1. Introduction
This Privacy Policy describes how Scope Bid, Inc. ("Scope," "we," "us") collects, uses, discloses, and protects information when you use Scope's platform.
Scope operates a routing and protocol layer that connects law firms, claims operations, and other organizations ("Firms") with legal-services vendors ("Vendors") for the dispatch of professional-services Matters. Scope's data practices reflect this two-sided role: we receive data from both Firms and Vendors to facilitate Matter routing, payment, and reputation tracking.
2. Scope of this Policy
This Policy applies to:
- Personal information of Firm users (lawyers, paralegals, and authorized staff who use Scope on behalf of a Firm)
- Personal information of Vendor users (business contacts who manage Vendor's Scope presence)
- Matter data transmitted through Scope
- Account, authentication, and platform usage data
- Reputation graph and Matter history data
This Policy does not apply to:
- Information you provide directly to Stripe through the Stripe Connect onboarding flow (governed by Stripe's privacy policy)
- Information you provide directly to AI clients (Claude, ChatGPT, Cursor, Cowork, and other AI clients) which connect to Scope via MCP (governed by the AI client's privacy policy)
- Information transmitted to or from Vendors via channels outside Scope's platform (direct email, phone calls, in-person meetings)
3. Information we collect
Information you provide
- Account information. Email address, name, organization name, role, password, two-factor authentication setup.
- Firm and Vendor profile information. Business name, business address, business phone, business email, website, professional licenses and credentials, service categories, geographic coverage, capacity calendars.
- Matter content. Matter parameters (category, jurisdiction, deadline, scope description), bid amounts and terms, accepted scope details, deliverable references.
- Payment information. Payment instruments are processed by Stripe; Scope receives transaction metadata (amounts, currency, statuses) but does not store payment-card numbers or bank account details.
- Communication content. Messages exchanged through Scope's platform, notification preferences (email opt-in, SMS opt-in), inbound replies to dispatch notifications.
Information collected automatically
- Usage data. Pages visited, actions taken, time stamps, IP addresses, browser type, device information.
- Cookies and similar technologies. Session cookies for authentication, preference cookies (e.g., dark-mode setting), analytics cookies (limited; described below).
- Webhook data. Inbound webhook payloads from Stripe Connect, Twilio (for inbound SMS), and Resend (for inbound email) related to Matter execution.
- Error and diagnostic data. When the platform encounters an error, we collect diagnostic information (error traces, request metadata, sampled performance data) through Sentry to fix problems. We configure error reporting to avoid capturing Matter content in traces.
- Push notification tokens. If you enable push notifications (Vendor dispatch alerts), we store the device push token needed to deliver them. You can disable push at any time in your device or account settings.
- Bot-protection signals. Signup and other sensitive forms use Cloudflare Turnstile, which processes connection data to distinguish humans from bots.
Information from third parties
- Stripe Connect verification data. Vendor KYC results, Connected Account status, capability checks.
- AI client integration data. When you connect Scope via an MCP client (Claude, ChatGPT, Cowork, Cursor, etc.), Scope receives only the structured tool calls the AI client sends (for example, a dispatch request with its parameters) and returns structured responses. Scope does not receive, see, or store the rest of your conversation with your AI assistant. Your conversation is governed by the AI client's privacy policy.
- Calendar data (optional). If a Vendor connects a Google or Microsoft calendar, we request the minimum scopes needed to (a) read free/busy availability and (b) create and update events for accepted jobs. We store OAuth tokens encrypted (AES-256-GCM), we do not read event content unrelated to Scope jobs, and we do not use calendar data for any purpose other than scheduling and availability. Scope's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. You can disconnect a calendar at any time, which revokes Scope's access.
- Public-data vendor catalog. For vendors who appear in Scope's catalog from public sources (state CSR boards, ADR provider location pages, etc.), we maintain source-URL attribution.
4. How we use information
We use the information we collect to:
- Operate the Scope platform (route Matters, process bids, execute payments)
- Verify user identity and prevent fraud
- Maintain Scope's reputation graph (aggregate Vendor performance metrics)
- Send notifications you opted in to (dispatch alerts, payment confirmations, system messages)
- Provide customer support
- Comply with legal obligations (tax reporting, response to lawful requests)
- Improve Scope's platform and develop new features
- Communicate with you about Scope's services, updates, and policies (subject to applicable opt-out rights)
We do not use Matter data to train AI models. We do not sell personal information. We do not share personal information with advertisers.
5. How we share information
With Vendors and Firms
To route a Matter, we share necessary Matter information with the Vendor candidates Firm's AI Assistant selects to bid. Bid responses from Vendors are shared with the Firm that issued the Matter. The participating Firm and the awarded Vendor have visibility into the complete Matter record for their respective roles.
With service providers
We use third-party service providers to operate the platform, including:
- Supabase (database hosting, authentication infrastructure)
- Vercel (web hosting, edge functions)
- Stripe (payment processing, Connected Account management)
- Twilio (outbound and inbound SMS)
- Resend (transactional email)
- Anthropic (AI processing for intake parsing; API traffic is not used by Anthropic to train models per its commercial API terms)
- Sentry (error monitoring and diagnostics)
- Upstash (rate limiting infrastructure)
- Cloudflare (Turnstile bot protection)
- Google and Microsoft (calendar sync, only when a user connects a calendar; SSO identity, only when a Firm signs in with Google Workspace or Azure AD)
Each service provider is contractually bound to use information only for the purposes Scope authorizes. A current sub-processor list is available on request and will be maintained at scope.bid/trust.
With other parties
We may share information when required by law, when necessary to protect Scope's rights or the safety of users, or in connection with a merger, acquisition, or sale of Scope's business. We will provide notice of any such sharing where required by applicable law.
