Privacy Policy

Last updated: March 2026

1. Data We Collect

  • Account data: email address (for API key and magic link auth)
  • Usage data: API call paths, timestamps, IP hashes (SHA-256, not reversible), response codes
  • Payment data: processed by Stripe; we store only Stripe customer IDs, not card numbers
  • Cookies: session cookie for dashboard auth (scand-session, HttpOnly, Secure)

2. Legal Basis for Processing (GDPR Art. 6)

  • Art. 6(1)(b) — Contract performance: processing your email and API key data is necessary to provide the API service you signed up for.
  • Art. 6(1)(f) — Legitimate interest: aggregation and analysis of publicly available data (tweets, Reddit posts, news articles) for controversy monitoring. This does not include private or non-public data.
  • Art. 6(1)(a) — Consent: email alerts are sent only when you explicitly opt in.

3. Public Data Aggregation

SCAND.Ai aggregates publicly available content from Twitter/X, Reddit, Hacker News, RSS feeds, and news sites. We do not collect private messages, login credentials, or non-public data from any platform.

4. How We Use Data

  • Provide and improve the controversy monitoring service
  • Enforce rate limits and prevent abuse
  • Send email alerts (if you opt in)
  • Generate aggregate usage statistics

5. Data Sharing & Sub-processors

We do not sell personal data. We share data only with the following sub-processors:

  • Stripe, Inc. — payment processing (PCI DSS compliant)
  • Cloudflare, Inc. — infrastructure hosting, CDN, Workers runtime, D1 database, KV storage
  • Resend, Inc. — transactional email delivery (eu-west-1 region)
  • Google LLC — AI analysis of public content (Gemini API, no personal data sent)

Data Processing Agreements (DPAs) are in place with all sub-processors that handle personal data.

6. Data Retention

  • API call logs: 30 days
  • Account data: until account deletion
  • Aggregated content: indefinitely (public data)

7. Your Rights (GDPR Art. 12-23)

  • Access (Art. 15): request a copy of your personal data.
  • Rectification (Art. 16): correct inaccurate personal data.
  • Erasure (Art. 17): request deletion of your personal data.
  • Data Portability (Art. 20): export your data in machine-readable format via /api/export/ (Pro/Enterprise) or by contacting us.
  • Restriction (Art. 18): request restriction of processing.
  • Objection (Art. 21): object to processing based on legitimate interest.

API key deactivation removes access immediately. To exercise these rights, contact us at contact@scand.ai.

8. Automated Decision-Making (GDPR Art. 22)

SCAND.Ai uses AI (Gemini by Google) to classify and analyze public controversy data. These automated assessments determine topic categorization, noise levels, and state transitions. No automated decisions are made that produce legal or similarly significant effects on individuals.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, in accordance with GDPR Art. 33-34.

10. Security

All data is encrypted in transit (TLS). API keys are stored as SHA-256 hashes. IP addresses are hashed before storage. Session cookies are HttpOnly and Secure.

11. Contact

Privacy inquiries: contact@scand.ai.