ScopeSage

Privacy Policy

Last updated: 9/11/2025

1. Introduction

ScopeSage is committed to protecting your privacy and data. This Privacy Policy explains how we collect, use, and protect your information when you use our change order management platform.

GDPR Compliance: This policy is designed to comply with the General Data Protection Regulation (GDPR) and other applicable privacy laws. We act as a data processor for the business data you create, and as a data controller for your account information.

2. Information We Collect

Account Information

  • Name and email address
  • Company name and business address
  • Password (encrypted and never stored in plain text)
  • Currency and VAT preferences
  • Timezone and localization settings

Business Data

  • Project information and details
  • Client contact information
  • Change order content and specifications
  • Pricing and financial information
  • Legal terms and custom templates

Usage Information

  • Login times and session data
  • Feature usage and interaction patterns
  • IP addresses and browser information
  • Device and operating system details

Digital Signature Data

  • Client approval decisions and timestamps
  • IP addresses for audit trails
  • Digital signature metadata
  • Legal compliance information
  • E-signature consent records and timestamps
  • Multi-factor authentication data (OTP verification)
  • Browser and device information for verification
  • Comprehensive audit trails with metadata
  • Document integrity verification hashes
  • Jurisdiction-specific compliance records

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide our services and fulfill our obligations
  • Legitimate Interest: To improve our services and ensure security
  • Consent: For marketing communications (where applicable) and electronic signature consent
  • Legal Obligation: To comply with applicable laws and regulations
  • Electronic Signature Compliance: To maintain legally compliant e-signature records and audit trails

4. How We Use Your Information

Core Service Delivery

  • Creating and managing change orders
  • Facilitating client approvals and communication
  • Generating PDFs and legal documents
  • Processing payments and financial calculations
  • Maintaining audit trails for compliance
  • Processing electronic signature consent and approvals
  • Maintaining e-signature verification records

Service Improvement

  • Analytics to improve user experience
  • Performance monitoring and optimization
  • Feature development and enhancement
  • Security monitoring and threat detection

Communication

  • Service notifications and updates
  • Security alerts and important notices
  • Customer support and assistance
  • Product updates and new features

5. Information Sharing

We do not sell, trade, or rent your personal information. We may share information only in these limited circumstances:

With Your Clients

  • Change order information you choose to send
  • Company information for professional presentation
  • Project details relevant to the change order

Service Providers

  • Cloud hosting and infrastructure providers
  • Email delivery services for notifications
  • Payment processors for subscription billing
  • Analytics and monitoring services

Legal Requirements

  • Compliance with valid legal requests
  • Protection of our rights and property
  • Prevention of fraud or illegal activity
  • Public safety and security concerns

6. Data Security

We implement enterprise-grade security measures:

Technical Safeguards

  • 256-bit SSL encryption for all data transmission
  • AES encryption for data at rest
  • Multi-factor authentication support
  • Regular security audits and penetration testing
  • Automated backup and disaster recovery

Access Controls

  • Role-based access to systems and data
  • Regular access reviews and updates
  • Employee background checks and training
  • Monitoring and logging of all access

7. Data Retention

Active Accounts

  • Account data retained while account is active
  • Business data retained as long as needed for service
  • Audit trails maintained for legal compliance

Closed Accounts

  • Account data deleted within 90 days
  • Business data available for export before deletion
  • Legal compliance data retained as required by law
  • Anonymized analytics data may be retained

8. Your Rights

Access and Control

  • View and download all your data
  • Update account and business information
  • Delete specific projects or clients
  • Export change orders and documents

Privacy Rights

  • Request deletion of your account and data
  • Restrict processing of your information
  • Correct inaccurate or incomplete data
  • Object to certain types of processing

9. International Data Transfers

ScopeSage is hosted in secure data centers. If you're located outside our primary hosting region, your data may be transferred internationally. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved data transfer mechanisms
  • UK International Data Transfer Agreement (IDTA): For UK data transfers
  • Adequacy decisions: From regulatory authorities for approved countries
  • Binding Corporate Rules: Where applicable for corporate transfers
  • Other approved mechanisms: As recognized by relevant authorities

GDPR Article 46: We implement appropriate safeguards for international transfers as required by GDPR Article 46 and equivalent provisions in other privacy laws.

10. Children's Privacy

ScopeSage is designed for professional business use and is not intended for children under 16. We do not knowingly collect information from children.

11. Cookies and Tracking

Essential Cookies

  • Authentication and session management
  • Security and fraud prevention
  • Core functionality and user preferences

Analytics Cookies

  • Usage patterns and feature adoption
  • Performance monitoring and optimization
  • Error tracking and debugging

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of significant changes through:

  • Email notifications
  • In-app announcements
  • Website updates

13. Data Processing Addendum (DPA)

For users who process personal data of EU/UK residents, we provide a Data Processing Addendum (DPA) that outlines our roles and responsibilities as a data processor. The DPA includes:

  • Data Processing Roles: Clear definition of controller vs. processor responsibilities
  • Security Measures: Technical and organizational security requirements
  • Sub-processors: List of authorized third-party service providers
  • Data Breach Procedures: Notification requirements and response protocols
  • Data Subject Rights: Support for user rights requests

Sub-processors: We use the following services that may process your data:

  • Stripe: Payment processing and billing
  • Resend: Email delivery and transactional communications
  • OpenAI: AI-powered content extraction and generation
  • MongoDB Atlas: Database hosting and management

14. Contact Information

For privacy-related questions or requests, please contact us at:

  • Email: privacy@scopesage.app
  • Address: ScopeSage Privacy Officer, Dublin, Ireland

Your Data, Your Control: ScopeSage gives you complete control over your business data. You can export, update, or delete your information at any time through your account settings.

Business Focus: We understand the sensitive nature of business data. Our privacy practices are designed to support professional use while maintaining the highest standards of data protection.

GDPR Compliance: ScopeSage is designed to support GDPR compliance requirements. We implement appropriate technical and organizational measures, provide data processing addendums, and support data subject rights. However, users remain responsible for ensuring their own compliance with applicable privacy laws.
