Privacy Policy

Last updated: April 14, 2026

Scopeo (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use the NeverDrop website, platform, mobile application, and related services (collectively, the “Service”).

1. Data We Collect

We may collect the following categories of data:

a. Account Information

  • Full name
  • Email address
  • Company or organization name
  • Password (stored as a salted hash — we never store plaintext passwords)

b. Business Card Data

When you scan a business card using the Service, we collect:

  • The business card image (photo uploaded from your device)
  • Extracted contact data: first name, last name, company, job title, phone number, email address

Business card images are processed by our OCR system and retained on our servers (AWS S3, EU) for up to 90 days as a technical backup, to allow OCR recovery in case of processing failure. After 90 days they are automatically deleted. The extracted contact data is kept for the duration of your account.

c. Conversation Context

  • Voice recordings (audio captured via the mobile app or web application using dictaphone-style recording with pause, resume, and stop controls)
  • Voice transcriptions (generated in real-time from audio via Soniox)
  • Text context notes entered manually by the user

Voice recordings are streamed to Soniox for real-time transcription. The final audio file is retained on our servers (AWS S3, EU) for up to 90 days as a technical backup, to allow transcription recovery and repair in case of failure. After 90 days it is automatically deleted. When transcription fails or the device is offline, audio may also be temporarily stored on your device until it can be uploaded. The resulting text transcription is retained for the duration of your account.

d. Scan and Event Metadata

  • Scan status and workflow step
  • Event associations (which conference/trade show a scan belongs to)
  • Timestamps (creation, modification)
  • Follow-up email content (AI-generated drafts and user-edited versions)
  • AI-generated lead reports

e. Enrichment Data

When we enrich a contact, we send the contact’s name, company, and LinkedIn URL to our enrichment provider (FullEnrich) and receive back:

  • Verified professional email address and deliverability status (email enrichment)
  • Professional phone number and region (phone enrichment)

f. Automatically Collected Data

When you use our website or Service, we may automatically collect:

  • IP address
  • Browser type and version
  • Operating system and device type
  • Pages visited and duration
  • Referring URL

This data is collected using cookies and similar technologies for analytics purposes.

2. How We Use Your Data

We use your data to:

  • Provide the Service: OCR processing, contact enrichment, AI follow-up email generation, report generation, team collaboration, CRM synchronization
  • Manage your account and subscription
  • Process payments via Stripe
  • Send transactional emails (account verification, team invitations, password resets) via Resend
  • Improve the Service through aggregated, anonymized analytics
  • Ensure security and prevent abuse
  • Respond to support requests

We do not use your Content (business card data, voice recordings, conversation context, follow-up emails, reports) to train AI models or for any purpose other than providing the Service to you.

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you signed up for
  • Legitimate interest: Analytics, security, and Service improvement (where not overridden by your rights)
  • Consent: Where explicitly given (e.g., cookie consent, optional marketing communications)

4. Data Retention

  • Account data: Retained for the duration of your account + 5 years (civil prescription)
  • Business card images: Retained on our servers (AWS S3, EU) for up to 90 days as a technical backup, then automatically deleted. The extracted contact data is retained for the duration of your account and deleted within 30 days of account deletion.
  • Audio recordings: Retained on our servers (AWS S3, EU) for up to 90 days as a technical backup to allow transcription recovery, then automatically deleted. The resulting text transcriptions are retained for the duration of your account.
  • Conversation transcripts and context notes: Retained for the duration of your account
  • Enrichment results (raw data from providers): Retained for the duration of your account
  • AI-generated content (drafts, reports): Retained for the duration of your account
  • Analytics data: Mixpanel retains data for up to 14 months. Sentry retains error data for 90 days.

5. Your Rights

In accordance with GDPR and applicable data protection laws, you have the right to:

  • Access, correct, or delete your personal data
  • Withdraw your consent at any time
  • Request data portability
  • Object to processing based on legitimate interest
  • Lodge a complaint with a supervisory authority (CNIL in France)

To exercise any of these rights, contact us at:

Email: support [at] neverdrop [dot] com

We will respond to your request within 30 days, in accordance with Article 12(3) of the GDPR.

6. Cookies

We use cookies and local storage to operate the Service and analyze usage. Below is an inventory of the cookies and storage mechanisms we use:

Cookie / Storage | Type | Purpose | Duration
session (app only) | Essential | Authentication session token | 24 hours (rolling)
nd_conversion (app only) | Functional | Post-checkout attribution data | 24 hours
nd:utm (localStorage) | Marketing | First-touch UTM parameters and ad click IDs | Persistent
Mixpanel (localStorage) | Analytics | User identification and event tracking | Persistent
GTM / Google Analytics | Analytics / Marketing | Page analytics, conversion tracking | Varies by cookie

On our marketing website (never-drop.com), we use a consent banner that lets you accept or refuse non-essential cookies before they are set. In the application (app.never-drop.com), only essential cookies are used for authentication.

7. Analytics and Tracking

Mixpanel

We use Mixpanel (Mixpanel Inc., San Francisco, USA) for product analytics and session replay.

  • Data collected: User interactions, page views, feature usage, session recordings (with text masking enabled)
  • Data residency: EU (api-eu.mixpanel.com)
  • Purpose: Product improvement and user experience analysis
  • Opt-out: You can opt out via our cookie settings on the marketing website. In-app analytics are tied to your account.

Sentry

We use Sentry (Functional Software Inc., San Francisco, USA) for error monitoring and performance tracking.

  • Data collected: Error logs, performance metrics, session replays on error (with text masking enabled), IP address, browser/device info
  • Data residency: EU (ingest.de.sentry.io)
  • Purpose: Bug detection, performance monitoring, and service reliability

Google Tag Manager

We use Google Tag Manager (Google Ireland Limited) to manage analytics and marketing tags on our marketing website. GTM itself does not collect personal data but may trigger other tools (such as Google Analytics) that do, subject to your cookie consent.

