
trust overview

effective 7 may 2026 · version 1.1

we built scrubbr.ai so you don't have to choose between a faster inbox and your data privacy. this page explains where your data lives, who can see it, and how we protect it.

what scrubbr.ai does

scrubbr.ai connects to gmail, google calendar, and slack with your permission, reads message and event content, and produces priority tiers, summaries, and drafted replies. you confirm any action that writes back to those services.

where customer data lives

application data and customer data are stored in supabase (managed postgres on aws) in a us region. application servers run on aws in a us region. backups are encrypted and rotated.

data is encrypted in transit (tls 1.2 or higher) and at rest (aes-256 with provider-managed and aws kms-backed keys). access to production systems is restricted to a small set of authorized personnel and is audited.

what scrubbr.ai processes (and what it does not)

gmail

message metadata (sender, recipient, subject, timestamps, labels) and message body content. processed for prioritization, summarization, and drafting. retained on a 90-day rolling window for active accounts.

slack

message metadata and message body content from channels and direct messages your account has access to. processed for prioritization, summarization, and drafting. scrubbr.ai uses your personal slack user token, not a bot token. this means messages you send through scrubbr.ai appear in slack under your name, indistinguishable from a message you typed in slack itself. there is no scrubbr-bot installed in your channels.

google calendar

event metadata (titles, attendees, times, locations, descriptions). processed for triage context and meeting prep. retained per the same 90-day rolling window.

attachments

never ingested. never stored. scrubbr.ai does not download or process file attachments from email, slack, or calendar links. file content stays in google drive, dropbox, or wherever it lives.

card data

scrubbr.ai never sees your card. payment is handled directly by stripe; we receive only a customer id and subscription status.

sub-processors

the providers below help us run scrubbr.ai. each is contracted to handle data only on our instructions and only for the purposes of running scrubbr.ai.

  • amazon web services (us): application hosting, compute, queues, kms.
  • supabase (us): managed postgres, auth.
  • openrouter (us): AI model gateway. routes to anthropic and openai.
  • anthropic (us): large language model provider (claude family). does not retain content for training.
  • openai (us): embedding model provider. does not retain content for training.
  • stripe (us): billing. card data goes directly to stripe.
  • sendgrid / twilio (us): transactional email delivery.
  • google (gmail and calendar apis): your data source.
  • slack technologies: your data source.

this list updates when sub-processors change. material changes are communicated to active customers in advance.

identity and access

  • employee access to production systems is granted by role, scoped to the smallest surface needed, and reviewed quarterly.
  • access to systems that hold customer data is mfa-enforced and logged.
  • raw email and slack message content is invisible to scrubbr.ai employees. internal tooling shows AI summaries, counts, and metadata only. there is no employee-facing view that decrypts and renders the contents of a customer's message.

software development

  • code is reviewed before merge. security-sensitive changes get a second reviewer.
  • dependencies are scanned for known vulnerabilities.
  • secrets are stored in a managed secret store and rotated at least every 90 days, and whenever a leak is detected.
  • changes ship with a documented revert plan; rollback is rehearsed.

logging, monitoring, and backups

  • application and infrastructure events are logged to a central system. message content is excluded from logs by design.
  • backups are encrypted, taken daily, and retained per a published schedule.
  • error and uptime monitoring runs continuously; on-call receives alerts for production incidents.

incident response

if we discover a security incident affecting customer data, we contain it, investigate, and notify affected customers without undue delay and in any event within 72 hours of confirmation. report a suspected incident to security@scrubbr.ai.

privacy posture

see the privacy notice for the full picture, including your rights, retention, and contact for privacy requests. highlights:

  • we do not sell personal information.
  • we do not use customer data to train AI models.
  • we do not use third-party advertising trackers on the marketing site.
  • account data is deleted within 30 days of cancellation, except where retention is required by law.

compliance posture

scrubbr.ai's security program is aligned to nist sp 800-171 rev. 2 and structured to support a soc 2 type II audit. scrubbr.ai is not currently soc 2-attested. the policy library, control set, and evidence collection are designed to support an audit when the company elects to undergo one. when attestation is complete, this page will be updated and the report will be available under nda.

contact & requests

security: security@scrubbr.ai. privacy: privacy@scrubbr.ai. for questionnaires or vendor reviews from your infosec team, send your due-diligence document to security@scrubbr.ai and we'll respond promptly.
