Privacy Policy

scomm.ai Applications and Related Services

Effective Date: February 06, 2026

Last Updated: ___________________

INTRODUCTION

This Privacy Policy explains how scomm.ai ("Company," "we," "us," or "our") collects, uses, discloses, and protects personal information when you use:

Static website (https://www.scomm.ai)

Billing portal
Server infrastructure (pubkey, connect, relay, public info, download servers)
Desktop applications (Windows, MacOS, Linux)
Mobile applications (iOS, Android)
Add-ons and paid features

Related services and applications

By using our services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our services.

DEFINITIONS

For the purposes of this Privacy Policy:

Paying Party: The individual or entity that holds an active paid subscription and is responsible for payment.
Using Party: An individual authorized by a Paying Party to use the services. One Paying Party may add multiple Using Parties.
Provider Node: A device or server running the SComm Connect product that provides connectivity services.
User ID: A unique identifier assigned to each user account for authentication and service access.
Device Identifier: A unique identifier assigned to each device (desktop, mobile, browser) used to access our services.
SSO (Single Sign-On): Authentication through third-party identity providers (Google, Microsoft, etc.).
OTP (One-Time Password): A temporary password sent via email for authentication.
P2P (Peer-to-Peer): Direct communication between two devices without routing through our servers.
SDP (Session Description Protocol): WebRTC protocol used to establish peer-to-peer connections.
ICE (Interactive Connectivity Establishment): Protocol for finding the best path for peer-to-peer communication.
DTLS-SRTP: Encryption protocol used to secure peer-to-peer data transfers.
Canonicalized Email Address: Email address converted to a standard format before hashing.

SHA-256 Hash: A one-way cryptographic function that creates a unique fingerprint of data (non-reversible).

WHO WE ARE

scomm.ai is operated by:

Legal Entity Name: Media Routes Inc.
Registered Address: 86-50 Burnhamthorpe Rd., W., Mississauga ON L5B 3C2
Province/Territory: Ontario
Country: Canada
Contact Email: privacy@scomm.ai

Website: https://www.scomm.ai

For data protection purposes, we act as a Data Controller for personal information collected through our applications and services.

OVERVIEW OF OUR SERVICES

Our service ecosystem consists of:

Infrastructure Servers:

Static Website (www.scomm.ai) - Public information and marketing
Billing Portal (billing.scomm.ai) - Subscription and payment management
Public Key Server (pubkey.scomm.ai) - Public key storage for encryption
Connect Server (connect.scomm.ai) - Connection management for SComm Connect
Relay Server (relay.scomm.ai) - Data relay when P2P is not possible
Public Info Server (public.scomm.ai) - Public resources and version information
Download Server (d.scomm.ai) - Application downloads and AI model distribution
Authentication Server (auth.scomm.ai) - Token management and authentication

Client Applications:

Desktop applications (Windows, MacOS, Linux)
Mobile applications (iOS, Android)

STATIC WEBSITE (scomm.ai)

Data Collection

Our static website collects minimal technical data:

Infrastructure-Level Data (Automatic):

IP addresses (server logs, temporary)
HTTP request metadata (user agent, referrer)
Page access timestamps

CDN-level analytics (CloudFlare)

What We Do NOT Collect:

No user accounts or registrations
No cookies for tracking
No personal information
No behavioral analytics

No advertising trackers

Purpose

Infrastructure data is collected for:

Security monitoring and abuse prevention
Performance optimization
Error detection and troubleshooting

DDoS protection

Data Retention

Server logs: 7 days

CloudFlare logs: Per CloudFlare's retention policy

No long-term user tracking

Legal Basis

Legitimate interest in maintaining website security and performance.

