Privacy Policy
Last updated: February 25, 2026
Scopeo (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use the NeverDrop website, platform, mobile application, and related services (collectively, the “Service”).
1. Data We Collect
We may collect the following categories of data:
a. Account Information
- Full name
- Email address
- Company or organization name
- Password (stored as a salted hash — we never store plaintext passwords)
b. Business Card Data
When you scan a business card using the Service, we collect:
- The business card image (photo uploaded from your device)
- Extracted contact data: first name, last name, company, job title, phone number, email address
Business card images are processed by our OCR system and stored on our servers for the duration of your account.
c. Conversation Context
- Voice recordings (audio captured via the mobile app’s hold-to-record feature)
- Voice transcriptions (generated in real-time from audio via Soniox)
- Text context notes entered manually by the user
Voice recordings are processed transiently: audio is streamed to Soniox for real-time transcription and is not stored on Scopeo’s servers after the transcription is complete. Only the resulting text transcription is retained.
d. Scan and Event Metadata
- Scan status and workflow step
- Event associations (which conference/trade show a scan belongs to)
- Timestamps (creation, modification)
- Follow-up email content (AI-generated drafts and user-edited versions)
e. Enrichment Data
When we enrich a contact, we send the contact’s name and company to our enrichment provider (FullEnrich) and receive back:
- Verified professional email address
- Deliverability status
f. Automatically Collected Data
When you use our website or Service, we may automatically collect:
- IP address
- Browser type and version
- Operating system and device type
- Pages visited and duration
- Referring URL
This data is collected using cookies and similar technologies for analytics purposes.
2. How We Use Your Data
We use your data to:
- Provide the Service: OCR processing, contact enrichment, AI follow-up email generation, team collaboration, CRM synchronization
- Manage your account and subscription
- Process payments via Stripe
- Send transactional emails (account verification, team invitations, password resets) via Resend
- Improve the Service through aggregated, anonymized analytics
- Ensure security and prevent abuse
- Respond to support requests
We do not use your Content (business card data, voice recordings, conversation context, follow-up emails) to train AI models or for any purpose other than providing the Service to you.
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the Service you signed up for
- Legitimate interest: Analytics, security, and Service improvement (where not overridden by your rights)
- Consent: Where explicitly given (e.g., cookie consent, optional marketing communications)
4. Data Retention
- Account data: Retained for the duration of your account + 5 years (civil prescription)
- Business card images and scan data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Voice recordings: Not stored — processed transiently for transcription only
- Voice transcriptions and context notes: Retained for the duration of your account
- Analytics data: Retained for up to 14 months, then automatically deleted
5. Your Rights
In accordance with GDPR and applicable data protection laws, you have the right to:
- Access, correct, or delete your personal data
- Withdraw your consent at any time
- Request data portability
- Object to processing based on legitimate interest
- Lodge a complaint with a supervisory authority (CNIL in France)
To exercise any of these rights, contact us at:
Email: support [at] neverdrop [dot] com
6. Cookies
We use cookies to:
- Analyze site traffic and user behavior
- Remember your preferences
- Enhance user experience
You can manage your cookie preferences through your browser settings or via our cookie banner.
7. Analytics and Tracking
Hotjar
We use Hotjar (Hotjar Ltd, Malta) for session recording and heatmap analytics to understand how users interact with the Service.
- Data collected: Mouse movements, clicks, scroll behavior, page visits, device info, anonymized IP
- Hotjar ID: 6655292
- Purpose: UX improvement and product development
- Opt-out: You can opt out of Hotjar tracking at https://www.hotjar.com/policies/do-not-track/
- Privacy: See Hotjar’s Privacy Policy: https://www.hotjar.com/legal/policies/privacy/
Google Tag Manager
We use Google Tag Manager (Google Ireland Limited) to manage analytics and marketing tags. GTM itself does not collect personal data but may trigger other tools that do.
8. Third-Party Services
We share data with the following third-party services, each acting as a data processor on our behalf:
| Service | Purpose | Data shared |
|---|---|---|
| Stripe (Stripe, Inc.) | Payment processing | Name, email, payment method (PCI-DSS compliant — we do not store card numbers) |
| FullEnrich | Contact email enrichment | Contact name and company |
| Soniox | Speech-to-text transcription | Audio stream (transiently processed, not retained by Soniox) |
| Resend | Transactional email delivery | Recipient email, email content |
| Google (Google Ireland Limited) | OAuth authentication, Gmail integration | Profile info (sign-in), email sending (Gmail) |
| HubSpot | CRM integration (optional) | Enriched contact data (user-initiated) |
| Supabase | Database hosting | All Service data (encrypted at rest) |
| Netlify | Application hosting | Web traffic data |
| Amazon Web Services (AWS EMEA SARL) | Cloud infrastructure | Encrypted Service data |
| OpenAI / Anthropic | AI models | OCR input, conversation context (for follow-up generation) |
| Hotjar (Hotjar Ltd) | Analytics | Session behavior data (anonymized) |
We do not sell or share your personal data with third parties for advertising purposes.
9. Google OAuth Integration
We offer optional integrations with Google services via OAuth 2.0. Each integration is independent and requires separate, explicit authorization.
a. Google Sign-In
- Purpose: Account creation and authentication using your Google identity
- Data accessed: Full name, email address, and profile picture
- Use: Creating and managing your NeverDrop account and authenticating sessions
- Storage: Email and name stored as part of your account record
b. Gmail Integration (Follow-Up Sending)
- Purpose: Sending AI-drafted follow-up emails from your own Gmail address
- Scopes requested: gmail.send and gmail.compose
- Use: Composing and sending follow-up emails that you have reviewed and approved
- What we do NOT do: We do not read, monitor, or scan your inbox. Gmail access is strictly limited to sending emails you initiate through the Service.
- Storage: We do not store Gmail message content. Sending is performed transiently when you trigger a follow-up.
User Control and Revocation
- You can authorize Sign-In and Gmail independently
- Disconnect at any time via Google Account settings or from within the Service
- Request deletion of Google-derived data by contacting support@neverdrop.com
Compliance with Google Policies
- Limited Use: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements
- No advertising use: We do not use Google API data for advertising
- Least privilege: We request only the minimum scopes necessary
- No human access: We do not allow humans to read your Gmail data unless required for security investigation or legal compliance
10. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS) and at rest
- Role-based access control
- Unique authentication per employee (Google Workspace SSO)
- API key encryption with regular key rotation
- Regular security awareness training
11. International Data Transfers
We process data primarily within the EU/EEA. Where transfers to third countries occur (e.g., US-based providers such as Stripe, OpenAI, Netlify), they are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards.
12. Children’s Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect data from minors.
13. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will always be available on our website, with the date of the last update indicated at the top. Material changes will be communicated via email or in-app notification.