Privacy Policy

Last updated: April 12, 2026 · Version 1.0

1. Data Controller

ScopeData, Inc. (d/b/a “ScopeAtlas”)
Website: atlas.scopedata.ai
Data Protection Contact: privacy@scopedata.ai
DPO Contact: dpo@scopedata.ai

2. Data We Collect

2.1 Account & Profile Data

When you create an account we collect your name, email address, and hashed password. We also record your IP address (masked), device information, and account creation date.

2.2 Health & Medical Data (Special Category — GDPR Art. 9)

Only with your explicit consent, we may process medical diagnoses, lab results, medications, clinical observations, and related health information. All health data is de-identified using the HIPAA Safe Harbor method (18 identifiers removed) before any third-party disclosure.

2.3 Usage Data

We automatically collect search queries, abstracts viewed, AI features used, session duration, and technical logs (errors, performance metrics) to improve service quality and detect security threats.

2.4 Communication Data

When you contact us we retain email correspondence and support tickets for up to 3 years after the last interaction.

3. Legal Bases for Processing

  • Consent (Art. 6(1)(a) / Art. 9(2)(a)) — health data processing, marketing communications, personalized insights.
  • Contract Performance (Art. 6(1)(b)) — providing ScopeAtlas services you requested.
  • Legal Obligation (Art. 6(1)(c)) — tax compliance, HIPAA audit log retention.
  • Legitimate Interests (Art. 6(1)(f)) — fraud prevention, security monitoring, service improvement.

4. Data Processors & International Transfers

We engage the following processors, all bound by Data Processing Agreements (DPAs):

Processor | Purpose | Location
Supabase | Database hosting | USA (SCCs)
Vercel | Application hosting | USA (SCCs)
Railway | Background workers | USA (SCCs)
OpenAI | AI language models | USA (SCCs)
Anthropic | AI language models | USA (SCCs)
Resend | Transactional email | USA (SCCs)

Your data may be transferred to and processed in the United States. We use EU Standard Contractual Clauses (SCCs) with supplementary measures (AES-256 encryption at rest, TLS 1.3 in transit) to safeguard transfers.

5. Your Rights Under GDPR

Under GDPR Articles 15–22, you have the right to:

  • Access (Art. 15) — request a copy of your personal data via Settings > Export My Data.
  • Rectification (Art. 16) — correct inaccurate data in your profile settings.
  • Erasure (Art. 17) — request deletion of your account and personal data.
  • Restriction (Art. 18) — request we limit processing while disputes are resolved.
  • Data Portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
  • Object (Art. 21) — object to processing based on legitimate interests or direct marketing.
  • Withdraw Consent (Art. 7(3)) — withdraw consent at any time in your account settings without affecting prior processing.

To exercise any right, email privacy@scopedata.ai. We will respond within 30 days.

6. Data Retention

Category | Period
Account data | Until deletion + 90 days
Health data (identifiable) | Until consent withdrawn + 30 days
Search history | 90 days
Audit logs | 7 years (legal obligation)
Consent records | 7 years after withdrawal
Support communications | 3 years after last contact

7. Security Measures

We implement appropriate technical and organizational measures per GDPR Article 32:

  • AES-256 encryption at rest (Supabase)
  • TLS 1.3 encryption in transit (Vercel)
  • Row-Level Security (RLS) on all user tables
  • Role-based access control (RBAC)
  • Immutable audit trails with 7-year retention
  • HIPAA Safe Harbor de-identification for health data
  • Vulnerability scanning and penetration testing

8. Cookies

We use essential cookies for authentication and session management. Non-essential cookies (analytics, personalization) are only set with your consent via our cookie banner. You can update your cookie preferences at any time.

9. Children's Data

We do not knowingly collect personal data from children under 16 without parental consent (GDPR Art. 8). If you believe a child has provided data without consent, contact us immediately at privacy@scopedata.ai.

10. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email and in-app notification at least 30 days before taking effect. Continued use after the effective date constitutes acceptance.

11. Supervisory Authority

If you believe we have violated GDPR, you have the right to lodge a complaint with your national data protection authority. A list of EU DPAs is available at edpb.europa.eu.

Contact Us

ScopeData, Inc.
Email: privacy@scopedata.ai
DPO: dpo@scopedata.ai
Website: atlas.scopedata.ai