BILLING PORTAL

Authentication Methods

Users can access the billing portal through:

Single Sign-On (SSO):

Google
Microsoft

Other third-party identity providers

Email OTP (One-Time Password):

Temporary password sent to provided email address

Valid for 10 minutes

Data Collected

Upon successful login, we create and store:

Paying Party Information:

Name
Email address
Billing address (street, city, state/province, postal code, country)
Stripe charge authorization tokens
PayPal charge authorization tokens
Subscription details (plan type, start date, renewal date)

Payment history (transaction IDs, amounts, dates)

Using Party Information:

SSO identifiers (Google ID, Microsoft ID, etc.)
Login IDs (for email-based authentication)
Email addresses

Association with Paying Party

Multi-User Management:

One Paying Party may add multiple Using Parties
Using Parties are linked to the Paying Party's subscription

Each Using Party receives independent access credentials

Purpose of Data Processing

Process subscription payments
Manage subscription lifecycle (activation, renewal, cancellation)
Issue invoices and transaction receipts
Prevent payment fraud
Provide customer support

Manage multi-user access

Payment Processing

We use Stripe and PayPal for payment processing
We do NOT store full credit card numbers
Payment tokens are encrypted and stored securely

PCI DSS compliance maintained through payment processors

Data Retention

Active subscriptions: Duration of subscription
Cancelled subscriptions: 7 years (tax and accounting requirements)
Payment transaction records: 7 years

Using Party associations: Until removed by Paying Party or account deletion

Legal Basis

Contractual necessity (to provide paid services)

Legal obligation (tax and financial record-keeping)

PUBLIC KEY SERVER (pubkey.scomm.ai)

Data Stored

This server stores cryptographic public keys for email encryption:

Email addresses (in plain text)
SHA-256 hash of canonicalized email addresses (one-way hash)
Public keys (cryptographic keys for encryption)
Key IDs (unique identifier for each public key)
Upload timestamp

Key expiration date (if applicable)

Plain email addresses are stored to associate public keys with users and to ensure interoperability with standard email encryption systems. Hashes are used to support privacy-enhanced lookup mechanisms.

Public keys stored on our servers are intended for distribution and do not grant access to private communications.

Purpose of Data Processing

Enable end-to-end encrypted email communication
Allow users to find public keys for recipients
Verify sender identity through cryptographic signatures

Support key rotation and updates

Email Hash Explanation

Why SHA-256 Hashes:

Provides privacy-enhanced lookup mechanism
Allows key discovery without exposing exact email addresses in all queries

SHA-256 is a one-way cryptographic hash (cannot be reversed to obtain original email)

How It Works:

Email addresses are converted to a standard format (canonicalized)
SHA-256 hash is computed from the canonicalized email

Hash is stored alongside the plain email address and public key

Data Retention

Public keys: Indefinitely until user deletes them
Email addresses: Indefinitely until user requests deletion

Expired keys: Marked as expired but retained for 90 days for verification purposes

Data Deletion

Users can delete their public keys at any time through:

Account settings in client applications

Email request to privacy@scomm.ai

Legal Basis

Contractual necessity (to provide encryption services)

Legitimate interest (secure communications)

CONNECT SERVER (connect.scomm.ai)

Data Stored

This server manages connections for the SComm Connect product:

Provider Node Information:

Current IP address of Provider Nodes
Node online/offline status
Last connection timestamp

Geographic location (inferred from IP, for routing optimization)

User Access Control:

User IDs
Access Control Lists (which users can access which Provider Nodes)
Device identifiers for each user

Multiple devices per user support

Connection Metadata:

SDP (Session Description Protocol) offers
SDP answers
ICE (Interactive Connectivity Establishment) candidates

WebRTC connection state

Purpose of Data Processing

Facilitate peer-to-peer connections between users and Provider Nodes
Route SDP offers and answers through our server
Maintain Access Control Lists for security
Support multi-device access

Optimize connection routing based on geographic location

How Connections Work

Peer-to-Peer (P2P) Communication:

Most data communications go directly between two nodes (peer-to-peer)
Our server only facilitates the initial connection setup

Once connected, data flows directly without passing through our servers

When Relay is Used:

Only when P2P is technically impossible (strict firewalls, NAT traversal failures)

