Privacy Policy
Effective date: 3 May 2026 · Version 2.0
In one minute
- Scout is operated by The Customer Lab (trading as Ask Scout), a company based in Sydney, Australia.
- We collect what we need to draft your weekly client reports - your account info, the data you connect from Shopify, Klaviyo, Meta Ads, Google Search Console, and GA4, and the notes and edits you make in Scout.
- We don’t sell your data, we don’t use it to train third-party models, we only read from your connected ad and marketing platforms, and you can disconnect or delete anything at any time.
- Questions: steven@askscout.app.
1. Who we are
“Scout”, “we”, “us” and “our” refer to The Customer Lab, an Australian company trading as Ask Scout. Our registered address is in Sydney, NSW, Australia. Scout operates the marketing site at askscout.app, the product application at dashboard.askscout.app, the Ask Scout Shopify app, and the Model Context Protocol (MCP) endpoint that integrates Scout with Claude (Anthropic’s AI assistant).
For the purposes of the EU/UK GDPR, the California Consumer Privacy Act/CPRA, and the Australian Privacy Act 1988 (Cth), Scout acts as a data controller for the personal information of our direct customers (agency users) and as a data processor for the personal information of our customers’ end clients (e.g. anonymised purchaser IDs from a Shopify store the agency manages).
2. Who this policy covers
This policy applies to three groups:
- Agency users - people who sign up for Scout to draft client reports. Scout is built for performance agencies; agency users are our direct customers.
- End clients of agencies - the businesses whose Shopify, Klaviyo, Meta Ads, Google Search Console, and GA4 accounts are connected to Scout by their agency. Scout reads data from these platforms only because the agency has been authorised by the end client to do so.
- Marketing site visitors - anyone visiting askscout.app or the marketing pages.
3. What we collect
3.1 From agency users (direct accounts)
- Account info: name, email address, agency/workspace name, role.
- Authentication data: session tokens (managed by Clerk).
- Billing info: if you subscribe - handled by Stripe; we receive subscription status and the last four digits of your payment method, never the full card number.
- Product use: client and integration configuration, agency voice settings, briefing prompts, report drafts and finals, edits you make to drafts, observations and notes you record, MCP API keys you create.
- Support communications: messages you send us by email or in-app.
3.2 From the marketing site (askscout.app)
- Web analytics: page views, referrer, viewport size, approximate region, device type. Used to understand which content works.
- Cookies: see Section 9.
3.3 From connected Shopify stores
When an agency connects a client’s Shopify store, Scout reads:
- Order data: order ID, date, totals, line items, discounts, refunds.
- Product catalogue: product IDs, titles, vendors, variants, pricing.
- Shop-level analytics (aggregate metrics).
- An anonymised customer ID and a new-vs-returning flag per order.
We do not collect or store customer names, emails, addresses, phone numbers, or payment details from Shopify orders. Scout never writes back to Shopify.
3.4 From connected Klaviyo accounts
Scout reads (using OAuth scopes accounts:read, campaigns:read, flows:read, lists:read, metrics:read):
- Account metadata (timezone, currency, account name).
- Campaign list and per-campaign performance (sent, opens, clicks, attributed revenue).
- Flow list and per-flow performance metrics.
- List names and aggregate member counts (
profile_count). - Aggregate metric values for the last 90 days.
Scout does not download or persist individual subscriber profiles, names, emails, addresses, or phone numbers from Klaviyo. Only aggregate counts and campaign-level metrics are stored. Scout never writes to Klaviyo.
3.5 From connected Meta Ads accounts
- Ad account metadata (currency, timezone, account name).
- Campaign, adset, and ad metadata (names, objectives, status).
- Performance metrics: spend, impressions, clicks, conversions, ROAS.
- Creative thumbnails (base64-encoded image previews) so Claude can describe the creative in commentary.
Scout does not read audience data, individual user data, custom audience membership, or any other person-level data from Meta. Scout never writes to Meta.
