Privacy policy — Sculptor
Last updated: 30 April 2026
This Privacy Policy describes how Sculptor (the "App"), operated on behalf of ScrumDesk and related product stewards, handles information when you use the service. It should be read together with the Terms of use.
1. Who we are
The App is provided by or on behalf of ScrumDesk. For privacy-related requests, use the contact channels published on https://scrumdesk.com (or as updated in the product).
2. What we process
Depending on how you use the App, processing may include:
- Account data — if you register or sign in (for example email, display name, organisation membership, authentication identifiers, and session-related records as described in product documentation).
- Workspace and collaboration data — content you create in the App (for example projects, conversations, strategy artefacts, and company directory data where those features are enabled).
- Technical data — server logs, security and abuse-prevention signals, and similar metadata needed to operate and protect the service.
- Local-first data — much of your project and coaching state may remain in your browser (for example IndexedDB). That data stays on your device unless you export it or the App synchronises it according to your configuration.
3. Purposes
We use information to:
- provide, secure, and improve the App;
- authenticate users and enforce access controls;
- communicate about the service (for example verification or invitation emails where applicable);
- comply with law and respond to lawful requests.
4. Legal bases (EEA / UK)
Where the GDPR applies, we rely on appropriate bases such as contract (delivering the service you request), legitimate interests (security, product improvement balanced against your rights), and consent where required (for example non-essential cookies or marketing, if offered).
5. Sharing
We share data with processors that help us run the App (for example hosting, database, cache, email delivery, optional sign-in providers, and analytics if you consent) under contracts that require protection of personal data. A current list for B2B deployments is in the Data Processing Agreement template (Section 5). We may disclose information if required by law or to protect the rights, safety, and integrity of users and the service. We do not sell your personal information as a commodity; any "sale" / sharing terminology required by US state laws will be reflected in supplementary disclosures if the product is offered in those jurisdictions.
6. Retention
We retain information for as long as needed to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Account deletion flows described in the product (where available) apply additional deletion or anonymisation steps subject to legal retention needs.
7. Security
We implement appropriate technical and organisational measures. No method of transmission or storage is completely secure; you should protect your credentials and devices.
8. International transfers
If data is processed outside your country, we use appropriate safeguards (for example standard contractual clauses) where required.
9. Your rights
Depending on your location, you may have rights to access, rectify, erase, restrict, port, or object to certain processing, and to withdraw consent where processing is consent-based. You may also lodge a complaint with a supervisory authority. Use the contact channels above to exercise rights; we may need to verify your identity.
10. Children
The App is not directed at children under the age where parental consent is required for online services in your jurisdiction. We do not knowingly collect personal information from such children.
11. Changes
We may update this policy. The "Last updated" date will change; material changes may be communicated through the App or by email where appropriate.
12. AI and third-party models
When you connect third-party AI providers, your prompts and context may be sent to those providers under their terms and privacy policies. Review those providers’ documentation and your organisation’s policies before enabling integrations.