Privacy Policy

Last updated: March 1, 2026

This Privacy Policy explains how Scoped (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you use getscoped.app.

This policy is designed to comply with:

  • The Brazilian General Data Protection Law (LGPD — Lei nº 13.709/2018)
  • The European Union General Data Protection Regulation (GDPR)
  • Applicable US state privacy laws

We are committed to transparency. If anything here is unclear, contact us at hello@getscoped.app.

1. Who We Are (Data Controller)

Scoped

Website: getscoped.app

Contact: hello@getscoped.app

Headquarters: São Paulo, SP, Brazil

Under the LGPD, we are the data controller for studio owner and team member data. For client intake data submitted through your studio's forms, you (the studio) are the data controller and Scoped acts as the data processor.

2. What Data We Collect

2.1 Account and Studio Data

Collected when you sign up:

  • Full name and email address
  • Studio name and logo
  • Brand color preferences
  • Custom subdomain (if configured)
  • Role within the studio (owner or member)

2.2 Billing Data

Collected when you subscribe to a paid plan:

  • Billing email address
  • Payment method details — processed directly by Stripe. Scoped never stores raw card numbers or full payment data.
  • Subscription history and invoice records

2.3 Usage Data

Collected automatically:

  • Brief creation dates and counts
  • Brief status transitions
  • Login timestamps
  • IP address (for security and fraud prevention)
  • Browser type and device type

2.4 Client Intake Data

Collected when your clients fill out your forms:

  • Client name and email address
  • All form responses submitted by the client
  • E-signature confirmation and timestamp
  • IP address of the client at time of submission (for legal validity of e-signatures)

2.5 Communications Data

  • Emails you send us
  • Support requests and their content

3. Why We Collect This Data (Legal Basis)

Under the LGPD and GDPR, we are required to identify a legal basis for each type of data processing.

| Data Type | Legal Basis |
|---|---|
| Account and studio data | Performance of contract (your use of the Service) |
| Billing data | Performance of contract, legal obligation |
| Usage data | Legitimate interest (service improvement, security) |
| Client intake data | Performance of contract (processing on your behalf) |
| Communications data | Legitimate interest (support and communications) |

We do not process sensitive personal data as defined under the LGPD (Article 5, II) or GDPR (Article 9) unless explicitly required and consented to.

4. How We Use Your Data

We use your data only for the following purposes:

  • To provide and operate the Scoped service
  • To process payments and manage your subscription
  • To send transactional emails (brief notifications, approval requests, payment receipts)
  • To send onboarding and product update emails (you can unsubscribe at any time)
  • To detect and prevent fraud or abuse
  • To comply with legal obligations
  • To improve the service based on aggregated, anonymized usage patterns

We do not:

  • Sell your personal data to any third party
  • Use your brief content or client data to train AI models
  • Send marketing emails to your clients
  • Use data for purposes incompatible with those listed above

5. Who We Share Data With

We share data only with the following third-party services, which are necessary to operate Scoped:

| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database, auth, file storage | All platform data | US (AWS us-east-1) |
| Stripe | Payment processing | Billing data | US |
| Anthropic | AI brief generation | Brief form data (to generate output) | US |
| Resend | Transactional email | Email addresses, brief metadata | US |
| Vercel | Hosting and delivery | Request logs, IP addresses | US/Global CDN |

All third-party processors are bound by data processing agreements and comply with GDPR, LGPD, and applicable US law.

For EU users: data transfers to the US are covered by Standard Contractual Clauses (SCCs) where required under GDPR Article 46.

6. Data Retention

| Data Type | Retention Period |
|---|---|
| Account and studio data | Retained while your account is active + 90 days after deletion |
| Brief data | Retained while your account is active + 90 days after deletion |
| Client intake data | Retained while your account is active + 90 days after deletion |
| Billing records | 5 years (legal and tax obligation) |
| Server logs | 30 days |
| Waitlist emails | Until you are onboarded or request deletion |

When you delete your studio from the Settings page, all associated data (briefs, client data, team members) is permanently deleted within 90 days. Billing records are retained as required by law.

7. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

7.1 Rights Under GDPR (EU Users) and LGPD (Brazilian Users)

  • Right to access: request a copy of the data we hold about you
  • Right to correction: request that inaccurate data be corrected
  • Right to deletion: request that your data be deleted (“right to be forgotten”)
  • Right to restriction: request that we limit processing of your data
  • Right to portability: receive your data in a structured, machine-readable format
  • Right to object: object to processing based on legitimate interest
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

7.2 Additional Rights Under LGPD (Brazilian Users)

  • Right to information about the consequences of not providing data
  • Right to petition the ANPD (Autoridade Nacional de Proteção de Dados) regarding the processing of your data
  • Right to know which public and private entities your data was shared with

7.3 Rights Under Applicable US State Laws

If you are a resident of a US state with applicable privacy laws (including California, Virginia, Colorado, and others), you have the right to access, correct, delete, and opt out of the sale of your personal data. Scoped does not sell personal data.

7.4 How to Exercise Your Rights

Email us at hello@getscoped.app with the subject line “Privacy Request.” We will respond within 15 business days. We may ask you to verify your identity before processing the request.

8. Cookies

Scoped uses the following cookies:

| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth session | Keeps you logged in | Session / 1 week |
| CSRF token | Security protection | Session |

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or similar tools.

9. Data Security

We implement the following measures to protect your data:

  • All data in transit is encrypted with TLS 1.2 or higher
  • All data at rest is encrypted by Supabase (AES-256)
  • Row Level Security (RLS) is enforced at the database level — studios can never access each other's data
  • Access to production systems is restricted to authorized personnel
  • Stripe handles all payment card data — we never store raw card numbers
  • Passwords are never stored in plain text

In the event of a data breach that affects your personal data, we will notify you within 72 hours as required under GDPR Article 33, and within the timeframe required by the LGPD and applicable US state laws.

10. Children's Privacy

Scoped is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at hello@getscoped.app and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact and DPO

For any privacy-related questions, requests, or complaints:

Email: hello@getscoped.app

Subject line: “Privacy Request”

Website: getscoped.app

For complaints that we have not resolved to your satisfaction:

  • EU users: contact your local Data Protection Authority
  • Brazilian users: contact the ANPD at gov.br/anpd
  • US users: contact your state Attorney General's office