Privacy Policy

Last updated: March 2026

1. Introduction

MIRA SYSTEMS LTD (company number 16488333, registered in England and Wales) ("we", "us", "our") is the data controller for personal data processed through Scout.io, a B2B sales outreach automation platform (the "Service").

This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, who we share it with, and what rights you have. It applies to all users of the Service and to individuals whose data is processed through the Service (such as business contacts uploaded by our users).

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Personal Data We Collect

2.1 Account Information

When you create an account, we collect your full name, email address, and company details. If you connect a Gmail account for email sending, we store encrypted OAuth tokens to access Gmail on your behalf. We do not store your Gmail password.

2.2 Lead and Contact Data

You may upload business contact data (names, business email addresses, company information, job titles) via CSV import or manual entry. This data is stored in our database and processed by our AI systems to generate research summaries, lead scores, and outreach content. You are the data controller for any personal data you upload. We act as your data processor for that data and process it solely on your instructions and for the purpose of providing the Service.

2.3 Usage and Analytics Data

We collect usage metrics including pipeline runs, messages generated, emails sent, and feature usage statistics. This data is used to provide your analytics dashboard, enforce quotas, and improve the Service.

2.4 Email Tracking Data

When emails are sent through the Service, we embed a small tracking pixel (a 1x1 transparent image) and wrap links to measure open rates and click-through rates. This tracking collects the recipient's IP address, approximate location, device type, and the time of the open or click event. Recipients can disable image loading in their email client to prevent pixel-based open tracking; this does not prevent click tracking, because a wrapped link records the click when it is followed.

3. Lawful Bases for Processing

We rely on the following lawful bases under UK GDPR Article 6(1):

  • Performance of a contract (Article 6(1)(b)): Processing your account information and usage data is necessary to provide the Service to you under our Terms of Service.
  • Legitimate interests (Article 6(1)(f)): We process usage analytics and error logs to maintain, secure, and improve the Service. We have assessed that these interests are not overridden by your rights and freedoms, particularly as the data processed is limited to business-context information.
  • Legal obligation (Article 6(1)(c)): We may process data where necessary to comply with legal obligations, such as responding to lawful requests from regulators or law enforcement.
  • Consent (Article 6(1)(a)): Where you connect your Gmail account, we obtain your explicit consent via the OAuth authorisation flow. You may revoke this consent at any time by disconnecting your account in Settings, or by removing Scout.io's access from your Google Account's third-party access settings; after revocation the tokens we hold no longer grant access to your mailbox.

For lead and contact data you upload, you are the data controller and are responsible for establishing your own lawful basis for processing that data (for example, legitimate interest in B2B prospecting). We process it on your behalf as a data processor.

4. Third-Party Data Processors and Sub-Processors

We use the following third-party services to operate Scout.io. Each acts as a sub-processor of personal data:

  • Anthropic, PBC (San Francisco, USA) - Provides the Claude AI API used for lead research, scoring, strategy planning, and message generation. Lead data including names, job titles, and company information is sent to Anthropic's API for processing. Anthropic does not use API inputs for model training per their commercial terms. Transfer mechanism: Standard Contractual Clauses (SCCs).
  • Brave Software, Inc. (San Francisco, USA) - Provides the Brave Search API used to gather publicly available company information for research purposes. Only company names and website URLs are sent as search queries. Transfer mechanism: SCCs.
  • Supabase, Inc. (San Francisco, USA) - Provides managed PostgreSQL database hosting and user authentication. All user data, lead data, and application state is stored in Supabase. Row-level security policies ensure tenant isolation. Transfer mechanism: SCCs with supplementary measures (encryption at rest, TLS in transit).
  • Google LLC (Mountain View, USA) - Provides the Gmail API for email sending and inbox synchronisation. We access only the scopes you explicitly authorise during the OAuth flow (send and read-only). Transfer mechanism: covered under the UK-US Data Bridge adequacy framework.
  • Apollo.io, Inc. (San Francisco, USA) - Provides optional lead enrichment (additional contact details, company firmographics). Data is sent only when enrichment is triggered by the user. Transfer mechanism: SCCs.
  • Sentry (Functional Software, Inc., San Francisco, USA) - Provides error monitoring and performance tracking. May receive IP addresses and browser metadata in error reports. We have disabled the collection of personally identifiable information where possible. Transfer mechanism: SCCs.

