Skip to main content

Legal

Privacy Policy

Effective April 18, 2026 · Last updated June 6, 2026

This Privacy Policy explains how Scopeful (operated by Supering Technology LLC, “Supering”, “we”, “us”, a Wyoming limited liability company) handles information when you visit scopeful.org(the “Site”). Scopeful publishes a public, USD-normalized reference for the cost of AI creative tools and offers an optional paid membership called Scopeful Pro that unlocks long-form content, downloadable agent skills, a personal library, and an authenticated MCP (Model Context Protocol) endpoint to query the pricing engine from coding agents.

You can browse the public site without an account or cookies. Some features (saving items to your library, downloading skills, subscribing to Pro, or using the MCP endpoint) require you to sign in with email or Google. This policy describes both modes.

We collect as little as we need for each feature. This policy tells you exactly what that means.

1. Who we are

The Site is operated by:

Supering Technology LLC
A Wyoming limited liability company
5830 E 2nd St, Ste 7000, Casper, Wyoming 82609, US
Contact: hello@scopeful.org

If you are in the EU, UK, or Switzerland, you can reach us by email for any data-protection request. Supering Technology LLC is the data controller for the Site. No Data Protection Officer has been formally appointed; privacy requests should be directed to hello@scopeful.org. If an EU or UK representative is required under GDPR Article 27, their contact details will be posted here.

2. What we collect

The public Site can be used without an account. The Site does not run advertising and does not display contact forms beyond the optional newsletter signup. When you create an account, subscribe to Pro, generate an MCP API key, or save items to your library, we process the additional data described below.

a) Request logs (via our hosting provider)

When you load a page, our host (Vercel Inc.) temporarily records standard request data (IP address, user-agent string, requested URL, referrer, and timestamp) for security, abuse prevention, and operational purposes. These logs are retained on a short-term rolling basis under Vercel’s retention policy.

b) Vercel Web Analytics (cookieless)

We use Vercel Web Analytics to measure aggregate traffic (page views, country-level geography, referrer, device type). It does not set cookies, does not use persistent client-side identifiers, and does not track you across sites. A short-lived hash derived from your IP address and user-agent is used to count unique visits within a single day; the raw IP is discarded and is never stored by us.

b2) PostHog (product analytics, cookieless for visitors)

For signed-in users we also use PostHog (PostHog, Inc.) to record product-level events: which calculator inputs you tried, which skills you installed or downloaded, when you subscribed to Pro, and how long after signing up that happened. Anonymous visitors are tracked cookielessly: PostHog sets no persistent browser identifier, and events are stitched together only once you sign in. Session replay is enabled and masks all form inputs by default. We do not use PostHog for advertising, cross-site tracking, or to train third-party models. Data is sent to the PostHog cloud region matching your account configuration; you can email hello@scopeful.org to request data deletion or to opt out of PostHog session replay and autocapture.

c) Theme preference

If you change the light/dark toggle, your choice is saved in your browser’s local storage under the key theme. This value stays on your device and is never transmitted to us.

d) Outbound affiliate clicks

Some outbound links to third-party tools (for example Freepik, Runway, or Midjourney) carry an affiliate tracking parameter. When you click one, the destination vendor may record the referral on their own systems. We may later receive aggregate click or conversion counts from that vendor, but we do not receive information that identifies you personally.

e) Newsletter subscription

If you choose to subscribe to the Scopeful Dispatch, you provide your email address. New subscribers are added to all three editorial lists (Deals, Models, Blog) by default; per-list preferences are managed in the Loops-hosted Preference Center linked from every email. This data is sent to our newsletter provider, Loops (Loops Technology Inc.), which stores your email and preferences, handles delivery, and provides unsubscribe functionality. We do not store subscriber data on our own servers.

f) Account data (when you sign in)

You can create an account by completing a one-time-code email flow or by signing in with Google. We store, in our database hosted by Supabase:

  • Your email address, and (if you signed in with Google) your display name and avatar URL returned by Google.
  • A signup_source attribution tag identifying which page or skill you signed up from (for example skill:higgsfield-mcp). This is first-touch only, never overwritten on later sign-ins, and is used to understand which surfaces drive accounts.
  • A welcomed_at timestamp recording whether we have already sent you the first-sign-in welcome email.

