Privacy Policy

This Privacy Policy explains how Scrubbe Ltd collects, uses, stores, and protects personal data in connection with the Scrubbe incident intelligence platform and our marketing presence. We are committed to processing personal data lawfully, transparently, and in accordance with UK GDPR, EU GDPR, and all applicable data protection law.

Effective Date: September 26, 2025

Last Updated: September 26, 2025

Jurisdiction: England & Wales

1. Scope & Who This Covers

This Privacy Policy describes how Scrubbe (legal entity: Scrubbe Limited, registered at 456 Innovation Avenue, Lagos, Nigeria; "we," "us," or "our") collects, uses, discloses, and protects personal data in connection with the Scrubbe Incident Management System ("Scrubbe IMS").

If you are a customer (an organization using Scrubbe IMS), the relationship between you and Scrubbe regarding personal data is primarily governed by the Master Service Agreement and Data Processing Agreement (DPA) we execute with you. In many cases, the customer determines the purposes and means for processing the content they upload; in those cases, the customer is the "data controller" and Scrubbe is the "data processor." Where Scrubbe collects personal data directly (e.g., user account sign-up), Scrubbe acts as the controller.

For questions or to exercise your rights, contact: support@scrubbe.com.

1.1 Policy Applies To

  • Individuals who visit our corporate website (incidents.scrubbe.com and related domains).
  • Users, admins, and other persons who use or access Scrubbe IMS (customers' employees, contractors, MSP staff, third-party integrators).
  • Prospective customers, trial users, interview candidates, and other contacts.

It covers personal data collected via web forms, API requests, integrations, support requests, and other channels.

2. Summary / Key Points

In plain language, here's what you need to know:

  • We use personal data to manage and authenticate access to Scrubbe IMS and process incident data to help your teams detect, manage, and resolve incidents.
  • Customers typically control the content of incidents; Scrubbe processes that content to provide the Service.
  • We use industry-standard security (TLS in transit, encryption at rest) and access controls.
  • We share data with third-party service providers and subprocessors necessary to run the product, with contractual safeguards.
  • You can request access, correction, deletion, or portability of your personal data. Contact support@scrubbe.com.
  • We do not sell personal data.
  • We operate across international borders (e.g., between Africa and the U.S.); we use legal safeguards like EU Standard Contractual Clauses.
  • We comply with accessibility standards to ensure our services are usable by all, including those with disabilities.

3. What Personal Data We Collect

3.1 Account & Registration Data

Name, business email, business phone number, job title, business name, business address, country. User credentials (securely stored; passwords hashed). Billing information: company billing address and federal tax ID; limited payment card data is processed by Stripe and is not stored on Scrubbe systems except as tokens.

3.2 Workspace & Team Data

Workspace name, domain, number of users, user roles, invited users, workspace settings (e.g., idle timeout, SSO settings).

3.3 Incident & Operational Data

Incident titles, descriptions, logs, attachments (screenshots, logs), timeline entries, incident owner, assignees, postmortem reports, comments, and messages posted as part of incident response. This content may include personal data (names, phone numbers, emails, or other identifiers) entered by customers or other users.

3.4 Integration Data & Event Data

Data obtained via integrations you enable (GitHub/GitLab events, cloud provider alerts from AWS/Azure/GCP, Slack messages posted in incident channels, monitoring alerts). The specific scope depends on the integration and permissions you grant. Customers are responsible for ensuring that third-party integrations comply with applicable data protection laws; Scrubbe provides tools (e.g., permission controls) to manage data shared with these integrations.

3.5 Usage, Telemetry & Technical Data

IP address, device/browser type, operating system, login timestamps, API call logs, crash reports, feature usage metrics, cookies, and similar technologies.

3.6 Communications

Information you provide via support tickets, chat, email, or during sales conversations. These may include personal identifiers, business context, and troubleshooting logs.

3.7 Payment & Merchant Data

We use Stripe to process payments. We may store payment metadata (invoices, transaction IDs, billing history). Card data is handled by Stripe under its security and privacy practices.

3.8 Data from Third Parties

Information received from third-party integrations and partners, and data available from public sources when you connect those services.

3.9 Special Categories of Data

We do not intentionally collect special category personal data (racial origin, health information, religious beliefs, etc.). However, incident content may occasionally include such data uploaded by customers. If such data is processed, we do so only under customer instructions and applicable legal requirements.

3.10 Data Minimization and Purpose Limitation

We collect only the personal data necessary to provide Scrubbe IMS and fulfill the purposes outlined in this policy. We do not use personal data for purposes other than those specified, unless required by law or with your explicit consent.

