Legal

Privacy Policy

Last updated:
23th of March, 2026
1. Introduction

This Privacy Policy explains how Subscope LTD ("Subscope", "we", "our", or "us"), acompany registered in England and Wales with address: 20 Wenlock Road, London N1 7GU, England, collects, uses, stores, and protects personal data whenyou access or use our website at subscope.ai (the "Site"), oursoftware-as-a-service platform for business spend analytics (the"Platform"), and any related services (collectively, the"Services").

Subscope provides business-to-business (B2B) analytics tools that help organisations track, analyse, and optimise their recurring software and service expenditures, including SaaS, PaaS, and other subscription-based payments.

If you are using or purchasing our Services on behalf of an organisation, you are a "Customer". If you are an individual authorised by a Customer to use the Services, you are an "Authorised User". This Policy applies to both Customers and Authorised Users, as wellas visitors to our Site.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. Where processing is based on consent, you may withdraw that consent at any time by contacting us at privacy@subscope.ai.

2. Data Controller

The data controller responsible for your personal data is:

Subscope LTD

Registered in England and Wales

Company number: 17064724

Contact: privacy@subscope.ai


2.1 Controller and Processor Roles

Where Subscope processes personal data on behalf of a Customer (for example, data contained within invoices, emails, or financial records that Authorised Users submit to the Platform), the Customer acts as the data controller and Subscope acts as the data processor. In such cases, a Data Processing Agreement (DPA) between Subscope and the Customer governs our processing activities.

For all other personal data described in this Policy (such as account registration data, usage data, and cookies), Subscope is the data controller.

3. Personal Data We Collect
3.1 Account and Contact Information

When you register for or use our Services via Google or Microsoft OAuth, we collect:

• Name and email address from your Google or Microsoft account

• Profile picture (if available from your OAuth provider)

• Organisation name and role

• Account preferences and settings


3.2 Customer Data (Processed on Behalf of Customers)

In order to provide our spend analytics Services, we may access and process the following data that Customers or Authorised Users submit or grant access to:

• Email data: Invoices, receipts, and subscription confirmations from connected email accounts (Gmail, Microsoft Outlook) accessed via OAuth with limited, read-only scopes.

• Financial data: Transaction records, payment histories, and account information accessed through banking and financial APIs (such as Open Banking-compliant providers).

• Uploaded documents: Invoices, CSV files, and other financial documents directly uploaded by Authorised Users.

• Accounting software data: Invoice and billing records from integrated accounting platforms such as Xero or QuickBooks.

Important: We only access the minimum data necessary to provide our Services. For email integrations, we use read-only OAuth scopes limited to identifying and extracting invoice-related communications. We do not read, store, or process the full contents of your inbox.

3.3 Usage and Device Information

We automatically collect certain technical information when you interact with our Services:

• IP address and approximate geolocation

• Browser type, operating system, and device identifiers

• Pages visited, features used, and actions taken within the Platform

• Dates, times, and duration of visits

• Referring URLs and search terms


3.4 Payment Information

When payment processing is enabled, our third-party payment processor, Stripe, Inc., will collect and process your payment-related information, including credit/debit card details and billing address. Subscope does not directly store your full payment card details. Please refer to Stripe’s Privacy Policy at https://stripe.com/privacy for details on how Stripe handles your payment data.


3.5 Communications

If you contact us via email or through our Site, we collect the content of your messages, your email address, and any attachments you provide.

4. How We Use Your Personal Data

We process your personal data for the following purposesand on the following legal bases under UK GDPR:

Subscope Privacy Policy — Section 4
Purpose Description Legal Basis
Providing the Services To operate the Platform, process your data integrations, detect and extract invoice data, and deliver spend analytics. Performance of a contract
Account management To create and manage your account, authenticate your identity via OAuth, and maintain your preferences. Performance of a contract
Payment processing To handle subscription billing and payments through our payment processor. Performance of a contract
Service improvement To understand how the Services are used, identify trends, fix errors, and develop new features. Legitimate interest
AI model improvement To use anonymised and aggregated data derived from Customer Data to improve our machine learning models for invoice detection and data extraction. Legitimate interest
Security and fraud prevention To protect the Platform, detect and prevent fraudulent or unauthorised activity, and ensure data security. Legitimate interest
Analytics To measure site traffic, feature adoption, and user engagement through analytics tools. Consent (via cookies)
Marketing To send promotional communications about our Services (where you have opted in or where permitted by law). Consent / Legitimate interest
Emails and Digests To send you digest emails about your spend, apps usage and more, to send you emails with onboarding and offboarding options. Consent / Legitimate interest
Legal compliance To comply with applicable laws, regulations, legal processes, or governmental requests. Legal obligation
Communications To respond to your enquiries, provide customer support, and send service-related notices. Performance of a contract / Legitimate interest
4.1 AI and Machine Learning

Subscope uses third-party AI and large language model(LLM) services, including those provided by Anthropic and OpenAI, to powerinvoice detection and structured data extraction. When processing your datathrough these services:

•      Data is transmittedsecurely and processed in accordance with our agreements with these providers.

•      We do not permit theseproviders to use your data for training their own models beyond what isstrictly necessary to provide the service.

•      We may use anonymised andaggregated insights derived from processed data to improve our own analyticsalgorithms. Such data cannot be used to identify any individual ororganisation.

