Privacy Policy
Last updated: 9 March 2026
1. Who we are
Overscope is a product of Offeryn Ltd (“Overscope”, “we”, “us”), a company registered in England and Wales. We are the data controller for the personal data we process through the Overscope platform at overscope.co.uk.
Contact: support@overscope.co.uk
2. What data we collect
| Category | Data | Lawful basis |
|---|---|---|
| Account | Name, email address, organisation name | Contract (Art. 6(1)(b)) |
| Billing | Processed by Stripe — we never store card data | Contract |
| Documents | SOW files you upload for analysis | Contract |
| Integration data | Jira / Asana / Monday.com tickets synced by you | Contract |
| Usage analytics | Anonymised feature usage (PostHog) | Consent |
| Technical | IP address, browser type (via server logs) | Legitimate interest |
3. How we use your data
- To provide and improve the Overscope service
- To analyse SOW documents using AI (OpenAI GPT-4o — see Section 4)
- To detect scope creep by comparing your project signals against your scope model
- To generate change order drafts
- To send you service-related notifications
- To respond to support requests
4. AI data processing
We use OpenAI's GPT-4o model to analyse your documents and project data. OpenAI processes this data under their Enterprise Privacy terms:
- Your data is not used to train OpenAI's models
- Data is processed in the US under UK International Data Transfer Agreements (IDTAs)
- Data is not retained by OpenAI after processing (zero data retention API policy)
5. Data sharing & sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting | US (IDTA) |
| Neon | Database hosting | US (IDTA) |
| AWS S3 | Document storage | US (IDTA) |
| Clerk | Authentication | US (IDTA) |
| Stripe | Payment processing | US (IDTA, PCI-DSS) |
| OpenAI | AI document analysis | US (IDTA, DPA) |
| PostHog (EU Cloud) | Product analytics | EU (Frankfurt) |
| Resend | Transactional email | US (IDTA) |
6. Data retention
- Account data: Retained while your account is active. Deleted within 30 days of account closure.
- Documents: SOW files are stored in S3-compatible storage. Deleted with your account.
- Audit logs: Retained for 2 years (anonymised after account deletion) per legitimate interest for security auditing.
- Analytics: Anonymised after 90 days.
7. International transfers
Your data is processed by sub-processors in the United States. All US transfers are covered by UK International Data Transfer Agreements (IDTAs) as required by the UK GDPR and the Data Protection Act 2018.
8. Your rights (UK GDPR)
You have the right to:
- Access your personal data (Art. 15) — use Settings → Export Data
- Rectify inaccurate data (Art. 16) — edit your profile in Settings
- Erase your data (Art. 17) — use Settings → Delete Account
- Port your data (Art. 20) — export in machine-readable JSON format
- Object to processing (Art. 21) — contact support@overscope.co.uk
- Restrict processing (Art. 18) — contact support@overscope.co.uk
- Withdraw consent for analytics at any time via cookie settings
We will respond to all data subject requests within 30 days as required by the ICO.
9. Security
- All data encrypted in transit with TLS
- OAuth tokens encrypted at rest with AES-256-GCM before storage
- Database connections enforce SSL in production
- Multi-tenancy isolation verified by automated test suite
- Rate limiting and webhook signature verification on all endpoints
10. Cookies
See our Cookie Policy for details on cookies and similar technologies used on this site.
11. Children
Overscope is a B2B service designed for professional-services teams. We do not knowingly collect data from individuals under 18.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified via email or in-app notification at least 30 days before taking effect.
13. Complaints
If you're not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):