Scopeslab β€” Privacy Policy

Last Updated: April 28, 2026

Effective Date: April 28, 2026

1. Who We Are

Scopeslab PTE. LTD. ("we", "us", "our"), located at 2 Shenton Way, #15-04, SGX Centre I, Singapore 068804, operates the AI-driven project estimation Platform available at https://scopeslab.com (the "Platform").

Data Controller:

Scopeslab PTE. LTD. 2 Shenton Way, #15-04, SGX Centre I, Singapore 068804

Contact for privacy inquiries: contact@scopeslab.com

2. Scope of This Policy

This Privacy Policy applies to:

  • All Users of the Platform, including Guest Users (visitors), Registered Users, and Subscribed Users.
  • All personal data collected through the Platform, including via web forms, document uploads, API interactions, single sign-on (SSO) providers, and automated collection methods.
  • Third-party integrations used by the Platform (Google, LinkedIn, GitHub SSO; Stripe payments; AI analysis providers; email delivery services; and error monitoring).

This policy does not apply to third-party websites or services that may be linked from the Platform. We encourage you to review the privacy policies of any third-party services you access.

3. Information We Collect

3.1 Authentication Data

We use a passwordless authentication system. We do not collect or store passwords.

Data Category Specific Data Purpose Legal Basis (GDPR)
Email Address Collected via one-time password (OTP) or SSO Account creation, authentication, and identification Contractual necessity (Art. 6(1)(b))
OAuth Profile Information Name, email address, avatar URL β€” received from Google, LinkedIn, or GitHub Account creation and profile population via SSO Contractual necessity (Art. 6(1)(b))
OAuth Tokens Tokens received from Google, LinkedIn, or GitHub Maintain authenticated session with SSO provider Contractual necessity (Art. 6(1)(b))
JWT Tokens Access tokens (24-hour expiry) and refresh tokens (7-day expiry) Session management and authentication Contractual necessity (Art. 6(1)(b))

Note: No passwords are stored at any time. Authentication is exclusively passwordless via OTP or SSO.

3.2 User-Provided Content

Data Category Specific Data Purpose Legal Basis (GDPR)
Uploaded Documents PDF, DOCX, TXT, MD files containing project requirements AI analysis and COSMIC estimation processing Contractual necessity (Art. 6(1)(b))
Text Descriptions Free-text project descriptions Define project scope for analysis Contractual necessity (Art. 6(1)(b))
Selections Industry, platform, and technology stack selections Configure analysis parameters Contractual necessity (Art. 6(1)(b))
Clarification Answers Responses to AI-generated clarification questions Refine analysis accuracy Contractual necessity (Art. 6(1)(b))
Edits and Approvals Persona edits, journey edits, user story edits, business logic edits and approvals User validation of AI-generated outputs Contractual necessity (Art. 6(1)(b))
Scope Sign-Off Signer name, signer role, confirmation of project scope Record formal user sign-off on project scope Contractual necessity (Art. 6(1)(b))
Technical Stack Selection Frontend, backend, database, and server technology choices Generate technical recommendations and estimates Contractual necessity (Art. 6(1)(b))
Feedback on Technical Artifacts User feedback on architecture diagrams, ERD, API specifications Refine technical deliverables Contractual necessity (Art. 6(1)(b))
Team Configuration Team composition and role assignments Calculate effort estimation by role Contractual necessity (Art. 6(1)(b))
Vibe Coding Assessment Answers to Vibe Coding proficiency assessment questions Apply AI-proficiency multiplier to estimates Contractual necessity (Art. 6(1)(b))
Guest Email (Optional) Email address captured during Step 2 analysis waiting screen Notify guest when analysis is complete; facilitate account conversion Legitimate interest (Art. 6(1)(f)) / Consent (Art. 6(1)(a))

3.3 AI-Generated Content

The Platform generates the following AI-produced content based on your inputs. This content is associated with your account or guest session:

Data Category Specific Data Purpose Legal Basis (GDPR)
Analysis Results Personas, user journeys, user stories, business logic, technical recommendations Deliver core analysis service Contractual necessity (Art. 6(1)(b))
COSMIC Estimation Results CFP (Cosmic Function Points) analysis, effort breakdown by role Deliver estimation service Contractual necessity (Art. 6(1)(b))
Technical Artifact Drafts Architecture diagrams, entity-relationship diagrams (ERD), API specifications Provide technical planning deliverables Contractual necessity (Art. 6(1)(b))
Sprint Estimation Sprint-level estimation based on AUTH module anchoring Provide sprint planning output Contractual necessity (Art. 6(1)(b))

