GDPR Compliance

Last updated: January 2024

This document outlines how Scrubby OÜ complies with the General Data Protection Regulation (GDPR) and describes our practices for collecting, processing, storing, and protecting personal data of our users. We are committed to maintaining the highest standards of data protection and transparency.

1. Company Information

Data Controller: Scrubby OÜ

Registration Code: 16031675

Registered Address: Viru väljak 2, 10111, Tallinn, Estonia

Data Protection Officer (DPO): Erik Paulson

Contact: info@scrubby.io

Scrubby OÜ is the data controller responsible for your personal data. As a company registered in Estonia, a member state of the European Union, we are fully subject to and compliant with the General Data Protection Regulation (EU) 2016/679.

2. Data Collection & Purpose

We collect and process personal data for the following purposes:

  • Account creation and management — Name, email address, company information, and account credentials
  • Email marketing and communications — Email address and communication preferences
  • Identity validation and service delivery — Business email verification and domain information

Data sources include:

  • Google Analytics (website usage and behavior data)
  • IP address information collected during website visits
  • Information provided directly during signup and account registration
  • Data submitted through contact forms and customer support interactions

3. Integration Partners

We work with trusted integration partners to enhance our services. These partners process data only as necessary to provide their services and do not share your personal data with unauthorized third parties.

Stripe

Payment processing and subscription management. Stripe processes payment data under its own GDPR-compliant data processing agreements.

Pipedrive

Customer relationship management. Used to enhance our customer service and communication capabilities without sharing personal data externally.

4. Storage & Security

We employ advanced cloud services and industry-standard security measures to protect your data:

  • Infrastructure: Amazon Web Services (AWS) for reliable and scalable cloud hosting
  • Authentication: AWS Cognito for secure user authentication and identity management
  • Database: AWS RDS for encrypted and managed database storage
  • File Storage: AWS S3 for secure object storage with server-side encryption
  • Payments: Stripe for PCI-DSS compliant payment processing

Security measures include encryption of data in transit and at rest, network firewalls, regular security audits, access controls, and continuous monitoring. We conduct periodic reviews to ensure our security posture meets or exceeds industry standards.

5. Data Retention

Personal data is stored and maintained for as long as your account is active and you continue to use our services. Data is retained until you request deletion. Upon receiving a valid deletion request, we will remove your personal data from our active systems within a reasonable timeframe, subject to any legal obligations that may require us to retain certain records.

6. Third-Country Transfers

Our primary data storage is located in the AWS US West region (Northern California, United States). While this constitutes a transfer of data outside the European Economic Area, we ensure GDPR compliance through the following safeguards:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • AWS's compliance with EU-US data transfer frameworks
  • Additional technical and organizational measures to protect data during transfer and storage
  • Regular assessment of the data protection landscape in recipient countries

7. User Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you
  • Right to rectification — Request correction of inaccurate or incomplete data
  • Right to erasure — Request deletion of your personal data
  • Right to restrict processing — Request that we limit how we use your data
  • Right to data portability — Request your data in a portable format via AWS S3 export

You can exercise these rights through the following channels:

  • Your Scrubby account dashboard settings
  • In-app support via Gleap
  • Email request to info@scrubby.io
  • Through our CRM system (Pipedrive)

8. Data Breach Protocol

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, Scrubby OÜ will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Document the breach, its effects, and the remedial actions taken
  • Take immediate steps to contain and mitigate the impact of the breach
  • Conduct a post-incident review and implement improvements to prevent recurrence

10. Contact the Data Protection Officer

If you have any questions, concerns, or requests regarding your personal data or this GDPR Compliance document, please contact our Data Protection Officer:

Data Protection Officer: Erik Paulson

Company: Scrubby OÜ

Address: Viru väljak 2, 10111, Tallinn, Estonia

Email: info@scrubby.io

Website: scrubby.io