Last updated: July 2, 2026
1. Introduction
This Privacy Policy (“Policy”) explains how Scape collects, uses, discloses, and safeguards your Personal Data when you use our Service, and outlines your rights and choices. By accessing or using the Service, you agree to the data practices described in this Privacy Policy. This Policy incorporates and is incorporated by reference into our Terms of Service.
Scape is designed for professional users. It is not intended for anyone under the age of sixteen (16).
We do not use Covered Data, or any De-Identified Data derived from it, to train AI models, and we do not sell this data.
This Privacy Policy is reviewed at least annually to ensure it remains accurate, complete, and compliant with applicable laws and our internal data governance standards.
As our Service evolves, we may update this Policy from time to time. The “Last updated” date at the top indicates the latest version. For material changes that reduce your rights or expand our processing purposes, we will provide at least thirty (30) days' advance notice by email or in-product banner. Your continued use of the Service after the new Policy takes effect constitutes acceptance of the revised Policy.
2. Definitions
“Data Protection Laws” means, collectively, the EU General Data Protection Regulation (GDPR), the UK GDPR, the revised Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and any other applicable national, state, or supranational privacy laws.
“Personal Data” means any information that relates to an identified or identifiable natural person.
“Processing” means any operation performed on Personal Data.
“Service” means the Scape application, website, desktop app, integrations, and related features.
“User”, “you” means the individual using Scape.
“Controller” and “Processor” have the meanings defined under the GDPR, depending on context.
“Customer Data” means the content Scape processes on your behalf to provide the Service, and excludes “Analytics Data”.
“Analytics Data” means information about how you interact with the Service, such as logins, device and browser information, and feature usage.
“Authentication Data” means credentials and tokens used to authenticate the Customer or its users and to connect the Service to third-party services, such as OAuth tokens.
“Covered Data” means, collectively, Personal Data, Customer Data, Analytics Data, and derived data such as embeddings.
“De-Identified Data” means data that has been processed so that it can no longer reasonably be linked to an identifiable individual.
“Sub-processor” means any processor, vendor, or service provider engaged by Scape to process Customer Data to provide the Service.
“AI Sub-processor” means any Sub-processor that processes Customer Data using large language models (LLMs) or similar AI models to provide AI-powered features such as summarization and transcription (“AI-processing”).
3. What Data We Collect
We collect only the data needed to provide and improve the Service. This falls into the following categories.
3.1 Data You Provide
When you create an account or use features of Scape, you provide:
- Name
- Email address
- Company or team information
- Job title, role, and similar professional information you choose to share
- Authentication Data (OAuth tokens)
3.2 Gmail and Calendar Data (User-Authorized)
When you connect Scape to your Google account, you explicitly authorize Scape to access:
- Email content
- Email metadata (sender, subject, timestamp)
- Drafts you choose to generate
- Calendar events and metadata
This access is required for Scape's features to function.
3.3 Meeting Data
When you use Scape's meeting features, we collect:
- During the meeting: audio recordings (microphone and system audio, no video or screen capture)
- After the meeting: transcripts generated from those recordings, and meeting summaries
All audio recordings are deleted after the transcript is generated. Transcription and all related AI processing are performed entirely within the EU, and our transcription and AI Sub-processors operate under zero-data-retention agreements, meaning they do not store your audio, transcripts, or other content after processing your request.
3.4 Data About Other People in Your Content
Your emails, calendar, and meetings may contain Personal Data about other people, including individuals who do not use Scape. We process this information only to provide the Service to you.
3.5 Analytics Data
We automatically collect operational telemetry that helps us secure and improve the Service. This may include:
- Logins and timestamps
- Device information and operating system
- Browser type and version
- IP address and approximate (city-level) location
- Session and performance metrics
- Pages, features, and APIs accessed within the Service
- Error and debugging diagnostics
- Email addresses in isolation
Analytics Data is retained for up to ninety (90) days unless required by law for longer.
3.6 Derived Data
To provide search, summarization, and retrieval features, Scape generates derived data from your content, including vector embeddings. Derived data is treated as Customer Data, hosted in the EU, encrypted in transit and rest and deleted when you delete your account.
3.7 Payment Data
Payment is processed by Stripe. Stripe collects your voluntarily provided payment-card information necessary to process your payment. We do not store full payment-card numbers. Stripe's use of your information is governed by Stripe's Privacy Policy.
