Privacy Policy

At SCM, your privacy is foundational to our product philosophy. We believe your data belongs to you — not us, not advertisers, not data brokers. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

1. Information We Collect

1.1 Information You Provide

• Account information: Name, email address, company name, job title, and phone number when you create an account or contact us.
• Customer Data: All data you and your users submit to or generate through the SCM platform, including contacts, tickets, deals, emails, documents, and any other business data.
• Payment information: Billing address and payment method details, processed through our PCI-compliant payment processor. We do not store full credit card numbers.
• Communications: Information you provide when contacting our support team or participating in surveys.
• Workshop data: Business process information shared during Operations Audits and Discovery Workshops.

1.2 Information Collected Automatically

• Usage data: How you interact with the Service, including features used, pages visited, and actions taken.
• Device information: Browser type, operating system, IP address, and device identifiers.
• Log data: Server logs including access times, pages viewed, and referring URLs.

1.3 Information We Do NOT Collect

• We do not use third-party tracking pixels or advertising cookies.
• We do not collect data from third-party data brokers.
• We do not monitor or record the content of your communications through the platform beyond what is necessary to provide the Service.

2. How We Use Your Information

• Providing the Service: To operate, maintain, and improve the SCM platform.
• Customer support: To respond to your requests and resolve issues.
• Communication: To send service-related notices, updates, and security alerts.
• Analytics: To understand usage patterns and improve the Service. We use aggregate, anonymized data for this purpose.
• AI model training: To improve AI features within YOUR instance only. We never use one customer's data to train models for another customer.
• Legal compliance: To comply with applicable laws and regulations.

3. How We Share Your Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

• Service providers: With trusted third-party service providers who assist in operating the Service (hosting, payment processing), bound by strict data processing agreements.
• Legal requirements: When required by law, court order, or governmental regulation.
• Business transfers: In connection with a merger, acquisition, or sale of assets, with advance notice to you.
• With your consent: When you explicitly direct us to share information.

4. Data Storage and Security

Customer Data is stored on secure servers with industry-standard encryption at rest and in transit. We implement technical and organizational measures to protect your data, including:

• AES-256 encryption at rest
• TLS 1.3 encryption in transit
• Regular security audits and penetration testing
• Role-based access control for our team
• Automated backup and disaster recovery procedures
• SOC 2 Type II compliance (in progress)

5. Data Retention

We retain Customer Data for the duration of your subscription plus 90 days to allow for data export. After this period, data is permanently deleted from our systems and backups within 30 additional days.

We retain account and billing information for as long as required by applicable tax and accounting regulations.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate personal data.
• Deletion: Request deletion of your personal data (subject to legal retention requirements).
• Export: Export all your Customer Data at any time in standard formats (CSV, JSON).
• Restriction: Request restriction of processing of your personal data.
• Objection: Object to processing of your personal data.
• Portability: Receive your data in a structured, machine-readable format.

To exercise any of these rights, contact us at privacy@usescm.com.

7. GDPR Compliance

For customers in the European Economic Area (EEA), UK, and Switzerland:

• We process personal data as a data processor on your behalf (for Customer Data) and as a data controller (for account data).
• Our legal basis for processing includes: performance of contract, legitimate interests, and consent where applicable.
• We offer a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) for international data transfers.
• You have the right to lodge a complaint with your local supervisory authority.

8. CCPA Compliance

For California residents: We do not sell personal information. You have the right to know what information we collect, request deletion, and opt out of any sale of personal information (which we do not engage in).

9. Cookies

We use only essential cookies required for the Service to function (session management, authentication). We do not use advertising or tracking cookies. We do not participate in cross-site tracking.

10. Children's Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or through the Service.

12. Contact Us

For privacy-related questions or to exercise your rights:

SCM — Privacy Team
Email: privacy@usescm.com

For EU-specific inquiries, you may also contact our Data Protection Officer at dpo@usescm.com.