Legal
Last updated: 13 May 2026
Registered with the UK Information Commissioner's Office
Organisation: Personal Studio Ltd (trading as DataGrave)
ICO Registration Reference: ZC143539
Data Controller: Md Sarwar Matin
Personal Studio Ltd (trading as DataGrave) acts as a Data Controller for the personal data you provide to us. We process your data solely to provide the DataGrave privacy scanning service. Where we use third-party services to process data on our behalf, those providers act as Data Processors under written agreements.
Processing your name, address, email and other details is necessary to perform the broker scanning service you have requested.
Gmail Inbox Scanning is an optional paid feature. We process your Gmail sender metadata only after you explicitly grant OAuth authorisation. You may withdraw consent at any time by revoking access via Google Account Permissions.
We maintain scan logs and audit trails to provide you with historical results and improve the service.
We may retain certain records as required by UK law, including financial records for HMRC compliance (7 years).
| Data Type | Purpose | Retention |
|---|---|---|
| Name | Broker scanning | Until account deleted |
| | Authentication, notifications | Until account deleted |
| Phone | Broker scanning (optional) | Until account deleted |
| Address | Broker scanning (optional) | Until account deleted |
| Date of Birth | Broker scanning (optional) | Until account deleted |
| Scan Results | Service delivery, history | 12 months |
| Payment Records | HMRC compliance | 7 years |
| Gmail Sender Metadata | Gmail Inbox Scan — sender name, email, subject, timestamp only. No email body or attachments. | 90 days or until access revoked |
Right to Access
Request a copy of all data we hold about you.
Right to Erasure
Request deletion of your account and all associated data.
Right to Rectification
Correct any inaccurate data we hold about you.
Right to Portability
Receive your data in a machine-readable format.
Right to Object
Object to processing based on legitimate interest.
Right to Restrict
Request we limit how we process your data.
Right to Withdraw Consent
Withdraw Gmail OAuth authorisation at any time without affecting other services.
To exercise any of these rights, email privacy@datagrave.co.uk. We will respond within 30 days.
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU |
| Stripe | Payment processing | USA (SCCs applied) |
| Vercel | Frontend hosting | USA (SCCs applied) |
| Railway | Backend hosting | USA (SCCs applied) |
| SendGrid | Email delivery | USA (SCCs applied) |
| | Gmail OAuth — read-only inbox access for Gmail Inbox Scan feature | USA (SCCs applied) |
| DeepSeek | AI classification of email sender names and addresses only (no email content). Used for Gmail Inbox Scan. | China (sender metadata only — no personal content transmitted) |
⚠️ Note on DeepSeek (AI Processing)
DeepSeek is based in China. Only email sender names and email addresses are transmitted — never email body content, attachments, or any other personal information. We transmit the minimum data necessary for classification. If you have concerns about this, you may choose not to use the Gmail Inbox Scan feature.
If you believe we have mishandled your data, please contact us first at privacy@datagrave.co.uk and we will aim to resolve your concern within 30 days. You also have the right to lodge a complaint directly with the ICO:
Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113
Our ICO Registration Reference: ZC143539
As a small business, we are not required to appoint a formal DPO under UK GDPR Article 37. All data protection queries are handled directly by our founder.
Contact: privacy@datagrave.co.uk