Privacy Policy
Last updated: 2026-06-22
1. Who this covers
This Policy explains how Scouti ("we", "us") collects and uses personal data in two distinct contexts:
- Dashboard accounts. When you sign up for and use the Scouti dashboard, we are the "data controller" of your account information.
- Widget end-users. When a Scouti widget runs on a customer's site or product, the customer (the team that embedded the widget) is the data controller for the people who interact with it; we act as a "data processor" on the customer's behalf.
2. What we collect from dashboard accounts
- Identity. Your email address, display name, and (if you sign in with Google) your Google profile picture.
- Billing. Subscription status, plan, and payment events. Card numbers and other sensitive payment details are handled directly by our payment processor (Stripe) — we never see or store them.
- Project & team data. The organizations, projects, topics, and team members you create in the dashboard.
- Operational logs. IP address, browser, device, and basic usage events needed to deliver the dashboard, secure your account, and diagnose problems.
3. What the widget collects from end-users
When someone interacts with a Scouti widget, we process:
- Conversation content. The text the visitor types or speaks (after transcription) and the assistant's replies.
- Session & device metadata. An anonymous session identifier, a coarse (truncated) IP address, the browser user-agent, the language, and the screen size. We use this to make the chat work, protect it from abuse, and surface basic context to the dashboard team.
- Interaction & diagnostic events. Lightweight usage signals about how the chat is used — which prompts were shown, when the panel was opened or closed, whether input was text or voice, the length (not the content) of a message, and error events. We use these to keep the widget working, diagnose problems, and understand engagement. They never include the text of what a visitor typed or said.
- Voluntary identifiers. If the customer's site passes a user identifier into the widget (e.g. a logged-in user id), we store it against the conversation so the dashboard team can connect feedback to a user.
4. Voice recordings — never stored
When a visitor uses the voice input, the audio is sent to our speech-to-text provider — Groq or OpenAI — over an encrypted connection, transcribed to text, and the raw audio is then discarded. We do not retain the audio recording itself, and it is not written to any persistent storage on our side. Only the transcribed text is kept, alongside the rest of the conversation.
5. We do not train AI on your data
We do not use Customer Content or End-User Data to train any AI model. The third-party AI providers we rely on — Fireworks, Alibaba Cloud, Google Gemini, Groq, and OpenAI — are used under their API terms, which by default exclude API submissions from being used to train their models. Customer Content and End-User Data is sent to these providers only as needed to produce a response, and is processed under their commercial agreements rather than their consumer terms.
6. Other processors we use
Scouti uses the following third parties to deliver the Service. Each is bound to handle data only on our instructions and to apply appropriate safeguards:
- Supabase — application database, authentication, file storage
- Vercel — hosting of the dashboard and marketing site
- Cloudflare — DNS, CDN, and Turnstile bot protection on auth forms
- Stripe — payment processing and invoicing
- Fireworks, Alibaba Cloud, Google Gemini, Groq, OpenAI — AI providers behind reply generation and voice transcription
- Resend — transactional email (account verification, password reset, invitations)
- Google Identity Services — "Sign in with Google" flow
- Vercel Analytics — aggregate, privacy-friendly traffic analytics on the marketing site
7. Cookies and local storage
We use a small number of cookies and a local-storage entry to keep you signed in and to remember the active organization. On its own domain, the widget stores a few local-storage entries to keep the chat working across page loads — its session and panel state, one or more session identifiers, and any user identifier the embedding site passes in. See the Cookie Policy for the full list and instructions for managing them.
8. How long we keep data
Dashboard account data is retained while your account is active. If you delete your account, we will delete or anonymize the associated personal data within 30 days, except where we are required to keep records longer (for example, tax records related to your billing).
End-User Data is retained according to your customer's instructions. If a customer terminates their account or asks us to delete a project's conversations, we will do so within 30 days from our active systems.
9. Who can read the conversations — only your team
End-User Data collected through the widget is only accessible to:
- members of the customer organization that owns the project, through their Scouti dashboard;
- a small number of Scouti engineers, only when strictly necessary to investigate a support ticket, resolve a security incident, or enforce these Terms — and always under a confidentiality obligation; and
- the third-party processors listed above, only as needed to deliver the Service.
We do not sell or rent personal data, and we do not share it with advertisers.
10. Security
We protect data in transit with TLS 1.2 or higher. Data stored in our managed database and object-storage backends is encrypted at rest with AES-256 by our hosting provider (Supabase / AWS). Access to production systems is restricted to a small number of authorized Scouti engineers, authenticated with multi-factor authentication and logged. Customer Content is isolated per project using row-level security policies enforced at the database layer.
If we become aware of a personal-data breach that affects you, we will notify you without undue delay and, where required by Article 33 GDPR, no later than 72 hours after we have become aware of it. The notice will describe what happened, what data was involved, and the steps we are taking in response.
11. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, to restrict or object to certain processing, or to withdraw consent. To exercise any of these rights, contact us at hello@scouti.chat from the email address on your account.
If you are an end-user of a customer's widget, please direct your request first to that customer (the team that runs the site you were chatting with). They are the data controller for that conversation; we will assist them in honoring your request.
If you are in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data-protection authority.
If you are a California resident, see Your Privacy Choices for a summary of your rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and how to exercise them, including our position on "sale" and "sharing" of personal information.
12. Where your data is stored
Stored data. Your account data, conversations, files, and backups are stored only in the United States, in the AWS us-west-2 (Oregon) region. This is the single location where we persistently hold Customer Content and End-User Data.
AI processing. To generate replies and transcribe voice, we send the content needed for a given request to the AI providers listed in Section 6. They process it only transiently to return a response, are contractually prohibited from retaining it beyond what is necessary, and do not use it to train their models. Depending on the provider and model, this brief processing and the inference itself may take place in the United States or in another region outside mainland China.
In no case do we store or process Customer Content or End-User Data in mainland China.
Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on the EU Standard Contractual Clauses (SCCs) — supplemented, where the recipient has self-certified, by the EU–U.S. Data Privacy Framework and its UK Extension and Swiss-U.S. Bridge.
13. Children
The Service is not intended for children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal data from children. If you believe a child has provided data through our Service, please contact us so we can delete it.
14. Changes to this Policy
We may update this Policy as our practices evolve. The "Last updated" date at the top reflects the current version. Material changes will be announced via email or in the dashboard before they take effect.
15. Contact
For privacy questions, requests, or complaints, email hello@scouti.chat.