Last updated: 19 May 2026
ScoutCRM is a UK-based software-as-a-service product operated by AiCitizen. Our registered address is in the United Kingdom. You can contact us at sales@scoutcrm.co.uk.
This policy explains what personal data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.
Account data — when you sign up, we collect your name, email address, and business name. This is necessary to provide the service.
Billing data — payment processing is handled entirely by Stripe. We never see or store your card details. We retain your Stripe customer ID and subscription status.
Usage data — we collect data about how you use ScoutCRM, including searches run, leads added, and features accessed. This is used to improve the product and enforce plan limits.
Lead data — contact details you add or enrich within the platform (business names, phone numbers, email addresses, websites). This is business contact information, not personal consumer data.
Technical data — IP addresses, browser type, and session data collected automatically via Supabase authentication and Vercel infrastructure.
We do not sell your personal data to third parties. We do not use your data for advertising.
ScoutCRM operates a shared data model for business contact information. When you add or enrich a contact detail for a lead (such as a phone number, email address, or website), that data may be shared anonymously across the platform to enrich the same business record for other ScoutCRM users.
This works similarly to how Waze aggregates road data from all drivers — your contribution improves the platform for everyone, but it is never attributed to you personally.
This applies only to business contact information (company phone numbers, company email addresses, company websites). It never applies to your personal data, your account information, or your CRM notes and activity logs — those remain strictly private to your organisation.
You can opt out of contributing to shared business data by contacting us at sales@scoutcrm.co.uk.
We process your data under the following legal bases:
B2B prospecting using publicly available business contact information is lawful under legitimate interests under UK GDPR. We never process consumer personal data for prospecting purposes.
Your data is stored in Supabase (PostgreSQL) on servers located in the European Union. All data is encrypted in transit (TLS) and at rest.
Row-level security ensures that no ScoutCRM customer can access another customer's data — even if there were an application-level bug, the database enforces isolation at the query level.
We use Vercel for application hosting (US-based CDN with EU data processing) and Stripe for payment processing (PCI DSS Level 1 certified).
We retain your account data for as long as your account is active. If you cancel your subscription and do not reactivate within 90 days, we will delete your account data on request.
Billing records are retained for 7 years as required by UK financial regulations.
Anonymised, aggregated usage data may be retained indefinitely for product analytics.
ScoutCRM uses the following third-party services to operate:
Each service operates under its own privacy policy and data processing agreements where required by GDPR.
Under UK GDPR, you have the right to:
To exercise any of these rights, email sales@scoutcrm.co.uk. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
ScoutCRM uses only functional cookies necessary to operate the authentication system (session tokens via Supabase). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
We may update this policy from time to time. Material changes will be communicated by email to registered users. Continued use of ScoutCRM after a policy update constitutes acceptance of the revised terms.
For any privacy-related queries, contact us at sales@scoutcrm.co.uk.