Privacy Policy

Last updated: January 2025

1. Data Controller

The data controller for your personal data is:

XXX LDA
Portugal
Email: hi@offerscope.net

This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the General Data Protection Regulation (GDPR) and Portuguese data protection laws.

2. Data We Collect

2.1 Contract Documents

When you upload a contract for analysis, we process the document text to generate your report. Our handling depends on your account status:

  • Without an account: Contract text is processed in memory and not stored after your session ends. We do not retain copies of contracts for non-subscribers.
  • With a subscription: Contracts and reports are encrypted and stored so you can access them later and use follow-up Q&A features. You can delete your contracts at any time.

2.2 Account Information

If you create an account, we collect:

  • Email address (provided by your OAuth provider: Google or Apple)
  • Subscription status and billing history

2.3 Payment Information

Payments are processed by Stripe. We do not store your credit card details. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.

3. Legal Basis for Processing

We process your personal data based on:

  • Contract performance: Processing is necessary to provide the contract analysis service you requested.
  • Legitimate interests: For fraud prevention, security, and service improvement using aggregated, anonymized data.
  • Legal obligations: To comply with applicable laws, including tax and accounting requirements.
  • Consent: Where you have given explicit consent, such as for marketing communications (which we currently do not send).

4. How We Use Your Data

  • To analyze contracts and generate risk reports
  • To provide follow-up Q&A for subscribers
  • To process payments and manage subscriptions
  • To send transactional emails (receipts, account notifications)
  • To improve our analysis accuracy using aggregate, anonymized patterns (not your individual contract content)

5. What We Do NOT Do

  • We do not sell your data to third parties.
  • We do not use your contracts to train AI models. Your contract text is used only to generate your specific analysis.
  • We do not log raw contract text. Server logs do not contain contract contents.
  • We do not share contract contents with anyone except the AI services necessary to generate your report (see Section 6).
  • We do not send marketing emails unless you explicitly opt in.

6. Third-Party Processors

We use the following third-party services to provide OfferScope:

  • Supabase (USA): Authentication and database hosting. Data is encrypted at rest.
  • Stripe (USA): Payment processing. Acts as independent controller for payment data.
  • OpenAI (USA): AI-powered contract analysis. Per OpenAI's API terms, data sent via the API is not used for model training.
  • Vercel (USA): Application hosting.

These transfers to the USA are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards in compliance with GDPR Chapter V.

7. Data Retention

  • Non-subscribers: Contract data is not retained after your session ends. Unpaid report links expire after 24 hours.
  • Subscribers: Data is retained while your subscription is active. After cancellation, data is retained for 30 days, then permanently deleted.
  • Payment records: Retained for 7 years as required by Portuguese tax law.

8. Your Rights Under GDPR

You have the following rights:

  • Access: Request a copy of your personal data.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Restriction: Request limitation of processing.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at hi@offerscope.net. We will respond within 30 days.

You also have the right to lodge a complaint with the Portuguese Data Protection Authority (CNPD) at www.cnpd.pt.

9. Security

We implement appropriate technical and organizational measures to protect your personal data, including encryption at rest and in transit, secure authentication, access controls, and regular security reviews. However, no system is 100% secure, and we cannot guarantee absolute security.

10. Cookies

We use only essential cookies necessary for the Service to function (authentication, session management). We do not use tracking or advertising cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For any privacy-related questions, data requests, or to opt out of data processing, contact us at:

XXX LDA
Email: hi@offerscope.net