Data privacy & security
Scout is built for marketing teams who handle sensitive brand data. This page explains exactly what we store, what we send where, and how the system is secured. The full legal text is on our Privacy Policy.
What Scout stores about you
| Category | What's stored | Where |
|---|---|---|
| Account | Name, email, hashed password, plan, profile photo | MariaDB on Namecheap dedicated database |
| Brand profile | Brand name, website, industry, description, audience, language, country, competitors | Same DB |
| Topics & prompts | The text of every topic and prompt you create | Same DB |
| Scan results | Full AI responses, structured analysis (mention, sentiment, position, etc.), citations | Same DB |
| Optimize Hub state | Status (Done/Ignored) of every recommendation | Same DB |
| GSC data (if connected) | Read-only mirror of queries, pages, impressions | Same DB, refreshed on demand |
What we send to third parties
| Service | What we send | Why |
|---|---|---|
| OpenAI (ChatGPT, GPT-4o-mini) | Your prompts & the responses for analysis | To run scans and structured extraction. |
| Google (Gemini) | Your prompts | To run scans on Gemini. |
| Perplexity | Your prompts | To run scans on Perplexity. |
| Anthropic (Claude) | Crawled HTML of your pages (Audit), brand description (LinkedIn generator) | For AI Audit and LinkedIn suggestions. |
| Razorpay | Email, plan, payment amount | To process subscriptions. |
| Google (OAuth + GSC) | OAuth tokens; we read GSC data on your behalf | For Google sign-in and GSC integration. |
| SerpAPI | Reddit search queries derived from your topics | For Prompt Discovery (Reddit tab). |
| Google Cloud SMTP (GSuite) | Notification emails | To deliver invites, alerts, weekly summaries. |
What we never send
Your password (we only store a salted hash). Your team members' personal data beyond email and name. Your billing card details (Razorpay handles those — we never see them). Your brand description is sent to AI providers only when you trigger a relevant feature; we don't push it on every API call.
Data retention
- Active accounts — data is retained as long as your subscription is active.
- Cancelled accounts — data is kept read-only for 30 days, then permanently deleted.
- Deletion requests — email [email protected] from the account email; we delete within 7 days.
- Anonymised aggregate stats — we may keep counts of scans, signups, etc., but never tied to your account after deletion.
Security practices
- HTTPS everywhere (TLS 1.2+).
- Passwords stored with bcrypt (cost 10).
- Session cookies are HttpOnly + Secure + SameSite=Lax.
- OAuth tokens encrypted at rest.
- API keys (OpenAI, Claude, etc.) live in server environment files, never in source control.
- Daily database backups, retained for 30 days.
- Hosted on Namecheap Stellar shared infrastructure with cPanel-managed firewall and ModSecurity rules.
Reporting a vulnerability
If you find a security issue, please email [email protected] with the details before disclosing publicly. We try to respond within one business day.
Was this page helpful?
Thanks for the feedback — we read every response.