Privacy policy.
01 Who we are
ScoutYourLead is a service operated by Rafal, a sole trader based in the United Kingdom. You can reach us at info@scoutyourlead.com for any questions, data-subject requests, or to exercise your rights under the UK GDPR.
For the purposes of the UK GDPR and the Data Protection Act 2018, Rafal is the data controller for personal data collected directly from you via this site (waitlist signups and operator account data). For the lead data that operators collect about third-party businesses using ScoutYourLead, see section [10].
02 Two roles you might play
How we handle your data depends on how you interact with the site:
- Waitlist subscriber — you submitted an email on the landing page hoping for early access. Covered in section [03].
- Operator — you've been approved as a beta user or paid subscriber and are signed into the app at /app. Covered in sections [04]–[06].
- Email recipient — an operator added you as a lead and may send you a cold email. Covered in section [07].
03 Waitlist signups
When you join our early-access waitlist we collect only your email address and the timestamp of your signup. We use it to send a welcome email and occasional launch updates — typically fewer than five emails before launch. You can withdraw consent any time by emailing info@scoutyourlead.com.
04 Operator accounts (sign-in + profile)
If you're signed in as an operator, we collect and store:
- Your email address, name and email signature (from Settings).
- If you've subscribed to a paid plan: your Stripe customer ID, current subscription tier, billing period end date and subscription status. We never see, store or transmit your full card number — Stripe handles that on their own servers.
- Your Gmail OAuth tokens (encrypted at rest with AES-256-GCM) so we can send mail on your behalf via the gmail.send scope. We can't read your inbox; the OAuth scope is send-only.
- A short-lived JWT session cookie set when you sign in via the magic-link flow. Cookie attributes: HttpOnly, Secure (in production), SameSite=Lax, 30-day expiry. The cookie contains your email address and a signature — nothing else.
- The IP address of every API request, logged by our hosting provider (Vercel). We don't use these logs for any analytics; they exist for security/debugging and are retained per Vercel's retention policy.
05 What operators do inside the app
While you use the app, the following actions write to our database:
- Scouts you run create session records with the query, location, and snapshot of results returned by Google Maps.
- Leads you save store business name, phone, website, address, rating, review count, contact email (if found), social profiles, and (for UK leads) Companies House data.
- Activity log per lead — your status changes, notes, sent emails, and recipient opens of those emails.
- Templates you write — subject + body text.
- Daily quotas + usage counters per your tier.
06 Cookies + similar storage
We set one cookie: the signed-in session cookie described in [04]. We also write a small piece of localStorage in your browser to remember your light/dark theme preference. That's it. We don't set any third-party cookies, advertising trackers, or analytics pixels.
07 Email recipients (open tracking)
If an operator using ScoutYourLead sends you a cold email, the message includes a 1×1 transparent tracking image. When your mail client loads the image, we record:
- The fact that the email was opened, with a timestamp.
- Your IP address and User-Agent string, stored alongside the open event.
This is standard cold-outreach practice and lets the sender see whether you've seen their message. Gmail and Apple Mail proxy image fetches on your behalf, so the first "open" may be your provider prefetching rather than you reading it.
Each outgoing email also includes the sender's own email address so you can reply directly. To stop receiving mail from a specific sender, reply with "stop" or "unsubscribe" — they will see that and (we hope) honour it. We do not store a global do-not-contact list; that's between you and the sender.
08 Sub-processors
We use the following third-party services to operate ScoutYourLead. Each is bound by their own data-processing agreement, and we've chosen them for their compliance with GDPR + UK data protection laws.
- Vercel (United States) — application hosting + request logs.
- Neon / Vercel Postgres (Europe) — your account, leads, and activity database.
- Upstash Redis / Vercel KV (Europe) — operator account records.
- Stripe (United States / Ireland) — payment processing. Stripe stores your billing details.
- Resend (United States) — transactional emails from us (welcome, magic links) + inbound email forwarding.
- Google (United States) — Maps Places API for business search; Gmail API for sending operator emails; PageSpeed Insights API for site audits.
- Internet Archive (United States) — Wayback Machine, for site-age lookups.
- Companies House (United Kingdom) — UK director and SIC code lookups.
Transfers to providers outside the UK are covered by the UK International Data Transfer Agreement, the EU-U.S. Data Privacy Framework, or standard contractual clauses, as applicable.
09 Retention
- Waitlist email — kept until you ask us to remove it, or until twelve months after launch if you haven't engaged.
- Operator account data — kept for as long as your account exists. Deleted within 30 days of you closing the account by emailing us.
- Open tracking events — kept for 24 months for analytics, then purged.
- Stripe billing records — retained for 7 years by Stripe under tax/accounting law, even if you close your account.
10 If you're an operator: you're a controller too
The lead data you collect using ScoutYourLead is data you control. We process it on your instructions, but UK GDPR considers you the data controller for that data. That means:
- You are responsible for having a lawful basis (typically legitimate interest for B2B cold outreach) for contacting the businesses you've saved.
- If a recipient asks you to stop, exercise their rights, or delete their data — you handle the request.
- You should disclose in your own privacy policy (or in your outbound emails) that you may track opens.
- Make sure your outbound emails clearly identify you, include a way to opt out (reply "stop" works), and don't impersonate anyone.
If a recipient contacts us asking who sent them an email, we will tell them and route them back to the sender for any further action. If we receive an unambiguous legal demand to remove specific lead data, we will, and notify you.
11 Lawful basis (summary)
- Waitlist + welcome emails: consent (Art. 6(1)(a)).
- Operator accounts + billing: contract (Art. 6(1)(b)).
- Security logs, fraud prevention, service operation: legitimate interest (Art. 6(1)(f)).
- Open tracking on operator-sent emails: relies on the operator's lawful basis (typically legitimate interest for B2B cold outreach), not ours.
12 Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Request deletion of your data (the "right to be forgotten").
- Port your data to another service.
- Object to how we process it.
- Lodge a complaint with the Information Commissioner's Office — ico.org.uk.
To exercise any of these rights, email info@scoutyourlead.com. We respond within 30 days, usually much faster.
13 We do not sell your data
We do not sell, rent, or trade personal data to anyone. Full stop. Sub-processors in [08] handle data on our behalf under data-processing agreements — they don't get to use your data for their own purposes.
14 Changes
We may update this policy. Material changes will be highlighted at the top of the page and (for operator accounts) emailed to you. Minor wording adjustments may be made silently. The "last updated" date reflects the most recent revision.
End of document · v2.0