Data is routed through relay.scomm.ai (see Section 9)

Encryption:

All data transfers are fully encrypted using DTLS-SRTP

End-to-end encryption ensures we cannot read the content

Data Retention

Active Provider Node IP addresses: While Provider Node is online
Offline Provider Nodes: IP address deleted after 24 hours
Access Control Lists: Until user modifies or deletes
Connection metadata (SDP/ICE): Deleted immediately after connection established

Device identifiers: Until user removes device or deletes account

Legal Basis

Contractual necessity (to provide SComm Connect service)

Legitimate interest (network security and optimization)

RELAY SERVER (relay.scomm.ai)

When Relay is Used

The Relay Server is used only when direct peer-to-peer communication is not possible due to:

Strict firewall configurations
NAT traversal failures

Network topology restrictions

Data Handled

When data passes through our Relay servers:

Encrypted Data:

All data is encrypted with DTLS-SRTP
We cannot decrypt or inspect the content

Data is immediately forwarded to destination

All data transmitted between systems is encrypted in transit using industry-standard protocols, and any stored data is protected using appropriate security measures

Metadata Collected:

Using Party ID (who is accessing the service)
Paying Party ID (who is responsible for billing)
Data volume (bytes transferred)
Connection duration
Timestamp

Geographic location of relay server used

Purpose of Data Processing

Route encrypted data when P2P is impossible
Measure data consumption for usage-based billing
Provide fallback connectivity

Ensure service availability

What Relay Servers Do NOT Do

Do NOT decrypt or inspect data content
Do NOT store transmitted data
Do NOT log message content
Do NOT perform deep packet inspection

Do NOT share data with third parties

Data Logging

Temporary Handling:

Data packets are held in memory only during transit (milliseconds)
No persistent storage of data content

Encrypted data is immediately forwarded

Metadata Logging:

Using Party ID and Paying Party ID: Logged for billing
Data volume: Logged for billing

Connection logs: Retained for 90 days for troubleshooting

Usage-Based Billing

Data consumption is measured and stored
Billing is calculated based on data transferred through relay
Paying Party is charged according to subscription plan

Detailed usage reports available to Paying Party

Geographic Distribution

Relay servers are distributed across multiple geographic locations
Data is routed through the nearest available relay server

This may involve international data transfers (see Section 24)

Data Retention

Real-time data: Not stored (immediate forwarding)
Billing metadata (data volume, party IDs): 7 years (accounting requirements)
Connection logs: 90 days

Usage reports: 7 years

Legal Basis

Contractual necessity (to provide relay service)

Legal obligation (billing and accounting records)

PUBLIC INFO SERVER (public.scomm.ai)

Data Served

This server hosts publicly accessible information:

.well-known Folder:

App IDs and configurations
Service discovery information

Authentication endpoints

Version Information:

Latest application versions for all platforms
Update changelogs

Download links

Links to current privacy policy

Historical policy versions

Other Public Resources:

API documentation (if public)
Support resources

Public announcements

Data Collection

What We Collect:

HTTP GET request logs (IP address, timestamp, user agent)

Request frequency (for abuse detection)

What We Do NOT Collect:

No personal information
No cookies
No user tracking

No behavioral analytics

Purpose

Provide public information to apps and users
Support application updates and version checking
Distribute privacy policy and legal information

Abuse prevention and DDoS protection

Data Retention

HTTP request logs: 7 days

Public content: Indefinitely (publicly accessible)

Legal Basis

Legitimate interest in providing public information and maintaining security.

