unless workspace settings, plan settings, the DPA, or legal requirements specify another period
BackupsOverwritten on a rolling basis, typically within 30 to 60 days, unless isolated for security, legal, or continuity purposes
Marketing records and consent/opt-out recordsUntil you opt out or as long as needed to honor preferences and comply with law

We may anonymize, aggregate, or de-identify data and retain it in non-identifiable form.

13. Security

We use administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, least-privilege practices, monitoring, backups, vulnerability management, and incident response procedures.

No method of transmission or storage is completely secure. We cannot guarantee absolute security.

You are responsible for securing your account credentials, devices, API keys, access tokens, integrations, exports, and downstream systems.

More information is available on the Security Page.

14. Your rights and choices

Depending on your location and the context of processing, you may have rights to:

  1. access personal data;
  2. correct inaccurate personal data;
  3. delete personal data;
  4. receive a copy of personal data;
  5. object to processing;
  6. restrict processing;
  7. withdraw consent;
  8. opt out of marketing communications;
  9. opt out of certain targeted advertising, sale, or sharing where applicable;
  10. limit use of sensitive personal information where applicable; and
  11. appeal a denied privacy request where applicable.

To exercise rights relating to personal data for which Scravio is controller, contact [email protected].

For Customer Content where a customer is the controller, contact the relevant customer or Workspace administrator. If you contact us directly about Customer Content, we may route your request to the customer or ask you to contact them.

We may need to verify your identity and authority before processing a request. We will respond within the time required by applicable law.

We will not discriminate against you for exercising privacy rights.

15. California and U.S. state privacy notices

This section applies where U.S. state privacy laws, including the California Consumer Privacy Act as amended by the CPRA, apply to our processing.

15.1 Categories of personal information

We may collect the following categories of personal information:

  • identifiers, such as name, email, IP address, account ID, and billing identifiers;
  • commercial information, such as plan, subscription, invoice, and transaction records;
  • internet or electronic network activity, such as usage logs, device data, and Service interactions;
  • professional or employment-related information, such as company, role, job title, and public business profile data;
  • geolocation approximations derived from IP address;
  • audio, electronic, or visual information if you submit support attachments, screenshots, or recordings;
  • inferences derived from usage data to improve Service experience, security, or support; and
  • sensitive personal information only where necessary for account security, fraud prevention, authentication, or legal compliance, and not for inferring characteristics.

15.2 Purposes

We use these categories for the purposes described in Sections 7 to 10, including providing the Service, billing, support, analytics, security, fraud prevention, legal compliance, and enforcement.

15.3 Sale, sharing, and targeted advertising

As of the Last Updated date, we do not sell personal information or share personal information for cross-context behavioral advertising as those terms are defined under California law. We also do not process Customer Content for targeted advertising.

If this changes, we will update this Privacy Policy and provide required opt-out mechanisms.

15.4 Global Privacy Control

Where legally required and technically feasible, we treat Global Privacy Control signals as opt-out preference signals for the browser or device sending the signal and for any known profile we can reasonably associate with that signal.

15.5 Authorized agents

Authorized agents may submit requests where permitted by law. We may require proof of authorization and identity verification.

16. Marketing communications

You may opt out of marketing emails by using the unsubscribe link in the email or by contacting [email protected].

Even if you opt out of marketing, we may still send transactional, service, legal, billing, support, and security communications.

17. Cookies and similar technologies

We use cookies and similar technologies to operate, secure, analyze, and improve the Service.

Where required by law, we obtain consent before setting non-essential cookies and provide controls through our cookie banner, cookie settings, or similar mechanism.

You can also control cookies through your browser settings. Blocking cookies may affect Service functionality.

We do not respond to browser Do Not Track signals. We honor Global Privacy Control signals where legally required as described above.

For details, see the Cookie Policy.

18. Direct marketing responsibilities of customers

If a customer uses Outputs for outreach, direct marketing, lead generation, sales, enrichment, advertising, or similar purposes, the customer is responsible for compliance with applicable laws.

Customers must have the required lawful basis, consent, permission, notices, identification, unsubscribe mechanisms, suppression lists, and opt-out procedures. Customers are the sender or initiator of their own campaigns unless expressly agreed otherwise in writing.

We do not control customer campaigns and are not responsible for customer outreach content, frequency, targeting, suppression, or compliance.

19. Third-party sites and services

The Service may link to or integrate with third-party websites, platforms, APIs, payment providers, identity providers, analytics providers, support providers, and other services.

We do not control third-party privacy practices. Review the privacy policies of those third parties before using them.

20. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be posted with a new Last Updated date.

For material changes, we will provide additional notice where required by law or where reasonably appropriate, such as by email, in-app notice, or website notice.

Your continued use of the Service after the effective date of an updated Privacy Policy means you acknowledge the updated Privacy Policy.

21. Contact

Questions or requests about this Privacy Policy may be sent to:

Email: [email protected]
Company: Zorix, LLC, doing business as Scravio
Address: 1111B S Governors Ave STE 40623, Dover, DE 19904, United States
Phone: +13024402968

If you are located in the EEA, UK, or Switzerland, you may also have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can try to resolve your concern.