3.6 From connected Google Search Console accounts
- Property metadata.
- Search performance: queries, clicks, impressions, average position.
- Top pages performance.
Scout never writes to Google Search Console.
3.7 From connected Google Analytics 4 accounts
- Property metadata.
- Aggregate metrics: sessions, users, channel grouping, page performance, conversion events.
Scout reads only aggregate (report-level) data from GA4. Scout does not export the user-level data stream, the BigQuery export, or any cookie/device-level identifiers. Scout never writes to GA4.
3.8 OAuth tokens for connected platforms
For each platform an agency connects, Scout stores OAuth access tokens and refresh tokens encrypted at rest. These tokens are used solely to make read-only API calls on the agency’s behalf. Tokens can be revoked at any time from the Scout client detail page or from the source platform’s account-settings page - revocation immediately stops all syncs.
4. How we use what we collect
We use the data described above to:
- Operate Scout - sign you in, run your workspace, draft your weekly reports.
- Compute metrics, narratives, and recommendations that appear in those reports.
- Learn from the agency’s edits so future drafts match the agency’s voice and structure.
- Send transactional and account emails (sign-in confirmations, billing receipts, system notifications, breach notices when applicable).
- Send product and marketing emails - only with your consent (see Section 8).
- Provide customer support.
- Detect, investigate, and respond to security incidents and abuse.
- Comply with legal obligations (e.g. tax records, lawful requests).
- Improve the Scout product through aggregated, de-identified analysis.
We do not sell your personal information. We do not use merchant or end-client data to train third-party AI models. We do not share your personal information with advertisers or data brokers.
5. Legal bases for processing (GDPR / UK GDPR)
If you are in the EU, UK, or another GDPR-aligned jurisdiction, we process your personal data on the following legal bases:
- Contract - to provide the Scout service you signed up for (Article 6(1)(b)). Covers account, billing, and product-use processing.
- Legitimate interests - to secure the service, prevent abuse, and improve the product (Article 6(1)(f)). Covers logging, error monitoring, and aggregated product analytics.
- Consent - for marketing emails and any non-essential cookies (Article 6(1)(a)). You can withdraw consent at any time.
- Legal obligation - for retaining tax and accounting records (Article 6(1)(c)).
For end-client data fetched from connected platforms, the agency is the data controller and Scout is the processor. Our contract with the agency (the Scout Terms of Service and Data Processing Addendum) governs that relationship.
6. AI and automated decision-making
Scout uses Anthropic’s Claude to draft weekly client reports. When you (or Claude on your behalf) request a draft, Scout assembles the relevant client context - synced metrics, prior reports, agency voice settings, your notes - and sends it to Claude as input. Claude returns a draft. The draft is shown to you for review and editing before any further action.
What this means for your data:
- Data sent to Claude is processed under Anthropic’s commercial terms, which prohibit using customer inputs to train Anthropic’s models.
- Drafts are stored in Scout’s database; you can delete them at any time.
- Scout does not make any automated decisions that produce legal or similarly significant effects on a data subject. Drafts are advisory; an agency user reviews and approves all output.
If you would prefer Scout not to send any of your data to Claude (which means Scout cannot generate drafts for you), email steven@askscout.app and we will discuss alternatives.
7. Sub-processors
Scout uses the following service providers to deliver the product. Each has signed a data processing agreement and meets recognised security standards.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Database and storage | US (primary); EU available on request |
| Vercel | Application hosting and edge | US + global edge |
| Clerk | Authentication and session management | US |
| Stripe | Subscription billing and payments | US (with EU/AU regions for local processing) |
| Nango | OAuth token broker for connected integrations | EU (Ireland, AWS eu-west-1) |
| Anthropic | Claude API for drafting reports | US |
| Resend | Transactional and report-delivery email | US |
| Upstash | Redis for rate limiting and caching | Multi-region |
| Sentry | Application error and security event monitoring | US (EU available on request) |
We will provide at least 30 days’ notice by email before adding a new sub-processor that processes personal data. You can object during the notice period; if we cannot accommodate the objection, you can terminate the affected services without penalty.