DOWNLOAD SERVER (d.scomm.ai)

Service Description

The download server facilitates distribution of:

Desktop Applications:

Windows installers
MacOS applications

Linux packages

AI Models:

Machine learning models for local processing

Model updates and improvements

How It Works

User requests download from d.scomm.ai
Server redirects to CloudFlare CDN links
Actual download is served by CloudFlare CDN

AI models are hosted on CloudFlare CDN account

Data Collected

By Our Server:

Download request IP address (temporary, for redirect)
Requested file/version
User agent (browser/OS information)

Timestamp

By CloudFlare CDN:

IP address
Download completion status
Bandwidth usage
Geographic location

Per CloudFlare's privacy policy

Purpose

Distribute application installers
Provide AI model downloads for local processing
Track download statistics (aggregate)
Abuse prevention

Bandwidth optimization

AI Model Usage

Local Processing:

AI models are downloaded to user's device
All AI processing happens locally on user's device

No user data is sent to remote AI servers

Currently, no third-party AI services are used for processing user data. If this changes in the future, this Privacy Policy will be updated accordingly.

Model Updates:

Users check for model updates periodically
Updates are downloaded from CloudFlare CDN

No personal data transmitted during update checks

Data Retention

Download request logs: 30 days
Aggregate statistics: Indefinitely (anonymized)

CloudFlare logs: Per CloudFlare's retention policy

Legal Basis

Legitimate interest in software distribution and service improvement.

CLIENT APPLICATIONS (Desktop, Mobile)

Platform Availability

Desktop Applications:

Windows (Windows 10 and later)
MacOS (MacOS 11 and later)
Linux (major distributions)

Mobile Applications:

iOS (available on App Store)
Android (available on Google Play)

Email Service Integration

Our client applications integrate with:

Microsoft Mail APIs:

outlook.com
hotmail.com
live.com

Custom domains hosted on Microsoft 365

Google APIs:

gmail.com

Custom domains hosted on Google Workspace

IMAP Access:

All other IMAP-based email servers

Custom IMAP configurations

For IMAP-based accounts, data is accessed only for user-requested operations and is not permanently stored on our servers unless explicitly required for functionality.

Authentication

Users may log into client applications when they need to:

Prove their identity
Access commercial add-ons
Use SComm Connect product

Sync settings across devices

Authentication Methods:

SSO (Google, Microsoft)
Email OTP

OAuth tokens

Data Stored Locally

Client applications store on user's device:

Application Data:

User preferences and settings
Private cryptographic keys (encrypted)
Raw Emails
Email processed bodies cache

Application logs (local only)

AI Models:

Downloaded from d.scomm.ai
Stored locally for offline processing

Updated periodically

Data NOT Stored on Our Servers

Email Content:

Never transmitted to our servers
Never stored on our servers

Processed entirely on user's device

Email Metadata:

Headers, subject lines, sender information

Remain on user's device only

Email Account Credentials:

Stored securely on user's device
Never transmitted to our servers

OAuth tokens managed locally

Local AI Processing

All AI-based features (spam detection, search, classification) run locally
No email content sent to remote AI services
No third-party AI APIs involved

Models are updated via download server

Version Update Checks

Applications check https://scomm-ai.github.io/version/index.json
HTTPS GET request
No personal data transmitted
No Application data sent during request

No logging of individual update checks

Platform-Specific Privacy

Desktop Applications:

Follow OS-specific security guidelines
Store data in OS-designated secure locations

Use OS keychain/credential manager for secrets

Mobile Applications:

Follow iOS/Android privacy guidelines
Use platform secure storage (Keychain/Keystore)
Request only necessary permissions

Comply with App Store/Play Store policies

GOOGLE API USAGE AND RESTRICTED SCOPES

For Google email services (Gmail, custom domains hosted on Google Workspace):

Scopes Used

scomm.ai uses the following Google API scopes:

gmail.modify - Used to allow users to read, compose, send, and organize emails within the application.
contacts.readonly - Used to allow users to view and select contacts when composing emails.

How These Scopes Are Used

All data accessed through these scopes is processed primarily on the user’s device. We do not store email or contact content on our servers.

Access to this data occurs only when the user actively uses related features within the application.

