Privacy Policy - Scope Catch

Scope Catch ("we," "our," or "us") operates the Scope Catch application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using Scope Catch, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide Directly

When you use Scope Catch, we collect:

Workspace Information: Slack workspace ID, workspace name, team domain
User Information: Slack user ID, username, email address, display name
Project Data: Project names, scope definitions, budget information, timeline
Message Content: Messages from Slack channels where Scope Catch is invited (used solely for scope creep detection)
Feedback Data: Your responses to alerts (Correct/Incorrect/Dismiss/Absorb)
Billing Information: Payment details (processed by Stripe; we do not store credit card numbers)

1.2 Information Collected Automatically

Usage Data: Features used, commands run, alert interactions
Device Information: IP address, browser type, operating system
Log Data: Timestamps, error logs, performance metrics

1.3 Information from Third Parties

Slack: Workspace and user data via Slack OAuth
Stripe: Payment status, subscription information

2. How We Use Your Information

We use collected information to:

Provide the Service: Detect scope creep in your Slack conversations
Improve Detection: Train and calibrate AI models based on your feedback
Process Payments: Handle subscriptions via Stripe
Send Notifications: Alert you about scope creep, billing issues, product updates
Provide Support: Respond to your questions and troubleshoot issues
Analyze Usage: Understand how users interact with Scope Catch to improve features
Ensure Security: Detect and prevent fraud, abuse, or security incidents

Important: We DO NOT Train AI Models on Your Messages

Your Slack messages are used ONLY for scope creep detection for your workspace. We never use your messages to train AI models or share them with third parties (except as required to provide the Service, e.g., Gemini API for detection).

3. How We Store and Secure Your Information

3.1 Data Storage

Location: United States (AWS or Railway infrastructure)
Duration:
- Active data: Retained while you use the Service
- Deleted projects: Purged within 30 days
- Account deletion: All data deleted within 30 days

3.2 Security Measures

Encryption at Rest: AES-256 encryption for stored data
Encryption in Transit: TLS 1.2+ for all data transmission
Access Controls: Role-based access, minimal access principle
Authentication: OAuth 2.0 with Slack, secure API keys
Monitoring: 24/7 security monitoring and intrusion detection
Backups: Daily encrypted backups with 30-day retention

3.3 Third-Party Services

Service	Purpose	Data Shared
Slack	Platform integration	Workspace ID, messages
Google (Gemini)	AI detection	Message content (encrypted)
Stripe	Payment processing	Billing info, email
Supabase/PostgreSQL	Database hosting	All app data
Railway	Infrastructure hosting	All app data

All third-party services are GDPR compliant and have signed Data Processing Agreements (DPAs) where applicable.

4. How We Share Your Information

We do NOT sell, rent, or trade your personal information.

We share information only in these limited circumstances:

4.1 Service Providers

We share data with third-party vendors (listed above) who help us provide the Service.

4.2 Legal Requirements

We may disclose information if required by law, court order, or government request, or to protect our rights, safety, or property.

4.3 Business Transfers

If Scope Catch is acquired or merged, your information may be transferred to the new entity. You will be notified via email.

4.4 With Your Consent

We may share information with your explicit consent.

5. Your Rights (GDPR & CCPA)

You have the following rights regarding your data:

5.1 Access

Request a copy of all personal data we hold about you.

How: Email support@scopecatch.com with subject "Data Access Request"

5.2 Deletion (Right to be Forgotten)

Request deletion of all your personal data.

How:

In Slack: Run /scopecatch delete-data command
Via email: support@scopecatch.com with subject "Delete My Data"

Timeline: Data deleted within 30 days. Backups purged within 90 days.

5.3 Export (Data Portability)

Request an export of your data in machine-readable format (JSON/CSV).

How: Run /scopecatch export-data or email support@scopecatch.com

5.4 Correction

Request corrections to inaccurate personal data.

How: Email support@scopecatch.com

5.5 Restriction

Request we stop processing your data (but not delete it).

How: Email support@scopecatch.com

5.6 Objection

Object to processing of your data for direct marketing or other purposes.

How: Email support@scopecatch.com or unsubscribe from emails

5.7 Withdraw Consent

Withdraw consent for data processing at any time.

How: Uninstall Scope Catch from your Slack workspace

Response Time: We respond to all requests within 30 days (as required by GDPR).

6. Cookies and Tracking

6.1 Cookies We Use

Cookie Name	Purpose	Duration	Essential
session_id	Keep you logged in	30 days	✅ Yes
workspace_id	Remember your workspace	30 days	✅ Yes
analytics_id	Track usage (anonymized)	1 year	❌ No

6.2 Cookie Controls

You can control cookies via your browser settings:

Chrome: Settings → Privacy → Cookies
Firefox: Settings → Privacy → Cookies
Safari: Preferences → Privacy → Cookies

Note: Disabling essential cookies may prevent Scope Catch from functioning.

6.3 Third-Party Cookies

We do NOT use third-party advertising cookies. Analytics cookies (if enabled) are first-party only.

7. Data Retention

Data Type	Retention Period
Active projects	While in use
Deleted projects	30 days, then purged
User accounts	While workspace is active
Deleted accounts	30 days, then purged
Billing records	7 years (tax/legal requirement)
Support emails	2 years
System logs	90 days

8. Children's Privacy

Scope Catch is not intended for users under 13 years old. We do not knowingly collect data from children under 13. If you believe we have collected data from a child, contact us immediately at support@scopecatch.com.

9. International Data Transfers

Scope Catch is based in the United States and stores data in the United States.

If you are located in the European Union (EU) or United Kingdom (UK), your data may be transferred outside the EU/UK. We ensure adequate protection through:

Standard Contractual Clauses (SCCs) with service providers
GDPR-compliant Data Processing Agreements (DPAs)
Adherence to EU-U.S. Data Privacy Framework (if applicable)

10. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

Right to Know: What personal information we collect and how we use it
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt out of sale of personal information (Note: We do NOT sell data)
Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise your rights: Email support@scopecatch.com with subject "CCPA Request"

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted at scopecatch.com/privacy with a new "Last Updated" date.

Minor changes: Posted on website
Material changes: Email notification to all users

Your continued use of Scope Catch after changes constitutes acceptance.

12. Contact Us

Questions about this Privacy Policy?

📧 Email: support@scopecatch.com

13. Compliance & Certifications

Scope Catch complies with:

✅ General Data Protection Regulation (GDPR) - EU
✅ California Consumer Privacy Act (CCPA) - USA
✅ UK Data Protection Act 2018 (UK GDPR)
✅ Slack Platform Security Standards

Independent Audits:

SOC 2 Type II (In Progress / Planned)
ISO 27001 (Planned)