Registered with the UK Information Commissioner's Office
Organisation: Personal Studio Ltd (trading as DataGrave)
ICO Registration Reference: ZC143539
Data Controller: Md Sarwar Matin
1. Who We Are
DataGrave is a UK privacy tool that helps individuals find, track, and remove their personal data from data broker websites. The service is operated by Personal Studio Ltd, a company registered in England and Wales, trading under the name DataGrave.
For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is Md Sarwar Matin.
Contact us at: hello@datagrave.co.uk
2. Data We Collect
We collect and process the following categories of personal data:
| Data | Why |
|---|---|
| Full name | Required to search data broker sites |
| Email address | Account creation, scan results, GDPR requests |
| Phone number | Optional — used to search broker records |
| Home address | Optional — used to search broker records |
| Date of birth | Optional — used to identify you on broker sites |
| IP address | Security, fraud prevention, and rate limiting |
| Usage data | Improving the service (pages visited, scan actions) |
| Payment data | Processed by Stripe — we never store card details |
3. Gmail Inbox Scanning
⚠️ Gmail Access — What We Do and Do Not Access
Gmail scanning is an optional paid feature. We request only the minimum permissions required.
What we access:
- Sender email addresses from your inbox (e.g. newsletter@company.com)
- Email subject lines — used to assist sender classification
- Sender name as displayed in your inbox
- Message timestamps — to understand recency and frequency
What we never access:
- Email body content — we do not read, store, or transmit the text inside your emails
- Attachments of any kind
- Contacts, calendar, or any other Google data
- Emails in folders other than your primary inbox
- Drafts, sent items, or deleted messages
How Gmail data is stored:
- Sender metadata (name, email, classification) is stored in our secure Supabase database linked to your account
- Your Gmail OAuth token is stored securely and used only to fetch the scan you requested
- You can revoke our Gmail access at any time via Google Account Permissions
- Revoking access also triggers deletion of your Gmail scan data from our systems within 30 days
Google API Services disclosure:
DataGrave's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use Gmail data solely to provide the inbox scanning service you requested and for no other purpose.
4. AI Processing
DataGrave uses an AI language model (DeepSeek) to classify email senders identified during your Gmail scan into categories: Danger, Data Broker, Marketing, or Legitimate.
What is sent to the AI: Only the sender's email address and display name. No email body content, no attachments, and no other personal information is transmitted.
Where AI processing happens: Classification requests are sent to DeepSeek's API and are subject to DeepSeek's Privacy Policy. We do not use your data to train AI models.
Automated decision-making: Sender classification is used only for informational purposes. No automated decisions with legal or significant effects are made based solely on AI classification.
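The access pattern described in sections 3 and 4 (header-only reads of the inbox, with only the sender's name and address forwarded to the classifier) maps onto a specific way of calling the Gmail API. The Python below is an added illustration and not DataGrave's own code: it assumes the metadata-only OAuth scope `https://www.googleapis.com/auth/gmail.metadata` and the `format="metadata"` option of `users.messages.get`, both of which are real Gmail API features that never return message bodies or attachments. The sample messages and the hypothetical helper names are constructed for the example.

```python
"""Minimal-scope Gmail metadata extraction (added example, not DataGrave's code).

Shows the request parameters that return headers only, reduces a metadata-format
message to the four fields the policy permits, and derives the classifier input
(sender name and address only). Sample messages below are constructed.
"""
from datetime import datetime, timezone
from email.utils import parseaddr

# Scope that grants header/label access only; Gmail refuses body retrieval
# (e.g. format="full" or "raw") under this scope.
GMAIL_METADATA_SCOPE = "https://www.googleapis.com/auth/gmail.metadata"

# The only headers the scan needs; requesting just these keeps responses minimal.
WANTED_HEADERS = ("From", "Subject", "Date")


def list_request_params(page_token=None, max_results=100):
    """Parameters for users.messages.list restricted to the inbox label.

    The metadata scope does not permit the free-text `q` filter, so
    restriction is done by label only (assumption: INBOX is the "primary
    inbox" the policy refers to).
    """
    params = {"userId": "me", "labelIds": ["INBOX"], "maxResults": max_results}
    if page_token:
        params["pageToken"] = page_token
    return params


def metadata_request_params(message_id):
    """Parameters for users.messages.get that return only the wanted headers."""
    return {
        "userId": "me",
        "id": message_id,
        "format": "metadata",
        "metadataHeaders": list(WANTED_HEADERS),
    }


def extract_sender_metadata(message):
    """Reduce a metadata-format message to sender name/email, subject, timestamp.

    Defence in depth: if the response carries body data, attachments or MIME
    parts, the wrong format or scope was used, so refuse to process it rather
    than silently ingesting content the policy says is never read.
    """
    payload = message["payload"]
    body = payload.get("body", {})
    if body.get("data") or body.get("attachmentId") or payload.get("parts"):
        raise ValueError("response contains body/attachment data; expected metadata only")
    headers = {h["name"].lower(): h["value"] for h in payload.get("headers", [])}
    name, addr = parseaddr(headers.get("from", ""))
    # internalDate is epoch milliseconds as a string.
    received = datetime.fromtimestamp(int(message["internalDate"]) / 1000, tz=timezone.utc)
    return {
        "sender_name": name,
        "sender_email": addr.lower(),
        "subject": headers.get("subject", ""),
        "received_at": received.isoformat(),
    }


def classifier_input(meta):
    """What leaves the system for AI classification: name and address only."""
    return {"sender_name": meta["sender_name"], "sender_email": meta["sender_email"]}


# Constructed sample mirroring the shape of a format="metadata" response.
SAMPLE_MESSAGE = {
    "id": "18f3a1c2d4e5b6f7",
    "labelIds": ["INBOX", "CATEGORY_PROMOTIONS"],
    "internalDate": "1717243200000",
    "payload": {
        "mimeType": "multipart/alternative",
        "headers": [
            {"name": "From", "value": "Example Newsletter <newsletter@company.com>"},
            {"name": "Subject", "value": "Your weekly update"},
            {"name": "Date", "value": "Sat, 1 Jun 2024 12:00:00 +0000"},
        ],
        "body": {"size": 0},
    },
}

# Constructed sample of what a full-format response looks like; must be rejected.
SAMPLE_FULL_MESSAGE = {
    "id": "18f3a1c2d4e5b6f8",
    "labelIds": ["INBOX"],
    "internalDate": "1717243200000",
    "payload": {
        "mimeType": "text/plain",
        "headers": [{"name": "From", "value": "someone@example.org"}],
        "body": {"size": 11, "data": "aGVsbG8gd29ybGQ="},
    },
}

if __name__ == "__main__":
    meta = extract_sender_metadata(SAMPLE_MESSAGE)
    print(meta)
    print("to classifier:", classifier_input(meta))
```

Under the metadata scope the API itself refuses body retrieval, so the check in `extract_sender_metadata` is a second line of defence against a scope or format regression rather than the primary control; the scope requested at consent time is what the user can verify in their Google Account permissions.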
5. Data Broker Scanning
When you initiate a broker scan, DataGrave uses the personal information you provide (name, email, phone, address, DOB) to query publicly accessible data broker websites. This is the core purpose of the service.
We do not sell, share, or transmit your personal data to any data broker. We query those sites on your behalf to detect whether your information is publicly listed, so that you can exercise your right to erasure under UK GDPR Article 17 and request its removal.
Scan results (which brokers found your data) are stored in your account so you can track removal requests and compliance deadlines.
6. Payments
All payments are processed by Stripe, Inc. We do not store your card number, CVV, or banking details on our systems at any time.
Stripe may store payment data in accordance with their own privacy policy, available at stripe.com/gb/privacy. Stripe is PCI-DSS compliant.
We retain a record of your transaction (amount, date, product purchased) for accounting and fraud prevention purposes in line with HMRC requirements (7 years).
7. Legal Basis for Processing
| Processing activity | Legal basis |
|---|---|
| Account creation and management | Contract (Article 6(1)(b)) |
| Data broker scanning | Contract (Article 6(1)(b)) |
| Gmail inbox scanning | Consent (Article 6(1)(a)) |
| Sending GDPR removal requests | Contract (Article 6(1)(b)) |
| Payment processing | Contract (Article 6(1)(b)) |
| Security and fraud prevention | Legitimate interests (Article 6(1)(f)) |
| Service improvement analytics | Legitimate interests (Article 6(1)(f)) |
| Legal obligations (HMRC records) | Legal obligation (Article 6(1)(c)) |
8. Data Retention
- Account data: Retained for as long as your account is active. Deleted within 30 days of an account deletion request.
- Scan results: Retained for 12 months to allow you to track broker compliance deadlines. You can delete scan data at any time from your dashboard.
- Gmail scan data: Retained for 90 days after the scan date, or until you revoke Gmail access or delete your account, whichever comes first. Deletion triggered by revocation completes within 30 days, as described in section 3.
- Payment records: Retained for 7 years in accordance with HMRC accounting requirements.
- Server/access logs: Retained for 30 days for security purposes then automatically deleted.
10. Your Rights Under UK GDPR
Under UK GDPR, you have the following rights regarding your personal data:
Right to access
Request a copy of all personal data we hold about you.
Right to rectification
Request correction of inaccurate or incomplete data.
Right to erasure
Request deletion of your personal data ("right to be forgotten"). We will action this within 30 days.
Right to restriction
Request that we limit how we use your data while a dispute is resolved.
Right to data portability
Receive your personal data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interests. You may also withdraw consent for Gmail scanning at any time.
Rights related to automated decision-making
We do not make solely automated decisions with legal effects about you.
To exercise any of these rights, email us at hello@datagrave.co.uk with the subject line "Data Rights Request". We will respond within 30 days.
12. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest (Supabase AES-256)
- Row-Level Security (RLS) policies on all database tables
- API authentication on all backend endpoints
- OAuth 2.0 for Gmail access (no password storage)
- Stripe for payment processing (no card data on our servers)
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by UK GDPR Article 34.
13. Changes to This Policy
We may update this privacy policy from time to time. Where changes are material, we will notify you by email at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent version.
Continued use of DataGrave after a policy update constitutes acceptance of the revised terms. If you do not agree, you may delete your account at any time.
14. Contact & Complaints
For any privacy-related queries, data rights requests, or concerns, contact us at hello@datagrave.co.uk.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113
Our ICO Registration Reference: ZC143539