PRIVACY POLICY

Processing is necessary to perform the contract you have with us. This includes providing the Skrub platform services you signed up for, managing your account, processing subscription payments, delivering scan results, generating AI-powered analysis, and providing customer support.

Processing is necessary for our legitimate interests or those of a third party, where those interests are not overridden by your rights. Our legitimate interests include:

• Improving and optimizing our Service and user experience
• Fraud prevention and security measures
• Analyzing public review data to detect spam and fraudulent content
• Defending your business reputation against malicious reviews
• Internal analytics and business intelligence

Where we rely on your consent, you have the right to withdraw it at any time. We seek consent for:

• Marketing emails and promotional communications
• SMS notifications (optional feature)
• Optional product features and beta testing
• Non-essential cookies and analytics

To withdraw consent, contact us at privacy@skrub.io or use the unsubscribe link in any marketing email.

Processing is necessary to comply with our legal obligations. This includes:

• Maintaining tax and accounting records as required by law
• Responding to lawful requests from law enforcement or regulatory bodies
• Complying with court orders and legal proceedings
• Meeting anti-money laundering and fraud prevention obligations

Purpose: Text generation, sentiment analysis, spam detection scoring, response drafting, and AI chat assistant functionality.

Data Shared: Review text content, business context, and chat messages for analysis.

Purpose: Retrieving publicly available review data from Google Maps and other platforms.

Data Shared: Business URLs you provide for scanning.

Purpose: Subscription billing and payment processing.

Data Shared: Email address for receipts and payment identifiers. Payment card details are sent directly to Stripe and never touch our servers.

Purpose: Sending SMS alert notifications for high-risk reviews (if enabled).

Data Shared: Phone number and notification message content.

Purpose: Customer relationship management, marketing automation, email nurturing sequences, and customer support tracking.

Data Shared: Email address, name, company information, subscription status, and service usage activity.

Purpose: Sending transactional emails including account verification, password reset, and service notifications.

Data Shared: Email address and email content.

Your personal data may be processed in the United States and other countries where our service providers operate. The US may not have data protection laws equivalent to those in your jurisdiction.

For transfers of personal data from the EEA/UK to our sub-processors located outside of adequacy regions, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the legal mechanism for such transfers. Our key sub-processors (Google, Stripe, Twilio, HubSpot, Resend) maintain their own GDPR compliance programs and have committed to SCCs or equivalent safeguards.

You have the right to request information about the specific safeguards we have in place for international data transfers. To request a copy of the SCCs or information about the safeguards applied to your data, please contact us at privacy@skrub.io.

Encryption & Transport Security

• All data transmitted over HTTPS/TLS encryption
• HTTP Strict Transport Security (HSTS) enforced
• Passwords hashed using industry-standard algorithms (never stored in plain text)

Application Security

• Content Security Policy (CSP) headers to prevent XSS attacks
• Cross-Site Request Forgery (CSRF) protection on all forms
• Secure session cookies (HttpOnly, SameSite, Secure flags)
• Rate limiting on authentication endpoints
• Password strength requirements enforced

Access & Monitoring

• Database access restricted to authorized personnel
• Error monitoring and alerting with Sentry
• Regular security reviews and updates

You have the right to obtain confirmation as to whether we are processing your personal data, and if so, to request access to that data along with information about how it is processed. You may request a copy of your personal data free of charge.

You have the right to request correction of inaccurate personal data we hold about you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed.

You have the right to request deletion of your personal data where: the data is no longer necessary for its original purpose; you withdraw consent; you object to processing; the data was unlawfully processed; or deletion is required by law. We will process erasure requests within 30 days.

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV). You also have the right to request that we transmit this data directly to another controller where technically feasible.

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will stop processing your data for that purpose immediately.

If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority. In the EU, you may contact your local Data Protection Authority. In the UK, you may contact the Information Commissioner's Office (ICO).