Compliance & Data Security
Information for enterprise buyers, procurement teams, and Data Protection Officers reviewing UltraScout AI.
Last updated: April 2026
Overview
UltraScout AI is a London-based SaaS platform. We take data privacy and security seriously — both as a regulatory obligation and as a matter of principle. This page summarises our compliance posture for enterprise buyers, procurement teams, and Data Protection Officers.
For our full legal documents: Privacy Policy · Terms of Service · Cookie Policy
GDPR & UK GDPR
UltraScout AI processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU 2016/679), and the Data Protection Act 2018.
- Legal basis for processing: Contract performance, legitimate interests, and consent where applicable
- Data Subject Rights: We support all data subject rights — access, rectification, erasure, portability, restriction, and objection. Requests can be submitted to [email protected]
- Data Protection Officer: Available on request for enterprise customers
- Data Processing Agreement (DPA): Available on request — contact [email protected]
- International transfers: Where data is transferred outside the UK/EU, we use Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms
Data We Process
Platform data
When you use UltraScout AI's platform, we process:
- Account information (name, email, organisation)
- Query data you submit for AI visibility analysis
- Brand and competitor names you configure for tracking
- Usage and activity logs
- Payment information (processed by Stripe — we do not store card details)
What we do not process
- Your end customers' personal data
- Sensitive personal data (health, financial, biometric)
- Data from your own databases or CRM systems
Sub-Processors
We use a limited number of sub-processors. We conduct due diligence on each and maintain Data Processing Agreements with all sub-processors who handle personal data.
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Google Cloud Platform | Infrastructure and compute | EU / UK |
| Stripe | Payment processing | EU / UK |
| Google Analytics | Website analytics (anonymised) | EU |
| Cloudflare | CDN and DDoS protection | Global edge / EU primary |
| OpenAI / Anthropic / Google | AI query processing (no personal data sent) | US (API calls only) |
A full sub-processor list is available to enterprise customers on request.
Security Practices
- Encryption in transit: All data transmitted to and from UltraScout AI is encrypted using TLS 1.2+
- Encryption at rest: Data stored in our systems is encrypted at rest
- Access controls: Role-based access control (RBAC) within the platform; least-privilege principle for internal systems
- Authentication: Multi-factor authentication available for all accounts; SSO available on Enterprise plans
- Penetration testing: Conducted annually by independent third parties
- Incident response: Documented incident response plan; breach notification within 72 hours of discovery in line with UK GDPR Article 33
- Employee training: All staff receive data protection training on joining and annually thereafter
Data Retention
- Active accounts: Data retained for the duration of the contract
- Post-termination: Account data deleted within 30 days of contract end unless a longer retention period is required by law
- Backups: Backup data purged within 90 days of contract end
- Logs: Security and access logs retained for 12 months
Enterprise Features
Enterprise plan customers have access to additional compliance and security capabilities:
- Single Sign-On (SSO) via SAML 2.0
- Role-Based Access Control (RBAC) with custom roles
- Audit logs for all user actions
- Custom data retention configuration
- Dedicated Data Processing Agreement
- Named Data Protection Officer contact
- Security review calls with our engineering team
See Enterprise AI Optimization or Platform Enterprise for more.
AI Data Handling
UltraScout AI submits queries to AI platforms (ChatGPT, Gemini, Claude, Perplexity, Copilot) as part of its core AI visibility tracking function. These queries contain brand names and market terms — not personal data. We do not send personal data about your customers to AI platforms.
AI platform API usage is governed by each platform's own terms of service. We use API access (not consumer interfaces) where available, which provides stronger data protection guarantees.
Compliance Enquiries
Privacy & Data Protection: [email protected]
Legal & DPA requests: [email protected]
Security issues: [email protected]
General enquiries: Contact form
UltraScout AI Ltd · London, United Kingdom