8. Third-Party Services

We share data with the following third-party services, each acting as a data processor on our behalf:

Service | Purpose | Data shared
Stripe (Stripe, Inc.) | Payment processing | Name, email, payment method (PCI-DSS compliant — we do not store card numbers)
FullEnrich | Contact enrichment (email and phone) | Contact name, company, LinkedIn URL
Soniox | Speech-to-text transcription | Audio stream (transiently processed, not retained by Soniox)
Resend | Transactional email delivery | Recipient email, email content
Google (Google Ireland Limited) | OAuth authentication, Gmail integration | Profile info (sign-in), email sending (Gmail) — scope: gmail.send only
Microsoft (Microsoft Corporation) | Outlook email integration | Email sending (Outlook) — scope: Mail.Send only
HubSpot (HubSpot Inc.) | CRM integration + demo scheduling (marketing site) | Contact data (user-initiated CRM sync), meeting booking data (marketing site)
Supabase | Database hosting | All Service data (encrypted at rest)
Vercel | Application hosting | Web traffic data
Amazon Web Services (AWS EMEA SARL) | Cloud infrastructure | Encrypted Service data
OpenAI / Anthropic | AI models | OCR input, conversation context (for follow-up and report generation)
Mixpanel (Mixpanel Inc.) | Product analytics and session replay | User interactions, feature usage, session recordings (EU data residency)
Sentry (Functional Software Inc.) | Error monitoring and performance | Error logs, session replays on error, IP address, device info (EU data residency)
Expo (650 Industries Inc.) | Mobile app distribution and updates | Device metadata, app version

We do not sell or share your personal data with third parties for advertising purposes.

9. Email Provider Integrations

We offer optional integrations with email providers via OAuth 2.0. Each integration is independent and requires separate, explicit authorization.

a. Google Sign-In

  • Purpose: Account creation and authentication using your Google identity
  • Data accessed: Full name, email address, and profile picture
  • Use: Creating and managing your NeverDrop account and authenticating sessions
  • Storage: Email and name stored as part of your account record

b. Gmail Integration (Follow-Up Sending)

  • Purpose: Sending AI-drafted follow-up emails from your own Gmail address
  • Scopes requested: gmail.send
  • Use: Sending follow-up emails that you have reviewed and approved
  • What we do NOT do: We do not read, monitor, or scan your inbox. Gmail access is strictly limited to sending emails you initiate through the Service.
  • Storage: We do not store Gmail message content. Sending is performed transiently when you trigger a follow-up.

c. Outlook Integration (Follow-Up Sending)

  • Purpose: Sending AI-drafted follow-up emails from your own Outlook address
  • Scopes requested: Mail.Send only
  • Use: Sending follow-up emails that you have reviewed and approved
  • What we do NOT do: We do not read, monitor, or scan your inbox. Outlook access is strictly limited to sending emails you initiate through the Service.
  • Storage: We do not store Outlook message content. Sending is performed transiently when you trigger a follow-up.
  • OAuth: Managed by our workflow platform (Draft’n Run by Scopeo)

User Control and Revocation

Compliance with Google Policies

  • Limited Use: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements
  • No advertising use: We do not use Google API data for advertising
  • Least privilege: We request only the minimum scopes necessary
  • No human access: We do not allow humans to read your Gmail data unless required for security investigation or legal compliance

10. Automated Processing and AI

The Service uses artificial intelligence and automated processing for:

  • Optical Character Recognition (OCR): Extracting text from business card images
  • Contact enrichment: Automated lookup of professional email addresses and phone numbers
  • Draft generation: AI-generated follow-up email suggestions based on contact data and conversation context
  • Report generation: AI-powered analysis of conversation transcripts
  • Website analysis: Automated extraction of company information from websites

None of these processes involve automated decision-making that produces legal effects or similarly significant effects on individuals, within the meaning of Article 22 of the GDPR. All AI-generated content (email drafts, reports) is presented as a suggestion for the user to review and approve before any action is taken.

We do not use your Content to train AI models.

11. Session Replay

We use session replay tools (Mixpanel, Sentry) to understand how users interact with our product and to diagnose errors. Session recordings capture page interactions (clicks, scrolls, navigation) with text content masked to protect sensitive information. Recordings are stored in the EU. On the marketing website, session replay is subject to your cookie consent preferences. In the application, session replay is used for error diagnosis and product improvement.

12. Mobile Application

Our mobile app is available on the Apple App Store and Google Play Store. The app requests the following device permissions:

  • Camera: For scanning business cards and event badges
  • Photo library: For uploading images
  • Microphone: For voice recording (conversation transcription and voice notes)

The app does not access your contacts, location, calendar, or send push notifications. Device metadata (OS version, app version) is collected for error monitoring via Sentry and app distribution via Expo.

13. Data Security

We implement industry-standard security measures including:

  • Encryption in transit (TLS) and at rest
  • Role-based access control
  • Unique authentication per employee (Google Workspace SSO)
  • API key encryption with regular key rotation
  • Regular security awareness training

14. International Data Transfers

We process data primarily within the EU/EEA. Where transfers to third countries occur (e.g., US-based providers such as Stripe, OpenAI, Vercel, Mixpanel, Sentry), they are protected by Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards.

15. Children’s Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect data from minors.

16. Data Portability

You may request a copy of your personal data in a structured, machine-readable format by contacting support@never-drop.com. We will provide your data within 30 days of your request.

17. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on our website, with the date of the last update indicated at the top. Material changes will be communicated via email or in-app notification.