3.4 Guest / Visitor Data

Guest Users who use the Platform without registering have the following data collected:

Data Category Specific Data Purpose Legal Basis (GDPR)
Session ID UUID-generated session identifier Track guest activity across Steps 1–8 Legitimate interest (Art. 6(1)(f))
Analysis Data Steps 1–8 analysis inputs and results, stored under session_id Deliver analysis service to guest users Legitimate interest (Art. 6(1)(f))
Guest Project Records Project data stored in the guest_projects database table Persist guest session work Legitimate interest (Art. 6(1)(f))

Guest session data expires after 7 days. Expired records are deleted via a daily automated cleanup process. If a guest registers for an account, their guest session data is converted to a user-owned project and retained under the standard user data retention policy.

3.5 Financial Data

Data Category Specific Data Purpose Legal Basis (GDPR)
Payment Records Transaction records via Stripe (card details handled exclusively by Stripe) Process and verify payments Contractual necessity (Art. 6(1)(b))
Subscription Status Current plan, subscription history Manage subscription lifecycle Contractual necessity (Art. 6(1)(b))
Invoice Records Invoice documents and billing history Fulfill tax and accounting obligations Legal obligation (Art. 6(1)(c))
Pro Credit Token Usage History of Pro credit token consumption Track usage of prepaid analysis credits Contractual necessity (Art. 6(1)(b))

Important: Card details are processed directly by Stripe and are never stored on our servers. Stripe is PCI DSS compliant. We receive only a payment confirmation token and subscription status information.

3.6 Technical and Usage Data

Data Category Specific Data Purpose Legal Basis (GDPR)
API Rate Limit Counters Daily API call counts (5/day free tier; 50/day paid tier) Enforce usage quotas Legitimate interest (Art. 6(1)(f))
Project Status Tracking Status progression: draft, analyzing, analyzed, estimating, completed Manage project lifecycle Legitimate interest (Art. 6(1)(f))
Analysis Retry Counts Retry attempts (maximum 3 per analysis) Monitor and limit retry usage Legitimate interest (Art. 6(1)(f))
Feedback Round Counts Feedback rounds per project (maximum 3) Enforce feedback round limits Legitimate interest (Art. 6(1)(f))
Revision Counts Revision attempts per project (maximum 3) Enforce revision limits Legitimate interest (Art. 6(1)(f))
Log Data IP address, browser type, operating system, access timestamps, pages visited, API calls Platform security, debugging, and analytics Legitimate interest (Art. 6(1)(f))
Device Information Screen resolution, device type Optimize Platform display Legitimate interest (Art. 6(1)(f))

3.7 Information from Third Parties

Source Data Received Purpose Legal Basis (GDPR)
Google (SSO) Email address, name, avatar URL Account creation and login via Google OAuth Contractual necessity (Art. 6(1)(b))
LinkedIn (SSO) Email address, name, avatar URL Account creation and login via LinkedIn OAuth Contractual necessity (Art. 6(1)(b))
GitHub (SSO) Email address, name, avatar URL Account creation and login via GitHub OAuth Contractual necessity (Art. 6(1)(b))
Stripe Payment confirmation, subscription status, invoice data Verify payment, manage subscriptions Contractual necessity (Art. 6(1)(b))

4. How We Use Your Information

4.1 Primary Purposes

We use collected information to:

  1. Provide the Services β€” Process your uploaded documents, run AI-powered analysis, generate COSMIC function point estimations, produce technical artifacts, and deliver reports.
  2. Manage Your Account β€” Authenticate your identity via passwordless OTP or SSO, manage sessions with JWT tokens, and maintain account security.
  3. Process Payments β€” Handle subscription payments through Stripe, generate invoices, and track Pro credit token usage.
  4. Manage Guest Sessions β€” Provide limited analysis functionality to unregistered visitors, with 7-day session expiry and automatic cleanup.
  5. Communicate with You β€” Send service-related emails (OTP verification, analysis completion notifications, payment receipts, subscription updates).
  6. Enforce Usage Limits β€” Track and enforce rate limits (5/day free, 50/day paid), analysis retries (max 3), feedback rounds (max 3), and revisions (max 3).
  7. Maintain Platform Security β€” Detect and prevent unauthorized access, fraud, and abuse.

4.2 Secondary Purposes

With appropriate legal basis, we may also use information to:

  1. Improve the Platform β€” Analyze usage patterns to enhance features, performance, and user experience.
  2. Provide Support β€” Respond to your inquiries and troubleshoot issues.
  3. Comply with Legal Obligations β€” Fulfill regulatory requirements, respond to lawful requests, and retain records as mandated by law.
  4. Anonymized Analytics β€” Generate aggregated, non-personally identifiable statistics about Platform usage.

