Privacy Policy

How Scopebase collects, uses, shares, retains, and protects account, property, billing, upload, analytics, and AI-processing data.

This Privacy Policy describes the data practices behind Scopebase: authenticated dashboards, Supabase-backed records, Stripe billing, credit usage, AI-assisted estimates, uploaded files, property-analysis workflows, analytics, observability, support, and security controls. It is written to be specific to the current product behavior instead of generic privacy boilerplate.

Primary Use

Operate repair-estimate, report, billing, account, and underwriting workflows.

AI Processing

Inputs and uploads may be processed by external model and retrieval providers.

Ads

No third-party behavioral advertising sale is described by the current codebase.

01

Introduction

This policy explains Scopebase data practices and user choices.

Scopebase provides software for real estate repair-cost estimating, underwriting support, dashboards, reports, share links, billing, credits, and related workflows. This policy applies when you visit the website, create an account, sign in, submit property data, upload materials, run estimates, view reports, use paid features, contact support, receive emails, or otherwise interact with the service.

This is a detailed production draft, not legal advice. Counsel should review it against the final company entity, launch jurisdictions, cookie banner, vendor contracts, and actual production settings.
02

Who Operates the Service

Scopebase is operated by the legal entity identified below.

Scopebase is operated by Scopebase, scopebase.org. For privacy requests, data deletion, or legal notices, contact support@scopebase.org.

03

Information We Collect

We collect information you provide, information generated by workflows, and technical information from service use.

Account, authentication, and profile information

  • Identifiers: Name, email address, account ID, authentication identifiers, login activity, session metadata, and profile details.
  • Team and admin data: Team invitations, seats, roles, organization metadata, member status, and account-administration actions if team features are used.
  • Security data: Account events, access logs, suspicious activity flags, abuse-detection signals, and request-control metadata.

Property, deal, and underwriting information

  • Property inputs: Addresses, property characteristics, square footage, year built, condition notes, room or system details, photos, repair descriptions, inspection notes, and location context.
  • Deal assumptions: ARV, rent, purchase price, budgets, MAO assumptions, financing assumptions, exit strategy, risk preferences, and related underwriting inputs.
  • Generated outputs: Estimates, line items, repair categories, confidence scores, risk flags, missed-item warnings, market notes, report text, actual-cost comparisons, share-link metadata, and export history.

Uploaded content and files

If you upload files, we may collect and process inspection reports, PDFs, photos, contractor bids, invoices, actual-cost records, property documents, notes, images, and related materials. File metadata may include filename, size, type, upload time, extraction status, parsing results, and derived text.

Billing, subscription, and credit information

We may collect subscription tier, Stripe customer ID, checkout session ID, billing portal activity, invoice metadata, payment status, renewal date, cancellation state, credit balance, credit usage, plan limits, and webhook event records. Payment card details are handled by Stripe or the payment processor; Scopebase should not store full card numbers.

Usage, device, log, and analytics data

We may collect IP address, browser type, device information, operating system, referrer, pages viewed, buttons clicked, estimate runs started, API requests, timestamps, errors, performance data, rate-limit events, feature usage, route activity, and product analytics events.

Communications

We may collect support emails, feedback submissions, referral invites, newsletter entries, transactional email records, billing support requests, security reports, and other communications you send or receive through the service.

04

Sources of Information

Data can come from you, your account activity, team members, providers, and public or licensed data sources.

  • You: Information you enter, upload, import, generate, share, or send to support.
  • Authorized users: Team members, account administrators, invitees, or collaborators may provide information connected to your account or organization.
  • Service operation: Technical logs, analytics events, billing events, security events, and generated outputs are created as you use the service.
  • Third-party providers: Authentication, payments, hosting, database, analytics, observability, AI/model, retrieval, property-data, geocoding, market-data, and email providers may return data needed to provide features.
  • Public or licensed sources: Property, market, regional-cost, permit, geocoding, contractor, census, HUD-related, or similar data may come from public records, licensed datasets, or external APIs.
05

How We Use Information

Data is used to run the product, secure accounts, process billing, generate outputs, and improve quality.

