Privacy Policy

Last updated: 19 May 2026

1. Who we are

ScoutCRM is a UK-based software-as-a-service product operated by AiCitizen. Our registered address is in the United Kingdom. You can contact us at sales@scoutcrm.co.uk.

This policy explains what personal data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

2. Data we collect

Account data — when you sign up, we collect your name, email address, and business name. This is necessary to provide the service.

Billing data — payment processing is handled entirely by Stripe. We never see or store your card details. We retain your Stripe customer ID and subscription status.

Usage data — we collect data about how you use ScoutCRM, including searches run, leads added, and features accessed. This is used to improve the product and enforce plan limits.

Lead data — contact details you add or enrich within the platform (business names, phone numbers, email addresses, websites). This is business contact information, not personal consumer data.

Technical data — IP addresses, browser type, and session data collected automatically via Supabase authentication and Vercel infrastructure.

3. How we use your data

  • To provide and operate the ScoutCRM service
  • To process payments and manage your subscription via Stripe
  • To send transactional emails (account confirmation, password reset, trial reminders, follow-up alerts) via Resend
  • To enforce plan feature limits and prevent abuse
  • To improve the product based on aggregated, anonymised usage patterns
  • To comply with legal obligations

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Shared business data

ScoutCRM operates a shared data model for business contact information. When you add or enrich a contact detail for a lead (such as a phone number, email address, or website), that data may be shared anonymously across the platform to enrich the same business record for other ScoutCRM users.

This works similarly to how Waze aggregates road data from all drivers — your contribution improves the platform for everyone, but it is never attributed to you personally.

This applies only to business contact information (company phone numbers, company email addresses, company websites). It never applies to your personal data, your account information, or your CRM notes and activity logs — those remain strictly private to your organisation.

You can opt out of contributing to shared business data by contacting us at sales@scoutcrm.co.uk.

5. Legal basis for processing

We process your data under the following legal bases:

  • Contract — processing necessary to deliver the service you have subscribed to
  • Legitimate interests — product improvement, fraud prevention, platform integrity
  • Legal obligation — where required by UK law
  • Consent — where you have explicitly opted in (e.g. marketing emails)

B2B prospecting using publicly available business contact information is lawful under legitimate interests under UK GDPR. We never process consumer personal data for prospecting purposes.

6. Data storage and security

Your data is stored in Supabase (PostgreSQL) on servers located in the European Union. All data is encrypted in transit (TLS) and at rest.

Row-level security ensures that no ScoutCRM customer can access another customer's data — even if there were an application-level bug, the database enforces isolation at the query level.

We use Vercel for application hosting (US-based CDN with EU data processing) and Stripe for payment processing (PCI DSS Level 1 certified).

7. Data retention

We retain your account data for as long as your account is active. If you cancel your subscription and do not reactivate within 90 days, we will delete your account data on request.

Billing records are retained for 7 years as required by UK financial regulations.

Anonymised, aggregated usage data may be retained indefinitely for product analytics.

8. Third-party services

ScoutCRM uses the following third-party services to operate:

  • Supabase — database and authentication (EU servers)
  • Stripe — payment processing (PCI DSS compliant)
  • Vercel — application hosting
  • Resend — transactional email delivery
  • Anthropic Claude API — AI-powered outreach generation and lead enrichment (Growth/Pro plans)
  • Companies House API — free UK government API, no personal data transmitted
  • OpenStreetMap / Overpass API — open geographic data, no personal data transmitted
  • Postcodes.io — UK postcode geocoding, no personal data transmitted

Each service operates under its own privacy policy and data processing agreements where required by GDPR.

9. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Restrict or object to processing
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent where processing is based on consent

To exercise any of these rights, email sales@scoutcrm.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10. Cookies

ScoutCRM uses only functional cookies necessary to operate the authentication system (session tokens via Supabase). We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

11. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to registered users. Continued use of ScoutCRM after a policy update constitutes acceptance of the revised terms.

12. Contact

For any privacy-related queries, contact us at sales@scoutcrm.co.uk.