8. Marketing communications
We may send you product news, tips, and updates by email. We will only do this if you have opted in - for example by ticking a marketing box at sign-up or subscribing to a newsletter. You can opt out at any time using the unsubscribe link at the bottom of any marketing email, or by emailing steven@askscout.app. Opting out of marketing does not stop transactional emails (sign-in, billing, security notices) which are necessary to operate the service.
Marketing emails comply with the Australian Spam Act 2003, the US CAN-SPAM Act, and (where applicable) the EU ePrivacy Directive.
9. Cookies and tracking technologies
Scout uses cookies and similar technologies in three categories:
- Strictly necessary - needed for the site to work. Includes Clerk authentication cookies, session cookies, and CSRF tokens. These cannot be disabled and are exempt from consent requirements.
- Functional - remember your preferences (e.g. theme, recently viewed clients). Set when you use the product.
- Analytics - measure how the marketing site and the product are used so we can improve them. Scout uses or may use product analytics tools (such as PostHog or similar) that may set first-party cookies and may include user-level event tracking. These are loaded only with your consent where required by law.
Where required by law, we present a cookie banner the first time you visit the site so you can accept or reject non-essential cookies. You can change your choice at any time via the “Cookie preferences” link in the footer (where shown).
We do not use cross-site advertising cookies. We do not sell or share cookie data with advertisers.
10. International data transfers
Scout is based in Australia. Several of our sub-processors operate in the United States and other countries that may not provide a level of data protection equivalent to the EU/UK or Australia. Where personal data is transferred out of its origin region, we rely on:
- The European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) with each sub-processor.
- Australian Privacy Principle 8 (cross-border disclosure) - we take reasonable steps to ensure overseas recipients comply with the APPs.
- Adequacy decisions where they apply (e.g. the EU-US Data Privacy Framework, where the recipient has self-certified).
You can request a copy of the relevant transfer mechanism by emailing steven@askscout.app.
11. How long we keep data
| Data category | Retention |
|---|---|
| Account info (name, email, workspace) | Until you delete your account, then 30 days for backup purge. |
| Billing records (Stripe customer reference, invoices) | 7 years (Australian tax law). |
| Daily metrics from connected platforms | Rolling 90 days. |
| Campaign / flow / list metadata from connected platforms | For the lifetime of the connection. |
| Reports (drafts and finals) | Until you delete them, or 365 days after workspace deactivation. |
| Observations, notes, learned voice patterns | Until you delete them. |
| OAuth tokens for connected platforms | Until disconnected; deleted within 24 hours of revocation. |
| Logs and security events | 90 days (some Sentry events up to 90 days; access logs up to 30 days). |
| Shopify shop data after app uninstall | Deleted within 48 hours via Shopify’s shop/redact webhook. |
You can ask us to delete your data sooner - see Section 13.
12. Security
We protect your information with technical and organisational measures appropriate to the risk. Highlights:
- TLS encryption in transit; HSTS preload-eligible.
- Encryption at rest for the database and OAuth token vault.
- Multi-tenancy enforced at the application layer (every query scoped by workspace) and at the database layer (Postgres row-level security).
- OAuth tokens encrypted at rest using Supabase Vault; rotated on platform expiry.
- Multi-factor authentication available for agency accounts; required for organisation administrators.
- Daily dependency vulnerability scanning; defined remediation SLAs (72 hours for critical, 7 days for high).
- Application errors and security events captured in Sentry with alerting.
- Access to production systems reviewed quarterly; standard-user accounts reviewed semi-annually.
- Documented incident response plan - see steven@askscout.app for security disclosures.
