Privacy Policy — DemandScout

This Privacy Policy describes what personal data DemandScout.ai ("we") collects, how we use it, who we share it with, and what your rights are. It applies to use of the DemandScout.ai service.

1. Data we collect from you

Account data: your email address, optionally a display name, and your hashed password (we never store passwords in clear text).
Workspace data: the workspace name and URL slug you choose, and the ICP filters you configure (job titles, industries, countries).
Billing data: if you subscribe to a paid plan, Stripe processes your payment. We never see or store your card details. We do store a Stripe customer ID and subscription metadata.
Authentication: if you sign in via Google, we receive the email address, name, and Google account ID returned by Google. Nothing more.
Usage data: server logs of requests (path, status, IP, user agent) are retained for 30 days for security and debugging.
Cookies: a single session cookie (`demandscout.sid`) is set after sign-in. It is HttpOnly, Secure, SameSite=Lax. We don't use third-party analytics or marketing cookies.

2. Data we collect from public sources

To provide the lead-generation service, we crawl public sources (job boards, RSS feeds, public discussions) for information about companies. This data is processed under legitimate-interest grounds (GDPR Art. 6(1)(f)). We:

Only collect information that companies have published publicly.
Honour robots.txt and identify our crawler with a unique User-Agent.
Rate-limit our requests politely (≤ 1 request/second per source).
Do not scrape LinkedIn or other sites with anti-scraping restrictions.

Opt-out: if you represent a company that doesn't want to appear in the DemandScout lead database, email [email protected] with the company name and domain. We will remove and add to a permanent suppression list.

3. How we use your data

To provide and improve the Service.
To send you transactional emails (digest, password changes, billing receipts).
To enforce our Terms and detect abuse.
To comply with legal obligations.

We do not sell your data. We do not share your data with advertisers. Period.

4. Who we share data with

Stripe — for processing payments. Stripe is the payment Data Processor; their privacy policy applies to your payment information.
Google — only if you choose Sign in with Google. We receive identity data from them, we don't send anything except the OAuth request.
Anthropic — anonymised public text from sources we crawl is sent to Claude for classification (e.g., parsing a HN comment into structured fields). We do not send any of your personal data to Anthropic.
AWS — Simple Email Service (SES) sends transactional / digest emails on our behalf.

5. Where data is stored

DemandScout.ai runs in our self-hosted Kubernetes cluster. The cluster is operated from the European Union. Your workspace lives in a dedicated Postgres database isolated from every other customer's data.

Stripe, Google, Anthropic, and AWS may process data outside the EU; their respective Standard Contractual Clauses or equivalent transfer mechanisms apply.

6. Retention

Account data: while your account exists, plus 30 days after deletion.
Workspace data: while the workspace is active, plus 30 days after deletion. Backups may persist up to 90 days.
Server logs: 30 days.
Audit log: indefinitely (it's what proves who did what — required for compliance).

7. Your rights (GDPR + CCPA)

You have the right to:

Access the personal data we hold about you.
Correct it if it's inaccurate.
Delete it (you can delete your account directly from /app/account).
Export it ("data portability").
Object to processing under legitimate-interest grounds.
Lodge a complaint with your local data protection authority.

To exercise any of these, email [email protected]. We aim to respond within 30 days.

8. Security

See our security model for technical detail. Highlights: passwords hashed with bcrypt, sessions HttpOnly + Secure + SameSite=Lax, per-tenant database isolation, no card data in our systems (Stripe-hosted checkout), audit log of every state-changing action, signed-secret webhook verification, response-header hardening (HSTS, X-Frame-Options DENY, nosniff, restrictive Permissions-Policy).

9. Children

The Service is for business use and not directed to children under 16. If we learn we've collected data on a minor we will delete it.

10. Changes

We may update this Policy. Material changes will be announced by email or in-app banner before they take effect.

11. Contact

Privacy questions: [email protected].

This policy is a starting point and should be reviewed by qualified counsel for your jurisdiction before relying on it in commerce. It is provided as-is for the initial launch.