Privacy Policy

ScopeCraft (“we”, “us”, “our”) operates the ScopeCraft service available at scopecraft.work. ScopeCraft is an AI-assisted project scoping and estimation tool for freelancers and small agencies.

We are the data controller for personal data collected through the Service. For any privacy-related questions or requests, contact us at support@scopecraft.work.

We collect the following categories of personal data:

• Account data — your email address, and optionally your display name, collected when you register or sign in via magic link or password.
• Usage data — project descriptions, inputs, and preferences you submit to generate estimates; the estimates themselves; and metadata about how you use the Service (e.g. feature usage counts, monthly AI call count).
• Billing data — your subscription plan, status, and billing period. Payment card details are handled exclusively by Lemon Squeezy and are never transmitted to or stored on our servers.
• Technical data — IP address, browser type, and server log data collected automatically for security, debugging, and performance monitoring. We do not currently use third-party analytics or advertising tracking.
• Communications — email address used to send transactional messages such as sign-in magic links, billing receipts forwarded from Lemon Squeezy, and support replies.

We use your personal data only as necessary to:

• Provide, operate, and improve the Service.
• Authenticate you and maintain your session securely.
• Process your subscription and enforce your plan entitlements.
• Send transactional emails — sign-in links, billing notifications, and support responses. We do not send unsolicited marketing email.
• Detect and prevent abuse, fraud, and security incidents.
• Comply with applicable legal obligations.

We do not sell, rent, or trade your personal data to any third party. We do not use the project descriptions or inputs you submit to train AI models.

Where the EU General Data Protection Regulation (GDPR) applies, we rely on the following lawful bases:

• Performance of a contract — processing necessary to provide the Service you have signed up for (account management, subscription billing, feature delivery).
• Legitimate interests — security monitoring, fraud prevention, service debugging, and product improvement, where these interests are not overridden by your privacy rights.
• Legal obligation — retaining financial records and responding to lawful requests from competent authorities.

We share personal data with the following third parties only to the extent necessary to operate the Service:

• Lemon Squeezy — payment and subscription processing. Your email address and purchase information are shared with Lemon Squeezy to create your customer record and process billing. Governed by the Lemon Squeezy Privacy Policy.
• OpenAI — AI-powered estimate generation. Project descriptions and inputs you submit are sent to the OpenAI API to produce scoping outputs. OpenAI processes this data in accordance with its Privacy Policy. We use the API in a way that opts out of training by default per OpenAI's API usage policies.
• Resend — transactional email delivery (magic-link sign-ins, billing notifications). Your email address is passed to Resend solely for the purpose of sending requested emails.
• Neon / PostgreSQL — managed database hosting for your account, estimates, and subscription data. Data is stored in encrypted, access-controlled infrastructure.
• Vercel / hosting provider — infrastructure for running the application. Server logs may contain IP addresses for a limited retention period.

We use a single session cookie to keep you authenticated between page loads. This cookie is strictly necessary for the Service to function and does not track you across other websites.

We do not currently use third-party analytics, advertising, or behavioural tracking cookies. If this changes in the future, we will update this policy and, where required by law, request your consent.

We retain your account and estimate data for as long as your account is active. If you request deletion of your account, we will delete your personal data within 30 days of the request, except where retention is required by applicable law (for example, financial transaction records that we are obliged to keep for a defined period).

Server logs containing technical data are retained for a maximum of 90 days and then automatically purged.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Rectification of inaccurate or incomplete data.
• Erasure (“right to be forgotten”) where processing is no longer necessary.
• Restriction of processing in certain circumstances.
• Portability of the data you provided to us.
• Objection to processing based on legitimate interests.

To exercise any of these rights, email support@scopecraft.work. We will acknowledge your request within 72 hours and respond in full within 30 days. You also have the right to lodge a complaint with your local data protection authority.

We implement industry-standard security measures including HTTPS encryption for all data in transit, hashed and salted credentials, access-controlled database infrastructure, and the principle of least privilege for internal system access. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security, but we will notify you promptly in the event of a data breach affecting your personal data as required by applicable law.

Our third-party service providers (OpenAI, Resend, Lemon Squeezy, Neon) may process data in the United States or other jurisdictions outside the European Economic Area. Where applicable, we rely on standard contractual clauses or other appropriate safeguards to ensure adequate protection of your personal data.

We may update this Privacy Policy from time to time. We will notify you of material changes by email to your registered address or by a prominent notice in the app at least 14 days before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after any change constitutes acceptance of the revised policy.

For privacy enquiries, data requests, or complaints, contact us at:
support@scopecraft.work