Privacy Policy — Scoprix

v0.1 placeholder — last updated 2026-04-28. Replaces with counsel-reviewed version before GA.

Scoprix takes the data you trust us with seriously. This is a short v0.1 placeholder; a counsel-reviewed version replaces it before general availability. 1. What we collect. - Account info: email, password (hashed by our authentication provider, Supabase), company name, role (GC vs vendor). - Profile info you choose to share: trades, service area, license numbers, COI expiration, public contact info. - Project data you create: project records, quotes you upload, estimates you build, schedule events, activity, action items. - Activity logs: who accessed what within your organization, used for security auditing. - Standard server logs: IP, user agent, request paths. 2. What we don't collect. - We do not run third-party analytics on authenticated pages. - We do not sell or rent your contact info to data brokers. - We do not share project-level data with anyone outside your organization without an explicit grant (an accepted invitation, or an approved vendor claim). 3. How aggregation works. - Line-item pricing extracted from quotes feeds an anonymized aggregate dataset that powers market-rate features. - Aggregates are exposed only when at least 5 records from at least 3 distinct vendors are present (minimum bucket size). - Aggregates are time-lagged by at least 30 days. We do not surface "what is vendor X bidding right now." - Individual vendor identities are never surfaced through the aggregate API. - You can opt out of contributing to aggregates by emailing scoprixlabs@gmail.com. 4. Cross-organization sharing. - When you (a GC) upload a quote attributed to a vendor, that quote becomes visible to the vendor IF they later sign up and have their claim approved by you. - When you (a GC) invite a vendor org to bid on a project, the invited org sees only the project context you scoped them to — not other vendors' bids on the same project, and not your internal markup or notes. - Activity ledger entries are tagged with a visibility level (internal / all_invited / field_only) and the platform enforces who can read which. 5. Email. - We send transactional email (claim approvals, invitations, bid receipts) via Resend, on the send.scoprix.ai subdomain. Replies reach scoprixlabs@gmail.com. - We do not send marketing email during the closed beta. 6. Data retention. - Account data: kept for as long as your account is active. - On account deletion: account-identifying data is removed within 30 days. Aggregated, anonymized derivatives may persist if they can no longer be tied back to you. - Audit logs: retained for 12 months after last activity. 7. Your rights. - Export: email scoprixlabs@gmail.com for a zip of your data. - Deletion: same email, with subject "Delete account". - Correction: edit your profile in-app, or email us. - California residents: you have the rights granted by the CCPA (knowledge, deletion, no-sale). EU/UK residents: GDPR analog. 8. Subprocessors. - Supabase (auth + database hosting) - Resend (transactional email) - Vercel (web hosting) - Anthropic (Claude API for parse + coordinator features) 9. Children. Scoprix is not directed at children under 13 and does not knowingly collect data from them. 10. Changes. We will email you and post in-app when we make a material change. Continued use after the change constitutes acceptance. Questions or requests: scoprixlabs@gmail.com.