Legal

Privacy Policy

Last updated: June 14, 2026

This Privacy Policy explains how AND AI (“AND AI”, “we”, “us”, or “our”) collects, uses, shares, and protects information when you use Scopeyard (the “Service”) — including our website, agency workspaces, client approval views, and related apps.

1. Overview

Scopeyard is a delivery workspace for agencies: it helps agency teams plan milestones, run client projects, collect client approvals, and turn accepted work into billing-ready summaries. This policy covers personal data we process about agency team members (“Members”), the organizations they work for (“Organizations”), and the clients those organizations invite as guests (“Client Guests”).

If you are a Client Guest, the agency Organization that invited you is typically responsible for the project and client data it submits to Scopeyard. AND AI processes that data on the Organization’s behalf as described in this policy and, where applicable, in our Data Processing Addendum.

2. Information we collect

Account data

  • Identity & contact details: name and email address, used to create your account, send magic-link sign-in codes, and identify you within an Organization.
  • Organization data: Organization name, slug, role (owner, admin, member) within an Organization, and team membership.
  • Preferences: settings such as your theme preference (light/dark/system).

Project & client data

  • Project, milestone, deliverable, and task information your Organization creates (titles, descriptions, statuses, dates, stage on the delivery board).
  • Client approvals, comments, and approval history submitted by Client Guests through client views.
  • Files and other content your Organization or its Client Guests upload or attach to projects and deliverables.
  • Billing summaries derived from accepted work (e.g. which deliverables are ready to bill), used to produce project billing views.

Cookies & session data

We use a signed session cookie to keep you signed in, and a small number of cookies to remember preferences such as theme. See Section 4 for details.

Payment data

When your Organization subscribes to a paid plan, billing is handled by Stripe. We do not collect or store full card numbers. See Section 5.

Technical data

Like most web services, our infrastructure and hosting provider may log standard technical information (such as IP address, browser type, and request timestamps) for security, abuse prevention, and reliability.

3. How we use information

  • To provide, operate, and maintain the Service, including authentication via magic-link email codes and session cookies.
  • To let your Organization manage projects, deliverables, client approvals, and billing-ready summaries.
  • To send transactional emails — such as sign-in codes, invitations, approval notifications, and billing receipts.
  • To process subscription payments and manage billing through Stripe.
  • To maintain the security and integrity of the Service, including detecting and preventing fraud or abuse.
  • To respond to support requests sent to legal@scopeyard.io.
  • To comply with legal obligations and enforce our Terms of Service.

We do not sell personal data, and we do not use Organization or client project data to train third-party advertising or AI models.

4. Cookies & sessions

Scopeyard uses a small number of cookies, all of which are necessary for the Service to function:

  • Session cookie: a signed, HTTP-only cookie that identifies your authenticated session after you sign in with a magic-link email code. It does not contain your password (Scopeyard has no passwords).
  • Theme preference cookie: remembers whether you prefer light, dark, or system appearance for the app. Marketing pages (like this one) always use the light theme.

We do not use third-party advertising or cross-site tracking cookies.

5. Payments & billing

Paid Scopeyard plans (Starter, Studio, and Company) are billed as monthly subscriptions through Stripe. New Organizations typically start with a 30-day trial.

  • When your Organization starts a subscription or trial, Stripe collects and stores payment details (such as card information) directly. AND AI does not receive or store full card numbers.
  • We store limited billing-related identifiers — such as your Organization’s Stripe customer ID, subscription status, and selected plan — so we can show billing status and manage your subscription.
  • Stripe processes this data under its own privacy policy and is a subprocessor as described in Section 6.

6. Subprocessors

We rely on a small number of trusted third-party providers (“subprocessors”) to operate Scopeyard. Each is bound by contractual obligations to protect your data and use it only to provide services to us.

  • Stripe — payment processing, subscription billing, and invoicing.
  • Brevo — transactional email delivery (sign-in codes, invitations, notifications, receipts).
  • Hosting & infrastructure — our application is hosted on cloud infrastructure, and project data is stored in a managed Postgres database, both operated by reputable cloud providers.

During development, transactional email may instead be sent through a test provider (such as Ethereal) or logged to the console; no production customer data is sent to these development-only tools.

We may update this list as our subprocessors change. Material changes will be reflected here with an updated “Last updated” date.

7. Data retention

  • We retain account, Organization, and project data for as long as your Organization’s account remains active, so the Service continues to work as expected.
  • If you close your account or your Organization’s subscription ends, we retain data for a limited period to allow for reactivation, billing reconciliation, and legal or accounting requirements, after which it is deleted or anonymized.
  • You can request earlier deletion of your account or Organization data by contacting legal@scopeyard.io, subject to any records we must keep for legal, tax, or accounting purposes.

8. International transfers

AND AI and our subprocessors may process and store data in countries other than your own, including Singapore and the countries where our hosting, database, email, and payment providers operate. Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to a country that does not have an adequacy decision, we rely on appropriate safeguards (such as Standard Contractual Clauses) with our subprocessors to protect that data.

9. Your rights (GDPR & similar laws)

If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar data protection laws, you have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your personal data, subject to legal retention requirements.
  • Restriction — ask us to limit how we use your data in certain circumstances.
  • Portability — request your data in a structured, machine-readable format.
  • Objection — object to certain processing of your data.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.
  • Complain — lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at legal@scopeyard.io. If you are a Client Guest, we may direct certain requests to the Organization that invited you, as they are typically the data controller for project and client content.

10. Security

We use industry-standard measures to protect your data, including encrypted connections (HTTPS), signed and HTTP-only session cookies, and access controls that scope Members and Client Guests to the Organizations and projects they belong to. No method of transmission or storage is completely secure, but we work to protect your information and to respond promptly to any issues.

11. Children’s privacy

Scopeyard is a business tool intended for use by agencies, their team members, and their clients in a professional capacity. It is not directed to children, and we do not knowingly collect personal data from children under 16.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes to the Service, our subprocessors, or applicable law. We will update the “Last updated” date above, and where changes are material we will provide additional notice (such as an in-app notice or email to Organization admins).

13. Contact us

If you have questions about this Privacy Policy or how we handle your data, contact us at legal@scopeyard.io.

For information about how AND AI processes personal data on behalf of agency Organizations under GDPR, see our Data Processing Addendum.

Scopeyard

Focus work.Get approval.Get paid.

Start 30-day trial →Book a walkthrough
Scopeyard© 2026 · made for agencies