Sign-in sets a Supabase session cookie on your browser so that you stay signed in across pages (see Section 8). You can sign out at any time from the account menu; you can delete the account entirely by emailing hello@scopeful.org.

g) Scopeful Pro subscription data

If you subscribe to Scopeful Pro, our payment processor Creem handles checkout, card processing, billing, renewals, invoices, the customer portal, and any tax collection. We never see or store your card number, CVV, or full billing address. Creem returns to us only the identifiers and status we need to grant you access:

  • Creem customer ID and subscription ID
  • Subscription status (active, canceled, past_due, etc.) and current billing period end
  • The email used at checkout (matched to your Scopeful account)

Creem may also send you transactional billing communications directly (receipts, payment-failure notices, abandoned-checkout reminders) under its own privacy policy.

h) Personal library, skill downloads, and notifications

When signed in, you can save skills, workflows, collections, and posts to a personal library. We store the item type and ID alongside your user ID. We also record an event row each time you successfully install or download a skill (skill ID, delivery method, and timestamp) so we can show usage analytics on Pro content. Notifications surfaced inside your account include a read/unread flag.

i) MCP API key usage

If you generate an API key for the Scopeful MCP endpoint, we store a SHA-256 hash of the key (never the raw key after the moment of creation), a short non-secret prefix to help you identify the key in your account, an optional name you choose, and an active/revoked flag. Each call made with the key writes a row to our usage log containing the tool name invoked, the call duration, success/error status, and an optional error message. We use these logs to enforce daily rate limits (currently 100 calls/month for free, 3,000 calls/month for Pro), to detect abuse, and to show you your own usage history.

j) Rate limiting

We use Upstash Redis to enforce sliding-window rate limits on a small number of API routes. The limiter sees your IP address (for unauthenticated routes) or your user ID (for authenticated routes) and a request count. No request bodies are stored.

k) Agent, prompts, uploads, generated artifacts, and provider keys

If you use Scopeful’s agent or creative-generation features, we process the information needed to run those features. This may include prompts, chat messages, conversation titles, uploaded files or images, generated outputs, selected provider/model settings, workflow steps, execution status, cost estimates, error messages, and timestamps.

Generated artifacts may include images, video, audio, text, metadata, thumbnails, and related files. We store these artifacts so you can view, download, organize, or reuse them in your account. Do not upload or submit sensitive personal information unless the feature specifically asks for it and this Privacy Policy says it is supported.

If you choose to connect your own provider API key, we store the key in encrypted form and use it only to call the provider you selected, validate access, or operate the feature you requested. We do not sell your provider keys. You are responsible for the charges, limits, and terms that apply to your provider account.

To provide these features, we may send prompts, uploads, settings, and related metadata to third-party AI, media-generation, storage, and infrastructure providers selected by us or by you. These providers process the data under their own terms and privacy policies or under our provider agreements where applicable.

What we do not collect

We do not intentionally collect: your card number or CVV (Creem handles those), your precise location, or sensitive categories of personal data under GDPR Art. 9 (health, biometric, genetic, racial, religious, political, union membership, sex life, or sexual orientation data). Because some features accept free-form text, uploads, or prompts, you are responsible for not submitting sensitive information unless we specifically say the feature supports it. If you submit sensitive information anyway, we will process it only as needed to provide the feature, secure the service, comply with law, or delete it at your request where required.

We do not run browser fingerprinting. We do not use your private prompts, uploads, conversations, provider keys, or generated artifacts to train Scopeful-owned machine-learning models. Third-party AI providers may process inputs and outputs according to their own policies. Where provider settings allow, we prefer configurations that restrict training on customer content, but you should not submit information that you are not allowed to share with the selected provider. The Site is not directed to children, and we do not knowingly collect data from anyone under 13 (or the equivalent minimum age under local law, up to 16 in the EEA/UK).

