Privacy Policy

ScanToComply · Effective 29 April 2026

This Privacy Policy explains what personal information ScanToComply (“we”, “us”, “our”) collects when you use our mobile app and website at scantocomply.co.uk (the “Service”), how we use it, and the rights you have over it. It applies whether you access the Service from the United Kingdom, the European Economic Area, the United States (including California), or anywhere else in the world. Where laws differ, the strictest applicable law applies.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and — for users located in California — the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (together, “CCPA”). We also honour comparable data-protection rights under Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Brazil’s LGPD, and Canada’s PIPEDA where applicable.

1. Who we are

ScanToComply is a sole-trader business based in the United Kingdom that provides automated local-government compliance monitoring and SMS, push and email alerts to small businesses. The data controller (UK/EU GDPR) and the “business” (CCPA) is ScanToComply, contactable at support@scantocomply.co.uk.

2. What we collect

• Account data: phone number, email address, business name, business type, country, city.
• Monitoring data: the URLs of websites you ask us to monitor and the publicly accessible content of those pages we scan on your behalf.
• Payment data: processed entirely by Stripe — we never see or store your full card number, expiry, or CVV. We only store Stripe’s customer ID and your subscription status.
• Device and usage data: IP address, device model and operating-system version, app version, timestamps, request paths, push-notification tokens.
• Communications: any messages you send us via the in-app Contact Us form, email, or SMS.

We do NOT knowingly collect: government-issued IDs, biometric data, precise GPS location, financial-account data beyond what Stripe shares with us, health data, sexual-orientation data, racial or ethnic data, religious or political beliefs, trade-union membership, or genetic data. Please do not send us any of these via the Service.

3. Why we use it (lawful basis under UK and EU GDPR)

• To deliver the Service — performance of a contract.
• To take payment — performance of a contract, via Stripe.
• To send transactional messages (signup confirmation, new findings, subscription expiring, contact replies, scan results) — performance of a contract.
• To keep the Service secure and prevent abuse — legitimate interests.
• To meet legal, accounting and tax obligations (e.g. HMRC record-keeping) — legal obligation.
• For optional marketing about new features or pricing — only with your explicit consent, which you can withdraw at any time.

We do not use your data for advertising, profiling for advertising, or any form of automated decision-making that produces legal or similarly significant effects. We do not sell your personal information.

4. Subprocessors (who we share with)

We only share with the following service providers (“processors” under GDPR / “service providers” under CCPA), and only the minimum data needed for them to do their job:

Provider	Country	Purpose	Data shared
Stripe, Inc. [privacy]	USA	Payment processing	email, country, currency, Stripe customer ID
Twilio, Inc. [privacy]	USA	SMS delivery	phone number, message body
Resend, Inc. [privacy]	USA	Transactional email delivery	email address, message body
OpenAI, L.L.C. [privacy]	USA	AI summarisation of public web pages you have asked us to monitor	URL + the publicly available page text we have already scanned. We do not send your account data.
Exa Labs, Inc. [privacy]	USA	Web search used to find recent public enforcement / fine reports for your business type in your area	your business type and city/country as a search query. We do not send your name, email, phone number or any other account data.
Replit, Inc. [privacy]	USA	Hosting and infrastructure	all account and operational data on encrypted-at-rest disk

We do not share your personal data with anyone else, advertisers, or data brokers, except where (a) we are legally required to (e.g. court order, lawful regulator request), (b) we need to defend against fraud or a legal claim, or (c) you have given us explicit consent.

5. International data transfers

Some of the providers above are based in the United States. Where personal data is transferred outside the UK or the EEA, we rely on the UK’s adequacy regulations or “data bridge” mechanisms, the EU’s adequacy decisions and the EU-US Data Privacy Framework where applicable, and/or Standard Contractual Clauses with the UK International Data Transfer Addendum, put in place by the receiving provider. You can request a copy of the safeguards in place by emailing us.

6. How long we keep it

• Account data: while your account is active, then up to 12 months after you delete it (for legal/audit reasons), then permanently deleted.
• Payment records: 6 years, as required by HMRC.
• Scan history and findings: while your account is active, then deleted with your account.
• Server logs: 30 days.
• Communications you send us: 24 months from the last reply.
• Backups: rolling 30-day backups; deleted accounts are purged from backups within that window.

7. Your rights — UK and EEA (UK GDPR / EU GDPR)

You have the right to:

• Access the personal data we hold about you.
• Correct anything that is inaccurate.
• Have your data deleted (the “right to be forgotten”), subject to legal-retention exceptions such as tax records.
• Restrict or object to how we use it.
• Receive a copy in a structured, portable format (CSV/JSON).
• Withdraw consent (where we rely on it) at any time.
• Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you.
• Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or, if you are in the EEA, with your national supervisory authority.