3.8 Sensitive Data
We treat Customer Data as confidential and protect it to a high standard (see Section 13, Security).
Separately, certain information is classified as “special-category” or “sensitive” Personal Data under Data Protection Laws for example, data revealing health, biometric identifiers, government identifiers, financial-account numbers, or precise geolocation. Scape is not designed as a system of record for this type of data and does not intentionally process it as such. Any special-category data that incidentally appears in your content is processed only to provide the Service to you, on the same terms as your other content. You remain responsible for ensuring that your use of the Service complies with applicable law.
4. Sources of Personal Data
We collect Personal Data from the following sources:
- Directly from you, when you create an account, configure the Service, send us communications, or use features;
- Automatically through your use of the Service, including Analytics Data and Cookies;
- From Google, when you authorize OAuth access to Gmail and Calendar.
5. How We Use Personal Data
We process Personal Data to:
- Provide and operate the Service, including generating email summaries, drafts, meeting notes, and other AI outputs;
- Provide customer support, including debugging as described below;
- Improve the Service, including product performance, user experience, and the quality of our AI features;
- Detect, prevent, and investigate fraud, abuse, and security incidents;
- Communicate product updates and measure the effectiveness of our own marketing;
- Comply with legal, regulatory, accounting, and tax obligations.
When improving the Service, we use only Analytics Data, De-Identified Data, and feedback you choose to submit. We do not access the content of your emails, calendar, or meetings for improvement purposes.
Support and debugging. If you report an issue with the Service, our engineers may need to view the specific content related to your report (for example, an email thread that produced an incorrect summary) in order to investigate and fix it. We will only access that content with your consent, given at the time of your report, and access is limited to the engineers working on the issue, to the minimum content necessary, and for the duration of the investigation. Such access is logged. You may decline, in which case we will investigate using Analytics Data and diagnostics only.
To generate AI outputs, relevant Customer Data is sent to our third-party AI Sub-processors. These AI Sub-processors process your Customer Data solely to produce your results, entirely within the EU, and under zero-data-retention agreements, meaning they do not store your Customer Data or the resulting output after returning it to you. They are contractually prohibited from using your Customer Data to train their models.
Scape does not send emails or take outbound actions on your behalf automatically. AI-generated drafts and outputs are presented to you for review, and nothing is sent to any recipient unless and until you explicitly choose to send it. You remain in control of every action the Service takes.
We may create De-Identified Data from Personal Data and use it for any lawful business purpose. We do not use Covered Data or De-Identified Data to train AI models, and we do not attempt to re-identify De-Identified Data.
6. Legal Bases (GDPR)
If you reside in the EEA, UK, or Switzerland, we process Personal Data on the following bases:
- Performance of a contract: providing and operating the Service, including the AI outputs you request;
- Legitimate interests: securing the Service, preventing abuse, monitoring and improving product and AI quality, and measuring our marketing;
- Consent: OAuth access to Gmail and Calendar, and optional non-essential Cookies;
- Compliance with legal obligations: tax, accounting, lawful requests, and similar duties;
- Vital interests: in rare cases, to protect a vital interest of you or another individual.
Where we rely on consent, you may withdraw it at any time. Where we rely on legitimate interests, you may object to that processing. If you reside in the U.S. or elsewhere, we process your Personal Data as described in this Policy and in accordance with applicable local law. For details on your rights, see Section 17 (and Section 18 if you are a California resident).
7. Sharing Personal Data
We share data only as necessary to operate Scape:
- To Sub-processors and AI Sub-processors for hosting, database, LLM inference, transcription, etc.;
- Your organization or team, if you use Scape in a team environment. Your administrator may have access to your account-level data and settings;
- Legal or regulatory authorities, if required by law (see Section 9, Investigations and Legal Disclosures);
- Business transfers, as described in Section 8 below;
- With your consent, when you explicitly approve an action.
We do not sell your Personal Data, and we do not share it for cross-context behavioral advertising. Our marketing website uses a Google Ads conversion-measurement Cookie only to measure our own ad performance, and only if you accept it via our Cookie banner. We do not share your Customer Data with advertisers.
8. Business Transfers
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale of some or all of our assets, your Personal Data may be transferred or disclosed in connection with the transaction, subject to a confidentiality agreement. We will use reasonable efforts to notify you before your Personal Data becomes subject to a different Privacy Policy.
