Privacy Policy
Last updated: April 4, 2026
This Privacy Policy describes how ScopePilot (“we,” “us,” or “our”) collects, uses, and protects personal data when you use our platform and services. We are committed to protecting your privacy in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
ScopePilot is the data controller for the personal data we collect from registered users. For personal data collected from your clients through the client portal, you (the freelancer) are the data controller and we act as a data processor on your behalf.
Contact: scopesupport@pm.me
2. What Data We Collect
From registered users (freelancers): email address, full name, business name, payment information (processed by Stripe — we do not store card details), and usage data (pages visited, features used).
From clients (via the portal): full name, email address, IP address, browser user-agent string, and timestamp — collected when a client signs a scope document, approves a change order, or accepts a delivery.
Automatically collected: cookies necessary for authentication (Supabase session cookies), server logs, and basic analytics.
3. Legal Basis for Processing (GDPR Art. 6)
We process personal data on the following legal bases:
Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you subscribed to.
Legitimate interest (Art. 6(1)(f)): improving the Service, preventing fraud, and ensuring security.
Legal obligation (Art. 6(1)(c)): compliance with tax, accounting, and legal requirements.
Consent (Art. 6(1)(a)): where applicable, such as for optional marketing communications (which we do not currently send).
4. How We Use Your Data
We use your data to provide and maintain the Service, to process payments via Stripe, to generate audit trails for scope approvals and change orders, to communicate with you about your account, to improve and optimize the Service, and to comply with legal obligations.
We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties for their marketing purposes.
5. Third-Party Processors
We use the following third-party services to operate the platform:
Supabase (database, authentication) — processes and stores account data and project data.
Stripe (payments) — processes payment information. Stripe’s privacy policy applies to payment data.
Vercel (hosting) — serves the application. Server logs may include IP addresses.
All processors are bound by data processing agreements and comply with GDPR requirements.
6. Data Retention
Account data is retained for the duration of your subscription and deleted upon account deletion, subject to legal retention requirements. Audit trail data (client signatures, approvals) is retained for the duration of your account to serve its purpose as an evidence record. Payment records are retained as required by tax and accounting laws (typically 5–7 years).
7. Your Rights Under GDPR
If you are in the European Economic Area, you have the right to:
Access your personal data.
Rectify inaccurate data.
Erase your data (“right to be forgotten”) — use the account deletion feature or contact us.
Restrict processing of your data.
Port your data to another service.
Object to processing based on legitimate interest.
Lodge a complaint with your local Data Protection Authority.
To exercise any of these rights, contact us at scopesupport@pm.me. We will respond within 30 days.
8. Data Transfers
Your data may be processed in countries outside the EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on the processor’s adequacy decision or certification under applicable frameworks.
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS), encryption at rest, row-level security policies in our database, and regular access reviews. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
10. Cookies
We use only essential cookies required for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required as our cookies are strictly necessary for the Service to function (GDPR Recital 30, ePrivacy Directive Art. 5(3) exemption).
11. Children
The Service is not directed to individuals under 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before taking effect.
13. Contact
For any privacy-related questions, data requests, or complaints, contact us at scopesupport@pm.me.