1. Status of This Document
This DPA supplements the Scannect Terms of Service and Privacy Policy and applies solely to Scannect's processing of Personal Data on behalf of Customer in connection with the Service. Terms not defined here have the meanings given in the Terms.
2. Definitions
- "Customer" means the entity or individual that has accepted the Terms and uses the Service.
- "Personal Data" means information relating to an identified or identifiable natural person that is included in Customer Data.
- "Processing" means any operation performed on Personal Data.
- "Data Protection Laws" means U.S. state privacy laws (including VCDPA), and other applicable data-protection or privacy laws.
- "Subprocessor" means a third party engaged by Scannect to process Personal Data on Customer's behalf.
3. Roles
For Personal Data included in Customer Data, Customer acts as the controller / business, and Scannect acts as the processor / service provider. Each party is independently responsible for its own compliance with applicable Data Protection Laws.
4. Documented Instructions
Scannect will Process Personal Data only on Customer's documented instructions, which include the Terms, this DPA, Customer's use of Service features, and Customer's written requests, except where otherwise required by law. Scannect will inform Customer if, in its opinion, an instruction violates applicable Data Protection Laws, unless prohibited from doing so.
5. Confidentiality
Scannect will ensure that persons authorized to Process Personal Data on Customer's behalf are subject to appropriate written confidentiality obligations or are under an equivalent statutory duty of confidentiality.
6. Security Safeguards
Scannect implements and maintains reasonable and appropriate administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. Current practices are described on the Security page.
7. Subprocessors
Customer provides general authorization for Scannect to engage Subprocessors to Process Personal Data, provided that Scannect (a) enters into written contracts with each Subprocessor imposing data-protection obligations no less protective than this DPA in substance, and (b) remains liable for its Subprocessors' acts and omissions in the performance of their subprocessing obligations. The current categories of Subprocessors are listed in Schedule B.
8. Privacy Requests
Taking into account the nature of the Processing, Scannect will provide reasonable assistance, through appropriate technical and organizational measures, to help Customer respond to requests from data subjects to exercise their rights under applicable Data Protection Laws. Scannect will forward to Customer any data-subject request it receives directly and relating to Customer's Personal Data, and will not respond to that request except on Customer's instructions or as required by law.
9. Incident Cooperation
Scannect will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data, and will provide information reasonably available to Scannect to help Customer meet its obligations to notify regulators or affected individuals.
10. Return & Deletion
Upon termination of the Service or Customer's written request, Scannect will, within a reasonable period, delete or make available for export the Personal Data it processes on behalf of Customer, subject to the retention behavior described on the Data Retention page and to legal, backup, and security exceptions.
11. Audit Information
Scannect will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, which may include written responses to reasonable security questionnaires. On-site audits are not offered as a matter of course and, where required by law, will be arranged on mutually agreed terms with reasonable notice, at Customer's expense, and subject to appropriate confidentiality protections.
12. International Transfers
The Service is operated from the United States. Where Personal Data originates from a jurisdiction that restricts cross-border transfers, the parties will cooperate in good faith to implement a lawful transfer mechanism where applicable.
13. Order of Precedence
In the event of any conflict between this DPA and the Terms with respect to the Processing of Personal Data on Customer's behalf, this DPA controls solely to the extent of the conflict.
Schedule A: Processing Description
Nature and purpose of Processing: providing the Scannect field-sales CRM Service, including account and workspace management, business-card scanning, contact and office management, visit logging, task and pipeline tracking, AI-assisted extraction and drafting, connected email sending when configured, support, security, and billing when activated.
Duration: for the term of Customer's use of the Service, plus limited additional periods for backups, legal, security, and audit purposes as described on the Data Retention page.
Categories of data subjects: Customer's authorized users; the professional business contacts Customer chooses to add or scan.
Categories of Personal Data:
- user and account data (name, work email, hashed authentication credentials, sender identity, business profile, signature, logo, workspace name);
- professional contacts (name, title, company, work contact details, notes);
- business-card images uploaded by users;
- offices, visits, tasks, and pipeline records;
- email templates and drafts;
- support communications;
- AI-assisted scan and draft inputs and outputs;
- integration metadata for connected email accounts (e.g., Gmail, Outlook) when Customer connects them;
- technical logs, usage metering, and diagnostic events.
Explicitly excluded: patient records, protected health information (PHI), diagnoses, treatment or prescription information, laboratory or test results, medical images, insurance or claims data, and any other patient-identifying medical data. See the Terms.
Schedule B: Subprocessor Categories
The following categories describe Subprocessors currently engaged. Legal entity names and locations are omitted here; Customer may request the current entity-level list by contacting support@myscannect.com.
- Managed backend platform (Supabase). Database, authentication, and object storage for the Service.
- Lovable infrastructure and AI Gateway. Application hosting and AI request routing.
- Google AI model processing. Underlying AI model inference for card extraction and drafting, accessed through the AI Gateway.
- Gmail or Microsoft Outlook. Only when Customer connects a mailbox to send email from the Service.
- Payment processing. Only when paid subscriptions are activated for Customer.
