Last Updated: 5 April 2026
Scopit ("we", "us", "our") is the data controller responsible for your personal information.
This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. It applies to:
When you create an account and use Scopit, we collect the following personal data:
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing and operating the service (authentication, project management, change orders) | Art. 6(1)(b) — performance of a contract with you |
| Sending email and SMS notifications about your change orders | Art. 6(1)(b) — performance of a contract |
| Maintaining notification delivery logs for service reliability | Art. 6(1)(f) — our legitimate interest in operating a reliable service |
| Complying with legal obligations and resolving disputes | Art. 6(1)(c) — legal obligation / Art. 6(1)(f) — legitimate interest |
If a contractor has entered your contact details into Scopit and sent you a change order for approval, we hold data about you. We did not collect this data directly from you — your contractor provided it in the course of their business relationship with you.
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Sending you the change order approval link by email or SMS | Art. 6(1)(f) — legitimate interest of the contractor in managing their project; we act as facilitator |
| Recording your approval or rejection decision | Art. 6(1)(f) — legitimate interest in creating a reliable audit trail for contractual dispute protection |
| Recording your IP address and decision timestamp | Art. 6(1)(f) — legitimate interest in verifying the authenticity of approval decisions and preventing fraud |
Legitimate interest balancing: We have assessed that our legitimate interest in maintaining a verifiable audit trail does not override your interests or fundamental rights. The data collected is proportionate (limited to what is necessary for dispute protection), you would reasonably expect an approval link to generate a record of your response, and retaining IP addresses is limited to 2 years. You have the right to object — see Section 7.
If you signed up for our waitlist, we hold your name, email address, and trade. We process this on the basis of your consent (Art. 6(1)(a) GDPR) to receive updates about Scopit's launch. You can withdraw consent at any time by emailing support@scopit.co. Withdrawal does not affect the lawfulness of processing before withdrawal.
We do not sell your personal data. We share data only with the following processors, each under a Data Processing Agreement (DPA):
| Processor | Purpose | Data shared | Location | Transfer safeguard |
|---|---|---|---|---|
| Supabase | Database, authentication, file storage | All personal data described in this policy | EU / US (AWS) | DPA with Standard Contractual Clauses |
| Resend | Transactional email delivery | Email address, name, change order title, approval URL | US | DPA with Standard Contractual Clauses |
| Twilio | SMS delivery | Phone number, change order title, approval URL | US | DPA with Standard Contractual Clauses |
Where data is transferred outside the UK or EEA (e.g., to the US), we rely on the International Data Transfer Agreements (IDTAs) / Standard Contractual Clauses (SCCs) approved by the relevant supervisory authority. Copies of these agreements are available on request from our DPO.
| Data | Retention period | Reason |
|---|---|---|
| Contractor account & project data | Until account deletion is requested | Necessary for service provision |
| Approved/rejected change order records | 7 years from project completion | UK limitation period for contract disputes; tax/accounting records |
| Client IP address in approval records | 2 years from decision date, then permanently deleted | Dispute verification window; data minimisation after that |
| Unused/expired approval tokens | 90 days after expiry | No further purpose after expiry |
| Notification delivery logs | 1 year | Operational debugging; no long-term need |
| Waitlist signups | 12 months, or until consent is withdrawn | Consent-based; purpose expires at launch |
When a contractor deletes their account, we delete or anonymise all associated data. Where legal retention obligations apply (e.g., approved change order records), contractor identifying information is replaced with "[Deleted User]" and only the financial/approval record is retained.
Under the UK GDPR and EU GDPR, you have the following rights. To exercise any of them, contact our DPO at fabien@lerad-ai.com. We will respond within 30 days.
We use only strictly necessary cookies to manage your authenticated session. These cookies are required for the service to function and are exempt from consent requirements under the Privacy and Electronic Communications Regulations (PECR). We do not use analytics, advertising, or tracking cookies. No cookie consent banner is required.
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you (Art. 22 GDPR).
We implement appropriate technical and organisational measures to protect your data, including:
We may update this policy from time to time. When we do, we will update the "Last Updated" date at the top of this page and, where changes are material, notify you by email.