4. How We Use Personal Data

We use personal data for the following purposes, with lawful bases under GDPR where applicable:

4.1 Core Service Purposes

  • Create and administer user accounts and workspaces; authenticate and provide the service — Legal basis: **performance of contract.**
  • Process incidents, attach timelines, assign owners, and execute integrations to deliver the IMS functionality — Legal basis: **performance of contract.**
  • Billing, payment collection, invoicing, and fraud prevention — Legal basis: **performance of contract/legal obligation.**

4.2 Operational & Improvement Purposes

  • Monitor service performance, usage, analytics, and feature development; detect and prevent abuse and operational incidents — Legal basis: **legitimate interests** (improving service/security).
  • Securing the service, investigating security incidents, and preventing fraud — Legal basis: **legitimate interests** (security).

4.3 Marketing & Communications

  • Sending product updates, marketing emails, newsletters — Legal basis: **consent** where required; otherwise **legitimate interests** (opt-out).
  • Trial follow-up and onboarding communications — Legal basis: **performance of contract** or **legitimate interest** for prospective customers.

4.4 Legal & Compliance

  • Respond to lawful requests from law enforcement or legal process, enforce terms of service; maintain records for tax and regulatory compliance — Legal basis: **legal obligations; legitimate interests.**

4.5 Aggregation & Anonymization

Use de-identified or aggregated metrics for research and business analytics. Aggregated data cannot reasonably be used to re-identify individuals.

5. Data Sharing & Recipients

We disclose personal data only as described below and only to the extent necessary:

5.1 Subprocessors & Service Providers

Examples include:

  • Cloud hosting & infrastructure: AWS, Azure, Google Cloud.
  • Payment processing: Stripe.
  • Email communications: Customer.io, SendGrid.
  • SMS providers: Twilio (for SMS alerts).
  • Customer support: Intercom, Zendesk.
  • Analytics & monitoring: Google Analytics, Sentry (telemetry and error tracking).
  • CI/CD/marketplace connectors: GitHub, GitLab.

We maintain an up-to-date list of subprocessors at incidents.scrubbe.com/subprocessors. We require subprocessors to maintain the same level of protection as described in this Privacy Policy and the Data Processing Agreement.

5.2 Customers & Other Users

Incident content and workspace data are visible to other users in the same workspace and to the admin(s) of the customer organization. The customer controls who has access.

5.3 Legal Requests

We may disclose data in response to valid legal process (court order, subpoena), to comply with laws, to enforce our terms, or to protect our rights, privacy, security, or property. We will notify customers of requests relating to their data unless prohibited.

5.4 Business Transfers

If Scrubbe is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected customers and provide choices as required by law.

5.5 Customer Responsibilities

Customers remain responsible for ensuring that incident data they upload does not include unnecessary personal data or special categories of data unless strictly required. Customers must configure third-party integrations responsibly (e.g., reviewing the data that each service provider provides, permission settings, data retention controls) to support compliance.

6. International Transfers

Scrubbe operates globally: personal data may be transferred to, and stored in, countries outside your country of residence (including the United States and countries without an adequacy decision).

When transferring personal data from the EEA/UK to jurisdictions without an adequacy decision, we use appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission or other recognized bodies, as required.
  • Binding corporate rules where applicable.
  • Other lawful transfer mechanisms as required.
  • We will provide copies or summaries of safeguards on request (contact support@scrubbe.com).

7. Retention & Deletion

We retain personal data only as long as necessary to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention windows (configurable per enterprise contract) are:

  • Account & billing records: retained for tax & accounting purposes — typically 7 years (or as required by local law).
  • Incident logs & timelines: default retention 3 years; configurable by customers (enterprise plans can specify longer or shorter). Post-termination deletion of incident content; deletion requests subject to contractual obligations and legal requirements.
  • Support tickets & communications: 2–5 years depending on legal needs.
  • Backups: retained for disaster recovery for up to 90 days in encrypted backups; backups are overwritten per schedule.

When an account is deleted, we will remove active data within 30-90 days, subject to legal holds, billing obligations, and residual backups. Please consult your DPA for exact retention commitments for enterprise customers.

8. Data Subject Rights

8.1 For EU & UK Residents (GDPR)

You have the right to:

  • Right of access (Article 15) — request a copy of personal data.
  • Right to rectification (Article 16).
  • Right to erasure (Article 17) — subject to exceptions (e.g., legal retention obligations).
  • Right to restriction of processing (Article 18).
  • Right to object to processing (Article 21).
  • Right to data portability (Article 20).
  • Right to withdraw consent (where processing is based on consent).