These scopes are used ONLY for:

Displaying emails in the application
Composing and sending emails
Managing email folders and labels
Organizing messages
Providing contact autocomplete when composing
Local spam and phishing detection

Local AI-powered search

These scopes are NEVER used for:

Analytics or tracking
Advertising or marketing
Sharing with third parties
Credit or lending decisions
Profiling or behavioral analysis

Any purpose unrelated to core application functionality

OAuth Permissions

When you grant OAuth permissions:

You authorize access only to the specified scopes
You can revoke access at any time through your Google Account settings

Revoking access will disable certain features but not delete your account

Microsoft Mail API Usage

For Microsoft email services (Outlook, Hotmail, Live, custom domains hosted on Microsoft 365):

Permissions Requested:

Mail.Read
Mail.Send
Mail.ReadWrite

Contacts.Read

Usage:

Same client-side only processing as Google APIs
No data transmitted to our servers

Can be revoked through Microsoft Account settings

DATA USE RESTRICTIONS

In compliance with Google API Services User Data Policy, we declare:

What We DO:

✓ Process email data only on your device
✓ Use data only for email functionality
✓ Encrypt data in transit (TLS/HTTPS)
✓ Allow users to delete their data anytime
✓ Maintain zero-knowledge architecture for private keys
✓ Provide transparent privacy controls
✓ Respect user data ownership
✓ Process AI models locally without cloud AI services

What We DO NOT DO:

✗ Store email content on our servers
✗ Share data with advertisers or data brokers
✗ Use data for targeted advertising
✗ Perform analytics on email content
✗ Use data for credit or lending decisions
✗ Transfer email data to third parties
✗ Track or monitor user email activity
✗ Use email data to train AI models
✗ Sell user data
✗ Share data for cross-context behavioral advertising

Limited Use Disclosure

scomm.ai's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

PURPOSE OF DATA PROCESSING

Authentication and Account Management

Data Collected: Email, name, SSO identifiers, login credentials

Purpose:

Verify user identity
Create and manage accounts
Provide secure access to services
Support multi-device access

Enable SSO functionality

Billing and Payment

Data Collected: Billing address, payment tokens, transaction history

Purpose:

Process subscription payments
Issue invoices
Manage subscriptions
Prevent fraud

Comply with tax regulations

Encryption Services

Data Collected: Public keys, email addresses, SHA-256 hashes

Purpose:

Enable end-to-end encryption
Facilitate secure email communication
Support key discovery

Verify sender identity

Network Connectivity (SComm Connect)

Data Collected: IP addresses, device IDs, connection metadata

Purpose:

Establish peer-to-peer connections
Route connection requests
Maintain access control
Support multi-device usage

Optimize routing

Relay Services

Data Collected: Party IDs, data volume, connection metadata

Purpose:

Provide fallback connectivity
Enable usage-based billing
Route encrypted data

Ensure service availability

Software Distribution

Data Collected: Download requests, IP addresses (temporary)

Purpose:

Distribute applications
Provide updates
Deliver AI models
Track download statistics (aggregate)

Prevent abuse

Security and Abuse Prevention

Data Collected: IP addresses, request metadata, logs

Purpose:

Detect and prevent abuse
Protect against DDoS attacks
Identify security threats
Troubleshoot issues

Maintain service integrity

Data Minimization We collect and process only the minimum amount of personal data necessary to provide, secure, and improve our services.

LEGAL BASIS FOR PROCESSING

Under GDPR, PIPEDA, and other data protection laws, we process personal data based on:

Consent

OAuth authorization for email access
Optional encrypted private key backup
Marketing communications

Optional features and services - Review our Terms of Service for additional details

Contractual Necessity

Providing services you requested
Processing payments
Managing subscriptions
Authenticating users

Delivering purchased features

Legitimate Interests

Security and abuse prevention
Service improvement
Network optimization
Fraud prevention

Troubleshooting and support

Legal Obligation

Tax and accounting compliance (7-year retention)
Response to legal processes
Regulatory reporting

Financial record-keeping

HOW WE USE YOUR INFORMATION

No Profiling or Behavioral Tracking We do not use your personal data for profiling, behavioral tracking, or cross-service tracking. We do not build user profiles for advertising or data monetization purposes.