5. How We Share Your Information

5.1 Third-Party Service Providers (Data Processors)

We share data with the following categories of service providers who process data on our behalf under strict contractual obligations:

Provider Service Provided Data Shared Purpose Safeguards
Anthropic Claude AI model Document content, analysis configuration, project descriptions Generate system analysis, personas, stories, business logic, and estimations SCCs; DPA in place
OpenAI GPT-4 AI model Document content, analysis configuration, project descriptions Generate system analysis and technical recommendations SCCs; DPA in place
Stripe, Inc. Payment processing Payment method details, billing address Process payments, manage subscriptions PCI DSS Level 1 certified
Google OAuth 2.0 SSO authentication Authentication token Enable Google single sign-on login Google DPA; SCCs where applicable
LinkedIn OAuth 2.0 SSO authentication Authentication token Enable LinkedIn single sign-on login LinkedIn DPA
GitHub OAuth 2.0 SSO authentication Authentication token Enable GitHub single sign-on login GitHub DPA
SendGrid / Brevo Email delivery Email address, email content Send OTP codes, transactional notifications, and service emails DPA in place
Sentry Error monitoring Error logs, device information, stack traces Monitor, diagnose, and fix Platform issues DPA in place

All third-party processors are contractually bound by Data Processing Agreements (DPAs) that require them to process your data only as instructed by us and in compliance with applicable data protection laws.

5.2 Legal Requirements

We may disclose your information when required by law, court order, or governmental regulation, including:

  • To comply with legal obligations.
  • To protect our rights, property, or safety, or that of our Users.
  • To investigate or prevent suspected fraud or security violations.

5.3 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

5.4 Data Transfers

  • AI processing providers (Anthropic, OpenAI) may process data in regions outside the European Economic Area (EEA). We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Stripe processes payment data in compliance with PCI DSS standards and under its own data processing agreements.
  • Google, LinkedIn, and GitHub process authentication data under their respective privacy policies and data processing agreements.

6. Data Storage and Security

6.1 Data Storage

Your data is stored using the following infrastructure:

Storage System Data Stored Security Measures
PostgreSQL Database Account data, project records, analysis results, estimation data, usage metadata Encrypted connections (TLS); access restricted to authorized personnel
MinIO S3-Compatible Object Storage Uploaded documents (PDF, DOCX, TXT, MD), generated reports (PDF, CSV), technical artifact files AES-256 encryption at rest; per-user file isolation
Guest Data Store Guest session data in guest_projects table Encrypted connections; 7-day expiry with daily cleanup

Files are stored with per-user isolation, meaning your uploaded documents and generated files are logically separated from those of other Users.

6.2 Security Measures

We implement industry-standard security measures to protect your data:

Measure Implementation
Encryption in Transit TLS for all API traffic and web communications
Encryption at Rest AES-256 encryption for file storage (MinIO)
Authentication Passwordless OTP and SSO; no passwords stored
JWT Tokens Access tokens with 24-hour expiry; refresh tokens with 7-day expiry
Database Security Encrypted database connections; role-based access for authorized personnel only
File Isolation Per-user file storage isolation in object storage
Key Management Cryptographic keys stored in environment variables, never in source code
Access Control Role-based access control for administrative functions
Audit Logging Comprehensive audit trail of user actions and system events

6.3 Security Incident Response

In the event of a personal data breach:

  • We will notify affected Users within 72 hours of becoming aware of the breach, in compliance with GDPR Article 33.
  • Notifications will include the nature of the breach, categories of data affected, and recommended protective actions.
  • We will notify the relevant supervisory authority as required by applicable law.

6.4 Limitations

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials and promptly reporting any unauthorized access.

7. Cookies and Tracking Technologies

7.1 Cookies We Use

Cookie Type Purpose Legal Basis
Essential / Session Cookies Maintain session state, store JWT tokens, enable authentication Legitimate interest (Art. 6(1)(f)) / Contractual necessity (Art. 6(1)(b))
JWT Token Storage Store access and refresh tokens for authenticated sessions Contractual necessity (Art. 6(1)(b))

7.2 What We Do Not Use

  • We do not use third-party advertising cookies.
  • We do not use tracking cookies for targeted advertising.

7.3 Analytics

If we use Google Analytics or a similar analytics service, it operates under a data processing agreement and may use anonymized or pseudonymized data. You may opt out of analytics tracking through your browser settings or the Platform's cookie preferences.

For full details on cookie usage, please refer to our Cookie Policy.