To exercise any of these rights, email support@scantocomply.co.uk from the email address on your account. We will respond within 30 days (UK GDPR) or one month (EU GDPR), free of charge unless your request is manifestly unfounded or excessive.

You can also delete your account and all associated data immediately from inside the ScanToComply app: open the Account tab, scroll to “Delete account”, and follow the on-screen confirmation. This wipes your business profile, monitored locations, scan history, and message preferences, and (if you have an active paid subscription) cancels billing immediately.

8. Your rights — California residents (CCPA / CPRA)

If you are a California resident, you have the additional rights to:

• Know what personal information we have collected, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Receive a portable copy of that information.
• Delete the information we have collected from you (subject to permitted exceptions such as completing a transaction, security, legal compliance).
• Correct inaccurate personal information.
• Opt out of the sale or sharing of your personal information for cross-context behavioural advertising. We do not sell or share personal information for advertising and have not done so in the preceding 12 months.
• Limit the use of sensitive personal information. We do not collect or use sensitive personal information for inferring characteristics.
• Not be discriminated against for exercising any of these rights — we will not deny you the Service, charge you a different price, or provide a different level of quality.

To exercise any California right, email support@scantocomply.co.uk. We verify your identity using the email and phone number on your account before disclosing or deleting information. You may also designate an authorised agent (in writing) to act on your behalf.

CCPA disclosure — categories collected in the past 12 months: identifiers (email, phone, business name); customer-record information (account history, payment-status indicators from Stripe); internet/network-activity information (IP, request paths, timestamps); coarse geolocation (country and city only at registration); inferences — none drawn from the data. We do not knowingly collect or sell the personal information of consumers under 16 years of age.

9. Your rights — other US states

If you live in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or any other US state with a comprehensive consumer-privacy law, you have similar rights to know, correct, delete, port, and opt out. To exercise them, contact us as above. We will treat your request the same way as a California request.

10. Automated decision-making and AI

We use OpenAI to summarise publicly accessible web pages you ask us to monitor into compliance alerts. This is an automated process. The output is informational only — it never independently makes decisions that produce legal or similarly significant effects on you. You can ask us to review or override any AI-generated alert by emailing us.

We also use a third-party web-search provider (Exa) to find recent, publicly available reports of enforcement action or fines relevant to your business type and area — for example, in your welcome email when your first scan finds nothing new. These are real, public third-party news / regulator pages that we link to; we verify that each link loads before showing it, but we do not write, control or guarantee the accuracy of that third-party content, and linking to it is not an endorsement.

11. SMS and push notifications (consent)

By providing a phone number, you consent to receive transactional SMS from ScanToComply about your account, your scans, and your subscription. Consent to receive SMS is not a condition of purchase or of using the Service.

Expected message frequency: typically 0–10 messages per week, depending on the number of monitored URLs and how often they change. Message and data rates may apply (your carrier may charge you for sending or receiving SMS).

You can opt out at any time by replying STOP to any SMS or by emailing us; reply HELP for help. STOP unsubscribes you from SMS only — it does not cancel your subscription. To cancel billing, use the in-app Auto-renew toggle. We do not send marketing or promotional SMS.

12. Cookies and similar technologies

The mobile app does not use cookies. The marketing website (scantocomply.co.uk) uses only the strictly-necessary cookies needed to keep you signed in. We do not use advertising cookies, analytics cookies, social-media tracking pixels, fingerprinting techniques, or session-replay tools that would require your consent under the UK Privacy and Electronic Communications Regulations (PECR) or the EU ePrivacy Directive.

13. Security

We use TLS 1.2+ for all traffic, store credentials hashed and salted (where applicable), encrypt data at rest, restrict access on a need-to-know basis, and review our subprocessors’ SOC 2 / ISO 27001 attestations. No system is perfectly secure — if you believe your account has been compromised, email us immediately.

14. Data breach notification

If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK ICO within 72 hours of becoming aware of it, and will notify you without undue delay if the breach is likely to result in a high risk to your rights.

15. Children

The Service is intended for businesses and is not directed at anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, email us and we will delete it.

16. Marketing communications

We will only send you marketing communications if you have given us explicit consent. You can withdraw consent at any time by clicking “unsubscribe” in any marketing email or by emailing us. We will continue to send you transactional messages required to operate the Service (compliance alerts, payment receipts, security notices) regardless of your marketing preference.

17. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email or in-app notice at least 14 days before they take effect. The “Effective” date at the top reflects the latest version. We keep an internal log of every material change and can provide a copy on request.

18. Contact

ScanToComply · support@scantocomply.co.uk · United Kingdom. For UK GDPR, EU GDPR, CCPA or other privacy requests, please put “Privacy request” in the subject line so we can prioritise. If you are not satisfied with our response, you can complain to the UK ICO (ico.org.uk), your EEA national supervisory authority, or — if you are in California — the California Privacy Protection Agency (cppa.ca.gov).