Privacy Policy

Scout IP · Scout IP S.r.l.
Effective Date: May 2026
Platform: scoutip.it

This Privacy Policy explains what personal data Scout IP collects, why, how we protect it, and what rights you have. We are committed to being transparent and straightforward - this document describes what actually happens on the platform, not generic boilerplate. We are bound by the EU General Data Protection Regulation (GDPR) and applicable Italian data protection law (D.Lgs. 196/2003 as amended).

1. Data Controller

The data controller responsible for your personal data is:

Scout IP S.r.l.
Via Sile n. 41, 31056 Roncade (TV), Italy
Email: scoutip.info@gmail.com
Website: scoutip.it

Scout IP S.r.l. is registered as an Innovative Start-up (Startup Innovativa) under Italian law (D.L. 179/2012). For any privacy-related matters, please contact us at scoutip.info@gmail.com. Based on the nature and scale of our processing activities, we are not legally required to appoint a formal Data Protection Officer (DPO). All privacy inquiries are managed directly by our privacy team.

2. What Data We Collect

2.1 Account data

When you register, we collect:

  • Email address - used as your login identifier and for service communications.
  • Password - stored as a one-way cryptographic hash (bcrypt). We never store or see your plaintext password.
  • Role - the professional role you select at registration (investor, researcher, or lawyer). This determines your access level within the platform.
  • Organisation ID - if you are part of a team or organisation account (optional).

Providing your email, password, and role is a mandatory contractual requirement to create an account and use the platform. Without this data, we cannot provide our services to you. All other fields are optional.

2.2 Idea text - your search input

The most sensitive data you provide is your idea text: the description of the technology or invention you want to analyse. We treat this with particular care.

You have a choice about how this is handled:

  • Cloud Mode (default): Your idea text is encrypted in our database using AES-256-GCM encryption, with a per-user encryption key (DEK) that is itself encrypted with a master key. Your idea text is also sent to Google Gemini (our AI provider) to generate your analysis - see Section 4.
  • Local Mode: Your idea text is never written to our database. It is held temporarily in an in-memory cache (Redis) with a maximum lifetime of 2 hours, used only to complete your analysis, and then discarded. In Local Mode, your idea text is still sent to Google Gemini for processing.

You can change your privacy mode at any time in your account settings.

2.3 Search and analysis data

When you run a patent search, we store:

  • The patent results returned by the EPO database (patent numbers, titles, assignees, publication dates, CPC codes, abstracts) - these are public data from EPO OPS.
  • The AI-generated report and threat level for your search - stored linked to your account.
  • Search job metadata: status, timestamps, processing steps, and performance metrics.

2.4 Technical and security data

For security, fraud prevention, and service operation, we automatically collect:

  • IP address - recorded at login, registration, and failed login attempts.
  • User agent - your browser or client type, recorded at the same events.
  • Audit log entries - a record of actions taken on the platform (e.g. search initiated, job completed), linked to your account. We do not log the content of your searches in audit logs - only the action type.
  • Authentication events - every successful login, failed login, and registration is logged with timestamp, IP address, user agent, and, for failed logins, the reason (wrong password, user not found, inactive account).

2.5 Data we do not collect

  • We do not use tracking cookies or third-party analytics (e.g. Google Analytics).
  • We do not collect payment information. There is no payment system in the current pilot.
  • We do not collect any sensitive personal data (health data, financial data, national identity numbers, etc.).
  • We do not collect data from social media accounts or third-party login providers.

3. Why We Collect Your Data - Legal Bases

Under GDPR, we must have a legal basis for each type of processing. Here is a plain-language breakdown:

  • Account data (email, password, role): necessary to perform the contract with you - i.e. to provide you with access to the platform (Art. 6(1)(b) GDPR).
  • Idea text and analysis outputs: necessary to perform the contract - you submit idea text in order to receive the analysis service (Art. 6(1)(b) GDPR).
  • IP address, user agent, authentication events, and audit logs: our legitimate interest in maintaining security, preventing misuse and fraud, and debugging service issues (Art. 6(1)(f) GDPR). This interest does not override your rights - we do not use this data for profiling or marketing.
  • Service communications: necessary to perform the contract, or our legitimate interest in keeping you informed about material changes (Art. 6(1)(b) and 6(1)(f) GDPR).
  • Marketing communications: We currently do not send promotional marketing emails. If we introduce them in the future, we will only do so with your explicit prior consent (Art. 6(1)(a) GDPR), which you can withdraw at any time.

3.1 No Automated Decision-Making

Because our platform is AI-driven, we want to be absolutely clear: we do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects concerning you (as defined in Art. 22 GDPR). Our AI operates purely as an analytical tool to evaluate the idea texts you submit and assist you in your research, not to make judgments about you as an individual.

4. Third-Party Processors

We use the following third-party services to operate Scout IP. All are engaged under appropriate data processing agreements.

Third Party | Purpose | Data Shared | Location
Google LLC (Cloud Vertex AI) | AI processing of idea text to generate reports | Your idea text | USA (EU SCCs apply; ZDR agreement)
EPO (European Patent Office) | Patent database search | Search queries (CPC codes). No personal data. | EU
Railway (railway.app) | Cloud infrastructure and application hosting | All application data as processed on server | EU (Amsterdam, NL)
PostgreSQL database | Persistent storage of account data, jobs, reports | All structured data described in Section 2 | EU (Amsterdam, NL)
Redis | Temporary in-memory storage for Local Mode | Idea text (Local Mode, TTL 2h); job metadata | EU (Amsterdam, NL)

Regarding Google Cloud Vertex AI: your idea text is sent to Google's enterprise API to generate your analysis. We operate under a Google Cloud Data Processing Addendum that includes a Zero Data Retention (ZDR) agreement - a legally binding contractual obligation under which Google permanently deletes your idea text immediately after returning the analysis response. Your data is never logged, retained, or used to train any model by Google. EU Standard Contractual Clauses apply for the transfer to Google's US infrastructure.