Despite these measures, no service is perfectly secure. If we ever experience a personal data breach that is likely to result in a risk to your rights, we will notify affected users and the relevant supervisory authorities within 72 hours of becoming aware (per GDPR Article 33 and the Australian Notifiable Data Breaches scheme).
13. Your rights
Depending on where you live, you have some or all of the following rights over your personal information. To exercise any right, email steven@askscout.app - we’ll respond within 30 days (or sooner where the law requires).
For everyone
- Access - request a copy of the personal information we hold about you.
- Correction - ask us to fix inaccurate information.
- Deletion - ask us to delete your account and personal data (subject to legal retention obligations like tax records).
- Export - receive your data in a portable, machine-readable format.
For EU/UK residents (GDPR)
In addition to the above:
- Restriction of processing - ask us to limit how we use your data while a dispute is being resolved.
- Objection - object to processing based on legitimate interests, including for direct marketing (we will stop processing for marketing immediately).
- Withdraw consent - at any time, with no effect on processing carried out before withdrawal.
- Lodge a complaint with your local supervisory authority. For the UK that is the Information Commissioner’s Office (ico.org.uk).
- Not be subject to solely automated decisions with legal/similar effect - Scout does not currently make such decisions (see Section 6).
For California residents (CCPA / CPRA)
- Right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Right to delete personal information we have collected from you.
- Right to correct inaccurate personal information.
- Right to opt-out of sale or sharing - Scout does not sell or share personal information for cross-context behavioural advertising. There is nothing to opt out of.
- Right to limit use of sensitive personal information - Scout does not process sensitive personal information beyond what is strictly necessary to provide the service.
- Right to non-discrimination - we will not retaliate against you for exercising any of these rights.
For Australian residents (Privacy Act)
You can also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you believe we have breached the Australian Privacy Principles.
For Shopify merchants
If your store is connected via the Ask Scout Shopify app, you can also trigger data access and deletion via Shopify’s customer data request flow. Scout handles Shopify’s customers/data_request, customers/redact, and shop/redact webhooks automatically.
14. Children
Scout is a B2B product designed for performance agency users. It is not directed at children, and we do not knowingly collect personal information from anyone under 16 (or under 13 in the United States, per COPPA). If you believe we have collected information from a child, contact us and we will delete it.
15. When we disclose personal information
We disclose personal information only:
- To the sub-processors listed in Section 7, for the purposes described.
- To you and to other agency users authorised within the same workspace.
- To professional advisers (lawyers, accountants) under confidentiality.
- If required by law - for example, in response to a valid subpoena or court order. Where legally possible we will notify the affected user before disclosing.
- If we sell or restructure the business - your data may transfer to the acquirer under equivalent privacy protections, with notice to you.
We do not disclose personal information to advertisers, data brokers, or third parties for their own marketing.
16. Changes to this policy
We’ll update the version number and effective date at the top of this page whenever we change the policy. For material changes (anything that meaningfully expands how we use your data), we’ll email account owners at least 30 days before the change takes effect, and the change won’t apply retroactively to data we already hold.
17. Contact us
Privacy questions, data requests, or complaints:
- Email: steven@askscout.app
- Security disclosures: steven@askscout.app
- General contact: steven@askscout.app
- Postal: The Customer Lab, Sydney NSW, Australia (full address on request)
If you are based in the EU or UK and would prefer to contact our representative for the purposes of GDPR Article 27, email steven@askscout.app and we will provide current contact details.
18. Version history
- v2.0 - 3 May 2026: comprehensive rewrite. Added per-platform data inventory (Klaviyo, Meta, GSC, GA4 each detailed), legal bases for processing, full data-subject rights enumeration (GDPR + CCPA/CPRA + Australian), explicit cookies + tracking section, automated decision-making disclosure, sub-processor table with regions, retention table per category, breach notification commitment, sub-processor change-notice clause, marketing-communications opt-in/opt-out.
- v1.0 - 24 April 2026: initial policy.