Privacy Policy
Last updated: January 2026 (v1.0)
This privacy policy explains how ScopeKit (“we”, “us”, or “our”) collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (as amended by the Data Use and Access Act 2025) and the Data Protection Act 2018.
1. Who We Are
ScopeKit is a UK-based software company providing intelligent construction quote generation and project management services. We are the data controller for the personal data described in this policy.
Data Controller Details
Company: ScopeKit
Company Number: 16168944
Registered Address: 14th Floor, The Plaza, Old Hall St, Liverpool, L3 9QJ, United Kingdom
Email: privacy@scopekit.co.uk
ICO Registration: [ICO Registration Number]
2. Data We Collect
We collect different types of personal data depending on how you interact with our services. The table below summarises the categories of data we process:
| Category | Data Collected | Purpose |
|---|---|---|
| Account Information | Email address, name, password (encrypted), account preferences | To create and manage your account, authenticate access |
| Employee Records | Full name, date of birth, National Insurance number, address, phone, emergency contacts, employment details | Workforce management, payroll, legal compliance |
| Customer/Client Data | Company name, contact details, address, VAT number, project history | Service delivery, invoicing, customer relationship management |
| Quote & Project Data | Site photos, measurements, project descriptions, cost estimates, progress updates | Quote generation, project management, service delivery |
| Documents & Files | Uploaded documents, certifications, photos, file metadata | Document management, compliance verification, project records |
| Timesheet & Location Data | Work hours, check-in/out times, GPS coordinates (if enabled) | Time tracking, payroll, workforce management |
| Communication Data | Chat messages, email communications, notifications | Customer communication, quote discussions, support |
| Technical Data | IP address, browser type, device information, cookies | Security, analytics, service improvement |
| Audit Logs | User actions, timestamps, system events | Security, compliance, troubleshooting |
Special Category Data
We may process limited special category data including:
National Insurance Numbers
Processed for employee payroll and tax compliance under legal obligation
Location Data (GPS)
Point-in-time collection at check-in/check-out only (not continuous tracking). Requires explicit consent from each individual employee via the app, not just employer opt-in. Precise coordinates are retained for 30 days, then aggregated to area level. Can be disabled at any time in individual user settings.
3. How We Use Your Data
We use your personal data for the following purposes:
Service Delivery
Processing quotes, managing projects, workforce scheduling
Account Management
Creating accounts, authentication, password resets
Communication
Sending quotes, project updates, support responses
Billing & Payments
Processing subscriptions, invoicing, payment collection
Legal Compliance
Tax records, employment law, CDM 2015 regulations
Security
Fraud prevention, audit logging, access monitoring
Service Improvement
Analytics, feature development, performance monitoring
AI Model Improvement
Using anonymised and aggregated data to improve our AI systems. Identifiable data is never used for AI training without explicit consent. You may opt out by contacting us.
4. Lawful Basis for Processing
Under the UK GDPR (as amended by the Data Use and Access Act 2025), we process your data based on the following lawful bases:
Contract Performance (Article 6(1)(b))
Processing necessary to deliver our services, manage your account, and fulfil our contractual obligations.
Legal Obligation (Article 6(1)(c))
Processing required by UK law, including tax records, employment regulations, and construction industry compliance (CDM 2015).
Legitimate Interests (Article 6(1)(f))
Processing for business purposes such as security, fraud prevention, analytics, and service improvement. Where the processing falls within the scope of “recognised legitimate interests” under the Data Use and Access Act 2025, a balancing test is not required. For all other legitimate interests processing, we conduct balancing tests to ensure your rights are not overridden.
Consent (Article 6(1)(a))
For optional processing such as marketing communications and non-essential cookies. You can withdraw consent at any time.
