Privacy Policy

Effective date: 1 May 2026  ·  Last updated: 1 May 2026

ScopeMSP (“we”, “us”, or “our”) operates the SaaS platform accessible at scopemsp.com (the “Service”). We are committed to protecting your personal data and to processing it transparently and lawfully in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and applicable Finnish data protection law.

This Privacy Policy describes what personal data we collect, how we use it, with whom we share it, and what rights you have over it.

1. Data We Collect

1.1 Account Information

When you create an account we collect your name, email address, and (where you provide it) your company name. We also store the hashed password you set, the date your account was created, and your subscription status.

1.2 Proposal Content

When you use the Service to generate proposals, we store the discovery notes and other text you submit (“Input Content”), the AI-generated proposal output, proposal metadata (service type, audience type, target pricing), and your win/loss marking for proposals. This content is stored to allow you to access, edit, and share your proposals.

1.3 Branding Data

If you upload a logo or configure brand colours, we store those assets in order to apply them to your proposal outputs and shared links.

1.4 Billing Information

Payment card details are collected and held exclusively by our payment processor, Stripe, Inc. We do not store raw card numbers. We do store your Stripe Customer ID, subscription status, and transaction records for accounting and support purposes.

1.5 Usage Data

We collect technical log data generated by your use of the Service, including IP address, browser type, operating system, pages visited, and timestamp. We also collect proposal engagement data for shared links (views, time spent per section) to provide the view-tracking feature.

2. How We Use Your Data

We process your personal data for the following purposes:

  • Service delivery — to authenticate your account, generate proposals, store your content, and provide all features included in your subscription.
  • Billing and subscription management — to charge your payment method, issue receipts, process cancellations, and handle billing disputes through Stripe.
  • Transactional email — to send account confirmations, password resets, billing notifications, and material service updates via Resend.
  • Support — to respond to enquiries you direct to hello@scopemsp.com and diagnose technical issues.
  • Security and fraud prevention — to detect and investigate suspicious activity, enforce our Terms of Service, and protect the integrity of the platform.
  • Legal compliance — to fulfil our obligations under applicable law, including tax, accounting, and regulatory requirements.

We do not sell your personal data. We do not use your Input Content or generated proposals for advertising purposes or to train AI models without your explicit consent.

3. Legal Basis for Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

  • Performance of a contract (Art. 6(1)(b)) — for processing your account data and proposal content to provide the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)) — for usage logging, security monitoring, and service improvement, where these interests are not overridden by your privacy rights.
  • Legal obligation (Art. 6(1)(c)) — for retaining billing and transaction records as required by Finnish accounting law.
  • Consent (Art. 6(1)(a)) — for any optional marketing communications, which you may withdraw at any time.

4. Third-Party Processors

We share your data with the following trusted sub-processors to operate the Service. Each processor is bound by a data processing agreement and appropriate safeguards.

Supabase / Amazon Web Services

Database and file storage. Your account data, proposals, and branding assets are stored in a PostgreSQL database hosted on Supabase, which runs on AWS infrastructure in the EU (Frankfurt, eu-central-1 region).

Stripe, Inc.

Payment processing and subscription management. Stripe processes payment card data on our behalf. Stripe is PCI DSS Level 1 certified. Your card details are never transmitted to our servers.

Anthropic, PBC

AI proposal generation. When you generate a proposal, your Input Content is sent to Anthropic’s Claude API to produce the proposal output. Anthropic processes this data under their API usage policy and does not use API input to train models by default. Data sent to Anthropic may be processed in the United States; appropriate safeguards (Standard Contractual Clauses) are in place.

Resend, Inc.

Transactional email delivery. We use Resend to send account-related emails (confirmations, password resets, billing notifications). Resend processes your email address and the content of those messages.

Vercel, Inc.

Application hosting and CDN. The ScopeMSP web application is deployed on Vercel’s infrastructure. Vercel processes HTTP request data (including IP addresses) as part of serving the application and may retain request logs for a limited period.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

  • Account and proposal data is retained for the duration of your subscription and deleted within 90 days of account closure, unless you request earlier deletion.
  • Billing and transaction records are retained for seven years to comply with Finnish accounting law (Kirjanpitolaki 1336/1997).
  • Technical logs (IP addresses, request records) are retained for up to 90 days for security and diagnostic purposes.
  • Email delivery records are retained for up to 12 months.

After the applicable retention period, data is securely deleted or anonymised.

6. Your Rights Under GDPR

If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data:

  • Right of access — You may request a copy of the personal data we hold about you.
  • Right to rectification — You may ask us to correct inaccurate or incomplete personal data.
  • Right to erasure — You may request deletion of your personal data where there is no overriding legal basis to retain it (such as our statutory accounting obligations).
  • Right to data portability — You may request an export of your account data and proposals in a structured, machine-readable format (JSON or CSV).
  • Right to restriction of processing — You may ask us to restrict processing in certain circumstances, for example while a rectification request is being resolved.
  • Right to object — You may object to processing based on our legitimate interests; we will comply unless we have compelling grounds that override your interests.
  • Right to withdraw consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at hello@scopemsp.com with the subject line “Data Subject Request”. We will respond within 30 days. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or the supervisory authority in your EU member state of residence.

7. Cookies and Local Storage

ScopeMSP uses a minimal set of cookies and browser storage solely to operate the Service. We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies.

  • Session cookie — A secure, HttpOnly session cookie issued by Supabase Auth to maintain your authenticated session. This cookie is essential for the Service to function and is deleted when you log out or when the session expires.
  • CSRF token — A short-lived token used to protect form submissions from cross-site request forgery attacks.

No consent banner is required for these cookies because they are strictly necessary for service delivery and security under the ePrivacy Directive. You can block cookies at the browser level, but doing so will prevent you from logging in.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data storage (AES-256 at rest via Supabase/AWS), TLS 1.2+ encryption in transit, row-level security policies in our database, and restricted access to production systems.

No method of transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with GDPR Articles 33 and 34.

9. International Data Transfers

Our primary data storage is within the EU (Supabase on AWS eu-central-1). However, some sub-processors (Anthropic, Stripe, Vercel, Resend) are based in the United States and may process data there. Where such transfers occur, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented by the sub-processor’s applicable certifications and safeguards. You may request copies of the relevant transfer safeguards by emailing hello@scopemsp.com.

10. Children's Privacy

The Service is intended for business users and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, our data practices, or the sub-processors we use. When we make material changes we will notify you by email at least 14 days before the changes take effect. The current version is always available at scopemsp.com/privacy.

12. Contact and Data Requests

For any privacy-related enquiries, data subject requests, or to contact our data protection point of contact, please reach us at:

ScopeMSP — Data Privacy
Email: hello@scopemsp.com
Subject line: “Data Subject Request” or “Privacy Enquiry”
Website: scopemsp.com

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman: tietosuoja.fi.