Submit requests to support@scrubbe.com. We may require identity verification. We will respond within 30 days, or within an extended period of 90 days where permitted. We will inform you if we need more time.

8.2 For California Residents (CCPA/CPRA)

California residents have the:

  • Right to know what personal data is collected, disclosed, and sold.
  • Right to request deletion of personal data.
  • Right to opt out of sale of personal data (we do not sell personal data).
  • Right to non-discrimination for exercising privacy rights.

To submit a verifiable request, contact support@scrubbe.com with "CCPA Request" in the subject line.

8.3 For Other Jurisdictions (Nigeria NDPR, Kenya DPA, South Africa POPIA)

We will comply with local data protection obligations. Data subject rights vary by jurisdiction; contact support@scrubbe.com for assistance.

9. How to Make a Request

To exercise your rights, use the form below or send your request to support@scrubbe.com with:

  • Subject line: "Data Request".
  • A clear description of the request (access, deletion, portability, correction).
  • Verification: include full name, email, workspace name, description of request, preferred outcome, and identity verification (photo ID, verification code sent to admin email) to prevent fraudulent requests.

We will acknowledge receipt within 5 business days and provide a decision within the legal timeframe.

10. Cookies & Tracking Technologies

We use cookies and similar technologies on our website. Categories:

  • Essential cookies (required): session cookies, authentication tokens, security cookies (cannot be disabled as they are necessary for the service).
  • Functional cookies: preferences, UI settings.
  • Analytics: Google Analytics, Sentry — used to understand site usage. Opt-out options provided.
  • Marketing cookies: used for remarketing, advertising (if used). You can opt out via cookie settings.

Cookie list & management: see our Cookie Policy. Users can manage cookie preferences through the cookie banner and browser settings.

11. Security Measures

We implement appropriate technical and organizational measures to protect personal data:

  • Encryption: TLS 1.2+ in transit; AES-256 encryption at rest.
  • Access Controls: Role-based access control (RBAC), least privilege, strong password policies, support for MFA/SAML/SSO.
  • Authentication: Support for multi-factor authentication (MFA) for admin users.
  • Logging & Monitoring: Session timeouts (default: 5 minutes, configurable), logs for security monitoring.
  • Backup & disaster recovery: Encrypted backups, routine restore testing.
  • Vulnerability Management: Regular vulnerability scanning, patch management, periodic penetration testing by third-party security firms.
  • Confidentiality: Employees are subject to specific privacy and security obligations.
  • Subprocessor controls: Contractual security obligations and right to audit for critical subprocessors.
  • Certifications: We pursue certifications such as **SOC 2 Type II, ISO 27001**, and **ISO 27017**.
  • Vendor Compliance: We conduct regular third-party audits to ensure compliance with security best practices.

We cannot guarantee 100% security; if you have specific compliance requirements (PCI, HIPAA, etc.), contact support@scrubbe.com to discuss compliant deployment options and contractual terms.

12. Data Breach Response & Notification

If Scrubbe becomes aware of a security incident that materially affects personal data, we will:

  • Contain and remediate the incident.
  • **Notify affected customers and data subjects without undue delay** and, where required by law, within applicable regulatory timelines (e.g., within 72 hours for GDPR significant breaches).
  • Provide reasonable details about the nature of the incident, measures taken, and recommended next steps.

Customers must notify us promptly at support@scrubbe.com if they suspect a security incident relating to their workspace.

13. Law Enforcement & Government Requests

We may disclose information in response to lawful requests by public authorities (e.g., court orders, subpoenas) to the extent required by law. Where permitted, we will attempt to notify the affected customer prior to disclosure to allow them to object to the request.

For subpoenas and law enforcement requests, please forward to support@scrubbe.com.

13.1 Transparency Reports

We are committed to transparency regarding government requests for data. Where permitted by law, we publish annual transparency reports summarizing the number and type of requests received, available at incidents.scrubbe.com/transparency.

14. Minors & Children

Scrubbe IMS is not intended for persons under 16. We do not knowingly collect personal data from children under 16. If we learn we have collected such data, we will delete it as required.

15. Automated Decision-Making / Profiling

We do not perform automated decision-making that produces legal effects concerning individuals or similarly significantly affects individuals. We may use aggregated telemetry and machine learning to improve service performance, detect fraud, and prioritize support tickets, but all individual actions and decisions are based on anonymized or aggregated data. ML models are regularly audited to ensure compliance with our data protection policies and provide human control over all automated decisions.

