UK GDPR • Data Protection Act 2018 • PECR
Privacy Policy
Last updated: 9 October 2025
1) Who we are
Scrux.io is operated by Jack Miller in the United Kingdom. We are the controller for player personal data. For privacy questions or rights requests, email support@scrux.io.
2) What data we collect
| Type | Examples | Why |
| --- | --- | --- |
| Account | Username, password (bcrypt/Argon2 hashed), roles | Authenticate your account and keep progress |
| Contact (optional) | Email, support tickets | Respond to you; only the owner with database access can view emails |
| Verification | Phone number sent to ClickSend to deliver a one-time SMS | Unlock custom names/chat and deter ban evasion. Scrux never stores the phone number. |
| Technical & Security | Hashed IP address, country/ISP & risk flags from IPQualityScore, device fingerprint (browser, OS, language) | Detect fraud, block proxies/VPNs, investigate threats, protect game stability |
| Gameplay & Moderation | Stats, match history, chat messages, moderation actions, support notes | Provide gameplay features and keep the community safe |
Device fingerprinting is used solely to capture basic information (e.g., browser type, approximate device class) so we can detect suspicious behaviour without intrusive tracking.
3) How we use your data
- Operate accounts, matches, leaderboards, and cosmetic unlocks.
- Send one-time verification codes through ClickSend; the phone number is discarded immediately after the SMS is requested.
- Hash IP addresses and analyse IP/phone number risk signals with IPQualityScore to prevent fraud, bots, and ban evasion.
- Identify patterns of harmful activity (e.g., repeated attacks from the same country or ISP) so moderators can respond effectively.
- Review chat, reports, and support tickets to enforce our rules and resolve disputes.
- Improve security, diagnose outages, and protect our infrastructure.
4) Legal bases
- Contract: providing gameplay services, accounts, and purchases.
- Legitimate interests: protecting players from abuse, verifying that access attempts are genuine, combatting fraud, and ensuring network safety. We perform balancing tests for IPQualityScore and device fingerprinting to make sure your rights are respected.
- Legal obligations: responding to valid law-enforcement or regulatory requests under UK law.
- Consent: optional features such as marketing emails (if ever offered).
5) IP addresses, phone numbers & identifiers
- IP handling: raw IP addresses are immediately hashed before storage. We retain the hash plus IPQualityScore metadata such as country, region, ISP, and risk category to spot coordinated attacks. Hashing lets us recognise returning connections without keeping the exact IP.
- Phone handling: when you request verification, your number is transmitted securely to ClickSend Pty Ltd only to send the SMS. Scrux does not keep or reuse the number.
- Device fingerprinting: we collect limited browser and device attributes (e.g., user agent, screen size, language, time zone) to defend against automated abuse. We do not derive precise geolocation or track you across other sites.
- Email access: emails linked to your account are accessible only to Jack Miller. Moderators and helpers cannot view contact details.
6) Sharing & processors
| Service | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| ClickSend Pty Ltd | Send SMS verification codes | Australia | Standard Contractual Clauses (SCCs) + UK Addendum |
| IPQualityScore | Proxy/VPN & fraud screening for IPs and phone numbers | United States | SCCs, UK International Data Transfer Addendum, data minimisation |
| Hosting & infrastructure partners | Run game servers, databases, and anti-DDoS tooling | United Kingdom & EEA | Data processing agreements, access controls |
We do not sell or rent personal data. Third parties only process information to deliver the services above.
7) Retention
- Account information: kept while your account remains active.
- Moderation logs: normally retained for up to 90 days, longer if required for investigations.
- Hashed IP & IPQualityScore data: reviewed regularly and removed when no longer needed for security (typically within 12 months unless an active investigation is ongoing).
- Support tickets: retained for up to 12 months to resolve follow-up questions.
8) International transfers
When we send data outside the UK/EEA (for example to ClickSend or IPQualityScore), we rely on the UK GDPR’s international transfer mechanisms, including the European Commission’s Standard Contractual Clauses plus the UK International Data Transfer Addendum. These contracts require recipients to protect your information to UK standards.
9) Your rights
- Request access, correction, deletion, or portability of your data.
- Object to or restrict processing carried out on legitimate interests grounds.
- Withdraw consent where processing relies on consent.
- Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk/make-a-complaint).
Contact support@scrux.io to exercise these rights. We respond within one month as required by the UK GDPR.
10) Security
- Passwords are hashed using industry-standard algorithms (bcrypt or Argon2); plaintext passwords are never stored.
- Access to databases is restricted, monitored, and limited to the owner for personally identifiable information like emails.
- Network firewalls, rate limiting, and audit logging help prevent unauthorised access.
- Verification codes, raw IPs, and other transient data are purged once no longer needed.
11) Children
Scrux.io is designed for players aged 13+. If you are a parent or guardian and believe your child provided personal data without permission, please contact us so we can delete it.
12) Updates
We may update this Privacy Policy to reflect gameplay or legal changes. Significant updates will be announced in-game, on Discord, or via email where appropriate.