5. Data Retention
We retain personal data only as long as necessary for the purposes outlined above, or as required by law. Our standard retention periods are:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account Information | Duration of account + 7 years | Contract performance |
| Employee Records | 7 years after employment ends | Contract performance, Legal obligation |
| Customer/Client Data | 7 years after last transaction | Contract performance, Legitimate interest |
| Quote & Project Data | 7 years after project completion | Contract performance |
| Documents & Files | 7 years or as legally required | Contract performance, Legal obligation |
| Timesheet & Location Data | 7 years | Contract performance, Legitimate interest |
| Communication Data | 3 years after last activity | Contract performance |
| Technical Data | IP addresses anonymised after 30 days | Legitimate interest, Consent (for non-essential cookies) |
| Audit Logs | 7 years | Legitimate interest, Legal obligation |
6. Data Sharing & Third Parties
We share your data with trusted third-party service providers who assist in delivering our services. All processors are bound by Data Processing Agreements and appropriate safeguards.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, authentication (Cognito) | EU (Ireland/Frankfurt) | EU-US Data Privacy Framework, Standard Contractual Clauses |
| Stripe | Payment processing, subscription management | EU/US | PCI DSS Level 1, EU-US Data Privacy Framework |
| Elastic Cloud | Search and data indexing | EU | Standard Contractual Clauses, ISO 27001 |
We may also share data with:
Legal authorities
When required by law or to protect our legal rights
Professional advisers
Accountants, lawyers, and auditors under confidentiality agreements
Business transfers
In the event of a merger, acquisition, or sale of assets (with notice)
6A. Data Breach Notification
In the event of a personal data breach, we will:
Notify the ICO
Where required, we will notify the Information Commissioner's Office within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms.
Notify Affected Individuals
Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay via email and in-app notification.
Breach Notification Content
Notifications will include: the nature of the breach, categories of data affected, likely consequences, measures taken to address the breach, and contact details for further information.
Organisation Notification
If you are an Organisation using our Service as a data controller, we will notify your designated contact within 48 hours of confirming a breach affecting your data, as detailed in our Data Processing Agreement.
7. International Transfers
Your data is primarily stored and processed within the UK and European Economic Area (EEA). When we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place:
UK Adequacy Decisions
Transfers to countries deemed adequate by the UK Secretary of State
Standard Contractual Clauses (SCCs)
UK-approved contractual safeguards for international transfers
EU-US Data Privacy Framework
For transfers to certified US organisations
8. Your Rights
Under the UK GDPR (as amended by the Data Use and Access Act 2025), you have the following rights regarding your personal data:
Right of Access (Article 15)
Request a copy of all personal data we hold about you
How to exercise: Use the Data Export feature in Settings or contact us
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete data
How to exercise: Update your profile in Settings or contact us
Right to Erasure (Article 17)
Request deletion of your personal data (subject to legal retention requirements)
How to exercise: Use the Data Deletion feature in Settings or contact us
Right to Restrict Processing (Article 18)
Request limitation of processing in certain circumstances
How to exercise: Contact us with your request
Right to Data Portability (Article 20)
Receive your data in a structured, machine-readable format
How to exercise: Use the Data Export feature (JSON format available)
Right to Object (Article 21)
Object to processing based on legitimate interests or for marketing
How to exercise: Contact us or update your preferences in Settings
Rights Related to Automated Decision-Making (Article 22)
Request human review of automated decisions that significantly affect you
How to exercise: Contact us for review of AI-generated content
Response Time
We will respond to your request within one month. If your request is complex, we may extend this by up to two additional months, and we will inform you of any extension.
9. Cookies
We use cookies and similar technologies to enhance your experience. For detailed information about the cookies we use, please see our Cookie Policy.
You can manage your cookie preferences at any time through our cookie banner or in your browser settings.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication available for all accounts
- Regular security audits and penetration testing
- Role-based access controls with audit logging
- Automatic virus scanning of all uploaded files
- Secure cloud infrastructure with ISO 27001 certified providers
- Staff training on data protection and security
- Incident response procedures and breach notification processes
11. Children's Privacy
Our services are designed for business use and are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by email or through a prominent notice on our website. We encourage you to review this policy periodically.
13. Contact Us
If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us:
Email: privacy@scopekit.co.uk
Company Number: 16168944
Registered Address: ScopeKit, 14th Floor, The Plaza, Old Hall St, Liverpool, L3 9QJ, United Kingdom
For data protection enquiries, please include “Data Protection Request” in your subject line.
Right to Complain
If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113