8. Data Retention

8.1 Retention Periods

Data Type Retention Period Reason
Account Information Duration of account + 30 days after deletion request Account management
Analysis Data Permanent (regardless of plan) Core service delivery and project continuity
Estimation Results β€” Summary Permanent Project history continuity
Estimation Results β€” Full Details Requires active paid subscription Subscription entitlement management
Reports (PDF / CSV) Retained in storage; download requires active paid status Subscription entitlement management
Project History Permanent; read-only access Record-keeping and audit trail
Uploaded Documents Duration of account + 90 days after deletion request Service delivery; then permanently deleted
Guest Session Data 7 days from creation Automatic daily cleanup of expired records
Payment Records 7 years from transaction date Tax and financial legal requirements
Invoices 7 years from issuance date; retained per legal requirements Tax and financial legal requirements
Pro Credit Token Usage History Duration of account Usage tracking and entitlement management
Server Logs 90 days Security monitoring and debugging
Audit Logs 1 year Security monitoring and compliance
Support Communications 2 years from resolution Quality assurance and dispute resolution
Usage Analytics (anonymized) Indefinitely Platform improvement (non-personal)

8.2 Data Deletion Process

  • Upon account deletion request, your personal data (email, profile) is scheduled for deletion within 30 days, subject to legal retention requirements.
  • Project data and uploaded documents are scheduled for deletion within 90 days of account deletion.
  • Payment and invoice records are retained for 7 years as required by tax regulations.
  • Anonymized data that cannot be linked to you may be retained indefinitely for analytical purposes.

9. Your Rights

9.1 GDPR Rights (EEA / UK Users)

If you are a User in the European Economic Area or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

Right Article Description How to Exercise
Right of Access Art. 15 Request confirmation of whether we process your personal data and obtain a copy of such data. Contact contact@scopeslab.com
Right to Rectification Art. 16 Request correction of inaccurate or incomplete personal data. Edit your profile or contact contact@scopeslab.com
Right to Erasure ("Right to Be Deleted") Art. 17 Request deletion of your personal data. Note: Account deletion requires cancelling any active subscription first. Active analysis tasks will be automatically terminated upon deletion. Request account deletion via your dashboard or contact contact@scopeslab.com
Right to Restriction of Processing Art. 18 Request restriction of processing of your personal data in certain circumstances (e.g., accuracy contested, processing unlawful). Contact contact@scopeslab.com
Right to Data Portability Art. 20 Receive your personal data in a structured, commonly used, machine-readable format. Exports are available in CSV, JSON, and PDF formats. Contact contact@scopeslab.com or use the export feature in your dashboard
Right to Object Art. 21 Object to processing based on legitimate interests or for direct marketing purposes. Contact contact@scopeslab.com
Rights Related to Automated Decision-Making Art. 22 Request human review of significant automated decisions. Note: AI-generated estimates are provided as planning and decision-support tools β€” they do not constitute automated decisions with legal effects concerning you. All AI outputs require your review and confirmation before finalization. Contact contact@scopeslab.com

Response Time: We will respond to your request within 30 days. In complex cases, this may be extended to 60 days, and we will inform you of the extension and the reasons for the delay.

Verification: To protect your data, we may request verification of your identity before processing your request.

Right to Withdraw Consent: Where processing is based on your consent (Art. 6(1)(a)), you may withdraw consent at any time by contacting contact@scopeslab.com or adjusting settings in your account. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

9.2 CCPA Rights (California Users)

If you are a California resident, under the California Consumer Privacy Act (CCPA), you have the right to:

  • Know what personal information is collected about you.
  • Delete your personal information.
  • Opt out of the sale of your personal information (we do not sell personal information).
  • Non-discrimination for exercising your privacy rights.

To exercise these rights, contact us at contact@scopeslab.com.

9.3 Other Jurisdictions

Users in other jurisdictions may have additional rights under local data protection laws. We will honor applicable rights as required by law.

10. Automated Decision-Making and AI Processing

10.1 AI-Generated Outputs

The Platform uses artificial intelligence (AI) models (Claude by Anthropic, GPT-4 by OpenAI) to:

  • Analyze uploaded documents and extract project requirements.
  • Generate user personas, user journeys, and user stories.
  • Identify business logic and detect information gaps.
  • Calculate COSMIC ISO 19761 function point estimations (CFP analysis, effort by role).
  • Generate technical artifact drafts (architecture diagrams, ERD, API specifications).
  • Produce sprint estimations based on AUTH module anchoring.
  • Assess team AI proficiency via the Vibe Coding assessment.

