The short version

This policy explains what data Scoutmon collects, why we collect it, and how we keep it safe. We do not sell your data to anyone, ever.

1. Who we are

Scoutmon is an IT asset management platform operated by Scoutmon ("we", "us", "our"). Our service is available at scoutmon.com.

For privacy enquiries, contact us at [email protected].

2. What data we collect

Account data

When you create an account or are invited to a company workspace, we collect:

  • Your name and email address
  • Your company or organisation name
  • Your password (stored as a bcrypt hash — we never store plaintext passwords)
  • Your role and permissions within your organisation

Asset and inventory data

The core purpose of Scoutmon is to store asset records you create. This may include:

  • Asset names, descriptions, serial numbers, and purchase details
  • Location, assignment, and status information
  • Vendor and contract records you add
  • Audit history and activity logs tied to your account

Sensitive fields (such as serial numbers and notes) may be encrypted at rest at your request.

Usage data

We collect basic server-side logs including:

  • IP address and browser type (for security and rate-limiting purposes)
  • Pages visited and actions taken within the application
  • Login timestamps and session duration

3. How we use your data

We use the data we collect solely to provide and improve the Scoutmon service:

  • To operate the service — storing and retrieving your asset records, managing user accounts, and sending transactional emails such as invitations and password resets.
  • To send notifications — alerting you to warranty expirations, licence capacity issues, and overdue vendor audits as configured in your account.
  • To ensure security — detecting and preventing abuse, rate-limiting login attempts, and maintaining audit logs.
  • To improve the product — understanding usage patterns to prioritise features and fix issues.

We do not use your data for advertising, and we do not build profiles of your users for any purpose other than providing the service you signed up for.

4. Data sharing

We do not sell, rent, or trade your personal data. We share data only in limited circumstances:

  • Service providers — we use Railway (infrastructure), PostgreSQL via Railway (database), and Resend (transactional email). These providers process data only as necessary to deliver the service and are bound by data processing agreements.
  • Legal obligations — if required by law, court order, or to protect the rights and safety of Scoutmon or others.
  • Business transfers — if Scoutmon is acquired or merged, your data may transfer as part of that transaction. We will notify you before this occurs.

5. Data storage & security

Your data is stored in a PostgreSQL database hosted on Railway's infrastructure. We implement the following security measures:

  • Passwords hashed with bcrypt
  • Session tokens stored server-side with expiry
  • HTTPS enforced for all connections
  • HTTP security headers (Content Security Policy, HSTS, etc.) via Helmet
  • Rate limiting on all authentication and write endpoints
  • Multi-tenant data isolation — each company's data is fully separated

Security incidents

No system is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].

6. Data retention

We retain your data for as long as your account is active. If you close your account:

  • Your asset and company data will be deleted within 30 days of account closure
  • Server logs may be retained for up to 90 days for security purposes
  • Backups may retain data for up to 30 additional days before purging

7. Your rights

Depending on your location, you may have rights regarding your personal data, including:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your personal data
  • Portability — export your asset data at any time via CSV export within the application
  • Objection — object to certain types of processing

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies

Scoutmon uses a single session cookie (token) to maintain your authenticated session. This cookie is:

  • HTTP-only (not accessible to JavaScript)
  • Secure (only sent over HTTPS in production)
  • Set with SameSite=Strict to prevent cross-site request forgery

We do not use advertising cookies, analytics cookies, or any third-party tracking scripts.

9. Changes to this policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify account holders via email at least 14 days before the change takes effect.

10. Contact us

For any questions about this privacy policy or how we handle your data: