Privacy Policy
1. What we collect
- Account data: name, email, password hash, plan, billing identifiers (via Stripe — we don't store card numbers).
- Property + tenant data: addresses, tenancy dates, rent, deposit amounts, tenant names you enter into TurnScore™.
- Photos: move-in / move-out photos you upload, stored in Supabase Storage with operator-only access.
- Usage telemetry: AI feature usage, error logs, performance metrics. No third-party analytics tracking pixels (yet).
2. How we use it
We use your data to operate the Service: run AI scoping, render reports, dispatch vendors, bill subscriptions, send transactional email. We do not sell personal information. We do not share with advertisers.
3. AI processing
When you use AI features, the relevant inputs (text, photos) are sent to Anthropic's Claude API for inference. Anthropic processes the data per its own privacy policy. We do not use your inputs to train any model.
4. Tenant photos
Tenant photos are stored encrypted at rest and accessible only to the operator's account. When an operator generates a tenant-facing TurnScore™ link, that link grants read-only access to the report (not the raw photo archive) for the tenant named on the report. Operators are responsible for ensuring they have a lawful basis (lease terms, jurisdictional consent rules) to photograph rented units and use those photos for deposit-attribution purposes.
5. Data retention
Account data: retained while the account is active and for 90 days after cancellation, then deleted (except billing records required by law for 7 years). TurnScore™ reports: retained 7 years to support deposit-dispute defense. Photos: deleted on operator request or 7 years after the last associated tenancy.
6. Your rights
Everyone — including California residents under the CCPA / CPRA and EU/UK residents under the GDPR — may exercise the following rights with respect to personal information we hold about them:
- Access / Know: request a copy of the data we hold about you, the categories collected, the categories of sources, the business or commercial purpose, and the categories of third parties we share with.
- Correction: update inaccurate information.
- Deletion / Erasure: request deletion of your data (subject to retention obligations described in § 5 and to bona-fide business needs that override your request, e.g. fraud prevention or pending legal claims).
- Portability: receive your data in a structured, commonly used, machine-readable format (JSON / CSV).
- Opt-out of sale or sharing: we do not sell personal information and we do not share it for cross-context behavioral advertising, so there is nothing to opt out of, but you may submit a request to confirm.
- Restriction: ask us to limit how we process your data while a request is under review.
- Objection: object to processing based on our legitimate interests.
- Withdraw consent: if processing relies on consent (e.g. SMS opt-in), you may withdraw it at any time without affecting prior lawful processing.
- Non-discrimination: we will not retaliate against you for exercising any of these rights.
- Authorized agent: California residents may designate an agent to exercise these rights on their behalf; we will verify the agent's authorization before processing.
- Complaint: EU/UK residents have the right to lodge a complaint with a supervisory authority (in the U.S., contact your state attorney general).
Contact privacy@scopeiq.tech to exercise any of these. We will respond within 45 days (CCPA) or one month (GDPR), and will verify identity before disclosing data.
7. Security
Data in transit: TLS 1.2+. Data at rest: AES-256 (Supabase + Stripe). Authentication: per-account scoped session tokens; admin access logged. We are not SOC 2 audited yet — that is on the roadmap.
8. Subprocessors
Anthropic (AI inference) · Stripe (billing) · Supabase (storage + database) · Vercel (hosting) · Resend (transactional email) · SMS infrastructure provider. Subprocessor list updated as the stack evolves.
9. SMS and text messaging
When you provide a mobile phone number to ScopeIQ — at signup, in the vendor application, or via your account settings — you consent to receive transactional SMS messages from us related to job dispatch, vendor responses, status updates, payment notifications, and account security. Message and data rates may apply per your mobile carrier's plan; ScopeIQ does not charge for these messages. Message frequency varies based on your workspace activity and dispatch volume. Reply STOP to any ScopeIQ text to opt out of further messages, or HELP for assistance. We do not sell or share mobile numbers with third parties for marketing or advertising; SMS data is processed by our SMS infrastructure provider (see Subprocessors) solely to deliver the messages we send on your behalf.
10. Payment data (where applicable)
When you use ScopeIQ's Payment Facilitation Service (see Section 12 of our Terms of Service):
What we collect:Payment metadata only — transaction amount, date, status, Stripe reference IDs, the Renter's name, the property the payment is associated with, and the PM's account ID. We do not collect, see, or store full card numbers, bank account numbers, or any other primary payment credentials. All such data is collected and stored exclusively by Stripe, who handles all PCI-DSS compliance.
Why we collect it: To display payment status in your workspace, to associate payments with properties and tenants for reporting, to handle disputes when they arise, and to comply with tax recordkeeping obligations.
Retention: Seven (7) years from the date of the transaction, consistent with IRS recordkeeping requirements for businesses.
Sharing: Stripe (the processor of record), your PM or workspace operator, and as required by law or court order. We do not sell payment data to third parties.
Your rights: Renters can request payment records from their PM. PMs can export full payment history from their workspace at any time. Both can request deletion subject to our retention obligations under tax law.