  • Provide the service: Authenticate users, run estimates, save history, display dashboards, generate reports, process files, create share links, and support account workflows.
  • Estimate and report generation: Analyze property inputs, repair notes, uploaded files, photos, regional context, cost data, model outputs, and validation signals to produce requested results.
  • Billing and credits: Manage plans, subscriptions, invoices, credit balances, credit deductions, paid features, cancellations, failed payments, and billing support.
  • Security and abuse prevention: Detect fraud, abuse, scraping, unsafe files, suspicious requests, unauthorized access, prompt-injection attempts, excessive usage, and attacks on the service.
  • Personalization: When you enable personalization in Privacy & Data settings, Scopebase may use your saved preferences, usage patterns, investor profile, and feedback to tailor repair estimates, risk flags, and scope assumptions to your deal context. You can disable this at any time in your account settings.
  • Product improvement: When you enable improvement data sharing in Privacy & Data settings, anonymized and de-identified usage patterns (not raw property addresses or uploaded documents) may be used to improve agent quality, pricing accuracy, and product decisions. Raw user documents are never used for training without explicit consent and additional controls.
  • Analytics: Debug errors, measure feature usage, improve UX, and prioritize roadmap work using product analytics (PostHog, Vercel Analytics) and observability tools.
  • Communications: Send transactional emails, billing notices, account notices, security alerts, support replies, referral messages, and service updates.
  • Legal and business operations: Comply with law, enforce terms, resolve disputes, maintain records, perform audits, support business transfers, and protect rights.
06

AI and Automated Processing

AI workflows may send user inputs and uploaded content to external model or retrieval providers.

When you use estimate, parsing, photo, PDF, market-research, RAG, lender-package, report, validation, or underwriting features, the service may process your prompts, uploaded materials, extracted text, property context, intermediate outputs, and generated results through automated systems.

Providers and infrastructure

Based on the current codebase, AI-related or data-processing providers may include Anthropic, OpenAI, Google/Gemini, Pinecone, Tavily, Perplexity, Langfuse, Supabase vector storage, and related data APIs.

No overclaim about training

We do not claim that provider-side data is never used for training, evaluation, safety, or service improvement unless that is confirmed by the applicable provider contract, account setting, or data-processing agreement.

Business logic

AI outputs may inform estimates, risk labels, line items, recommendations, and report language, but they should be independently reviewed. Scopebase does not make final investment, lending, construction, tax, legal, insurance, or purchase decisions for you.

07

Personalization and Improvement Data

You control whether your data is used to personalize estimates or improve Scopebase agents.

Scopebase offers two optional data uses you can manage in your account Privacy & Data settings at any time:

  • Personalization (default: on): When enabled, Scopebase uses your saved investor profile, preferences, risk tolerance, and usage history to tailor repair estimates, risk assumptions, and scope outputs to your deal context. When disabled, the product uses generic defaults for all estimates. You can reset your stored personalization memory at any time from account settings.
  • Improvement data (default: on): When enabled, anonymized and de-identified patterns from your usage (such as aggregate cost variance, category distributions, and model performance signals) may be used to improve Scopebase's agents, pricing calibration, and product quality. Your property addresses, uploaded documents, raw repair descriptions, and personally identifiable information are never included in improvement data. When disabled, your usage is excluded from these aggregate analyses.
  • How to manage these settings: Log in to your account, navigate to the Privacy & Data tab, and use the toggle controls. Changes take effect immediately. Disabling a setting does not delete previously derived aggregates but does stop new data from being processed for that purpose.
  • No training on raw documents: Scopebase does not use uploaded inspection reports, PDFs, photos, or verbatim property descriptions to train AI models without additional explicit consent, contractual controls, and technical safeguards. Uploaded PDFs used for inspection report parsing are deleted from storage after the parse job completes.
08

IP Address and Session Data

We collect IP addresses and session identifiers for security, abuse prevention, and authentication.

Every API request to Scopebase captures the client IP address from the request headers. IP addresses are stored in security audit logs for a retention period of approximately 90 days for purposes including rate limiting, abuse detection, fraud prevention, suspicious activity analysis, and authentication event logging. Session identifiers are stored in HttpOnly cookies and are not accessible to JavaScript running in the browser. In production, all session cookies use the Secure flag and SameSite=Lax or Strict to prevent cross-site use. IP addresses are not sold, shared with advertisers, or used for behavioral profiling.

