Privacy Policy

Effective / last updated: 19 March 2026

This Privacy Policy describes how ScopeTracker (“we”, “us”) collects, uses, stores, and shares personal data when you use our ScopeTracker-style contract management Service (websites, apps, APIs). It should be read together with our Terms of Service.

Contact the operator using the support channel published on this website (e.g. footer or contact page).

1. Data controller

For personal data described here, the controller is: ScopeTracker (operator of this Service). If you access the Service through an employer or client, that project may also act as a separate controller for employee or project data.

2. Categories of personal data

Depending on how you use the Service, we may process:

  • Account and identity data: name, email address, authentication identifiers from your sign-in method (including social or corporate login where offered), profile metadata, and internal user IDs.
  • Contract and workflow data: contract titles, snapshots, scope line items, amendments, scope requests, issues, payment status fields you enter, client email addresses you provide, magic-link tokens where used, and similar business records.
  • Signing and security data: OTP-related records (e.g. codes or verification status within retention limits), signature metadata (e.g. timestamps, IP addresses where collected), and audit log entries tied to actions in the Service.
  • Technical and usage data: server logs, device/browser type, approximate location derived from IP, and diagnostic data needed to secure and operate the Service.
  • Communications: messages you send us (e.g. support), and transactional emails we send (invites, OTP, notifications) processed via our email provider.

3. Purposes and legal bases (EEA/UK reference)

We use personal data to:

  • Provide the Service (contractual necessity): authentication, storing and displaying your workspace data, signing flows, exports.
  • Secure and improve the Service (legitimate interests / contractual necessity): fraud prevention, abuse detection, debugging, analytics in aggregated form where used.
  • Comply with law (legal obligation): responding to lawful requests, tax/accounting where applicable.
  • Marketing (consent or legitimate interests, as applicable): only if your deployment enables marketing and you have opted in where required.

If you are in the EEA/UK, you may have rights listed in Section 9. Legal bases depend on context; contact us if you need more detail about a specific processing activity.

4. Subprocessors and recipients

We use service providers who process personal data on our instructions. They typically fall into these categories:

  • Authentication: identity and session services that verify who you are when you log in.
  • Database and hosting: systems that store and run the Service (including cloud infrastructure).
  • Email delivery: providers that send transactional messages such as sign-in codes and notifications.
  • File storage: storage for exports, attachments, or evidence packages where the product supports uploads or downloads.

We may also disclose information if required by law, to protect rights and safety, or in connection with a business transfer (merger, acquisition) subject to appropriate safeguards.

5. International transfers

Your data may be processed in countries other than where you live. Where we transfer personal data from the EEA/UK to countries not deemed adequate, we use appropriate safeguards such as Standard Contractual Clauses where required, unless another lawful mechanism applies.

6. Retention

We retain personal data for as long as your account is active and as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Contract snapshots, audit logs, and signing metadata may be retained longer where necessary for legal, accounting, or evidentiary purposes. OTP artefacts should be retained only for limited periods consistent with security policies. Specific retention schedules may vary by deployment—contact us for details relevant to your workspace.

7. Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS/TLS) for browser and API traffic where configured, access controls, and secure handling of secrets. No method of transmission or storage is 100% secure; you use the Service at your own risk beyond what reasonable security requires.

8. Cookies and similar technologies

The Service may use cookies or local storage for session management, authentication state, and essential functionality. Analytics or non-essential cookies, if any, will be described in a cookie notice where your operator enables them.

9. Your rights

Depending on your location, you may have the right to access, rectify, or erase your personal data, to restrict or object to processing, to data portability, and to withdraw consent where processing is consent-based. You may lodge a complaint with a supervisory authority. To exercise rights, contact us using the details below. We may need to verify your identity before responding.

10. Children

The Service is not directed to children under 16 (or the digital age of consent in your region). We do not knowingly collect personal data from children. If you believe we have, contact us and we will take appropriate steps to delete it.

11. Automated decision-making

We do not use automated decision-making that produces legal or similarly significant effects solely by automated means.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised version and update the “last updated” date. Where required by law, we will notify you of material changes.

13. Contact

Contact the operator using the support channel published on this website (e.g. footer or contact page).

For EU/UK data subjects: you may also contact your local data protection authority. The lead supervisory authority may depend on where ScopeTracker is established—confirm with us if unsure.