5. Cookies and Tracking Technologies

We use cookies and similar technologies on our Site and Platform. These fall into the following categories:

Subscope Privacy Policy — Section 5
Category Purpose Examples
Essential Required for the Site and Platform to function correctly, including authentication and security. Session cookies, CSRF tokens, OAuth state
Analytics Help us understand how visitors interact with the Site and Platform so we can improve the user experience. PostHog, Google Analytics
Marketing Used to deliver relevant advertisements and measure campaign effectiveness. Advertising pixels, retargeting tags

You can manage your cookie preferences through yourbrowser settings. Please note that disabling essential cookies may impair thefunctionality of the Services. We will implement a cookie consent mechanism toallow you to control non-essential cookies.

6. Data Sharing and Third-Party Processors

We do not sell your personal data. We share personal data only in the following circumstances:

6.1 Sub-Processors

We use the following categories of third-party service providers to help deliver our Services:

Subscope Privacy Policy — Section 6
Sub-Processor Category Provider(s) Purpose Location
Cloud hosting Hetzner Online GmbH Infrastructure and data storage Germany (EU)
Payment processing Stripe, Inc. Subscription billing and payments USA (with EU data handling)
AI / LLM services Anthropic, OpenAI Invoice detection and data extraction USA
Analytics PostHog, Google Analytics Usage analytics and product improvement EU / USA
Email provider Google, Microsoft OAuth authentication and email integration USA (with EU data handling)
6.2 Other Disclosures

We may also disclose your personal data:

• To comply with applicable law, regulation, legal process, or governmental request.

• To enforce our agreements, including our Terms of Service.

• To protect the rights, property, or safety of Subscope, our Customers, or others.

• In connection with a merger, acquisition, or sale of all or a portion of our assets, in which case you will be notified of any change in data controller.

7. International Data Transfers

Our primary data infrastructure is hosted in Germany (EU)by Hetzner Online GmbH. However, some of our sub-processors are located outsidethe UK and EEA, primarily in the United States.

Where personal data is transferred outside the UK or EEA,we ensure appropriate safeguards are in place, including:

•      UK International DataTransfer Agreement (IDTA) or the UKAddendum to EU Standard Contractual Clauses.

•      EU Standard ContractualClauses (SCCs) approved by the EuropeanCommission.

•      Adequacy decisions where the UK or EU has determined that a country providesan adequate level of data protection.

You may request a copy of the relevant transfersafeguards by contacting us at privacy@subscope.ai.

8. Data Retention

We retain your personal data only for as long asnecessary to fulfil the purposes described in this Policy, unless a longerretention period is required or permitted by law.

•      Account data: Retained for the duration of your account and for 90 daysfollowing account deletion, after which it is permanently deleted.

•      Customer Data (invoices,financial records): Retained for theduration of the Customer’s subscription. Upon termination, Customer Data isdeleted within 90 days unless the Customer requests earlier deletion.

•      Usage and analyticsdata: Retained in anonymised oraggregated form for up to 24 months for product improvement purposes.

•      Legal and tax records: Retained for up to 6 years as required by UK tax andaccounting legislation.

•      Marketing preferences: Retained until you unsubscribe or withdraw consent.

9. Data Security

We implement appropriate technical and organisationalmeasures to protect your personal data against unauthorised access, alteration,disclosure, or destruction. These measures include:

•      Encryption of data intransit (TLS 1.3+) and at rest.

•      OAuth 2.0 for secureauthentication with limited, revocable scopes.

•      Role-based access controlsand principle of least privilege.

•      Regular securityassessments and vulnerability testing.

•      Secure hosting on ISO27001-certified infrastructure (Hetzner).

•      Logging and monitoring ofaccess to sensitive data.

While we strive to use commercially acceptable means toprotect your personal data, no method of transmission over the Internet ormethod of electronic storage is 100% secure, and we cannot guarantee absolutesecurity.

10. Your Rights

Under UK GDPR and applicable data protection law, youhave the following rights in relation to your personal data:

Right Description
Access You have the right to request a copy of the personal data we hold about you.
Rectification You have the right to request correction of inaccurate or incomplete personal data.
Erasure You have the right to request deletion of your personal data, subject to certain legal exceptions.
Restriction You have the right to request that we restrict the processing of your personal data in certain circumstances.
Data portability You have the right to receive your personal data in a structured, commonly used, machine-readable format.
Objection You have the right to object to processing based on legitimate interests, including profiling and direct marketing.
Withdraw consent Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
Lodge a complaint You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.


To exercise any of these rights, please contact us at privacy@subscope.ai. We will respond to your request within one month, unless the request is complex, in which case we may extend the response period by afurther two months.

For Authorised Users: Ifyou wish to exercise rights relating to Customer Data processed on behalf ofyour organisation, please contact your organisation’s administrator in thefirst instance, as they are the data controller for that data.

11. Children’s Privacy

Our Services are designed for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly.

12. Third-Party Links and Services

Our Services may contain links to third-party websites or integrate with third-party services (such as accounting platforms or email providers). This Privacy Policy does not apply to such third-party services. We encourage you to review their respective privacy policies before providing them with your personal data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Policy on our Site with a revised “Effective Date” and, where appropriate, by email or in-platform notification.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal data.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contactus at:

Subscope LTD

Email: privacy@subscope.ai

Website: https://subscope.ai

You also have the right to lodge a complaint with the UK’s supervisory authority:

Information Commissioner’s Office (ICO)

Website: https://ico.org.uk

Telephone: +44 (0) 303 123 1113

Tired of software chaos?

Get Started
Book a demo
Platform
Software HQ
For corporations
For startups & SME
About
Case Studies
Single Case Study
Blog
Contact Us
Product
Dashboard
Software Spend Control
Product C
Integrations
New
Pricing
More
Terms of Service
Privacy Policy
Create Account
Sign In
Book a demo
© Subscope LTD