Privacy Policy

1. Data Controller

2. Information We Collect

Information You Provide

• Account Information: Email address and sign-in information (Google OAuth or magic link via Supabase)
• User Content: Ideas and research reports you create and choose to save in the app.
• Payment Information: Billing details (processed securely through Stripe)
• Communication Data: Support messages and feedback

Information Automatically Collected

• Usage Data: Feature usage, time spent, and interaction patterns
• Device Information: Browser type, operating system, device identifiers
• Log Data: IP address, access times, pages viewed

3. How We Use Your Information

We use the information we collect to:

• Provide and improve our idea generation service
• Process your subscription and handle payments
• Send you important updates about the service
• Respond to your questions and provide customer support
• Analyze usage patterns to improve features and performance
• Ensure security and prevent fraud

3.1. Email Communications

We send emails to operate the service and keep you informed:

• Service emails: Necessary to operate your account, including sign-in links (magic link), security and account notices, purchase confirmations, and report delivery. These emails are essential to the service.
• Product updates (optional): If you opt in, we may send occasional emails about new features, tips, and product announcements. You can unsubscribe at any time using the link in the email.
• Managing preferences: Product update emails include links to unsubscribe and to manage your email preferences.
• Email providers: We use third-party providers to deliver emails.
• Email logs: We keep limited email delivery logs (such as timestamps and delivery status) to operate and troubleshoot email sending. We retain these logs for up to 12 months.

Legal basis (GDPR):

• Service emails: Contract performance and legitimate interests (security)
• Product updates: Consent (opt-in, withdrawable at any time)

4. Information Sharing and Disclosure

We do not sell or trade your personal information. We only share data as necessary to provide our service:

• AI Service Providers: We use third-party artificial intelligence service providers to power our core features. Different providers may be used for different functions (e.g., idea generation, market research analysis). When you use IdeaScope, your input topics and generated content are sent to these AI providers for processing. The specific providers we use may change over time as we optimize our service, but all providers are selected based on their commitment to data protection and security. Each provider's privacy policy governs their processing of data we share with them. We only share the minimum data necessary for each specific function.
• Database and Authentication Providers: We use cloud database providers for data storage and user authentication. Your account information, topics, and generated ideas are stored on these providers' infrastructure. All database providers are selected based on their security standards and data protection commitments.
• Payment Processors: Stripe (Stripe, Inc.) handles payment processing securely. We do not store your full payment card details; Stripe processes all payment information according to PCI DSS standards.
• Cloud Hosting Providers: Our application is hosted on cloud infrastructure providers, which may process technical data including IP addresses and request logs for operational purposes.
• Analytics Services: We may use analytics tools to understand how the service is used and improve user experience. These tools may process usage and device information, and we configure them to minimize data collection where possible.
• Legal Requirements: We may disclose information when required by law, court order, or government regulation, or to protect our rights and the safety of our users.

All third-party service providers are contractually obligated to protect your data and use it only for the purposes we specify. We conduct due diligence to ensure our AI service providers maintain appropriate data protection standards and comply with applicable privacy laws.

We maintain a list of key subprocessors we use to provide the service. You can request the current list by contacting privacy@ideascope.com.

4.1. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on the following legal bases:

• Contract Performance: Processing necessary to provide our service and fulfill our contract with you (account management, idea generation, subscription processing)
• Legitimate Interests: Processing for our legitimate business interests, such as improving our service, security, fraud prevention, and analytics (balanced against your privacy rights)
• Consent: Where you have given explicit consent, such as marketing communications (you can withdraw consent at any time)
• Legal Obligation: Processing required to comply with legal obligations, such as tax and accounting requirements

4.2. International Data Transfers

IdeaScope operates globally, and your personal data may be transferred to and processed in countries outside your country of residence, including the United States, depending on the service provider and destination.

Where we transfer personal data from the European Economic Area (EEA) to countries outside the EEA, we rely on the following transfer mechanisms, as applicable:

• Adequacy decisions (GDPR Art. 45): where available, including transfers to U.S. organizations certified under the EU-U.S. Data Privacy Framework.
• Appropriate safeguards (GDPR Art. 46): including the European Commission's Standard Contractual Clauses (SCCs).

You can request more information about our transfer safeguards (including a copy of relevant SCCs, where applicable) by contacting privacy@ideascope.com.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

• Encryption in transit (HTTPS/TLS) for all data transmission
• Secure authentication using industry-standard protocols
• Regular security audits and vulnerability assessments
• Access controls and authentication requirements for our systems
• Secure data storage with encryption at rest where applicable
• Regular backups and disaster recovery procedures

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5.1. Data Breach Notification

In the event of a personal data breach, we will assess the impact and take appropriate steps to contain and remediate the incident.

• Where required by applicable law, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
• If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay.
• We will provide information about the nature of the breach, likely consequences, and the measures taken or proposed to address it.

We may notify you via email associated with your account and/or by a prominent notice within the service, depending on the nature of the incident.

6. Your Rights and Choices

You have the following rights regarding your personal data:

• Right of Access: Request a copy of your personal data and information about how we process it
• Right to Rectification: Update or correct inaccurate or incomplete information
• Right to Erasure ("Right to be Forgotten"): Request deletion of your account and data, subject to legal retention requirements
• Right to Data Portability: Receive your data in a structured, commonly used format and transmit it to another service provider
• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Withdraw consent where processing is based on consent (does not affect processing before withdrawal)
• Right to Opt-out (CCPA): California residents can opt-out of the sale of personal information (we do not sell personal information)
• Export: Download your generated ideas as CSV (available for Pro+ plans)

To exercise these rights, contact us at privacy@ideascope.com. We will respond to your request within one month (and in any event within the time limits required by applicable law). If a request is complex or numerous, we may extend the response time by up to two additional months, and we will inform you of any extension and the reasons for it.

We may request additional information to verify your identity before fulfilling a request.

Right to Lodge a Complaint: If you are located in the EEA, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your data protection rights. For UK residents, you can contact the Information Commissioner's Office (ICO). For EU residents, contact your local supervisory authority. If you are in Estonia, you can contact the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

6.1. Automated Decision Making and Profiling

IdeaScope uses automated processing, including AI algorithms, to generate ideas and calculate rarity scores. This processing:

• Generates ideas based on your input topics using AI models
• Calculates semantic rarity scores to measure idea originality
• Does not involve profiling that produces legal effects or significantly affects you

You have the right not to be subject to automated decision-making that produces legal effects or significantly affects you. If you have concerns about automated processing, please contact us.

6.2. Age Restrictions

IdeaScope is not intended for children under 13 years of age, and we do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@ideascope.com.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the service, keep you signed in, improve performance, and (where enabled) understand how the service is used.

• Strictly necessary cookies: Required to provide core functionality such as authentication (Google OAuth / magic link), session management, security, and fraud prevention.
• Preferences cookies: Remember your settings (where applicable).
• Analytics cookies (optional): Used to measure usage and improve the service. Where required by law, we only set analytics cookies after you provide consent.

You can manage cookies through your browser settings. Where we use optional cookies, you can also withdraw consent at any time via our cookie preferences/consent settings (where we provide them).

8. Data Retention

We retain your personal information only for as long as necessary to provide our services and fulfill the purposes outlined in this Privacy Policy. Generated ideas are stored according to your subscription plan (30 days for Free, 90 days for Basic, etc.). You may request deletion of your data at any time, subject to applicable legal and accounting retention requirements.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by posting the updated Privacy Policy on our website and updating the "Last updated" date.

10. Contact Us

If you have questions about this Privacy Policy, please contact us:

• Email: privacy@ideascope.com
• Support: support@ideascope.com