At ScribeArc, privacy isn't an afterthought — it's a core design principle. Here's exactly how we handle your data.
Last updated: May 1, 2026 · Effective: May 1, 2026
AES-256 Encryption · Zero-Trust Architecture · SOC 2 Certified AWS · Full Audit Trails
When you create an account, we collect your name, email address, company name, and role. This information is essential for providing our services and personalizing your experience.
Documents you upload for processing (invoices, receipts, financial statements) are processed by our AI models. We retain extracted data only as long as needed to provide our services and as specified in your data retention preferences.
We collect anonymized usage data including feature interactions, processing volumes, and performance metrics to improve our platform. This data is never tied to individual documents or personal information.
We automatically collect device type, browser version, IP address, and access timestamps. This data helps us maintain security, troubleshoot issues, and optimize performance.
Your data is used to process documents, generate analytics, execute workflows, and deliver the core functionality of ScribeArc. We never use your financial documents to train our base AI models.
Aggregated, anonymized usage patterns help us understand which features deliver the most value, identify performance bottlenecks, and prioritize our product roadmap.
We use your contact information to send service notifications, security alerts, product updates, and — only with your consent — marketing communications. You can opt out of non-essential emails at any time.
We may process data to comply with legal obligations, respond to lawful requests from public authorities, or protect our rights, privacy, safety, or property.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Your documents never traverse unencrypted channels.
Our infrastructure runs on AWS, whose data centers hold SOC 2 Type II certification. We employ multi-region redundancy, automated backups, and disaster recovery protocols. ScribeArc's own SOC 2 Type II audit is targeted for late 2026.
We implement role-based access control (RBAC) and the principle of least privilege. Our team members access customer data only when necessary for support, and that access is covered by full audit trails.
You control your data retention periods. Upon account deletion, we initiate a 30-day grace period followed by permanent, irreversible deletion of all your data from our systems, including backups.
You have the right to request a complete copy of all personal data we hold about you, delivered in a machine-readable format (JSON/CSV) within 30 days of request.
You can update your personal information at any time through your account settings, or request that we correct or delete specific data by contacting our privacy team.
You have the right to restrict processing of your data or object to certain types of processing, including automated decision-making and profiling.
Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
We work with carefully vetted third-party providers (cloud infrastructure, payment processing, analytics) who are contractually bound to protect your data and process it only as instructed.
We never sell, rent, or trade your personal data or document contents to third parties. Your financial documents are your property.
We may disclose data when required by law, subpoena, or court order. We will notify you of such requests unless legally prohibited from doing so.
Our privacy team is here to help. Reach out at support@scribearc.com and we'll respond within 48 hours.