Privacy Policy

Last updated: July 29, 2025

1. Introduction

ScopeSketch ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service located at scopesketch.com (the "Service").

This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.

2. Information We Collect

2.1 Information You Provide

We collect information you directly provide to us, including:

  • Account Information: Name, email address, and profile picture (from OAuth providers)
  • Project Content: Project ideas, descriptions, and generated scopes you create
  • Payment Information: Billing details processed securely through Stripe (we do not store payment card data)
  • Communications: Messages you send to our support team

2.2 Automatically Collected Information

When you use our Service, we automatically collect:

  • Usage Data: Feature usage, generation counts, login times, and session duration
  • Device Information: IP address, browser type, operating system, and device identifiers
  • Log Data: Server logs including access times, pages viewed, and system errors
  • Analytics Data: Aggregated usage patterns and performance metrics

2.3 Third-Party Information

We receive information from third-party services:

  • OAuth Providers: Google and GitHub provide basic profile information when you sign up
  • Payment Processor: Stripe provides transaction status and payment confirmation data
  • AI Service: Google Gemini API processes your project descriptions to generate scopes

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Provision

  • Create and manage your account
  • Generate AI-powered project scopes
  • Store and organize your projects
  • Process payments and manage subscriptions
  • Track usage limits and plan features

3.2 Communication

  • Send service-related notifications (welcome, payment confirmations, usage alerts)
  • Provide customer support and respond to inquiries
  • Send account recovery information when requested

3.3 Service Improvement

  • Analyze usage patterns to improve features
  • Monitor service performance and reliability
  • Prevent fraud and abuse
  • Ensure service security and compliance

3.4 Legal Compliance

  • Comply with applicable laws and regulations
  • Respond to legal requests and court orders
  • Protect our rights and the rights of others
  • Investigate and prevent illegal activities

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service
  • Legitimate Interest: Service improvement, security, and business operations
  • Consent: Optional features and marketing communications (where applicable)
  • Legal Obligation: Compliance with applicable laws and regulations

5. Information Sharing and Disclosure

5.1 Third-Party Service Providers

We share information with trusted service providers who assist in operating our Service:

  • Stripe: Payment processing and billing management
  • Google Gemini: AI-powered scope generation (project descriptions only)
  • Resend: Email delivery for service notifications
  • MongoDB Atlas: Secure cloud database hosting
  • Vercel: Application hosting and content delivery

5.2 Business Transfers

If we undergo a merger, acquisition, or sale of assets, your information may be transferred to the new entity, subject to the same privacy protections.

5.3 Legal Requirements

We may disclose your information when required by law or to:

  • Comply with legal processes and court orders
  • Protect our rights, property, or safety
  • Investigate fraud or security issues
  • Protect the rights and safety of other users

5.4 Consent

We may share your information for other purposes with your explicit consent.

6. Data Security

We implement comprehensive security measures to protect your information:

6.1 Technical Safeguards

  • Encryption in transit (HTTPS/TLS) and at rest
  • Secure authentication with OAuth providers
  • Regular security audits and vulnerability assessments
  • Access controls and principle of least privilege

6.2 Organizational Safeguards

  • Employee training on data protection practices
  • Data breach response procedures
  • Regular backup and disaster recovery protocols
  • Vendor security assessments and agreements

7. Data Retention

We retain your information for the following periods:

  • Account Data: Until account deletion, then 30 days for recovery
  • Project Content: Until manually deleted or account termination
  • Usage Logs: 12 months for analytics and service improvement
  • Payment Records: 7 years for tax and legal compliance
  • Support Communications: 3 years for quality assurance

Data may be retained longer if required by law or for legitimate business purposes.

8. Your Privacy Rights

8.1 GDPR Rights (EU Residents)

You have the following rights under GDPR:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Revoke consent for consent-based processing

8.2 CCPA Rights (California Residents)

California residents have additional rights:

  • Know: Request information about data collection and sharing
  • Delete: Request deletion of personal information
  • Opt-Out: Opt out of the sale of personal information (we do not sell data)
  • Non-Discrimination: Equal service regardless of privacy choices

8.3 Exercising Your Rights

To exercise your privacy rights:

  • Use the data export feature in your profile settings
  • Delete your account through profile settings
  • Contact us at info@scopesketch.com

We will respond to requests within 30 days (GDPR) or 45 days (CCPA), and may require identity verification for security purposes.

9. International Data Transfers

Our Service operates globally, and your data may be transferred to and processed in countries outside your residence. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) with service providers
  • Adequacy decisions by relevant data protection authorities
  • Other appropriate safeguards as required by law

10. Cookies and Tracking

We use cookies and similar technologies to:

  • Essential Cookies: Authentication and security (necessary for service operation)
  • Analytics Cookies: Usage statistics and performance monitoring
  • Functional Cookies: User preferences and settings

You can control cookies through your browser settings, but disabling essential cookies may affect service functionality.

11. Children's Privacy

Our Service is not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If we become aware of such collection, we will delete the information immediately and terminate the account.

12. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify relevant authorities within 72 hours (where required)
  • Inform affected users without undue delay
  • Provide clear information about the breach and our response
  • Take immediate steps to contain and remediate the issue

13. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies before providing any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws. We will:

  • Post the updated policy on our website
  • Update the "Last updated" date
  • Notify users of material changes via email or service notification
  • Provide 30 days advance notice for significant changes

15. Contact Information

For privacy-related questions, requests, or concerns, please contact us:

16. Supervisory Authority

If you are located in the EU and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.

Your Privacy Matters: We are committed to transparency and protecting your personal information. If you have any questions about this Privacy Policy or our data practices, please don't hesitate to contact us.