Last updated: 2026-05-29
Company: Reworks AI Labs AB (“Scape”, “we”, “us”, or “our”)
Service: Scape, an AI-powered email and meeting assistant
Website: https://scape.app
This Privacy Policy explains how Scape collects, uses, discloses, and safeguards your personal data when you use our Service, and outlines your rights and choices. By accessing or using the Service, you agree to the data practices described in this Privacy Policy. This Policy incorporates and is incorporated by reference into our Terms of Service.
Scape is designed for professional users. It is not intended for anyone under the age of 16.
We do not use your email, calendar, or meeting content, or any de-identified data derived from it, to train AI models, and we do not sell your data.
This Privacy Policy is reviewed at least annually to ensure it remains accurate, complete, and compliant with applicable laws and our internal data governance standards.
Changes to this Policy. As our Service evolves, we may update this Privacy Policy from time to time. The “Last updated” date at the top indicates the latest version. For material changes that reduce your rights or expand our processing purposes, we will provide at least thirty (30) days' advance notice by email or in-product banner. Your continued use of the Service after the new Policy takes effect constitutes acceptance of the revised Policy.
“Data Protection Laws” means, collectively, the EU General Data Protection Regulation (GDPR), the UK GDPR, the revised Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and any other applicable national, state, or supranational privacy laws.
“Personal Data” means any information relating to an identifiable person. It includes information referred to as “personal information” under U.S. state privacy laws.
“Processing” means any operation performed on Personal Data.
“Service” means the Scape application, website, desktop app, integrations, and related features.
“User” or “you” means the individual using Scape.
“Controller” and “Processor” have the meanings defined under the GDPR, depending on context.
“Google Workspace Data” means information accessed through OAuth when you connect your Google account to Scape.
“Customer Data” means the content Scape processes on your behalf to provide the Service.
“Usage Data” means information about how you interact with the Service, such as logins, device and browser information, and feature usage.
“De-Identified Data” means data that has been processed so that it can no longer reasonably be linked to an identifiable individual.
We collect only the data needed to provide and improve the Service. This falls into the following categories.
When you create an account or use features of Scape, you provide:
When you connect Scape to your Google account, you explicitly authorize Scape to access:
This access is required for Scape's features to function.
When you use Scape's meeting features, we collect:
All audio recordings are deleted after the transcript is generated. Transcription and all related AI processing are performed entirely within the EU, and our transcription and AI subprocessors operate under zero-data-retention agreements, meaning they do not store your audio, transcripts, or other content after processing your request.
Your emails, calendar, and meetings may contain personal data about other people, including individuals who do not use Scape. We process this information only to provide the Service to you.
We automatically collect operational telemetry that helps us secure and improve the Service. This may include:
Log Data is retained for up to ninety (90) days unless required by law for longer. All email and meeting content is encrypted and separated from analytics data.
To provide search, summarization, and retrieval features, Scape generates derived data from your content, including vector embeddings of email and meeting text. Derived data is treated as Customer Data, hosted in the EU, encrypted in transit and at rest, and deleted when you delete your account.
Payment is processed by Stripe. Stripe collects your voluntarily provided payment-card information necessary to process your payment. We do not store full payment-card numbers. Stripe's use of your information is governed by Stripe's privacy policy.
We treat all of your emails, calendar, and meeting content as confidential and protect it to a high standard (see Section 13, Security).
Separately, certain information is classified as “special-category” or “sensitive” Personal Data under Data Protection Laws, for example data revealing health, biometric identifiers, government identifiers, financial-account numbers, or precise geolocation. Scape is not designed as a system of record for this type of data and does not intentionally process it as such. Any special-category data that incidentally appears in your content is processed only to provide the Service to you, on the same terms as your other content.
You remain responsible for ensuring that your use of the Service, including any recording of meetings, complies with applicable law (see Section 16, Recording Laws).
We collect Personal Data from the following sources:
We process Personal Data to:
To generate AI outputs, relevant content from your emails and meetings is sent to our third-party AI subprocessors. These subprocessors process your content solely to produce your results, entirely within the EU, and under zero-data-retention agreements, meaning they do not store your content or the resulting output after returning it to you. They are contractually prohibited from using your content to train their models, and we do not use your email, calendar, or meeting content to train AI models.
Scape does not send emails or take outbound actions on your behalf automatically. AI-generated drafts and outputs are presented to you for review, and nothing is sent to any recipient unless and until you explicitly choose to send it. You remain in control of every action the Service takes.
We may create De-Identified Data from Personal Data and use it for any lawful business purpose, including analytics and Service improvement. We do not use De-Identified Data or any other data derived from your content to train AI models, and we do not attempt to re-identify De-Identified Data.
If you reside in the EEA, UK, or Switzerland, we process Personal Data on the following bases:
Where we rely on consent, you may withdraw it at any time. Where we rely on legitimate interests, you may object to that processing (see Section 12, Your Rights).
We share data only as necessary to operate Scape:
We do not sell your Personal Data, and we do not share it for cross-context behavioral advertising. Our marketing website uses a Google Ads conversion-measurement cookie only to measure our own ad performance, and only if you accept it via our cookie banner. We do not share your account information or the content of your emails or meetings with advertisers.
If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale of some or all of our assets, your Personal Data may be transferred or disclosed in connection with the transaction, subject to a confidentiality agreement. We will use reasonable efforts to notify you before your Personal Data becomes subject to a different privacy policy.
We may disclose Personal Data when we believe in good faith that disclosure is required to:
Unless legally prohibited, we will notify the affected customer before producing Personal Data in response to a legal request. Disclosures will be limited to the minimum necessary, and we will challenge requests that are unlawful, overbroad, or inconsistent with applicable Data Protection Laws.
