01 What we collect
We collect three categories of information — only what's needed to deliver the product, only when you give it to us.
Account data
When you sign up: name, work email, password (hashed via Clerk), authentication provider tokens if you use Google or LinkedIn SSO. If you upgrade to a paid plan: company name and billing address (handled by Stripe — we never see your card number).
Product data
To deliver the daily brief, we process: your business URL, voice samples you paste during onboarding, the competitor list you build, any briefs we generate for you, and any content you approve or edit. This is the substance of the service.
Usage data
Standard product telemetry — which features you use, error logs, performance metrics, anonymous page-view counts. We use this to keep ScoutRival fast and to know which features matter. We do not sell, share, or rent any usage data.
Browsing history outside ScoutRival. Location data beyond country (from IP). Camera, microphone, or contact list. Anything we don't actively need to run your account.
02 How we use it
Each piece of data serves a specific purpose. Here's the full list — there is no "other":
- Account data — authentication, account recovery, billing, support replies
- Business URL + voice samples — generating the daily brief and brand-voice-matched drafts
- Competitor list — running the daily crawl across the sources you've authorized
- Briefs + content — displaying them back to you and (with your approval) publishing to your connected channels
- Usage telemetry — improving the product · debugging · capacity planning
- Marketing emails — only if you opt in. Unsubscribe link in every email.
We do not use your data to train shared AI models. Your content does not improve other customers' results.
03 Third-party services
We use a small, deliberate set of sub-processors. Each one has a specific job:
- CLERK: Authentication and session management. Holds account credentials. SOC 2 Type II certified. clerk.com/privacy
- STRIPE: Billing, subscription management, payment processing. PCI-DSS Level 1. We never see your card number. stripe.com/privacy
- SUPABASE: Database, file storage, row-level security. Postgres-based, US-East by default, EU + APAC regions on Operator+ tiers. SOC 2. supabase.com/privacy
- ANTHROPIC · OPENAI: LLM providers for content generation. Their zero-retention APIs — your prompts are not stored or used for training. anthropic.com/privacy · openai.com/privacy
- APIFY · BRIGHT DATA · VISUALPING: Crawling partners. Used to collect publicly-accessible competitor signals. We supply URLs, they return public data. No personal information passes through.
- RESEND: Transactional email delivery (sign-up verification, billing receipts, daily brief notifications). resend.com/privacy
- CLOUDFLARE: CDN + DDoS protection. Standard request metadata only (IP, user-agent, timestamp). cloudflare.com/privacy
- PLAUSIBLE · POSTHOG: Privacy-respecting analytics. No personal identifiers. Cookie-free traffic analytics. plausible.io/privacy
04 Cookies & tracking
We use the fewest cookies we can get away with. Specifically:
- Session cookies — required to keep you logged in (set by Clerk). Strictly necessary.
- Preferences — a small cookie storing your monthly/annual pricing toggle, theme preference, dismissed banners. No personal data.
- Stripe checkout — Stripe sets cookies during paid checkout. Required for fraud prevention.
We do not use third-party advertising cookies, retargeting pixels, or cross-site trackers. There is no cookie banner because there is nothing to consent to beyond what's strictly necessary.
05 Data retention
We hold data only as long as it's useful. Specifically:
- Active account data — kept for as long as your account is active
- After cancellation — your data is retained for 30 days so you can change your mind, then deleted
- Briefs + content you've shipped — kept for 90 days after cancellation in case you need to re-export, then deleted
- Billing records — retained for 7 years per tax/accounting requirements (kept by Stripe)
- Usage logs — anonymized after 90 days, fully deleted after 13 months
You can request immediate deletion at any point — see Your Rights below.
06 Your rights · GDPR + CCPA
If you're in the EU, UK, Switzerland (GDPR), or California (CCPA), you have these rights — and they apply to everyone equally because the easier path is to honor them globally:
- Access — request a full copy of everything we hold about you, in machine-readable format (JSON or CSV)
- Rectification — fix any inaccurate data we hold
- Erasure ("right to be forgotten") — delete your data permanently
- Portability — get your data in a format you can take elsewhere
- Restriction — pause processing while you decide what you want done
- Objection — opt out of marketing emails (do this from the email footer or in account settings)
- Withdrawal — revoke consent at any time
To exercise any of these: email privacy@scoutrival.com. We respond within 30 days, usually within 24 hours. No paperwork, no friction.
You also have the right to know what categories of personal information we collect, opt-out of "sale" (we don't sell), and not be discriminated against for exercising your rights. We honor all of these.
07 Children's privacy
ScoutRival is a B2B product for businesses. We do not knowingly collect data from anyone under 16. If you believe a minor has provided us data, email privacy@scoutrival.com and we'll delete it immediately.
08 How we keep data safe
- Encryption at rest — AES-256 via Supabase + Cloudflare R2
- Encryption in transit — TLS 1.3 on every endpoint
- Row-level security — Postgres RLS, every query scoped to the requesting user
- Access control — least-privilege internal access, audit logged
- SOC 2 audit — Type I in progress (Q3 2026), Type II target Q1 2027
- Incident notification — within 72 hours per GDPR Article 33
09 Updates to this policy
We update this policy when something changes — a new sub-processor, a new feature that processes data differently, a legal requirement. When we do:
- The "Last updated" date at the top changes
- Significant changes get an email notice to all account holders, sent at least 30 days before they take effect
- You can review past versions on request
10 Contact
Anything privacy-related — questions, requests, complaints — goes to one inbox:
- PRIVACY OFFICE: privacy@scoutrival.com
- MAILING ADDRESS: ScoutRival · Dhaka, Bangladesh · (full registered address available on request)
- DATA PROTECTION OFFICER: Walid Hasan, Founder · walid@scoutrival.com
- EU SUPERVISORY AUTHORITY: You also have the right to lodge a complaint with your local supervisory authority — for example the Irish DPC, German BfDI, or French CNIL.
Walid reads every email.
Privacy questions, data requests, GDPR audits, or "I just want to make sure I understand this" — all welcome.