Privacy Policy

Last updated: October 7, 2025

Scravio (Zorix, LLC trading as Scravio; "Scravio", "we", "us", or "our") provides a cloud-based software-as-a-service platform available at scravio.com (the "Service") that allows customers to discover publicly available business contacts from social media and the web, validate them, and export results.

This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you visit our website, create an account, or use the Service. It also explains your choices and rights.

Important role clarification

  • For personal data that you upload to or collect through the Service (e.g., business contacts), you are the data controller and we act as your data processor under applicable data protection laws. We process that data only on your instructions and our Data Processing Addendum (DPA) applies.
  • For personal data we collect about your use of our website and Service (e.g., your account details, billing, logs), we are the data controller.

If you do not agree with this Policy, please do not use the Service.


1) Who we are & contact

Controller: Zorix, LLC (trading as Scravio)
Company address: 1111B S Governors Ave STE 40623, Dover, DE 19904, United States
Phone: +13024402968
Website: https://scravio.com
Email: [email protected]

If you are in the EEA/UK and wish to contact our EU/UK representative or Data Protection Officer (if appointed), please email [email protected] and we will route your request appropriately.


2) Data we collect

a) Data you provide directly

  • Account & profile: name, email address, password (hashed), workspace/account identifiers, role.
  • Billing & payments: billing name, company, VAT/tax ID, billing address, payment method details (processed by our payment processors such as Stripe or Paddle; we do not store full card numbers).
  • Support & communications: messages, attachments, and contact details when you reach out to support or complete forms.
  • Preferences: notification and marketing preferences.

b) Data collected automatically

  • Usage & device data: IP address, device and browser type/version, operating system, language, referring/exit pages, timestamps, clickstream data, feature usage, error logs, performance data.
  • Cookies & similar technologies: session cookies (authentication), preference cookies, and analytics cookies. See § 10 Cookies.

c) Customer content processed on your behalf (processor role)

Customer-provided/discovered data: business contact details (e.g., email addresses) and related metadata that you instruct the Service to find, validate, de-duplicate, or export (for example, from public social media pages, websites, or lists you provide). You must ensure you have a lawful basis to process such data and that your use complies with applicable laws and the terms/policies of the platforms you target (see § 11 Fair & lawful use).

We do not intentionally collect special categories of personal data (e.g., health, biometric) or data about children via the Service.

Sources. For features where customers instruct the Service to discover contact details displayed on web pages, the Service interacts only with public, non-password-protected pages and publicly displayed contact details on those pages. We do not circumvent technical measures, paywalls, or access controls, and we do not authenticate into third-party accounts to obtain data. We honour site-owner instructions published via robots.txt.


3) How we use personal data (controller role)

  • Provide, operate, maintain, secure, and improve the Service.
  • Create and manage accounts; authenticate users; provide customer support.
  • Process payments, prevent fraud, and manage subscriptions.
  • Measure and analyze Service performance and usage.
  • Send administrative notices (service, security, updates). With your consent or where permitted by law, send marketing communications (you can opt out anytime).
  • Comply with legal obligations and enforce our Terms.

Legal bases (EEA/UK)

Where GDPR/UK GDPR applies, we rely on: performance of a contract, legitimate interests (e.g., to secure and improve the Service), consent (e.g., non-essential cookies/marketing), and legal obligation.

California (CPRA). We do not “sell” or “share” personal information as defined by Cal. Civ. Code §1798.140. If this changes, we will update this Policy and provide “Do Not Sell or Share” options. We also process the Global Privacy Control (GPC) as a valid opt-out preference signal and apply it to the browser, device, and any known profiles as required.


4) Processing customer content (processor role)

When you use the Service to find or discover, validate, or de-duplicate business contacts, we process that personal data solely to provide the Service according to your instructions, our Terms, and the DPA. We do not sell, share, or use such data for our own marketing.

We will notify you without undue delay upon becoming aware of a personal-data breach affecting Customer Content and assist you with data-subject requests and impact assessments as set out in our DPA.

Retention (customer content): By default, task data and exported results are retained per your workspace settings and then deleted or anonymized. Backups containing Customer Content are overwritten on a rolling schedule per §8.

Subprocessors: We use vetted cloud providers and tools to host and operate the Service (e.g., infrastructure, storage, logging, analytics strictly for operations). A current list of subprocessors is available upon request or published on our website. We enter into data processing agreements with all subprocessors.


5) International transfers

We and our subprocessors may process personal data in countries other than your own. Where required, we implement appropriate safeguards, such as the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum, and conduct transfer impact assessments. By using the Service, you understand that your data may be transferred to jurisdictions with different data protection laws. We will take steps reasonably necessary to ensure your data is treated securely and in accordance with this Policy.


6) Disclosure of personal data

We may disclose personal data to:

  • Service providers/subprocessors who help us deliver the Service (hosting, storage, email delivery, support, analytics, payments). They may only use personal data to provide services to us and must protect it.
  • Business transfers: If we are involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred. We will notify you of material changes affecting your personal data.
  • Legal & safety: To comply with law, lawful requests, and legal process; to protect our rights, users, or the public; to enforce our agreements; to detect, prevent, or address fraud, security, or technical issues.