9. Investigations and Legal Disclosures
We may disclose Personal Data when we believe in good faith that disclosure is required to:
- Comply with a valid legal process or governmental request (for example, a subpoena, court order, or law-enforcement demand);
- Investigate, prevent, or respond to fraud, security incidents, or other wrongdoing;
- Protect the rights, property, or safety of Scape, our users, or the public.
Unless legally prohibited, we will notify the affected customer before producing Personal Data in response to a legal request. Disclosures will be limited to the minimum necessary and will challenge requests that are unlawful, overbroad, or inconsistent with applicable Data Protection Laws.
10. Sub-processors
Sub-processors are bound by data-protection terms and may only process Personal Data to provide the Service on our behalf.
We inform you of any addition or replacement of a Sub-processor by updating our Sub-processor list, available in the Scape Trust Center: https://trust.scape.app/subprocessors. Where we act as your processor, your right to object to a new Sub-processor and the applicable timeline are set out in our DPA.
11. International Transfers
Scape is operated from Stockholm, Sweden. We do not transfer Customer Data outside the EU. Where Analytics Data or Authentication Data (OAuth tokens) is processed by a Sub-processor outside the EEA, UK, or Switzerland (for example, payment or error-monitoring providers), that transfer relies on:
- Standard Contractual Clauses (SCCs); and
- UK and Swiss addenda, where applicable.
12. Data Retention
We retain Personal Data only as long as necessary to fulfill the purposes outlined in this Policy or as required by applicable law, including to:
- Provide and improve the Service;
- Meet legal, regulatory, and accounting obligations;
- Resolve disputes; and
- Enforce agreements.
Audio recordings of meetings are deleted immediately after transcription is complete and are not stored by Scape beyond that point. Meeting transcripts and summaries are retained as part of your Customer Data until you delete your account. Analytics Data is retained for up to 90 days as described in Section 3.5.
When you delete your account, we only retain the Covered Data as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by applicable Data Protection Law. To request account deletion, contact us at security@scape.app.
Standard account deletion is free of charge. Where you request manual data export or bespoke deletion work that materially exceeds our standard process and requirements by law, we may charge reasonable, documented costs, except where prohibited by applicable law.
13. Security
Scape is built to a security standard that goes beyond typical industry practice. Most services encrypt data at rest and in transit; we additionally encrypt per user, keep data encrypted even inside our own infrastructure, and decrypt only the specific data needed for a given operation, for the duration of that operation.
13.1 Encryption architecture
All data is encrypted in transit (TLS) and at rest (AES-256), with encryption applied per user. Decryption keys are held in Google Cloud Key Management Service (KMS) and are never stored alongside the data. No data can be decrypted without access to decryption keys in KMS. During processing, only the data required for the specific request is decrypted, and it is re-encrypted the moment processing completes. Customer Data is additionally logically isolated per workspace, enforced at the application data layer to prevent cross-tenant access. Authentication Data is handled through our identity provider, with session tokens verified on each request. All Scape employees only have the minimum access and permissions their work requires. Full administrative access exists only on a dedicated superadmin account protected by multi-factor authentication and split credentials, so no single person can use it alone. Production, staging, and development run in separate, isolated environments with separate databases and credentials; Customer Data exists only in production.
13.2 Organizational security
Every Sub-processor is bound by DPAs ensuring that Customer Data never leaves the EU, and furthermore AI Sub-processors' DPAs bind them to zero data retention policies.
Furthermore Scape is certified to SOC 2 Type II and ISO 27001, and our processing of Personal Data complies with the GDPR and relevant Data Protection Laws. We undergo independent third-party audits annually and current certifications and reports are available in the Scape Trust Center.
All personnel undergo background checks, sign confidentiality agreements, and complete security training. We run centralized logging, monitoring, and incident-response procedures, and perform regular security reviews and vendor due diligence.
13.3 Breach notification
We maintain an incident-response process and will notify affected customers without undue delay after becoming aware of a Personal Data Breach affecting their Personal Data. Notification of, or response to, a breach is not an acknowledgment of fault or liability. Our security depends in part on third-party providers; we remain responsible for our Sub-processors' performance to the extent required by applicable Data Protection Laws.
For more information regarding our security measures, please view our Security Whitepaper.