3. Why we process this data (purposes and legal bases)

  • Request logs: security, abuse prevention, and fixing errors. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
  • Vercel Analytics: understanding aggregate traffic and content usage so we know which pages are useful. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).
  • Theme preference: honoring your UI choice. Not personal data; stored only on your device.
  • Affiliate referrals: operating part of the Site’s revenue model so the reference content remains free to read. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). You can avoid this entirely by visiting vendors directly rather than through our links.
  • Replying to your email: we use the address to respond. Legal basis: legitimate interest, or performance of pre-contractual steps at your request.
  • Newsletter: sending the Scopeful Dispatch to subscribers who have opted in. Legal basis: consent (GDPR Art. 6(1)(a)), which you provide when you submit the signup form. You can withdraw consent at any time by clicking the unsubscribe link in any email.
  • Accounts (sign-in, session): letting you sign in and stay signed in across pages, and powering features that only make sense with an identity attached (library, skill downloads, MCP keys). Legal basis: performance of a contract (GDPR Art. 6(1)(b)) when you are a Pro subscriber, otherwise legitimate interest (Art. 6(1)(f)).
  • Sign-up attribution (signup_source): understanding which surfaces (tool pages, skill pages, landing) drive new accounts so we can improve the product. Legal basis: legitimate interest (Art. 6(1)(f)). Stored first-touch only and never used to send you marketing.
  • Scopeful Pro subscription data: granting and revoking access to paid features, and supporting your billing lifecycle. Legal basis: performance of a contract (Art. 6(1)(b)).
  • Library, skill downloads, notifications: operating the features themselves and producing aggregate analytics on which skills are popular. Legal basis: performance of a contract / legitimate interest (Art. 6(1)(b) and (f)).
  • MCP API keys and usage logs: authenticating requests, enforcing daily rate limits, detecting abuse, and showing you your own usage. Legal basis: performance of a contract and legitimate interest (Art. 6(1)(b) and (f)).
  • Rate limiting (Upstash): protecting the Site and API from abuse. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Agent features: processing prompts, conversation history, uploads, provider keys, settings, execution logs, and generated artifacts to provide the features you requested. Legal basis: performance of a contract when you use those features (Art. 6(1)(b)), legitimate interests for security, debugging, abuse prevention, and service improvement (Art. 6(1)(f)), and consent where a feature specifically asks for optional consent.
  • Service emails: we send non-marketing service emails needed to operate your account, such as OTP codes, security notices, receipts, payment-failure notices, subscription status, account changes, and requested support responses. Legal basis: legitimate interest for account-security and service messages (Art. 6(1)(f)), or performance of a contract when you are a subscriber (Art. 6(1)(b)).
  • Marketing emails: if you have opted in to marketing, we send product updates, tips, deals, model releases, blog posts, offers, and other Scopeful marketing messages through Loops. Legal basis: consent (Art. 6(1)(a)), except where applicable law permits limited existing-customer soft opt-in messages. You can withdraw consent at any time by clicking unsubscribe or using the Loops Preference Center linked in every email. We do not rely on pre-checked boxes for marketing consent.

For visitors who never sign in, the impact of this processing is minimal: no persistent identifiers or tracking cookies are set, and we never receive your raw IP through the analytics product. For signed-in users, the additional processing is limited to what is needed to operate the features you use.

