Privacy Policy | ScopeShield

1. Introduction

ScopeShield ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our scope change impact analysis platform.

By using ScopeShield, you consent to the data practices described in this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

Email address
Name
Profile picture (if provided via OAuth)
Organization name
Payment information (processed securely by Stripe)

2.2 Project Data

To provide our service, we collect:

Project names and descriptions
Client names and contact information
Scope items (deliverables and exclusions)
Contract documents you upload

2.3 Email Data

When you connect your email account (Gmail or Outlook), we access:

Emails from contacts you designate for monitoring
Email metadata (sender, subject, date)
Email content for scope creep analysis

Important: We only access emails related to your specified project contacts. We do not access your entire inbox or personal emails.

2.4 Usage Data

We automatically collect:

Browser type and version
Pages visited and features used
Time and date of visits
Time spent on pages
Device information

3. How We Use Your Information

We use the collected information to:

Provide and maintain the Service
Analyze emails for scope creep detection using AI
Generate impact analysis and cost estimates
Send alerts when potential scope creep is detected
Process payments and manage subscriptions
Send important service notifications
Improve and personalize the Service
Respond to customer support requests
Comply with legal obligations

4. AI Processing

ScopeShield uses artificial intelligence (Claude by Anthropic) to analyze email content and detect scope-related requests. When processing your data:

Email content is sent to our AI provider for analysis
AI outputs are stored only as necessary for the Service
We do not use your data to train AI models
AI providers are contractually bound to protect your data

5. Data Sharing and Disclosure

We may share your information with:

5.1 Service Providers

Supabase: Database and authentication
Anthropic: AI analysis processing
OpenAI: Embedding generation for semantic search
Stripe: Payment processing
Vercel: Hosting and infrastructure
Google/Microsoft: Email integration via OAuth

5.2 Legal Requirements

We may disclose information if required to:

Comply with a legal obligation
Protect and defend our rights or property
Prevent or investigate possible wrongdoing
Protect the personal safety of users or the public

We do not sell your personal information to third parties.

6. Data Security

We implement appropriate security measures including:

Encryption of data in transit (TLS/SSL)
Encryption of sensitive data at rest
OAuth tokens encrypted with AES-256-GCM
Regular security audits
Access controls and authentication requirements
Row-level security in our database

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Data Retention

We retain your data as follows:

Account data: Until you delete your account
Project data: Until you delete it or your account
Processed email IDs: To prevent duplicate processing (minimal data)
Alerts: Until resolved or 1 year, whichever is longer
Usage logs: 90 days

When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it by law.

8. Your Rights

Depending on your location, you may have the right to:

Access the personal data we hold about you
Correct inaccurate or incomplete data
Delete your personal data
Export your data in a portable format
Withdraw consent for data processing
Object to certain data processing
Lodge a complaint with a supervisory authority

To exercise these rights, contact us at privacy@scopeshield.io or use the settings in your account dashboard.

9. Email Integration Permissions

9.1 Gmail

When you connect Gmail, we request the following permissions through Google OAuth:

gmail.readonly - Read email messages and metadata
gmail.send - Send responses on your behalf (optional)
gmail.metadata - Access email metadata

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

9.2 Microsoft Outlook

When you connect Outlook, we request similar read and send permissions through Microsoft OAuth.

9.3 Revoking Access

You can disconnect your email account at any time from Settings. You can also revoke access directly from:

Google: Google Account Permissions
Microsoft: Microsoft Account Permissions

10. Cookies and Tracking

We use cookies and similar technologies for:

Essential cookies: Authentication and security
Analytics cookies: Understanding usage patterns (PostHog)
Preference cookies: Remembering your settings

You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.

11. Children's Privacy

ScopeShield is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn we have collected information from a child, we will delete it promptly.

12. International Data Transfers

Your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws. We ensure appropriate safeguards are in place, including standard contractual clauses where required.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Your continued use after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us:

Email: privacy@scopeshield.io

For data subject requests: privacy@scopeshield.io