Subprocessors are bound by data-protection terms and may only process Personal Data to provide the Service on our behalf.
We inform you of any addition or replacement of a subprocessor by updating our subprocessor list, available in the Scape Trust Center, where you can subscribe to receive notifications of changes. Where we act as your processor, your right to object to a new subprocessor and the applicable timeline are set out in our DPA.
Scape is operated from Stockholm, Sweden. Your data, including the content of your emails, calendar, and meetings, is hosted and processed entirely within the EU. This includes meeting transcription and all AI processing, which is performed in the EU under zero-data-retention agreements.
We do not transfer the content of your emails, calendar, or meetings outside the EU. Where limited account or usage data is processed by a subprocessor outside the EEA, UK, or Switzerland (for example, payment or error-monitoring providers), that transfer relies on:
We retain Personal Data only as long as necessary to fulfill the purposes outlined in this Policy or as required by applicable law, including to:
Audio recordings of meetings are deleted immediately after transcription is complete and are not stored by Scape beyond that point. Meeting transcripts and summaries are retained as part of your account data until you delete your account. Log Data is retained for up to 90 days as described in Section 3.5.
When you delete your account, we delete the associated Personal Data, including emails, calendar data, meeting recordings, transcripts, and derived data such as embeddings, from our systems within thirty (30) days, except where retention is required by law (for example, for fraud prevention, tax records, or legal defense). To request account deletion, contact us at security@scape.app.
Copies of Personal Data may remain temporarily in encrypted backups before being overwritten in the normal course of operations on our standard backup schedule, and are not used for any other purpose in the meantime.
Standard account deletion is free of charge. Where you request manual data export or bespoke deletion work that materially exceeds our standard process and what is required by law, we may charge reasonable, documented costs, except where prohibited by applicable law.
We use industry-standard technical and organizational measures, including:
Certifications and audits. Scape is certified to SOC 2 Type II and ISO 27001, and our processing of Personal Data is compliant with the GDPR. We undergo independent third-party audits on an annual basis. Our current certifications and audit reports are available in the Scape Trust Center.
Breach notification. We maintain an incident-response process and will notify affected customers without undue delay, and in any case within seventy-two (72) hours after confirming a Personal Data Breach that affects their Personal Data, to the extent feasible. Notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability. Our security depends in part on third-party providers and we are not liable for their failures, but we use commercially reasonable efforts to notify you of material security incidents involving your data.
More detail on our security practices is available in the Scape Trust Center.
Our website and product use cookies and similar technologies (“Cookies”) to operate, secure, and analyze the Service. We use four categories of Cookies:
You can manage or withdraw your Cookie preferences at any time via our cookie banner or your browser settings. Cookie-derived identifiers are retained only for the period necessary for these purposes and never longer than thirteen (13) months for analytics Cookies, after which they are deleted or irreversibly anonymized.
By using the Service, you agree to receive transactional and administrative electronic communications from Scape, such as account alerts, security notifications, and billing messages. You may opt out of non-essential marketing emails at any time through the “unsubscribe” link in those emails or your account settings; this will not affect core service communications.
To send a formal privacy notice to Scape, email security@scape.app or write to the address in Section 19. Scape may provide legal or privacy notices to you by email, in-product banner, or any other method allowed by law.
If you use Scape's meeting features to record, transcribe, or otherwise process audio from calls or meetings, you are solely responsible for complying with all applicable laws governing the recording, monitoring, and processing of communications (“Recording Laws”). Recording Laws vary by jurisdiction and may require the consent of every participant before a recording begins. You are solely responsible for providing required notices and obtaining required consents from all participants before any recording. See Section 8 of our Terms of Service for the full clause.
Depending on your jurisdiction, you may have rights to:
To exercise your rights, email dpo@scape.app or security@scape.app. We will verify your identity and respond within thirty (30) days, or the period required by your local law. Where we are unable to fully comply with a request, we will explain why and what alternatives are available.
Right to appeal. If you are a U.S. resident and we deny a Personal Data request, you may appeal that decision within sixty (60) days by replying to our response. We will respond to the appeal within forty-five (45) days or as required by applicable law.
Right to lodge a complaint. If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection authority, including the Swedish Authority for Privacy Protection (IMY).
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights regarding your personal information.
We do not sell your personal information and do not share it for cross-context behavioral advertising purposes.
Your rights under California law include the right to know what personal information we collect and how it is used, the right to delete your personal information (subject to certain exceptions), the right to correct inaccurate personal information, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising your privacy rights.
Although we do not sell user data and provide the majority of the Service through the desktop app, for the data in scope we treat a valid Global Privacy Control (GPC) browser signal as a request to opt out of any sale or sharing of personal information to the extent applicable under California law.
To exercise your California privacy rights, email security@scape.app.
Scape is not intended for anyone under the age of 16, and we do not knowingly collect Personal Data from children under 16. If we become aware that we have collected such data, we will delete it. If you believe a child under 16 has provided us Personal Data, contact us at security@scape.app.
This Privacy Policy is governed by the laws of Sweden, without regard to its conflict-of-law principles. If you are located in a jurisdiction that grants you mandatory consumer or data-protection rights under local law, those rights take precedence to the extent they conflict with this Policy. For EEA, UK, and Switzerland users, international transfer mechanisms are governed by their applicable instruments (SCCs, UK Addendum, Swiss Addendum).
If any provision of this Policy is found unlawful, void, or unenforceable, that provision will be interpreted to achieve its intent as closely as possible, or, if impossible, severed, and the remaining provisions will remain in full force and effect.
This Policy, together with our Terms of Service and Data Processing Addendum, constitutes the entire agreement between you and Scape regarding privacy and data protection in connection with the Service.
For questions about this Policy or to exercise your privacy rights, contact us at:
Scape © 2026