Service Delivery

Provide email functionality through client applications
Enable encrypted communication
Facilitate SComm Connect peer-to-peer connections
Relay data when P2P is not possible

Distribute software updates and AI models

Account Management

Create and manage user accounts
Authenticate users across devices
Support SSO and OTP login
Manage Paying Party and Using Party relationships

Maintain access control lists

Billing and Subscriptions

Process payments through Stripe and PayPal
Calculate usage-based billing for relay services
Generate invoices and receipts
Manage subscription lifecycle

Provide usage reports to Paying Parties

Communication

Send transactional emails (receipts, confirmations, alerts)
Notify users of version updates
Respond to support inquiries
Send security notifications

Provide service announcements

Analytics and Improvement

Aggregate download statistics
Monitor service performance
Identify bugs and errors
Optimize routing and connectivity

Improve AI models (using only aggregated, anonymized data)

Security

Detect and prevent abuse
Protect against fraud
Monitor for suspicious activity
Maintain logs for security investigations

Enforce access controls

Data Minimization We collect and process only the minimum amount of personal data necessary to provide, secure, and improve our services.

No Automated Decision-Making We do not use your personal data for automated decision-making that produces legal or similarly significant effects.

Data Breach

In the event of a data breach affecting personal data, we will take appropriate steps to investigate, mitigate, and notify affected users and relevant authorities as required by applicable laws.

DATA RETENTION POLICY

Account Data

Active accounts: Duration of account relationship
Inactive accounts: 2 years after last login

Deleted accounts: 30 days for recovery, then permanently deleted

Billing Data

Transaction records: 7 years (tax and accounting requirements)
Payment tokens: Until subscription ends or updated
Invoices: 7 years

Usage data (relay billing): 7 years

Public Keys

Active keys: Indefinitely until user deletes
Expired keys: Marked expired, retained 90 days for verification

Deleted keys: Immediately upon user request

Email Hashes

SHA-256 hashes: Retained while associated public key exists

Deleted: When user deletes public key or account

IP Addresses

Connect server (active nodes): While Provider Node is online
Connect server (offline nodes): 24 hours after disconnection
Download server: 30 days
Static website: 7 days

Public info server: 7 days

Connection Metadata

SDP/ICE candidates: Deleted immediately after connection established
Connection logs: 90 days

Relay metadata (billing): 7 years

Device Identifiers

Active devices: Until user removes device

Removed devices: Immediately deleted

Application Logs

Client-side logs: Stored locally, user controls retention
Server logs: 90 days

Error logs: 90 days

Version Check Logs

Individual checks: Not logged

Aggregate statistics: Indefinitely (anonymized)

Marketing Preferences

Until user unsubscribes

DATA SECURITY

We implement industry-standard technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration.

Encryption

Data in Transit:

TLS 1.2+ for all HTTPS connections
DTLS-SRTP for peer-to-peer data transfers
End-to-end encryption for emails (user-controlled)

Perfect forward secrecy

Data at Rest:

AES-256-GCM for optional private key backups
Encrypted database storage for sensitive data
Secure password hashing (bcrypt with salt)

Encrypted backups

Access Controls

Role-based access control (RBAC)
Multi-factor authentication for administrative access
Principle of least privilege
Regular access reviews

Automated access revocation for terminated employees

Key Management

Private Keys:

Stored on user's device only (default)
Optional encrypted cloud backup with user-chosen password
We cannot decrypt private keys without user's password

Zero-knowledge architecture

Public Keys:

Stored on pubkey.scomm.ai
Publicly accessible for encryption purposes

Integrity verified through cryptographic signatures

Authentication Tokens:

Short-lived access tokens (typically hours)
Long-term refresh tokens (revocable)
Cryptographically signed