10

Cookies, Local Storage, and Tracking

Cookies and similar technologies support auth, security, preferences, analytics, and product operation.

The service may use cookies, local storage, browser storage, pixels, server logs, and similar technologies. Some are necessary for authentication, session handling, CSRF or abuse protection, billing flows, preferences, and secure operation. Others may support analytics, performance measurement, product telemetry, and troubleshooting.

  • Essential technologies: Required for login, security, account sessions, routing, rate limits, fraud prevention, and core app functionality.
  • Analytics technologies: May collect page views, feature usage, referrer, device/browser information, and event metadata through tools such as PostHog, Vercel Analytics, or similar providers.
  • Payment and auth technologies: Stripe, Supabase, and related providers may set cookies or process browser data for checkout, portal, authentication, fraud prevention, and session continuity.
  • Browser controls: You can block or delete cookies in your browser, but parts of the service may stop working, including login, billing, saved preferences, or dashboard access.
Scopebase shows a cookie disclosure notice on first visit informing users of essential and analytics cookies. If you are in a jurisdiction requiring opt-in consent for analytics cookies (e.g., EEA under ePrivacy), a full consent management platform should replace this notice. [ATTORNEY REVIEW NEEDED for jurisdiction-specific requirements]
11

How We Share Information

We share data with providers only as needed for product, security, legal, or business operations.

Service providers

  • Hosting and deployment: Vercel or similar infrastructure providers.
  • Database, auth, and storage: Supabase or similar backend providers.
  • Payments: Stripe or another payment processor for checkout, invoices, billing portal, customer IDs, tax, disputes, and payment status.
  • Email: Resend or similar email providers for transactional, support, referral, and account communications.
  • Analytics and observability: PostHog, Vercel Analytics, Sentry, Langfuse, or similar providers for product analytics, error tracking, traces, and model observability.
  • AI and data APIs: Anthropic, OpenAI, Google/Gemini, Pinecone, Tavily, Perplexity, RentCast, Radar, HUD-related APIs, and similar providers used to complete requested workflows.

User-directed sharing

If you create share links, invite team members, export reports, send lender packages, or otherwise share outputs, recipients may access the information you choose to share.

Legal, safety, and rights

We may disclose information to comply with law, respond to lawful requests, enforce terms, investigate abuse, protect rights, prevent harm, address security incidents, or defend against claims.

Business transfers

Information may be disclosed or transferred in connection with a merger, acquisition, financing, restructuring, bankruptcy, sale of assets, or similar business transaction.

12

Selling Personal Information and Targeted Advertising

The current codebase does not show third-party behavioral advertising sales.

Based on the inspected codebase, Scopebase uses product analytics and operational providers, not third-party behavioral advertising networks that buy or sell personal information for cross-context advertising. We do not knowingly sell personal information as that term is commonly used in U.S. privacy laws. If production marketing pixels, retargeting, lead enrichment, or advertising integrations are added, this policy and consent controls must be updated before launch.

13

Data Retention

We retain data for service operation, records, security, and legal needs.

We retain information for as long as reasonably needed to provide the service, keep estimate and report history, manage subscriptions and credits, process invoices, support users, improve quality, secure the platform, investigate abuse, resolve disputes, comply with legal obligations, and run the business.

  • Account data: Retained while the account is active and for a reasonable period afterward for support, security, tax, billing, and legal purposes.
  • Estimates and uploads: Retained while needed for saved history, reports, share links, team access, support, product quality, and business records, unless deleted or restricted according to product controls and legal requirements.
  • Billing data: Retained as needed for accounting, tax, payment disputes, fraud prevention, and subscription administration.
  • Logs and security data: Retained for operational, security, debugging, abuse-prevention, and compliance purposes, usually for shorter operational windows unless needed for an investigation.
  • Backups: Deleted data may persist in backups for a limited period until backups rotate or are securely overwritten.
  • Aggregated data: Aggregated, anonymized, or de-identified data may be retained where permitted by law and not reasonably linked to you.
14

Data Security

We use reasonable safeguards but no internet service is risk-free.

