Privacy Policy

ScopeHold provides the ScopeHold service. In this policy, "ScopeHold", "we", "us", and "our" refer to ScopeHold.

For privacy questions or requests, contact us at privacy@scopehold.com. Our business address is available upon request.

This policy covers personal information we process for our own purposes, such as account, billing, security, support, product, and website information.

Where UK or EU data protection law applies, we act as controller for that account and service administration information. For customer-controlled workspace content, we generally act as a processor or service provider on the customer's instructions.

ScopeHold also processes customer-controlled workspace content, including secret metadata, access grants, audit records, agent records, and encrypted secret values. Customers decide what they place in ScopeHold and who they grant access to.

• Account information, such as name, email address, profile details, and authentication identifiers.
• Workspace information, such as workspace names, project names, member and agent records, roles, and invitations.
• Secret management information, such as provider names, secret names, descriptions, access grants, audit events, and encrypted secret values.
• Billing information, such as plan, subscription status, Stripe customer references, invoices, and payment status. We do not store full card details.
• Security and usage information, such as log-in events, reveal events, resolve events, IP address, device and browser data, timestamps, and diagnostic logs.
• Communications, such as support messages, product feedback, and email preferences.

• Provide, secure, monitor, and improve ScopeHold.
• Authenticate users and manage accounts, workspaces, projects, members, agents, and access grants.
• Store, encrypt, resolve, rotate, reveal, audit, and protect customer secrets according to product settings and access controls.
• Process billing, plan limits, trials, subscriptions, taxes, invoices, and account administration.
• Send service emails, including invitations, security notices, agent key expiry notices, and important product updates.
• Detect, prevent, and investigate abuse, security incidents, fraud, service misuse, and policy violations.
• Comply with legal, tax, accounting, regulatory, and dispute-resolution obligations.

Where UK or EU data protection law applies, we rely on the following legal bases:

• Contract, when processing is needed to provide ScopeHold or administer an account.
• Legitimate interests, including security, fraud prevention, service improvement, support, and business operations.
• Legal obligation, when we must keep records or respond to lawful requests.
• Consent, where required for optional communications or similar activities.

We do not sell personal information. We share information only where needed to operate ScopeHold or where legally required.

• Service providers that help us host, secure, authenticate, email, bill, monitor, and operate the service.
• Payment processors, such as Stripe, for subscription billing and payment administration.
• Authentication and infrastructure providers, such as Supabase, Google, Vercel, Resend, and Google Cloud services.
• Professional advisers, regulators, law enforcement, courts, or other parties where required or permitted by law.
• Successors or counterparties in a merger, acquisition, financing, reorganisation, or sale of business assets, subject to appropriate safeguards.

ScopeHold is operated from New Zealand and uses service providers that may process information in other countries, including the United States, the United Kingdom, the European Economic Area, and other locations where our providers operate.

Where transfer safeguards are required, we use appropriate contractual, technical, and organisational measures designed to protect personal information.

ScopeHold is designed as a security product. We use safeguards such as encryption in transit, encrypted secret storage, key wrapping, access controls, audit logging, rate limiting, and operational monitoring. No service can guarantee perfect security, and customers remain responsible for configuring access grants carefully and protecting their own accounts, devices, agent keys, and provisioning prompts.

We keep personal information for as long as needed to provide ScopeHold, meet legal obligations, resolve disputes, enforce agreements, and maintain security. Audit retention may depend on the plan, workspace settings, and product limits.

Archived or destroyed secret records may retain metadata where needed for security, integrity, billing, audit, or legal reasons, but destroyed secret values should no longer be available for normal use.

Depending on where you live, you may have rights to access, correct, delete, export, restrict, or object to certain processing of your personal information. UK and EU users may also have the right to withdraw consent, object to processing based on legitimate interests, and complain to a data protection authority.

New Zealand users may contact the Office of the Privacy Commissioner if they have concerns about how we handle personal information. You can make a request by emailing privacy@scopehold.com.

ScopeHold is designed for business and professional use. It is not intended for children, and we do not knowingly collect personal information from children.

We may update this policy from time to time. If changes are material, we will take reasonable steps to notify users, such as by updating this page, emailing account administrators, or displaying an in-product notice.