Legal

Privacy Policy

Last updated: July 17, 2026

1. Introduction

Scovant ("Company", "we", "us") respects your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our platform at scovant.com ("Service").

2. Information We Collect

Account Information: When you sign in with Google or GitHub OAuth, we receive your name, email address, and profile picture from your chosen provider. We do not receive or store your provider password.

Workspace Data: Website URLs, scan configurations, site names, and team member email addresses you provide.

Scan and Simulation Results: Compatibility scores, detected issues, screenshots, HTML snapshots, and simulation step data generated when you use the Service.

Usage Data: Pages visited, features used, timestamps, IP addresses, browser type, and device information. We collect this through server logs and standard web analytics.

Payment Information: Billing is handled by Paddle, our Merchant of Record. We do not store credit card numbers or payment details. We receive from Paddle: customer ID, transaction identifiers, purchase amounts, and purchase timestamps for one-time credit-pack purchases and recurring subscription charges (Monitor, Team, Business).

3. How We Use Your Information

We use your information to: (a) provide and operate the Service; (b) process scans and simulations on your websites; (c) process your credit-pack purchases and subscription billing through Paddle; (d) send transactional emails (scan completion, regression alerts, billing notifications); (e) improve the Service through aggregated, anonymized analytics; (f) ensure security and prevent abuse.

4. Data Storage and Security

Your data is stored on Amazon Web Services (AWS) infrastructure in the United States. We use encryption in transit (HTTPS/TLS) for all connections. Database credentials and API keys are stored in AWS Secrets Manager. HTML snapshots and screenshots are stored in AWS S3 with a 90-day lifecycle policy, after which raw files are automatically deleted.

5. Data Sharing

We do not sell your personal information. We share data only with: (a) Paddle — for payment processing and tax compliance; (b) Amazon Web Services — as our infrastructure provider; (c) Google and GitHub — for authentication (OAuth); (d) Law enforcement — if required by law. We may share aggregated, anonymized data (e.g., industry-wide compatibility trends) publicly.

6. Data Retention

Account data is retained as long as your account is active. Scan results and simulation data are retained while your workspace exists. Raw HTML files and screenshots in S3 are automatically deleted after 90 days. Server-side audit logs are retained for 90 days by default. If you delete your account, your personal data is anonymised immediately as part of the deletion (see Section 12); anonymized and aggregated data may be retained.

7. Your Rights

Depending on your jurisdiction, you may have the right to: access your personal data, correct inaccurate data, delete your data, export your data, and object to certain processing. You can delete your account yourself at any time from Settings. For other requests, contact us at privacy@scovant.com. We will respond within 30 days.

8. Cookies

We use minimal, functional cookies for authentication session management and theme preferences. We do not use third-party tracking cookies or advertising cookies.

9. Children’s Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children.

10. International Transfers

Your data may be transferred to and processed in the United States. By using the Service, you consent to this transfer. Paddle, as our Merchant of Record, may process payment data in other jurisdictions as required for tax compliance.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active users of material changes via email. The "Last updated" date at the top indicates when this policy was last revised.

12. Abuse Prevention

To detect and prevent fraudulent multi-account activity we capture the following signals at signup and login: client IP address, browser User-Agent string, country and ASN derived from the IP, and a normalized form of your email address (used to detect alias-based duplicates). Legal basis: legitimate interest under Art. 6(1)(f) GDPR — fraud prevention. These signals are not shared with third parties and are not used for marketing. When you delete your account, IP addresses are anonymized (last octet stripped on IPv4, last 80 bits zeroed on IPv6), the normalized email is removed, and the stored User-Agent string is cleared.

13. Contact

For privacy questions or data requests, contact us at privacy@scovant.com.