This policy explains what data Scoutmon collects, why we collect it, and how we keep it safe. We do not sell your data to anyone, ever.
1. Who we are
Scoutmon is an IT asset management platform operated by Scoutmon ("we", "us", "our"). Our service is available at scoutmon.com.
For privacy enquiries, contact us at [email protected].
2. What data we collect
Account data
When you create an account or are invited to a company workspace, we collect:
- Your name and email address
- Your company or organisation name
- Your password (stored as a bcrypt hash — we never store plaintext passwords)
- Your role and permissions within your organisation
Asset and inventory data
The core purpose of Scoutmon is to store asset records you create. This may include:
- Asset names, descriptions, serial numbers, and purchase details
- Location, assignment, and status information
- Vendor and contract records you add
- Audit history and activity logs tied to your account
Sensitive fields (such as serial numbers and notes) may be encrypted at rest at your request.
Usage data
We collect basic server-side logs including:
- IP address and browser type (for security and rate-limiting purposes)
- Pages visited and actions taken within the application
- Login timestamps and session duration
3. How we use your data
We use the data we collect solely to provide and improve the Scoutmon service:
- To operate the service — storing and retrieving your asset records, managing user accounts, and sending transactional emails such as invitations and password resets.
- To send notifications — alerting you to warranty expirations, licence capacity issues, and overdue vendor audits as configured in your account.
- To ensure security — detecting and preventing abuse, rate-limiting login attempts, and maintaining audit logs.
- To improve the product — understanding usage patterns to prioritise features and fix issues.
We do not use your data for advertising, and we do not build profiles of your users for any purpose other than providing the service you signed up for.
4. Data sharing
We do not sell, rent, or trade your personal data. We share data only in limited circumstances:
- Service providers — we use Railway (infrastructure), PostgreSQL via Railway (database), and Resend (transactional email). These providers process data only as necessary to deliver the service and are bound by data processing agreements.
- Legal obligations — if required by law, court order, or to protect the rights and safety of Scoutmon or others.
- Business transfers — if Scoutmon is acquired or merged, your data may transfer as part of that transaction. We will notify you before this occurs.
5. Data storage & security
Your data is stored in a PostgreSQL database hosted on Railway's infrastructure. We implement the following security measures:
- Passwords hashed with bcrypt
- Session tokens stored server-side with expiry
- HTTPS enforced for all connections
- HTTP security headers (Content Security Policy, HSTS, etc.) via Helmet
- Rate limiting on all authentication and write endpoints
- Multi-tenant data isolation — each company's data is fully separated
No system is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].
6. Data retention
We retain your data for as long as your account is active. If you close your account:
- Your asset and company data will be deleted within 30 days of account closure
- Server logs may be retained for up to 90 days for security purposes
- Backups may retain data for up to 30 additional days before purging
7. Your rights
Depending on your location, you may have rights regarding your personal data, including:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your personal data
- Portability — export your asset data at any time via CSV export within the application
- Objection — object to certain types of processing
To exercise any of these rights, email [email protected]. We will respond within 30 days.
8. Cookies
Scoutmon uses a single session cookie (token) to maintain your authenticated session. This cookie is:
- HTTP-only (not accessible to JavaScript)
- Secure (only sent over HTTPS in production)
- Set with SameSite=Strict to prevent cross-site request forgery
We do not use advertising cookies, analytics cookies, or any third-party tracking scripts.
9. Changes to this policy
We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify account holders via email at least 14 days before the change takes effect.
For any questions about this privacy policy or how we handle your data: