Privacy policy

• We monitor only public sources on the internet. We do not scrape gated content, private apps, or anything behind a login.
• For your account, we collect what we need to run the service: email, workspace metadata, the competitors you ask us to watch, and basic product analytics.
• We do not sell your data. We use a small, named set of subprocessors (hosting, payments, email, AI inference, public-web scraping) and publish them below.
• You can export or delete your account's data at any time by emailing us.

Account information. When you sign up we collect your email address, an authentication credential (password hash or SSO identifier), and the workspace name you create.

Workspace configuration. The competitor domains you ask us to monitor, your alert preferences, your time zone, and the integration endpoints you connect (Slack workspace, webhook URLs, email addresses for digest delivery).

Billing information. If you upgrade to a paid plan, our payments processor (Stripe) collects and stores card details directly. We receive a customer ID, the plan, the seat count, and the invoice history — never the card number itself.

Product usage. We log requests to our API, which pages you view in the dashboard, and aggregated counts (events generated, digests sent) so we can keep the service healthy and improve it.

Communications. If you email us, we keep the thread so we can follow up. We use a transactional email provider to send digests and notifications.

We use the information above to:

• Operate the service — monitor the competitors you ask for, generate signals, send the alerts and digests you configured.
• Keep the platform secure — detect abuse, prevent unauthorized access, debug issues.
• Bill you accurately — process subscription payments and send invoices.
• Communicate with you — service updates, security notices, replies to the things you asked us about.
• Improve the product — aggregate usage to find what's slow, what's broken, and what people actually use.

We do not use your workspace data to train models for anyone else and we do not share it across customers.

The data RivalScope captures about competitor companies comes from public surfaces: pricing pages, careers pages, product documentation, public changelogs, press releases, and public blog posts.

We respect robots.txt directives, identify our crawler with a descriptive user agent, and rate-limit our requests so we do not impose a meaningful load on the sites we read. If you operate a site we monitor and would prefer we stop, write to abuse@competitorintelligence.co and we will remove it.

We do not sell your data. We share it only:

• With subprocessors we use to run the service (listed below), under contract.
• With integrations you explicitly connect — e.g. a Slack workspace you authorise, a webhook URL you configure, a digest email recipient you add.
• When required by law — a valid subpoena, court order, or other legal process. We push back on overly broad requests where we can.
• In connection with a business transfer (e.g. a merger or acquisition). If that happens we will give you advance notice and a chance to delete your data first.

Subprocessor list reviewed: April 24, 2026.

We rely on a small, named set of service providers to run the platform. The list below reflects what production actually runs against today. When we add or replace a subprocessor we update this page and email account owners at least 30 days before the change takes effect, so you have time to object.

If you need a contract that names us as the processor and references this list, our customer-facing data processing addendum is published at /dpa. It is pre-signed and downloadable, no email back-and-forth required.

• Replit, Inc. — application hosting, the primary PostgreSQL database, and object storage for cached page snapshots. United States. Data processing addendum.
• Stripe, Inc. — subscription billing, card processing, and invoice history. We never receive card numbers. United States. Data processing addendum.
• Resend (Resend, Inc.) — transactional and digest email delivery, including per-recipient delivery, bounce, and complaint telemetry used to maintain our suppression list. United States. Data processing addendum.
• OpenRouter, Inc.— LLM inference (Kimi 2.6) for the in-app AI chat, automated competitor teardowns, and support triage. Prompts include the competitor data we have collected and any text you type into chat. United States. OpenRouter's DPA is incorporated by reference into their Terms of Service and published in their trust center: Data processing addendum · Terms of service.
• Apify Technologies s.r.o. — managed browser actors used to fetch the public competitor surfaces (pricing, careers, changelog pages) you ask us to monitor. Processes URLs and rendered page content, not customer personal data. Czech Republic / EU. Data processing addendum.

Operator-facing support tooling. Email you send to support@competitorintelligence.co is received and triaged by AgentMail (an inbound-mail service, United States) before being forwarded to the on-call operator. AgentMail does not yet publish a public DPA, so we have intentionally not listed it as a contracted subprocessor above. If your security review requires an executed DPA covering inbound support email, write to privacy@competitorintelligence.co and we will provide one before you send any sensitive content to support.

We do not currently use a third-party error monitoring or product analytics service. Crash logs and request metrics live inside the Replit-hosted infrastructure listed above. If that changes, we will update this list and notify account owners as described above. Questions? Email privacy@competitorintelligence.co.

We keep account and workspace data for as long as your account is active. Captured competitor events are retained according to the history window of your plan (30 days on Free, longer on paid plans, full history on Growth and above).

When you delete your workspace, we remove account and workspace data within 30 days, except where we are legally required to keep it (e.g. invoices for tax purposes).

We encrypt data in transit (TLS) and at rest. Authentication tokens are hashed. Access to production systems is restricted to the small team that operates them and is logged.

No system is perfectly secure. If you discover a vulnerability, please email security@competitorintelligence.co. We commit to responding within two business days.

Depending on where you live (e.g. the EEA, the UK, California), you may have rights to access, correct, export, or delete the personal data we hold about you, and to object to certain processing. You can exercise any of these rights by emailing privacy@competitorintelligence.co. We will respond within the timeframe required by applicable law.

We are based in the United States and our infrastructure providers operate globally. If you access the service from outside the country where data is processed, your information may be transferred to, stored, and processed in another country. We rely on standard contractual clauses and similar mechanisms to safeguard those transfers.

For business customers, the EU SCCs (Module Two and Module Three), the UK International Data Transfer Addendum, and the Swiss FADP variations are incorporated into our customer data processing addendum at /dpa.

RivalScope is a B2B product not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us information, email us and we will delete it.

We may update this policy as the product and our practices evolve. When we make a material change we will email account owners and update the “last updated” date at the top of this page.

For privacy questions, data requests, or anything else covered by this policy, email privacy@competitorintelligence.co. For everything else, our general inbox is hello@competitorintelligence.co.