Vendor reputation, shared across Firms by design
Portable reputation is a core platform feature, and Vendors should understand it before joining: performance metrics derived from completed Matters (on-time percentage, completed-matter counts, satisfaction scores, response times) are visible to other Firms evaluating that Vendor on Scope. Individual Matter content is never part of the visible reputation record; only the performance metrics are. Vendors can view their own reputation record at any time.
Aggregate and de-identified market data
We may produce and share aggregate or de-identified data that does not identify any individual user, Firm, or Vendor. This includes market-rate statistics (for example, median and percentile pricing for a service category in a region), which Scope surfaces in-product and may offer as a commercial data product. Our commitments on this data:
- Statistics are computed only from cohorts of at least 10 awarded prices spanning multiple Firms; smaller cohorts return no data.
- Individual prices, Vendor names, Firm names, and Matter details are never disclosed.
- We maintain and use de-identified data only in de-identified form, we will not attempt to re-identify it, and we contractually require the same of anyone who receives it.
We do not sell personal information. Aggregate market statistics as described here are not personal information.
6. Matter data and privilege
Firms transmit Matter data through Scope that may include privileged or confidential client information. Scope's treatment of Matter data:
- We treat Matter data as confidential and apply Row Level Security to enforce that only authorized users (the issuing Firm and the awarded Vendor, plus Scope administrators with audit-logged access) can view a specific Matter's content.
- We encrypt Matter data in transit (TLS) and at rest (AES-256-GCM for OAuth tokens; database-level encryption for Matter content).
- We do not access Matter content except for routing, payment, debugging on Firm's direct request, dispute resolution, or as required by law.
- Scope's employees and contractors are bound by confidentiality obligations equivalent to those described in this Policy.
For claims-vertical Matters involving Protected Health Information (PHI), Scope will execute a Business Associate Agreement (BAA) with the Firm consistent with HIPAA requirements.
7. Data retention
We retain personal information for as long as your account is active, plus a defined post-account-closure period:
- Account data. Retained for the duration of the account plus three (3) years after closure, to support audit, dispute, and tax-reporting obligations.
- Matter data. Retained for seven (7) years after Matter completion, consistent with typical litigation-hold standards. Firms may request earlier deletion subject to legal and regulatory holds.
- Payment records. Retained per IRS tax-reporting requirements (typically seven years).
- Reputation graph events. Aggregated reputation metrics are retained indefinitely; individual Matter contributions to reputation are retained per the Matter data retention schedule.
- Communication records. Retained for the longer of the Matter retention period or applicable statutory retention requirements.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you
- Correct inaccurate personal information
- Delete your personal information (subject to legal retention requirements)
- Restrict or object to processing of your personal information
- Portability of your personal information in a structured, machine-readable format
- Withdraw consent where processing is based on consent
To exercise these rights, contact us at the email address provided at the end of this Policy. We will respond to verifiable requests within the time period required by applicable law (typically 30 to 45 days under CCPA and analogous state laws).
California residents
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information we have collected, the right to request deletion, the right to opt out of the sale or sharing of personal information (Scope does not sell or share personal information for cross-context advertising), and the right to non-discrimination for exercising these rights.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
Other US states
Residents of states with comprehensive privacy laws have rights similar to California residents, including under the Texas Data Privacy and Security Act and the Colorado Privacy Act (Scope's launch markets), as well as Virginia, Connecticut, Utah, and other states with comparable statutes. We honor verifiable rights requests in accordance with applicable state law.
EU and UK residents
If you are in the European Union, the European Economic Area, or the United Kingdom, you have rights under the GDPR or UK GDPR, including the rights described above. The legal bases for our processing are: contract performance (operating the platform), legitimate interests (fraud prevention, service improvement), legal obligations (tax reporting), and consent (where we have requested it).
9. Security
We implement reasonable technical and organizational measures to protect personal information, including:
- Encryption in transit (TLS) and at rest (AES-256-GCM)
- Row-Level Security on Vendor and Matter data
- HMAC-signed webhooks
- Multi-factor authentication for administrator access
- Regular security audits and dependency reviews
- Limited employee access on a need-to-know basis with audit logging
We are working toward SOC 2 Type I certification. Until certification is achieved, we operate the controls described above on a self-attested basis and provide documentation upon request.
No security system is impenetrable. We will notify affected users of material breaches consistent with applicable law.
10. Cookies and tracking technologies
Scope uses cookies for:
- Strictly necessary cookies. Session authentication, security, and core functionality. These are not optional.
- Preference cookies. User preferences like display settings.
- Analytics cookies. Aggregate, privacy-respecting analytics to improve the platform. We do not use third-party advertising tracking pixels.
You can manage cookie preferences through your browser settings or through the cookie preferences interface (if applicable) on Scope's website.
11. International transfers
Scope is headquartered in the United States. Personal information you provide is transferred to and processed in the United States. If you are accessing Scope from outside the United States, you consent to the transfer of your personal information to the United States.
For users in the EU, UK, or EEA, we rely on appropriate transfer mechanisms (Standard Contractual Clauses, adequacy decisions where applicable) to ensure your personal information receives equivalent protection.
12. Children's privacy
Scope is a business-to-business service and is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
13. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to users via:
- Email to the account owner's notification email address
- A prominent notice on Scope's website
- In-app notification at next login
Material changes take effect thirty (30) days after notice. Continued use of Scope after the effective date constitutes acceptance of the updated Policy.
14. Contact us
For questions about this Privacy Policy or to exercise your rights, contact:
Scope Bid, Inc. privacy@scope.bid
We aim to respond to all inquiries within 10 business days. Rights requests are processed within the time period required by applicable law.