Privacy Policy

Last updated: 14 May 2026

Who we are

ScentShield AI Limited (“ScentShield”, “we”, “us”) is the data controller of personal data processed when you use our service at scentshield.io. We are based in the United Kingdom.

Contact: privacy@scentshield.io

What data we collect

We collect only what we need to provide the service:

  • Account data: email address, full name, company name, password hash (via Supabase Auth)
  • Formula data: the formulas you create — ingredient CAS numbers, concentrations, target markets, names you choose
  • Compliance results: the output of our regulatory checks for your formulas
  • Generated documents: SDS, labels, and PCN exports you generate
  • Billing data: payment method and invoice history (processed by Stripe; we never see your card number)
  • Usage data: which features you use, performance metrics, error logs (for service improvement only)

We do not use cookies for advertising or tracking. We do not sell your data to anyone.

Lawful basis (UK GDPR / EU GDPR)

We process your personal data on the following lawful bases:

  • Performance of a contract: to provide the service you signed up for
  • Legal obligation: to keep tax and accounting records
  • Legitimate interests: to keep the service secure and improve it (you can object — see below)

Your formula data

You own your formulas. We process them solely to provide the service to you.

We will never:

  • Share your formulas with other tenants or third parties
  • Use your formulas to train AI models
  • Sell, rent, or license your formulas
  • Disclose your formulas without your explicit consent or legal compulsion

Formula data is encrypted at rest and in transit. Access is restricted to your tenant via row-level security in our database.

Sub-processors

We use the following sub-processors to deliver the service. All are bound by data processing agreements:

  • Supabase (database and authentication) — EU region
  • Vercel (web hosting) — EU edge
  • Stripe (payment processing) — UK/EU
  • Resend (transactional email) — EU
  • Anthropic (AI for content/support agents only — never sees your formulas) — US, with Standard Contractual Clauses

Data retention

We retain your data while your account is active and for 30 days after account deletion (to allow recovery in case of a mistake). After 30 days, all personal data and formulas are permanently deleted from our systems and from sub-processor backups within their standard backup retention windows.

Billing records are retained for 7 years to meet UK accounting law.

Your rights (UK / EU GDPR)

You have the right to:

  • Access: request a copy of all personal data we hold about you
  • Rectification: correct inaccurate data (you can do this directly via Settings)
  • Erasure (right to be forgotten): delete your account and all associated data
  • Portability: export your formulas in a machine-readable format
  • Object to processing based on legitimate interests
  • Restrict processing in certain circumstances
  • Withdraw consent for any consent-based processing
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) or your local EU data protection authority

To exercise these rights, email privacy@scentshield.io. We respond within 30 days.

International transfers

Where data is transferred outside the UK or EEA (e.g. for the AI agents that use Anthropic's US-based service), we rely on Standard Contractual Clauses approved by the European Commission and the UK ICO.

Security

We follow industry-standard security practices: encryption in transit (TLS) and at rest (AES-256), row-level security in the database, multi-factor authentication for all internal access, regular security audits, and a vulnerability disclosure programme.

Report security issues to security@scentshield.io.

Changes to this policy

We will notify you by email at least 30 days before any material change takes effect.