14. Cookies
Our website and product use Cookies and similar technologies (“Cookies”) to operate, secure, and analyze the Service. We use four categories of Cookies:
- Strictly Necessary Cookies. Required for core functions such as sign-in, session routing, fraud prevention, and consent storage and do not require consent.
- Functional Cookies. Remember your preferences (such as language or theme) and recognize you when you return.
- Analytics Cookies. Measure feature adoption and diagnose errors. Set only with your consent in the EEA, UK, and Switzerland.
- Marketing-Measurement Cookies. A Google Ads conversion-measurement Cookie used to measure the performance of our own marketing. Set only with your consent. We do not use Cookies for cross-context behavioral advertising.
You can manage or withdraw your Cookie preferences at any time via our Cookie banner or your browser settings. Cookies are set with a maximum lifespan of thirteen (13) months. Information collected through Cookies is retained only for as long as necessary for the purposes described above, and never longer than twenty-five (25) months, after which it is deleted or irreversibly anonymized. Analytics Data collected through Analytics Cookies is retained for up to ninety (90) days as described in Section 3.5; the twenty-five (25) month maximum applies to the other Cookie categories.
15. Notice and Communications
By using the Service, you agree to receive transactional and administrative electronic communications from Scape, such as account alerts, security notifications, and billing messages. You may opt out of non-essential marketing emails at any time through the “unsubscribe” link in those emails or your account settings; this will not affect core service communications.
To send a formal privacy notice to Scape, email security@scape.app or write to the address in Section 19. Scape may provide legal or privacy notices to you by email, in-product banner, or any other method allowed by law.
16. Recording Laws
If you use Scape's meeting features to record, transcribe, or otherwise process audio from calls or meetings, you are solely responsible for complying with all applicable laws governing the recording, monitoring, and processing of communications (“Recording Laws”). Recording Laws vary by jurisdiction and may require the consent of every participant before a recording begins. You are solely responsible for providing required notices and obtaining required consents from all participants before any recording. See Section 8 of our Terms of Service for the full clause.
17. Your Rights
Depending on your jurisdiction, you may have rights to:
- Access your Personal Data;
- Correct inaccuracies;
- Request deletion;
- Request data portability;
- Object to processing;
- Restrict processing; and
- Withdraw consent.
To exercise your rights, email dpo@scape.app or security@scape.app. We will verify your identity and respond within thirty (30) days, or the period required by your local law. Where we are unable to fully comply with a request, we will explain why and what alternatives are available.
17.1 Right to appeal
If you are a U.S. resident and we deny a Personal Data request, you may appeal that decision within sixty (60) days by replying to our response. We will respond to the appeal within forty-five (45) days or as required by applicable law.
17.2 Right to lodge a complaint
If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection authority, including the Swedish Authority for Privacy Protection (IMY).
18. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights regarding your personal information.
We do not sell your personal information and do not share it for cross-context behavioral advertising purposes.
Your rights under California law include the right to know what personal information we collect and how it is used, the right to delete your personal information (subject to certain exceptions), the right to correct inaccurate personal information, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising your privacy rights.
Although we do not sell or share personal information, we treat a valid Global Privacy Control (GPC) browser signal as a request to opt out of any sale or sharing of personal information to the extent applicable under California law.
To exercise your California privacy rights, email security@scape.app.
19. Children's Privacy
Scape is not intended for anyone under the age of sixteen (16), and we do not knowingly collect Personal Data from children under 16. If we become aware that we have collected such data, we will delete it. If you believe a child under 16 has provided us Personal Data, contact us at security@scape.app.
20. Governing Law
This Privacy Policy is governed by the laws of Sweden, without regard to its conflict-of-law principles. If you are located in a jurisdiction that grants you mandatory consumer or data-protection rights under local law, those rights take precedence to the extent they conflict with this Policy. For EEA, UK, and Switzerland residents and users, international transfer mechanisms are governed by their applicable instruments (SCCs, UK Addendum, Swiss Addendum).
21. Severability and Entire Agreement
If any provision of this Policy is found unlawful, void, or unenforceable, that provision will be interpreted to achieve its intent as closely as possible, or, if impossible, severed, and the remaining provisions will remain in full force and effect.
This Policy, together with our Terms of Service and Data Processing Agreement, constitutes the entire agreement between you and Scape regarding privacy and data protection in connection with the Service.
22. Contact Us
For questions about this Policy or to exercise your privacy rights, contact us at: