Privacy Policy
Effective date: March 2, 2026
ScopeGate ("we", "our", or "us") is committed to protecting your privacy. This policy explains what information we collect, how we use it, and the choices you have.
1. Information We Collect
Account information
When you register, we collect your email address and, optionally, a display name. Passwords are hashed with bcrypt and never stored in plain text.
OAuth tokens
When you connect external services (e.g., Google), we store the OAuth access and refresh tokens required to act on your behalf. These tokens are encrypted at rest and never exposed via the API.
Usage data
We collect anonymised analytics (page views, feature usage) via Plausible Analytics — a privacy-first, GDPR-compliant tool that does not use cookies and does not track individuals across sites.
Request logs
MCP endpoint requests are logged for audit and debugging purposes. Logs include timestamps, tool names, and status codes. Request payloads are not logged by default.
2. How We Use Your Information
Service operation
We use your account information to authenticate you, route MCP requests to the correct permissions context, and deliver the service.
Transactional emails
We may send you magic-link sign-in emails, security alerts, and billing receipts. We do not send marketing emails without your explicit consent.
Product improvement
Aggregated, anonymised usage statistics help us prioritise features and fix bugs.
3. Data Sharing
No sale of personal data
We do not sell, rent, or trade your personal information to any third party.
Sub-processors
We rely on a small number of sub-processors to operate the service: Vercel (hosting), Neon / Supabase (database), and Resend (transactional email). Each sub-processor is bound by a data processing agreement.
Legal requirements
We may disclose information if required by law or to protect the rights and safety of ScopeGate, its users, or the public.
4. Data Retention
Account data
We retain your account data for as long as your account is active. You may delete your account at any time from the Settings page; account data is permanently deleted within 30 days.
Audit logs
Request audit logs are retained for 90 days on the free plan and 365 days on paid plans.
5. Security
Encryption
All data is transmitted over TLS 1.2+. OAuth tokens and sensitive credentials are encrypted at rest using AES-256.
Access control
Production database access is restricted to our deployment pipeline. No engineer has standing access to production data.
Vulnerability disclosure
If you discover a security vulnerability, please report it to security@scopegate.dev. We follow a 90-day coordinated disclosure policy.
6. Your Rights
Access and portability
You may request a copy of all personal data we hold about you by emailing privacy@scopegate.dev.
Correction and deletion
You may update your profile at any time from the Settings page, or request deletion of your account and all associated data.
GDPR / CCPA
If you are a resident of the European Economic Area or California, you have additional rights under GDPR and CCPA respectively. Contact us at privacy@scopegate.dev to exercise these rights.
7. Cookies
Session cookies
We set a single session cookie (better-auth.session_token) that is strictly necessary for authentication. This cookie expires when you sign out or after 30 days of inactivity.
No tracking cookies
We do not use advertising or cross-site tracking cookies. Our analytics provider (Plausible) does not use cookies.
8. Changes to This Policy
Notification
We will notify registered users by email at least 14 days before any material change to this Privacy Policy takes effect.
9. Contact
Privacy inquiries
For any questions about this Privacy Policy or our data practices, please contact us at privacy@scopegate.dev.