Sign inGet started
Data minimization by design

Privacy Policy.

We are committed to minimal data collection. Prompt content never leaves your process. This policy explains what we collect, how we use it, and your rights.

Last updated 2026-05-23.

1. Scope

This policy applies to ScopeVeil's marketing website (scopeveil.com), dashboard (app.scopeveil.com), LLM gateway (gateway.scopeveil.com), observability ingest pipeline (ingest.scopeveil.com), and the ScopeVeil SDKs for TypeScript and Python.

2. Data we collect

From you directly

  • Email: required for authentication and account communications.
  • Name: optional, for display purposes.
  • Password: stored as a bcrypt hash; plaintext never stored.
  • Organization name: for billing and team management.

Payments are handled by Stripe; we store only a Stripe customer ID, never card numbers.

Via the SDK and gateway

We receive operational metadata only:

  • Provider and model name
  • Token counts (input, output, cached)
  • Latency, HTTP status codes, error categories, timestamps
  • Your custom tags and metadata fields (you control what to send)
  • SHA-256 hashes of user identifiers if you opt to send them; raw identifiers are rejected at our schema boundary
  • API key prefix for authentication and rate limiting

We never collect: prompt content, completion text, system prompts, tool arguments or responses, raw end-user identifiers, or any data you did not explicitly choose to send. Our SDKs read response bodies locally to count tokens and discard them before transmission.

Automatically

When you use our website or dashboard, we log IP address (retained 30 days for security and rate limiting), browser type, viewport, pages visited, and referrer. We use New Relic for our own application performance monitoring. Service telemetry only, no prompt or completion content.

Cookies

  • scopeveil-session (httpOnly, secure, SameSite=Lax): authentication session, 7 days.
  • XSRF-TOKEN (secure, SameSite=Lax): CSRF protection.

We do not use third-party tracking, advertising, or fingerprinting cookies.

3. Legal bases for processing

We rely on the following legal bases (GDPR Art. 6 / LGPD Art. 7):

  • Performance of a contract: to provide the service you signed up for (account, gateway, dashboard).
  • Legitimate interest: to secure our systems (rate limiting, abuse detection, logging).
  • Legal obligation: to keep billing records as required by tax law (7 years).
  • Consent: for optional features like email notifications beyond transactional.

4. How we use your data

  • Operate, maintain, and improve the platform
  • Process payments and manage billing
  • Authenticate users and prevent fraud or abuse
  • Send transactional emails (verification, password reset, low-balance alerts, receipts)
  • Investigate operational issues and respond to support requests
  • Comply with legal obligations

We do not sell or rent personal data, train AI models on your data, profile users for advertising, or share data with data brokers.

5. Subprocessors

The following third parties process data on our behalf:

  • Fly.io: hosting (web, gateway, API, ingest, worker). US (Ashburn, VA).
  • Stripe: payment processing. US.
  • OpenAI, Anthropic, Google, Mistral, Cohere and other LLM providers: upstream LLM execution when you route requests through our gateway. We act as a transparent proxy and never store the request payload. Each provider's privacy policy applies to your traffic.
  • New Relic: application performance monitoring of our own services. US. Service telemetry only.
  • Mailgun or Amazon SES (subject to change): transactional email delivery. US.

Material changes to subprocessors will be announced at least 30 days in advance.

6. Data retention

  • Account information: lifetime of account + 90 days after deletion.
  • Billing records: 7 years (legal/tax requirement).
  • Usage metadata: 90 days by default; configurable per organization.
  • Server logs and security events: 30 days.
  • Session cookies: 7 days from issuance.

You may request earlier deletion at any time (Section 8).

7. Data residency and international transfers

Our primary infrastructure is hosted in the United States (Fly.io, region iad, Ashburn, Virginia). For users in the EEA, the UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as the legal basis for transfers. EU data residency is on our roadmap; get in touch if you require it.

8. Your rights

You have the right to access, correct, delete, port, restrict, and object to processing of your data. You may also withdraw consent at any time where processing is based on consent.

Most rights can be exercised directly from your account (Export data, Delete account). For anything else, use our contact form from the address associated with your account. We respond within 30 days.

Region-specific frameworks: GDPR (EEA, UK, Switzerland), LGPD (Brazil, Lei 13.709/2018), CCPA / CPRA (California). See /data-rights for a detailed breakdown per jurisdiction.

9. Security

  • TLS 1.2+ for all data in transit; AES-256 for data at rest (Fly.io and Postgres managed).
  • bcrypt password hashes; Argon2 hashes for API keys.
  • Rate limiting on authentication, signup, and outbound email endpoints.
  • HTTPS-only with HSTS; strict Content Security Policy.
  • Application monitoring via New Relic for anomaly detection.
  • Principle of least privilege for internal access.

No system is fully secure. We commit to notifying affected users within 72 hours of confirming a data breach, in line with GDPR Art. 33 and LGPD Art. 48.

10. Data Protection Officer / Encarregado

Our Data Protection Officer (Encarregado de Proteção de Dados Pessoais, per LGPD Art. 41) can be reached through our contact form. Pick the "Privacy / data rights" topic so it lands directly with the right team. Use this channel for any privacy concern, formal request, or regulatory inquiry.

11. Children's privacy

ScopeVeil is a B2B developer platform, not directed at anyone under 18. If we learn we have collected data from a minor, we will delete it promptly.

12. Changes to this policy

We may update this policy. The "Last updated" date at the top reflects any change. For material changes affecting how we collect or use your data, we notify by email at least 30 days before they take effect. The current version is always available at scopeveil.com/privacy.

13. Contact

All privacy, DPO, and legal inquiries go through our contact form. Pick the topic that fits your message ("Privacy / data rights", "Legal", or "Other") and we route it to the right person internally. Same response time, fewer dead-letter mailboxes.