16. Subprocessors & Vendor List

We maintain and publish the current list of subprocessors at incidents.scrubbe.com/subprocessors.

Typical subprocessors include:

  • Cloud hosting providers: AWS, Azure, Google Cloud.
  • Payment processors: Stripe.
  • Email services: SendGrid.
  • SMS providers: Twilio.
  • CDN: Cloudflare.
  • Logging & Usage Analytics: Sentry.
  • Customer support: Intercom.
  • CI/CD/marketplace connectors: GitHub, GitLab.

We notify customers of new critical subprocessors in advance and provide an opportunity to object in accordance with contract terms.

17. Data Processing Agreement (DPA) & Enterprise Controls

For enterprise customers, Scrubbe offers a DPA that specifies:

  • Roles and responsibilities (customer = controller; Scrubbe = processor).
  • Data categories, processing details, and subprocessors.
  • Scrubbe's processor obligations, data subject rights, international transfer mechanisms, retention periods, and deletion obligations.

Contact support@scrubbe.com to request a DPA or specific compliance documentation (e.g., certifications, audit reports).

18. International Compliance & Legal Laws

Scrubbe aims to comply with applicable data protection laws, including GDPR (EU/EEA/UK), CCPA/CPRA (California), Nigeria's NDPR, Kenya's Data Protection Law, South Africa's POPIA, Brazil's LGPD, India's DPDP, and other relevant legal and regulatory requirements. Specific data protection requirements will be addressed in customer agreements. We continuously monitor evolving regulations to ensure ongoing compliance.

19. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our processing activities or legal requirements. We will provide 30 days' prior notice for material changes, communicated via platform announcements, or by email or dashboard notification. Material changes will be communicated in advance where required by law.

20. Contact & Enforcement

If you have questions, complaints, or want to exercise your rights, contact:

  • Email: support@scrubbe.com
  • Mailing Address: Scrubbe Limited, 456 Innovation Avenue, Lagos, Nigeria

If you feel we have not fully addressed your concern or that local data protection law has been violated, you may contact your local supervisory authority. We will cooperate with any lawful requests and respond to complaints.

21.1 General Legal Notices

  • No sale of personal data: We do not sell personal data as defined under the CCPA.
  • Third-party links: Our websites may link to third-party sites; we are not responsible for their privacy practices.
  • Contact for legal requests: For subpoenas and law enforcement requests, please forward to support@scrubbe.com.

22. How to Request Copies and Exercise Rights

22.1 Request Process

Use the form below or email support@scrubbe.com with **"Data Request"** in the subject.

  • Include: full name, email, workspace name, description of request, preferred outcome.
  • We may request identity verification (photo ID, verification code sent to admin email).
  • We will acknowledge receipt within 5 business days and respond substantively within applicable legal timeframes (typically 30 calendar days).

23. Appendix – Sample Retention Defaults

These are sample defaults. Enterprise customers may set custom values in the contract.

  • Incident content: 3 years (default) — configurable.
  • Audit logs: 7 years (default), required for 3 years.
  • Billing & invoices: 7 years.
  • Backups: rolling, up to 90 days.
  • Support tickets: 2 years.

24. Accessibility Compliance

Scrubbe is committed to ensuring our website and services, including this Privacy Policy and the data request form, comply with Web Content Accessibility Guidelines (WCAG) 2.1 to support users with disabilities. If you encounter accessibility issues, please contact support@scrubbe.com.

25. Final Notes & Recommended Next Steps for Scrubbe

For Scrubbe founders and operators:

  • Publish this Privacy Policy with replaced placeholders and a link in your site footer or at incidents.scrubbe.com.
  • Publish a clear Cookie Policy and a Subprocessors list page.
  • Create a Transparency Report page to summarize government data requests annually.
  • Provide a simple portal (or email) for data subject requests; enterprise customers should be able to request and view all their data.
  • Keep a living document (internal playbook) that explains how to handle delete requests, legal holds, and incident notifications.
  • Have a lawyer on-call to ensure local compliance (Nigeria, South Africa, Kenya, UK, US, Brazil, India) and to produce a DPA template for customers.

This Privacy Policy is provided for informational purposes and is not legal advice. You should consult qualified legal counsel to tailor this policy to your jurisdiction and business operations and to ensure compliance with applicable laws.

21. Contact

Email: contact@scrubbe.com | Support: support@scrubbe.com

Website: incidents.scrubbe.com
