Privacy Policy
Last updated: 16 February 2026
1. Who we are
ScopeGrid ("we", "us", "our") is a UK-based software company that provides a multi-tenant SaaS dashboard for managed service providers (MSPs). Our website is scopegrid.app.
For GDPR purposes, we act as a data processor when handling your integration data on your instructions, and as a data controller for account and billing data.
2. Data we collect
| Category | Examples | Basis |
|---|---|---|
| Account data | Name, email, organisation, Azure AD tenant ID | Contract |
| Integration credentials | API keys, tokens, base URLs (encrypted with AES-256-GCM) | Contract |
| Integration data | Device inventories, backup statuses, agent counts, ticket data, call records — fetched from your connected tools | Legitimate interest / Contract |
| Usage data | Pages visited, feature usage, error logs | Legitimate interest |
| Billing data | Processed by Stripe — we do not store card numbers | Contract |
3. How we use your data
- Provide and operate the ScopeGrid service
- Power dashboards, smart alerts, and scheduled reports using data from your connected integrations
- Authenticate you securely via Azure AD / Auth0 (SSO)
- Process payments via Stripe
- Send transactional emails (account, alerts, reports) via Resend
- Improve the service and fix bugs
We never sell your data or share it with third parties for marketing purposes.
4. Where data is stored
Application & database: UK region (Vercel UK, Neon Postgres London). All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Authentication: EU region (Azure AD / Auth0).
Email delivery: Resend (US-based; transactional emails only — alert notifications, report delivery, magic links).
Payments: Stripe (certified PCI DSS Level 1).
5. Data retention
- Account data: Retained while your account is active, plus 30 days after cancellation.
- Integration data: Fetched on demand or via scheduled syncs. Cached data is refreshed regularly and not retained beyond what is needed for alerting and reporting.
- Integration credentials: Deleted immediately when you disconnect an integration.
- Billing data: Retained as required by tax and accounting law (typically 6 years).
6. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Receive your data in a structured format (data portability)
- Withdraw consent at any time (where consent is the basis)
To exercise any of these rights, email us at privacy@scopegrid.app. We will respond within 30 days.
7. Cookies
We use essential cookies only — session authentication and CSRF protection. We do not use advertising or tracking cookies. No cookie banner is required because we only use strictly necessary cookies.
8. Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting | UK |
| Neon | PostgreSQL database | UK (London) |
| Microsoft Azure AD | Authentication (SSO) | EU |
| Stripe | Payment processing | US (PCI DSS L1) |
| Resend | Transactional email | US |
| Vercel | Background job orchestration (Cron) | US |
9. Security
- All integration credentials encrypted at rest (AES-256-GCM)
- TLS 1.2+ on all connections
- Multi-tenant data isolation — strict tenant-scoped queries
- SSO with Azure AD / Auth0 (no password storage)
- Microsoft GDAP ready — least-privilege, explicit consent
- ISO 27001 on our roadmap
10. Breach notification
In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. We will also notify the ICO where required.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related questions or to exercise your rights:
Email: privacy@scopegrid.app
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).