We do not sell personal information and we do not share personal information for cross‑context behavioral advertising as those terms are defined by applicable US state laws.


7) Security

We use administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, logical access controls, network security, least‑privilege practices, and regular backups and monitoring. However, no method of transmission or storage is 100% secure; we cannot guarantee absolute security.


8) Retention

We retain personal data for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce agreements.

  • Account & billing data: kept for the life of the account and for a reasonable period thereafter (e.g., 6–7 years for tax/financial records, subject to applicable law).
  • Logs & telemetry: typically 30–180 days unless needed for security or troubleshooting.
  • Customer content (processor role): retained per your settings and the DPA; backups are overwritten on a rolling basis (e.g., 30–60 days).

Where feasible, we anonymize or aggregate data instead of retaining it in identifiable form.


9) Your rights & choices

Depending on your location, you may have rights to request access, correction, deletion, portability, objection, or restriction of processing of your personal data, and to withdraw consent where processing is based on consent.

  • Account self‑service: You can access and update certain information from your account settings.
  • Deletion: You may delete your account or request deletion of personal data we control (see § 12 How to contact us). For customer content where we are a processor, please contact the relevant controller (your workspace owner/admin) and we will support their request.
  • Marketing opt‑out: You can opt out of marketing emails via the link in the email or in your settings.
  • Appeals (US states where applicable): If we deny your request, you may appeal by replying to our decision notice.
  • Complaints: You may lodge a complaint with your local supervisory authority (EEA/UK) or regulator.

We will not discriminate against you for exercising your rights.


10) Cookies & similar technologies

We use cookies and similar technologies to operate and improve the Service:

  • Strictly necessary: authentication, security, load balancing.
  • Preferences: remember settings (e.g., language).
  • Analytics: understand usage and improve features (aggregate metrics). Analytics cookies are optional where required by law; we will ask for your consent.

In jurisdictions that require it (e.g., EU/UK), we seek consent before setting non-essential cookies (e.g., analytics) and provide granular controls via our cookie banner/Consent Management Platform (CMP).

You can control cookies via your browser settings. Rejecting cookies may affect functionality.
While we do not respond to Do Not Track (DNT) signals, we honor GPC signals as described above.


11) Fair & lawful use of the Service

You are responsible for ensuring that your use of the Service is lawful, including:

  • Having a lawful basis to process personal data (e.g., legitimate interests, consent where required).
  • Complying with applicable laws (e.g., GDPR/UK GDPR, CAN‑SPAM, PECR, e‑privacy, CCPA/CPRA) and with the terms/policies of any platforms you target.
  • Respecting individual preferences and honoring opt‑out/"do not contact" requests.
  • Not using the Service to collect sensitive data or data about children.

No eligibility determinations. The Service is not a consumer reporting agency and outputs must not be used to determine eligibility for employment, credit, housing, insurance, or similar purposes under the Fair Credit Reporting Act (FCRA).

We may suspend or terminate access for misuse or violations of law or our Terms.


11A) Direct marketing responsibilities (customer use)

Direct marketing (your responsibilities). If you use exported data for outreach, you must comply with applicable laws (e.g., CAN-SPAM in the US, PECR in the UK, and CASL in Canada), including providing required identification, lawful basis/consent where required, and easy unsubscribe. We do not control your campaigns; you are the sender/instigator under these rules.


12) Children’s privacy

Our Service is not directed to children under 13 and we do not knowingly collect personal data from children under 13. If you are a parent/guardian and believe your child provided us personal data, please contact us so we can take appropriate action. Where local law sets a higher age (e.g., 16 in parts of the EEA), we abide by that requirement.


13) Third‑party sites & services

The Service may link to third‑party sites or integrate with third‑party services (e.g., social media platforms, payment processors). We do not control their privacy practices. Please review their privacy policies.


14) Changes to this Policy

We may update this Policy from time to time. We will post the updated Policy on this page and revise the "Last updated" date above. For material changes, we will provide additional notice (e.g., email or in‑app notice) before they take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.


15) How to contact us

If you have questions or requests about this Privacy Policy or our data practices, please contact us at:

Email: [email protected]

Zorix, LLC (United States) is the data controller responsible for handling privacy-related inquiries.
Company address: 1111B S Governors Ave STE 40623, Dover, DE 19904, United States · Phone: +13024402968

If you are an EEA/UK resident and believe your rights have been violated, you may contact your local supervisory authority. We will cooperate with regulators to resolve complaints.


16) Data Processing Addendum (DPA)

For customers that require a DPA under GDPR/UK GDPR, we provide a DPA governing our processing of customer content, including Standard Contractual Clauses for international transfers where applicable. Please contact [email protected] to request a copy or visit our website if a self‑serve version is available.

Summary (non‑contractual)

  • We collect account, billing, usage, and support data as controller to run the Service.
  • We process customer content (e.g., publicly discovered contact data) only on your instructions as processor.
  • We don’t sell personal information or share it for cross‑context behavioral advertising.
  • You can access, correct, or delete your data; backups roll on a schedule.
  • International transfers are protected with SCCs/UK addendum where required.
  • Contact [email protected] for any privacy questions.