4. Who we share data with

  • Vercel Inc.: our hosting and analytics processor (United States). Processes request logs and aggregated analytics on our behalf under a data processing agreement.
  • Supabase Inc.: our database and authentication provider (United States). Stores account records (email, display name, avatar URL, signup attribution, welcome-email stamp), Pro subscription state, library bookmarks, skill download events, MCP key hashes and usage logs, and runs the email one-time-code and Google OAuth sign-in flows. Acts as a data processor under its DPA.
  • Google LLC: OAuth identity provider for “Continue with Google”. If you choose this method, Google handles your authentication and returns your email, display name, and avatar URL to us. Google’s use of your data is governed by its own privacy policy.
  • Loops (Loops Technology Inc.): our newsletter and transactional email provider (United States). Stores subscriber email addresses and list preferences, delivers the Scopeful Dispatch, handles unsubscribes, and sends our transactional welcome / Pro-welcome / cancellation win-back emails. Loops acts as a data processor under its data processing agreement.
  • Creem: our Merchant of Record and payment processor. If you subscribe to Scopeful Pro, your email and billing details are processed by Creem to handle payment, subscription lifecycle, invoices, the customer portal, and abandoned-cart recovery emails. We never see or store your payment card details. Creem operates under its own terms and privacy policy. For clarity: Creem is a separate company from Supering Technology LLC (the Site operator).
  • Upstash, Inc.: our rate-limit provider (United States). Stores short-lived counters keyed by IP address or user ID. No request bodies or content are sent.
  • Cloudflare, Inc.: stores and delivers uploaded files, generated artifacts, and related media assets through Cloudflare R2 and related infrastructure where used (United States).
  • AI and media-generation providers: when you use agent or generation features, we may send prompts, uploads, settings, and metadata to providers such as Alibaba Cloud/DashScope/Qwen, Replicate, Together, fal, Leonardo, OpenAI, Anthropic, Google, or other providers identified in the product. The exact provider depends on the model or integration you select. These providers process the data under their own terms and privacy policies or under our provider agreements where applicable.
  • Affiliate vendors: when you click an outbound affiliate link, the destination site processes your visit under its own privacy policy.
  • Legal requests: we will disclose information if required by a valid legal process or to defend our rights. We require valid legal process (such as a subpoena, court order, or warrant) before disclosing user information to law enforcement or government agencies, except in emergencies involving imminent harm. Where permitted by law, we will notify affected users before disclosure.
  • Business transfers: if Scopeful or Supering Technology LLC is involved in a merger, acquisition, reorganization, asset sale, or similar transaction, user information may be transferred as part of that transaction. We will notify you before your information is transferred and becomes subject to a different privacy policy.

We do not sell personal information. We do not“share” personal information for cross-context behavioral advertising as defined under the CCPA/CPRA. We do not use visitor data to train machine-learning models.

5. International data transfers

Our company is based in the United States, and many of our infrastructure, authentication, email, payment, analytics, storage, and AI-service providers are based in or process data from the United States and other countries. If you access Scopeful from outside the United States, your information may be transferred to and processed in countries that may not provide the same level of data protection as your home country.

Where required, we rely on appropriate transfer safeguards such as Standard Contractual Clauses, the UK International Data Transfer Addendum or equivalent UK transfer mechanism, Data Privacy Framework certification where available, provider data-processing agreements, and other lawful transfer tools. Some third-party services you choose to connect, such as your own AI provider account, may process data under their own terms and transfer mechanisms.

6. How long we keep data

  • Request logs: short-term rolling retention by our hosting provider (typically under 30 days).
  • Analytics: stored in aggregated form without individual identifiers; retained per Vercel’s default analytics retention.
  • Emails you send us: kept in our inbox until no longer needed for the correspondence, typically up to 24 months.
  • Newsletter subscriptions: retained by Loops until you unsubscribe. When you unsubscribe, Loops retains your email on a suppression list so you are not re-added accidentally. You can request full deletion by emailing hello@scopeful.org.
  • Account data: retained for as long as your account exists. Email hello@scopeful.org to delete your account; we will delete the profile, library, MCP keys, and notification rows. Subscription records, billing history, and skill download events may be retained for up to seven years where needed for tax, accounting, or fraud-prevention purposes.
  • MCP usage logs: retained for 90 days for rate limiting, abuse detection, and your own usage history, then aggregated or deleted.
  • Agent conversations, prompts, uploads, generated artifacts, and memory: kept while your account exists or until you delete them through the product if deletion controls are available. Provider API keys are kept until you revoke them, replace them, or delete your account. Execution logs, cost records, abuse-prevention records, and billing-support records may be retained for a limited period after deletion where needed for security, accounting, dispute handling, or legal compliance.
  • Webhook delivery records: retained indefinitely as an idempotency ledger for payment webhooks. These rows contain a provider event ID and event type only, no customer data.

