Privacy Policy

Last updated: 24 March 2026

1. Who We Are

ScopeShift is operated by Vaughan Williams trading as ScopeShift Ltd ("ScopeShift", "we", "us", "our").

ScopeShift is the data controller for personal data collected through our marketing website (scopeshift.co.uk) and is the data processor for personal data that our customers (data controllers) upload or generate through the ScopeShift application (app.scopeshift.co.uk).

If you are a user of the ScopeShift platform on behalf of a company that has contracted with us, your employer or contracting company is the data controller for your data. Please also refer to your employer's privacy notices.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Personal Data We Collect

Account and Identity Data

When you create a ScopeShift account or are added as a user by your company's administrator, we collect your full name, email address, job title and role, phone number (optional), profile photograph (optional), hashed password, and two-factor authentication tokens (stored securely).

Company and Project Data

When you use the ScopeShift platform, we store the business data you input, including company details, project information, variation order details, client and subcontractor contact information, comments, approval decisions, and audit logs.

Media and Evidence Data

As part of VO documentation, the platform stores photographs (including EXIF metadata such as GPS coordinates), voice notes with AI-generated transcriptions, documents, drawings with annotations, and digital signatures captured as part of the client approval workflow.

Location Data

We do not perform continuous location tracking. Location data (GPS coordinates) is recorded only at specific, user-initiated moments — when a photograph is taken, when a signature is captured, or when a clock-in/clock-out action is recorded.

Technical and Usage Data

We automatically collect your IP address, device type, browser type, operating system, app version (mobile), usage logs and session information, and error and crash reports.

Payment and Billing Data

When you subscribe to a ScopeShift plan, we collect your company billing email address and company name for invoicing. Payment card details are never collected or stored by ScopeShift. All payment processing is handled directly by Stripe on their secure, PCI DSS Level 1 compliant infrastructure.

3. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the Service (contract performance).
  • Send transactional emails — verification, password resets, VO notifications, approval requests (contract performance).
  • Process subscription payments via Stripe (contract performance).
  • Maintain audit logs and change history (legitimate interest — security and compliance).
  • Monitor platform uptime and error reporting (legitimate interest — service reliability).
  • Respond to support requests (legitimate interest).
  • Comply with legal obligations such as tax and accounting records (legal obligation).
  • Send marketing emails about new features to existing customers (legitimate interest, with opt-out available).

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

4. Legal Basis for Processing

We process your data under the following legal bases:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Service, including account management, authentication, transactional emails, and payment processing.
  • Legitimate interests (Article 6(1)(f)): Security, audit logging, error monitoring, service improvement, customer support, and marketing to existing customers.
  • Legal obligation (Article 6(1)(c)): Compliance with applicable laws and regulations.
  • Consent: Where you have given specific consent, such as for marketing communications. You may withdraw consent at any time.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for their own marketing purposes. We may share your data with:

  • Sub-processors: Third-party providers who process data on our behalf under written data processing agreements, including Neon (database hosting, EU), Render (API hosting, EU), Vercel (frontend hosting), Cloudflare (file storage, DNS, CDN), Stripe (payment processing), Resend (email delivery), Firebase (mobile push notifications), Sentry (error monitoring), and Better Stack (uptime monitoring).
  • Accounting integrations: If you connect Xero, QuickBooks, or Sage, invoice data is sent to your account with that provider. These integrations are user-initiated and can be disconnected at any time.
  • Your organisation: Other users within your company account, as configured by your administrator.
  • Legal requirements: When required by law, regulation, or legal process, or to protect the rights and safety of ScopeShift, our customers, or others.

6. Data Storage and Security

Your data is stored securely on servers located within the European Union (database and API hosting in Frankfurt, Germany). We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (TLS 1.2+) and at rest
  • Role-based access control and multi-tenant data isolation
  • JWT authentication with bcrypt password hashing and optional two-factor authentication
  • Full audit trail of all data access and changes
  • ISO 27001 aligned security (97% Annex A control coverage)

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Key retention periods:

  • Active accounts and project data: duration of active subscription.
  • Variation order records, financial data, approval history, photographs, and media: 7 years from project completion (UK construction industry record-keeping requirements).
  • Audit logs and payment records: 7 years (legal obligation).
  • Deleted account data: up to 90 days (backup rotation).

On account termination, the account holder may request a full data export. Following the 90-day deletion window, all personal data is permanently deleted unless retention is legally required.

8. Your Rights

Under the UK GDPR, you have the right to:

  • Access (Article 15): Request a copy of the personal data we hold about you.
  • Rectification (Article 16): Request correction of inaccurate or incomplete data.
  • Erasure (Article 17): Request deletion of your personal data where there is no lawful basis to retain it. Note that 7-year retention obligations may apply.
  • Restriction (Article 18): Request restriction of processing in certain circumstances.
  • Portability (Article 20): Receive your data in a structured, machine-readable format (JSON/CSV).
  • Objection (Article 21): Object to processing based on legitimate interests, including marketing.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, please contact us at privacy@scopeshift.co.uk. We will respond within one calendar month.

9. International Transfers

ScopeShift's primary data processing is within the EU. Some sub-processors process data outside the UK, protected by UK IDTA / Standard Contractual Clauses or UK adequacy decisions. Full details of transfer mechanisms for each sub-processor are available on request.

10. Children's Privacy

ScopeShift is a business-to-business platform. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at privacy@scopeshift.co.uk and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify active users by email at least 14 days before the change takes effect.

12. Contact Us

For any privacy-related questions, requests, or complaints, please contact us at privacy@scopeshift.co.uk.

For security or data breach notifications: security@scopeshift.co.uk.

For general support: support@scopeshift.co.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.