01Who we are

This Privacy Policy explains how GoScurry FZCO ("Scurry," "we," "us") collects, uses, stores, and protects your personal data when you use Scurry.ai.
Entity: GoScurry FZCO, registered under IFZA, Dubai, UAE.
Data Controller: GoScurry FZCO.

Contact: hello@goscurry.ai

02What data we collect

Account Information

Name, email address, and password (or OAuth identity) when you create an account.
Company name (if provided).
Plan tier and billing history (processed by Paddle — we don't store credit card numbers).

Transcript Data

Meeting transcripts received from your connected tools (Fireflies, or via endpoint from Otter, Gong, Fathom, etc.).
Meeting metadata: title, date/time, duration, participant names/emails, meeting type.
We read the full transcript to generate email sequences. We do NOT record or transcribe your meetings.

Generated Content

AI-generated email sequences, subject lines, and drafts produced by Scurry from your transcripts.

Integration Data

OAuth tokens for connected services (Fireflies, Gmail, Outlook, Pipedrive). We store tokens securely — we never see or store your passwords.
From Pipedrive (if connected): deal stage, contact info, custom fields, deal values — read-only. We do not write back to your CRM unless you configure the Action component to do so.
From Gmail/Outlook: OAuth send access only. We send emails on your behalf through your inbox. We do not read your inbox, search your emails, or access any email content beyond what Scurry generates and sends.

Usage Data

Pages visited, features used, timestamps, Acorn consumption, sequence volume, and other product analytics.
Browser type, device type, IP address, approximate geolocation (country/region level).
Error logs and performance data for debugging.

Cookies

Essential cookies for authentication and session management.
Analytics cookies (only with consent where required by law).
We do not use advertising or tracking cookies. We do not sell or share data with ad networks.

03How we use your data

To provide the Service: Process transcripts, generate email sequences, send emails via your inbox, execute AI Filters, manage Acorn balances, and run your workflows.
To maintain and improve quality: Our team may access transcript content, generated email sequences, and associated metadata when reasonably necessary for troubleshooting, quality assurance, technical support, abuse investigation, or product improvement. This access is limited to authorized personnel, governed by internal access controls, and never used for purposes unrelated to providing or improving the Service.
To communicate with you: Send account notifications, billing updates, product announcements, and support responses.
To comply with law: Respond to legal requests, enforce our Terms, and protect our rights.
To process payments: Paddle (our Merchant of Record) handles billing data. We share necessary identifiers with Paddle to manage your subscription.

04What we don't do

We don't sell your data. Ever. To anyone. For any reason.
We don't share your transcript content with third parties except our AI infrastructure providers, solely for the purpose of generating your sequences. Our AI providers operate under strict data processing agreements — your content is not stored or used for model training by these providers.
We don't use your transcript content to train third-party AI models. Your conversations stay yours. We may use your data internally to improve Scurry's prompts, workflows, and output quality — but we never feed it to external model training pipelines.
We don't record or transcribe your meetings. We only process transcripts your tools deliver to us.
We don't read your inbox. Gmail/Outlook OAuth is scoped to send only.
We don't use your data for advertising. No ads. No profiling. No data broker relationships.

05How we store & protect data

Data is stored on encrypted servers in secure data centers in Germany with Cloudflare CDN for edge delivery.
All data in transit is encrypted via TLS 1.2+. Data at rest is encrypted using AES-256 or equivalent.
OAuth tokens are stored encrypted and are never exposed in logs or to support staff.
Access to production data is restricted to authorized personnel only, with role-based access controls and audit logging.
Internal access: Authorized Scurry personnel may access your data (transcripts, outputs, account details) when reasonably necessary for support, troubleshooting, quality assurance, abuse prevention, or product improvement. Access is logged, role-restricted, and governed by internal security policies.
We conduct regular security reviews and follow industry-standard practices for SaaS security.

06Data retention

Active accounts: Your transcripts, generated sequences, and account data are retained for as long as your account is active.
After account deletion: We delete your personal data, transcripts, and generated content within 90 days of account deletion. Some data may persist in encrypted backups for up to 180 days before being purged.
Anonymized analytics data (no personal identifiers) may be retained indefinitely for product improvement.
Billing records: Retained by Paddle per their legal obligations (typically 7 years for tax compliance). We retain subscription-level records (plan, dates, amounts) for the same period.
Legal holds: If we are legally required to retain data (e.g., court order), we will do so for the minimum period required by law.

07International data transfers

GoScurry FZCO is based in the UAE. Our servers are in Germany. Our AI processing uses third-party infrastructure providers that may be located in various jurisdictions.
If you are in the EEA, UK, or other jurisdiction with data transfer restrictions: your data may be transferred to and processed in countries outside your jurisdiction. We rely on standard contractual clauses and/or the adequacy of the receiving country's data protection framework where applicable.
By using Scurry, you consent to the transfer of your data as described in this section.

08Your rights

Depending on your jurisdiction, you may have the right to:

Access your personal data — request a copy of what we hold.
Correct inaccurate data.
Delete your personal data (right to erasure / "right to be forgotten").
Export your data in a portable format.
Object to or restrict certain processing.
Withdraw consent where processing is based on consent.
Revoke OAuth connections at any time through your third-party provider (Fireflies, Google, Microsoft, Pipedrive) or through Scurry settings.

To exercise any of these rights: Email hello@goscurry.ai — we will respond within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection authority.

09Third-party services

We use the following categories of third-party services:

AI Processing: We use third-party AI infrastructure providers to process transcript content and generate email sequences. These providers operate under data processing agreements with zero-retention policies — your content is processed in real-time and is not stored or used for model training by these providers. We do not disclose which specific AI providers we use.
Payment Processing: Paddle — Merchant of Record for billing, taxes, and invoicing. Paddle has its own Privacy Policy governing payment data.
Hosting: Secure data center infrastructure in Germany.
CDN/Security: Cloudflare — content delivery and DDoS protection.
Integrations: Fireflies, Google (Gmail), Microsoft (Outlook), Pipedrive — connected via OAuth per your instruction.

We select vendors with strong privacy and security practices. Each has their own privacy policy and data handling terms.

10Children

Scurry is a business tool designed for professional use. We do not knowingly collect data from anyone under 18 years of age. If we discover that a child's data has been collected, we will delete it immediately.

11Cookies

Essential cookies: Required for login, session management, and security. Cannot be disabled.
Analytics cookies: Used to understand product usage. Enabled only with consent where required.
No advertising cookies. No third-party trackers. No pixel-based retargeting.
You can manage cookie preferences through your browser settings or through our cookie consent mechanism.

12Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-product notice at least 14 days before they take effect.
Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.

13Governing law

This Privacy Policy is governed by the laws of the International Free Zone Authority (IFZA) and the federal laws of the United Arab Emirates.
For EU/EEA users: where GDPR applies, this Privacy Policy is supplemented by your rights under the General Data Protection Regulation.

Questions about your data?

Our team responds to privacy requests within 30 days. For any concerns about how we handle your information, reach out directly.

hello@goscurry.ai

Your data stays yours.