All other infrastructure runs within the European Union. Your data does not leave the EU except when sent to Google Vertex AI for analysis processing, as described above. We do not sell your data to any third party, ever.

Business Transfers:
If Scout IP S.r.l. is involved in a merger, acquisition, restructuring, or sale of all or a portion of its assets, your personal data may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our platform of any such change in ownership and outline your choices regarding your personal data.

5. International Data Transfers

Scout IP's infrastructure is hosted entirely within the European Union (Railway, Amsterdam, Netherlands). The only transfer of personal data outside the EU occurs when your idea text is sent to Google Cloud Vertex AI for analysis processing. Google is based in the United States.

For this transfer, we rely on: (a) EU Standard Contractual Clauses (SCCs) approved by the European Commission; and (b) a Zero Data Retention agreement with Google, under which your idea text is permanently deleted by Google immediately after the analysis response is returned and is never stored, logged, or used beyond that single processing operation. If you would like more information about the safeguards in place for this transfer, please contact us at scoutip.info@gmail.com.

6. How Long We Keep Your Data

We keep your data only as long as needed for the purpose it was collected, or as required by law.

  • Account data: retained for the duration of your account. If you request deletion, we will permanently delete your account data within 30 days of receiving your request.
  • Search jobs and reports: retained until you delete them using the platform's history deletion feature, or for up to 24 months after your last active use of the platform, whichever comes first. You can soft-delete individual jobs or your entire history at any time from your dashboard; the data is then permanently removed within 30 days.
  • Security and authentication logs: retained for 12 months from the date of the event, then permanently deleted. This retention period is justified by our legitimate interest in security and fraud prevention.
  • Idea text in Local Mode: maximum 2 hours in Redis, then automatically discarded.
  • Idea text in Cloud Mode (encrypted): retained with your job data, subject to the same retention period as search jobs above. Deleted upon your request or at retention expiry.

When you request deletion of your account or data, we process the request within 30 days. Data is first flagged as deleted (making it inaccessible to you and to Scout IP), then permanently and irreversibly removed within that 30-day window.

7. Your Rights Under GDPR

As a person whose data we process, you have the following rights:

  • Right of access (Art. 15): you can request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): you can ask us to correct inaccurate data.
  • Right to erasure (Art. 17): you can request deletion of your personal data where there is no overriding legitimate reason to retain it.
  • Right to restriction of processing (Art. 18): you can ask us to restrict processing in certain circumstances.
  • Right to data portability (Art. 20): you can request your data in a structured, machine-readable format.
  • Right to object (Art. 21): you can object to processing based on our legitimate interests.
  • Right to withdraw consent: where we rely on consent as a legal basis, you can withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at scoutip.info@gmail.com. We will respond within 30 days. We will not charge you for legitimate requests. We may ask you to verify your identity before fulfilling a request.

You also have the right to lodge a complaint with the Italian data protection authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it) or the supervisory authority in your EU country of residence.

8. How We Protect Your Data

We take the security of your data seriously and have implemented technical measures proportionate to our current scale:

  • Passwords are hashed using bcrypt - never stored in plaintext.
  • JWT tokens are used for session authentication with configurable expiry.
  • Idea texts in Cloud Mode are encrypted using AES-256-GCM with per-user data encryption keys (DEKs), themselves encrypted by a master key. This means that even a database breach does not expose your idea texts in readable form.
  • All connections to the platform use HTTPS/TLS encryption in transit.
  • Access to the platform is invite-code gated during the pilot phase.
  • All authentication events are logged for security monitoring.

Data Breach Notification:
No security system is perfect. In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay, in compliance with GDPR obligations. If you discover a security issue, please report it responsibly to scoutip.info@gmail.com.

9. Public Report Sharing

Scout IP allows you to generate a shareable public link for any of your reports. If you activate this feature:

  • The report becomes accessible to anyone with the link, without requiring a login.
  • The link contains a unique, unguessable token. There is no central directory of shared reports.
  • You can revoke the public link at any time by disabling sharing for that report.

Public report links do not expose your account details, email address, or idea text - only the report content (patent analysis, threat level, prior art list).

10. Cookies and Local Storage

Scout IP does not use tracking cookies or advertising cookies. We do not use third-party analytics tools. The platform uses localStorage in your browser to store your authentication token (JWT). This is a technical necessity to maintain your login session. It is not used for tracking or cross-site profiling. If you clear your browser storage, you will be logged out.

11. Minimum Age

Scout IP is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy as our platform evolves. When we make material changes, we will notify you by email or by a notice on the platform before the changes take effect. The date at the top of this document indicates when it was last updated.

13. Contact

For any privacy questions, data subject requests, or concerns:

Scout IP S.r.l.
Via Sile n. 41, 31056 Roncade (TV), Italy
Email: scoutip.info@gmail.com
Website: scoutip.it

We aim to respond to all privacy enquiries within 5 business days, and will always respond within 30 days as required by GDPR.