UK GDPR • Data Protection Act 2018 • PECR
Privacy Policy
Last updated: 14 March 2026
1) Who we are
Scrux.io is operated by Jack Miller in the United Kingdom. We are the controller for player personal data. For privacy questions or rights requests, email support@scrux.io.
2) What data we collect
| Type | Examples | Why |
| --- | --- | --- |
| Account | Username, password (bcrypt/Argon2 hashed), roles | Authenticate your account and keep progress |
| Contact (optional) | Email, support tickets | Respond to you; only the owner with database access can view emails |
| Verification | Phone number sent to ClickSend to deliver a one-time SMS | Unlock custom names/chat and deter ban evasion. Scrux never stores the phone number. |
| Technical & Security | Hashed IP address, country/ISP & risk flags from ProxyCheck.io, device fingerprint (browser, OS, language), CAPTCHA challenge outcomes (Cloudflare Turnstile and Google reCAPTCHA) | Detect fraud, block proxies/VPNs, stop automated abuse, investigate threats, protect game stability |
| Gameplay & Moderation | Stats, match history, chat messages, moderation actions, support notes | Provide gameplay features and keep the community safe |
Device fingerprinting is used solely to capture basic information (e.g., browser type, approximate device class) so we can detect suspicious behaviour without intrusive tracking.
3) How we use your data
- Operate accounts, matches, leaderboards, and cosmetic unlocks.
- Send one-time verification codes through ClickSend; the phone number is discarded immediately after the SMS is requested.
- Hash IP addresses and analyse IP risk signals with ProxyCheck.io to prevent fraud, bots, and ban evasion.
- Use Cloudflare Turnstile and Google reCAPTCHA to distinguish real users from bots during sensitive actions (for example login, sign-up, and abuse prevention checks).
- Identify patterns of harmful activity (e.g., repeated attacks from the same country or ISP) so moderators can respond effectively.
- Review chat, reports, and support tickets to enforce our rules and resolve disputes.
- Improve security, diagnose outages, and protect our infrastructure.
4) Legal bases
- Contract: providing gameplay services, accounts, and purchases.
- Legitimate interests: protecting players from abuse, verifying that access attempts are genuine, combatting fraud, and ensuring network safety. We perform balancing tests for ProxyCheck.io, CAPTCHA checks, and device fingerprinting to make sure your rights are respected.
- Legal obligations: responding to valid law-enforcement or regulatory requests under UK law.
- Consent: optional features such as marketing emails (if ever offered).
5) IP addresses, phone numbers & identifiers
- IP handling: raw IP addresses are immediately hashed before storage. We retain the hash plus ProxyCheck.io metadata such as country, region, ISP, and risk category to spot coordinated attacks. Hashing lets us recognise returning connections without keeping the exact IP.
- CAPTCHA handling: when protected forms are submitted, CAPTCHA tokens and related risk signals are validated with Cloudflare Turnstile and/or Google reCAPTCHA. We use these checks only for abuse prevention and do not use them for advertising profiling.
- Phone handling: when you request verification, your number is transmitted securely to ClickSend Pty Ltd only to send the SMS. Scrux does not keep or reuse the number.
- Device fingerprinting: we collect limited browser and device attributes (e.g., user agent, screen size, language, time zone) to defend against automated abuse. We do not derive precise geolocation or track you across other sites.
- Email access: emails linked to your account are accessible only to Jack Miller. Moderators and helpers cannot view contact details.
6) Sharing & processors
| Service | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| ClickSend Pty Ltd | Send SMS verification codes | Australia | Standard Contractual Clauses (SCCs) + UK Addendum |
| ProxyCheck.io | Proxy/VPN & fraud screening for IP addresses | United Kingdom | Data minimisation, contractual safeguards, access controls |
| Cloudflare Turnstile | Bot and abuse prevention CAPTCHA checks | Global (including UK/EEA and United States) | SCCs/IDTA where applicable, data minimisation, security controls |
| Google reCAPTCHA | Bot and abuse prevention CAPTCHA checks | United States / Global | SCCs/IDTA where applicable, data minimisation, security controls |
| Hosting & infrastructure partners | Run game servers, databases, and anti-DDoS tooling | United Kingdom & EEA | Data processing agreements, access controls |
We do not sell or rent personal data. Third parties only process information to deliver the services above.
7) Retention
- Account information: kept while your account remains active.
- Moderation logs: normally retained for up to 90 days, longer if required for investigations.
- Hashed IP & ProxyCheck.io data: reviewed regularly and removed when no longer needed for security (typically within 12 months unless an active investigation is ongoing).
- CAPTCHA tokens and challenge responses: processed in real time and not retained by Scrux longer than necessary to validate requests and investigate abuse incidents.
- Support tickets: retained for up to 12 months to resolve follow-up questions.
8) International transfers
When we send data outside the UK/EEA (for example to ClickSend, Cloudflare Turnstile, or Google reCAPTCHA), we rely on the UK GDPR’s international transfer mechanisms, including the European Commission’s Standard Contractual Clauses plus the UK International Data Transfer Addendum. These contracts require recipients to protect your information to UK standards.
9) Your rights
- Request access, correction, deletion, or portability of your data.
- Object to or restrict processing carried out on legitimate interests grounds.
- Withdraw consent where processing relies on consent.
- Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk/make-a-complaint).
Contact support@scrux.io to exercise these rights. We respond within one month as required by the UK GDPR.
10) Security
- Passwords are hashed using industry-standard password-hashing algorithms (bcrypt or Argon2); plaintext passwords are never stored.
- Access to databases is restricted, monitored, and limited to the owner for personally identifiable information like emails.
- Network firewalls, rate limiting, and audit logging help prevent unauthorised access.
- Verification codes, raw IPs, and other transient data are purged once no longer needed.
11) Children
Scrux.io is designed for players aged 13+. If you are a parent or guardian and believe your child provided personal data without permission, please contact us so we can delete it.
12) Updates
We may update this Privacy Policy to reflect gameplay or legal changes. Significant updates will be announced in-game, on Discord, or via email where appropriate.