We maintain Data Processing Agreements (DPAs) with each sub-processor. Where data is transferred outside the UK, we rely on the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (referred to as "SCCs" above), or on relevant adequacy decisions, as noted above. You may request copies of relevant transfer safeguards by contacting us.

5. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods are as follows:

  • Account information: Retained for the duration of your account. Upon account deletion, all account data is permanently erased within 30 days.
  • Lead and contact data: Retained for the duration of your account unless you delete individual records sooner. Default automatic archival after 24 months of inactivity (configurable per account).
  • Outreach content (messages, sequences): Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Engagement events (opens, clicks, replies): Retained for 12 months, then automatically deleted.
  • Email tracking data: Retained for 12 months, then automatically deleted.
  • API and application logs: Retained for 90 days, then automatically purged.
  • Error reports (Sentry): Retained for 90 days per Sentry's default policy.

6. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access (Article 15): You can request a copy of all personal data we hold about you. You can also export your data at any time from Settings > Account > Export Data.
  • Right to rectification (Article 16): You can update your personal information and lead data directly through the platform, or contact us to request corrections.
  • Right to erasure (Article 17): You can delete your account and all associated data from Settings > Account > Delete Account. This action is irreversible. Deletion is completed within 30 days.
  • Right to data portability (Article 20): You can export your data in JSON format at any time via the platform.
  • Right to restrict processing (Article 18): You can request that we restrict processing of your data in certain circumstances, for example while we verify the accuracy of your data following a dispute.
  • Right to object (Article 21): You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Article 7(3)): Where processing is based on consent (such as Gmail integration), you may withdraw consent at any time by disconnecting the relevant account in Settings.

To exercise any of these rights, contact us at privacy@mirasystems.co. We will respond within one month of receiving your request, as required by law. If we need to extend this period (by up to two further months where a request is complex or numerous), we will inform you within the first month and explain why.

7. Security Measures

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include: encryption at rest and in transit (TLS 1.2 or higher); row-level security policies in our database ensuring strict tenant isolation; encrypted storage of OAuth tokens; rate limiting and request size restrictions on all API endpoints; SSRF protection to prevent server-side request forgery; security response headers on all HTTP responses; and a mandatory human review step before any AI-generated content is sent.

We regularly review our security practices and update them in line with industry standards. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and inform affected users without undue delay. Where the breach affects lead or contact data that we process on your behalf as a data processor, we will notify you, as the data controller, without undue delay so that you can meet your own notification obligations.

8. CAN-SPAM and Anti-Spam Compliance

All emails sent through Scout.io include a functioning unsubscribe mechanism and the sender's physical mailing address, as required by the CAN-SPAM Act (15 U.S.C. 7701-7713) and the Privacy and Electronic Communications Regulations 2003 (PECR). We enforce unsubscribe requests automatically and maintain a suppression list for bounced and unsubscribed addresses. Users are responsible for ensuring their outreach campaigns comply with all applicable anti-spam and electronic marketing laws in their jurisdiction, including but not limited to CAN-SPAM, PECR, and the ePrivacy Directive.

9. Cookies and Similar Technologies

The Service uses essential cookies for authentication and session management. These are strictly necessary for the operation of the Service and do not require consent under PECR. We do not use advertising cookies, social media tracking cookies, or any non-essential cookies. The email tracking pixel described in Section 2.4 operates outside of the browser cookie context and is governed by the terms above.

10. Children

The Service is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or through an in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after a change takes effect constitutes acceptance of the revised policy.

12. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at privacy@mirasystems.co.

13. Contact

For any questions or requests relating to this Privacy Policy or your personal data, please contact:

MIRA SYSTEMS LTD
Email: privacy@mirasystems.co
Address: 124 City Road, London, England, EC1V 2NX