Privacy Policy

1. Scope and Applicability

This Privacy Policy describes how ScopeLock ("we," "us," or "our") collects, uses, and shares information about you when you use our services, website, and applications (collectively, the "Services").

This Policy applies to information we collect when you visit our website at scopelock.app or use our platform. It does not apply to information collected by third parties through links on our Services or third-party services you may access through our platform.

ScopeLock is operated from Ljubljana, Slovenia, in the European Union. For information about how we process data on behalf of our business customers, please see our Data Processing Agreement.

2. Information We Collect

2.1 Information You Provide to Us

Account Information: When you create an account, we collect your email address, name, and authentication credentials (if using email/password login).

Payment Information: When you purchase credits or subscriptions, our payment processor (Stripe) collects your payment details, including credit card information, billing address, and transaction history. We store only the last four digits of your card, card type, and expiration date.

Project and Scope Data: We collect the project information you submit, including project descriptions, client communications, generated scope documents, edits, and any other content you create using the Services.

Support and Communications: When you contact us for support or otherwise communicate with us, we collect information about your inquiry and our responses.

2.2 Information We Collect Automatically

Usage Data: We automatically collect information about how you use the Services, including:

• Pages viewed and features used
• Time spent on pages
• Number of scope generations
• Interaction patterns and click events
• Error logs and diagnostic information

Device and Browser Information: We collect information about the device and browser you use to access the Services, including:

• IP address and approximate location (city/country level)
• Browser type and version
• Operating system
• Device identifiers
• Screen resolution and viewport size

Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain your session, remember your preferences, and analyze usage patterns. See Section 5 for more details.

2.3 Information from Third Parties

If you log in using Google authentication, we receive your name, email address, and profile picture from Google in accordance with their OAuth policies.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide the Services: To create and manage your account, process your scope generations, save your projects, and enable all features of the platform.
• Process Payments: To charge your payment method, manage subscriptions, and handle billing inquiries.
• Improve the Services: To analyze usage patterns, identify bugs, develop new features, and enhance user experience.
• AI Model Training: To improve our AI models, we may use aggregated and anonymized scope data. We never use your specific Customer Data to train models accessible to other users without your explicit consent.
• Communications: To send you service-related emails, respond to your inquiries, and notify you of important changes or updates.
• Security and Fraud Prevention: To detect and prevent fraud, abuse, security incidents, and other harmful activities.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.

4. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Stripe: Payment processing
• Google Cloud Platform / Firebase: Hosting, database, and authentication
• Google AI (Gemini): AI-powered scope generation
• Vercel: Application hosting and deployment

These service providers are contractually obligated to use your information only to provide services to us and in accordance with this Privacy Policy.

4.2 Legal Requirements

We may disclose information if required by law, legal process, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

4.4 With Your Consent

We may share information for any other purpose with your explicit consent.

5. Cookies and Tracking Technologies

We use cookies and similar technologies to maintain your login session, remember your preferences, and analyze how you use the Services.

Types of Cookies We Use:

• Essential Cookies: Required for authentication and basic functionality.
• Analytics Cookies: Help us understand usage patterns and improve the Services.
• Preference Cookies: Remember your settings and preferences.

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of the Services.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide you the Services. Specifically:

• Account Data: Retained until you delete your account, plus 30 days to allow for recovery.
• Project and Scope Data: Retained until you delete the project or your account.
• Payment Records: Retained for 7 years for tax and accounting purposes.
• Usage Logs: Retained for up to 90 days for security and analytics purposes.

After the retention period, we will delete or anonymize your information. Some information may be retained in backups for up to 90 additional days.

7. Security Measures

We implement commercially reasonable technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, or destruction, including:

• Encryption in transit (HTTPS/TLS)
• Encryption at rest for sensitive data
• Secure authentication (Firebase Auth with OAuth)
• Regular security assessments and updates
• Access controls and audit logs
• Secure payment processing through PCI-compliant providers

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Rights and Choices

Depending on your location, you may have the following rights:

8.1 Access and Portability

You have the right to request access to the personal information we hold about you and, in some cases, to receive that information in a portable format.

8.2 Correction

You can update your account information at any time through your account settings. If you need assistance, contact us at scopelockapp@gmail.com.

8.3 Deletion

You have the right to request deletion of your personal information. You can delete your account and all associated data through the account settings page.

8.4 Objection and Restriction

You may object to or request restriction of certain processing activities. Contact us to exercise these rights.

8.5 Opt-Out of Communications

You can opt out of non-essential communications by following the unsubscribe link in our emails or updating your preferences in account settings.

9. Region-Specific Disclosures

9.1 For European Residents (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

• The legal basis for processing your data is typically your consent or our legitimate interests in providing and improving the Services.
• You have the right to lodge a complaint with your local data protection authority.
• We may transfer your data outside the EEA to the United States and other countries. We use Standard Contractual Clauses and other safeguards to protect your data.
• See our Data Processing Agreement for more details.

9.2 For California Residents (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information we collect, use, and share
• Right to request deletion of your personal information
• Right to opt-out of the "sale" of personal information (we do not sell personal information)
• Right to non-discrimination for exercising your CCPA rights

To exercise these rights, contact us at scopelockapp@gmail.com.

9.3 International Data Transfers

ScopeLock is based in Ljubljana, Slovenia (EU). However, some of our service providers (Google Cloud, Stripe, Vercel) may process data in the United States and other countries. We use Standard Contractual Clauses and other appropriate safeguards to ensure your data is protected regardless of where it is processed.

10. Children's Privacy

Our Services are not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately so we can delete it.

11. Third-Party Services and Links

The Services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with any information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of material changes by:

• Posting the updated Policy on this page with a new "Last Updated" date
• Sending you an email notification (for significant changes)
• Displaying a notice within the Services

Your continued use of the Services after changes become effective constitutes your acceptance of the revised Privacy Policy.