10.2 Human Oversight and User Control

  • AI-generated outputs are provided as decision-support and planning tools, not final determinations.
  • Users retain full control over the validation and approval process across all analysis steps.
  • Users can edit, approve, or reject all AI-generated content before finalization.
  • Estimation parameters can be manually overridden.
  • Feedback rounds (maximum 3 per project) and revision cycles (maximum 3 per project) allow iterative refinement.

10.3 No Solely Automated Decisions with Legal Effects

Pursuant to GDPR Article 22, we do not use solely automated decision-making that produces legal effects concerning you or similarly significantly affects you. All AI-generated outputs β€” including estimations, technical recommendations, and analysis results β€” require your review and explicit confirmation before being finalized. They are advisory in nature and intended as planning tools.

11. Account Deletion and Data Erasure

11.1 How to Delete Your Account

  1. Cancel any active subscription through your billing dashboard. Account deletion cannot proceed while a subscription is active.
  2. Navigate to Account Settings and select "Delete Account".
  3. Confirm the deletion request.

11.2 What Happens When Your Account Is Deleted

  • All active analysis tasks are automatically terminated.
  • Your personal data (email, profile information) is scheduled for deletion within 30 days.
  • Your project data, uploaded documents, and analysis results are scheduled for deletion within 90 days.
  • Payment and invoice records are retained for 7 years as required by law.
  • Analysis data marked as permanent under the retention policy will be anonymized or deleted in accordance with applicable legal requirements.
  • Anonymized, aggregated data that cannot be linked to you is retained.

11.3 Pre-Deletion Data Export

Before account deletion, you may request an export of your personal data and project information. Exports are available in CSV, JSON, and PDF formats. Contact contact@scopeslab.com to request an export.

12. International Data Transfers

12.1 Transfer Mechanisms

Your data may be transferred to and processed in countries outside your country of residence, including countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Where third-party processors operate outside the EEA, we rely on Standard Contractual Clauses approved by the European Commission.
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission recognizing a country's data protection standards as equivalent.
  • Data Processing Agreements (DPAs): We maintain DPAs with all third-party processors, ensuring contractual obligations to protect your data.

12.2 Specific Transfer Contexts

  • AI Processing (Anthropic, OpenAI): Document content and analysis data may be transmitted to servers in the United States. SCCs and DPAs are in place.
  • Payment Processing (Stripe): Payment data is processed under Stripe's PCI DSS certification with appropriate transfer mechanisms.
  • SSO Providers (Google, LinkedIn, GitHub): Authentication tokens and profile data are processed under each provider's respective privacy policy and data processing terms.
  • Email Delivery (SendGrid / Brevo): Email addresses and email content may be transmitted to servers in the United States. DPAs are in place.
  • Error Monitoring (Sentry): Error data may be transmitted to servers in the United States. DPA is in place.

12.3 Your Consent

By using the Platform, you acknowledge that your data may be transferred to and processed in jurisdictions that may not provide the same level of data protection as your country of residence. Where required, we will obtain your explicit consent for such transfers.

13. Children's Privacy

The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16.

If we become aware that we have collected personal data from a child under 16, we will take steps to delete such information promptly. If you believe a child under 16 has provided us with personal information, please contact us at contact@scopeslab.com.

14. Email Communications

14.1 Transactional Emails

We will send you transactional emails related to your use of the Platform, including:

  • OTP verification codes (passwordless login)
  • Analysis completion notifications
  • Estimation completion notifications
  • Payment receipts and invoices
  • Subscription status changes
  • Account security alerts
  • Guest analysis completion notifications (if email was provided)

These emails are necessary for the service and cannot be opted out of.

14.2 Marketing Emails

With your consent, we may send you:

  • Product updates and feature announcements
  • Tips and best practices for using the Platform
  • Special offers and promotions

You may opt out of marketing emails at any time by clicking the "Unsubscribe" link in any marketing email or by contacting contact@scopeslab.com.

15. Changes to This Privacy Policy

15.1 Notification of Changes

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • Email notification to Registered Users (at least 30 days before the effective date).
  • A prominent notice on the Platform.
  • Updated "Last Updated" date at the top of this Policy.

15.2 Continued Use

Your continued use of the Platform after the effective date of any changes constitutes acceptance of the revised Privacy Policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Data Controller: Scopeslab PTE. LTD., 2 Shenton Way, #15-04, SGX Centre I, Singapore 068804
  • Privacy Inquiries: contact@scopeslab.com
  • General Support: contact@scopeslab.com
  • Platform: https://scopeslab.com

16.1 Supervisory Authority

If you are in the EEA or UK and believe that our processing of your personal data violates GDPR, you have the right to lodge a complaint with your local data protection supervisory authority. You can find your local authority at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

This Privacy Policy was last updated on April 28, 2026.