Privacy Policy
Last updated: March 2026
This policy explains what data Scriova collects, why, and what happens to it. We've written this in plain English, not legalese.
What we collect
- Account data — your email address and a hashed (bcrypt) password when you create an account. We never store your password in plain text.
- Your CSV lead data — names, companies, job titles, websites, and any other columns you upload. This is held in server memory for your session only (up to 1 hour) and is never written to a database.
- Job history — metadata about jobs you've run (filename, row count, date). Not the actual lead content.
- Website content — when you include a website column, we fetch that URL server-side to extract a brief summary for the AI. The fetched content is not stored.
- Payment and billing data — handled entirely by Stripe. We store only your Stripe Customer ID and subscription status. We never see or store card numbers.
- Security and audit logs — records of sensitive actions (password changes, email changes, account deletion) including timestamps and IP addresses. Retained for 90 days.
- Server logs — standard request logs (IP address, user agent, endpoint, timestamp). Not linked to your CSV data.
What we don't collect
- Analytics or tracking cookies (no Google Analytics, Mixpanel, etc.).
- The generated email lines after they're sent to your browser.
- The content of your uploaded CSVs — only metadata (filename, row count).
Sub-processors (who we share data with)
These are the third-party services that may process your data as part of delivering the service:
| Service | Purpose | Data sent |
|---|---|---|
| AI provider | AI generation of email openers | Lead name, company, title, and website summary. Not your full CSV. |
| Stripe | Payment processing and subscription management | Email address, subscription events |
| Your SMTP relay (Resend, Postmark, etc.) | Sending transactional emails | Your email address and the email content |
| Railway | Hosting and infrastructure | All application data (hosted on their servers) |
We don't sell your data, share it with advertisers, or pass it to any other third parties. Our AI provider does not use API inputs to train their models by default.
Cookies
We use only strictly necessary cookies — no tracking or advertising cookies:
- ep_session — a secure, HTTP-only session cookie that keeps you logged in. Contains only a random session ID, no personal data. Expires after 30 days.
- _csrf_anon — a short-lived cookie used to protect forms from cross-site request forgery on pages where you're not logged in. Expires after 24 hours.
Data retention
- CSV / lead content — deleted from memory when your session ends (max 1 hour). Never persisted to disk.
- Account data — retained while your account is active. Deleted immediately on account deletion.
- Job history metadata — retained while your account is active. Deleted on account deletion.
- Audit logs — retained for 90 days, then purged.
- Billing data (Stripe) — governed by Stripe's own retention policies. We hold only a reference ID.
Your rights
Under GDPR, CCPA, and similar laws, you have the right to:
- Access your data — use the "Download my data" button in Account Settings to get a machine-readable copy of everything we hold.
- Delete your data — use the "Delete account" option in Account Settings. This immediately removes your account, job history, and all associated data.
- Correct your data — update your email or other details in Account Settings.
- Object — contact us to object to any processing we do.
Note: data sent to our AI provider cannot be retrieved or deleted from their systems after it has been processed, per their API usage policy.
Security
Passwords are hashed with bcrypt (cost factor 12). Sessions use cryptographically random 32-byte tokens. All connections are encrypted via TLS. We use CSRF protection, rate limiting, and security headers on all endpoints.
Contact
Questions or data requests? Email us at hello@scriova.com. We aim to respond within 5 business days.