7. Your rights

Regardless of where you are, you can email hello@scopeful.org to ask what we hold about you, ask us to correct or delete it, object to our use of it, or ask for a copy in a portable format.

EU / UK / Swiss residents (GDPR, UK-GDPR, FADP)

In addition, you have the right to:

  • Restrict processing in certain circumstances (Art. 18 GDPR).
  • Not be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects (Art. 22). We do not carry out such processing. AI-generated pricing recommendations, search results, and content suggestions are informational tools, not legally binding decisions.
  • Lodge a complaint with your local supervisory authority. A list of EEA authorities is available at edpb.europa.eu.

California residents (CCPA/CPRA)

Some privacy laws apply only if a business meets revenue, volume, or activity thresholds. Where a law does not legally apply to Scopeful, we may still honor similar requests voluntarily when feasible. You have the right to:

  • Know the categories of personal information we collect, the sources, the purposes, and the third parties we disclose to. This policy serves as that notice.
  • Request deletion of your personal information.
  • Request correction of inaccurate personal information.
  • Opt out of “sale” or “sharing” of personal information. We do not sell or share personal information, so there is nothing to opt out of.
  • Limit the use of sensitive personal information. We do not intentionally collect sensitive personal information, but some features accept free-form input as described in Section 2.
  • Not be discriminated against for exercising these rights.

We honor the Global Privacy Control browser signal. Because we do not sell or share personal information, enabling GPC produces no additional change in our behavior, but we record receipt of the signal. You may designate an authorized agent to submit requests on your behalf. If you use an authorized agent, we may require written proof of authorization and may verify your identity directly with you.

Other US state residents (VA, CO, CT, UT, TX, OR, and others)

You have substantially similar rights of access, deletion, correction, and opt-out under your state’s comprehensive privacy law. Email us to exercise them. Where your state law provides a right to appeal a denial of your request, you may email us to initiate that appeal and we will respond within the timeframe required by applicable law.

We will respond within the timeframe required by applicable law (usually 30–45 days). We may need to verify your identity by matching information you provide with data we already hold before fulfilling the request.

8. Cookies and similar technologies

We do not set advertising or cross-site tracking cookies on the Site. The Site uses only the following:

  • Supabase session cookies (names beginning with sb-): set only when you sign in, used to keep you signed in across pages. These are strictly necessary for the authentication feature to function and are not used for analytics or advertising. They expire when you sign out or when the session lapses.
  • theme: saved in your browser’s local storage to remember your light/dark preference. Not a cookie and never transmitted to us.

We do not use cookies for visitor analytics. Vercel Web Analytics operates cookielessly and we do not set any first-party analytics cookie of our own. You can clear cookies and local storage through your browser at any time; clearing the Supabase session cookie will sign you out.

9. Do Not Track and Global Privacy Control

We honor the Global Privacy Control(GPC) browser signal as described in Section 7. Some browsers offer a “Do Not Track” (DNT) setting. Because there is no widely accepted standard for how websites should respond to DNT, we do not currently change our behavior based on the DNT signal. We do, however, not sell or share personal information regardless of signal, so no additional opt-out is needed.

10. Security

We rely on our hosting provider’s security controls: TLS encryption in transit, at-rest encryption, and managed infrastructure. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

11. Children

The Site is not directed to children under 13 (or the equivalent minimum age under local law). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, email hello@scopeful.org and we will delete it.

12. Changes to this policy

We will update this policy as the Site evolves. The “Last updated” date at the top reflects the most recent revision. Material changes will be highlighted at the top of this page for 30 days.

13. Contact

Questions, requests, or complaints: hello@scopeful.org

Postal mail:
Supering Technology LLC
5830 E 2nd St, Ste 7000
Casper, Wyoming 82609, USA