We use technical and organizational safeguards designed to protect information, including authenticated access, server-side authorization checks, private data patterns, validation, rate limiting, logging, security monitoring, provider-level controls, and deployment safeguards. Sensitive operations should be protected by production environment configuration, secret management, Stripe webhook verification, Supabase policies, storage rules, and access controls.

No method of transmission, storage, model processing, file parsing, or internet operation is completely secure. You are responsible for securing your devices, credentials, team access, exports, and shared links.
15

Your Rights and Choices

You can request access, correction, deletion, export, and communication preferences subject to law and operational limits.

All users

  • Access: Request information about data associated with your account.
  • Correction: Request correction of inaccurate account or profile information.
  • Deletion: Request deletion of account data via the Privacy & Data tab in account settings (submits a deletion request reviewed within 30 days). Individual estimates, chats, and personalization memory can be deleted directly in the product. Billing records are retained per applicable law.
  • Personalization and improvement opt-out: Disable personalization or improvement data sharing at any time from the Privacy & Data tab in account settings. Reset your stored personalization memory from the same screen.
  • Export: Request export of available account, estimate, or report data where technically feasible and legally required.
  • Email preferences: Unsubscribe from non-transactional emails where available. Transactional, account, billing, and security messages may still be sent.

U.S. state privacy rights

Depending on your state and the company’s legal status, you may have rights to know, access, correct, delete, port, or opt out of certain processing. We will evaluate requests under applicable law.

EEA, UK, and similar rights

Depending on your location, you may have rights to access, rectify, erase, restrict, object to processing, data portability, withdraw consent, and lodge a complaint with a supervisory authority.

Business and team accounts

If your account is controlled by an organization, team owner, or administrator, some requests may need to go through that administrator, and the administrator may be able to access, export, restrict, or delete data connected to the team.

16

How to Make a Privacy Request

Send requests to the support email with enough detail to verify and process them.

To make a privacy request, contact support@scopebase.org. Include your account email, request type, relevant estimate/report/share-link/invoice identifiers if available, and enough detail for us to identify the records. We may verify your identity, ask for additional information, refuse or limit requests where permitted by law, and retain records of requests for compliance and security purposes.

17

International Data Transfers

Data may be processed in the United States and other provider locations.

Scopebase and its service providers may process information in the United States and other jurisdictions where providers operate. Those jurisdictions may have privacy laws different from your location. Where required, transfers should be supported by appropriate legal mechanisms, vendor contracts, data-processing terms, or other safeguards.

18

Children's Privacy

Scopebase is not intended for children.

Scopebase is not intended for children under 13 or the applicable minimum age in your jurisdiction. We do not knowingly collect personal information from children. If you believe a child provided information to the service, contact support@scopebase.org so we can review and delete it where required.

20

Sensitive Data

Avoid uploading regulated or unnecessary sensitive information.

Scopebase is not designed for health records, children's data, full financial account numbers, government IDs, social security numbers, consumer credit reports, tenant screening files, biometric data, or other highly regulated data unless a written agreement expressly authorizes that use. Redact unnecessary sensitive information before upload.

21

Automated Decisions

Scopebase generates decision-support outputs but does not make final investment decisions for you.

The service may use automated systems to generate estimates, ranges, risk labels, confidence indicators, and report text. These outputs are informational and should be reviewed by you and appropriate professionals. Scopebase does not independently decide whether you should buy, sell, finance, insure, renovate, rent, or invest in a property.

22

Data Breach and Security Notices

Security incidents will be handled according to law and operational realities.

If we determine that a security incident requires notice under applicable law, we will provide notice through email, in-product messaging, website notice, or another legally appropriate method. We may delay notice where law enforcement, investigation integrity, system protection, or legal requirements justify delay.

23

Changes to This Policy

The policy may change as Scopebase, providers, or legal requirements change.

We may update this policy when product features, data practices, providers, analytics tools, AI workflows, billing operations, security practices, or legal requirements change. The effective date and version number will be updated on this page. Material changes may be communicated through the product, email, website, or another reasonable method where appropriate.

24

Contact

Use the support email for privacy questions and data requests.

For privacy questions, access requests, correction requests, deletion requests, export requests, security concerns, or concerns about uploaded materials, contact support@scopebase.org. Include the email associated with your account and enough detail to identify the relevant data or workflow.

Privacy Policy | Scopebase