Secure storage and transmission

Authentication Safeguards

OAuth 2.0 for third-party authentication
OTP with 10-minute expiration
Rate limiting on authentication attempts
Account lockout after failed attempts
Session management and timeout

Device tracking and suspicious login detection

Network Security

Firewall protection
Intrusion detection and prevention systems (IDS/IPS)
DDoS mitigation through CloudFlare
Regular security monitoring
Penetration testing

Vulnerability scanning

Payment Security

PCI DSS compliance through payment processors (Stripe, PayPal)
No storage of full credit card numbers
Tokenization of payment data

Secure payment processor integration

Infrastructure Security

Regular security updates and patches
Isolated server environments
Backup and disaster recovery procedures
Secure configuration management
Audit logging

Incident response plan

Organizational Security

Employee background checks
Confidentiality agreements
Security awareness training
Limited access to production systems
Third-party security audits
Compliance reviews

We do not allow human access to user email.

SECURITY & COMPLIANCE

Our services are built using privacy-by-design principles. This means we minimize data collection, process data locally on user devices wherever possible, and implement strong encryption and access controls to protect user information by default

Google OAuth Compliance

scomm.ai maintains compliance with Google's OAuth app verification requirements:

Annual security assessments by Google-approved third parties
Regular security audits and updates
Adherence to industry security standards
Immediate notification of any data breaches
Zero-knowledge architecture for private data
Compliance with Google API Services User Data Policy

Limited Use requirements adherence

Industry Standards

SOC 2 Type II controls (planned/in progress)
ISO 27001 information security practices
OWASP security guidelines

CIS benchmarks for server hardening

Data Breach Response

In the event of a data breach:

Affected users notified within 72 hours
Notification includes nature of breach, data affected, and remediation steps
Relevant authorities notified as required by law
Investigation and root cause analysis
Implementation of additional safeguards

Transparent communication throughout process

Vulnerability Disclosure

Responsible disclosure program
Security contact: security@scomm.ai
Coordinated vulnerability disclosure

Regular security updates

CONTENT PRIVACY - WHAT WE NEVER ACCESS

Email Content

We NEVER:

Access your email messages
Read email content
Store email on our servers
Analyze email for advertising
Share email with third parties

Use email to train AI models

Your emails:

Remain on your email provider's servers (Gmail, Microsoft, IMAP server)
Are processed entirely on your device
Are encrypted end-to-end (if you enable encryption)

Are subject to your email provider's privacy policy

Email Metadata

We do not access or store [data] as part of normal operations and system design:

Email headers
Subject lines
Sender/recipient information
Timestamps
Attachment names or content

Folder/label information

Relay Server Content

Relay servers transmit encrypted data and do not have access to decryption keys or the ability to decrypt user communications.

Even when data passes through relay servers:

Data is encrypted with DTLS-SRTP
We cannot decrypt the content
We cannot inspect packet contents
Data is immediately forwarded (not stored)

Only metadata is logged for billing (party IDs, data volume)

Connection Content

For SComm Connect peer-to-peer connections:

Data flows directly between nodes (when possible)
We only facilitate the initial connection setup
We do not inspect or log communication content

End-to-end encryption prevents us from reading data

Local AI Processing

All AI features run locally on your device
Email content is not sent to cloud AI services
AI models are downloaded to your device
No third-party AI APIs involved

Your data stays on your device

DATA SHARING AND THIRD PARTIES

Providers such as Cloudflare act as data processors on our behalf and process limited technical data (such as IP addresses and request metadata) to provide content delivery, caching, and security services. These providers operate under contractual data protection obligations.

Service Providers

We share limited data with trusted third-party service providers:

Payment Processors:

Who: Stripe, PayPal
What: Billing information, payment tokens, transaction details
Why: Process payments and subscriptions

Safeguards: PCI DSS compliance, contractual data protection

Cloud Infrastructure:

Who: CloudFlare (CDN), cloud hosting providers
What: IP addresses, download requests, CDN logs
Why: Distribute software, host services, DDoS protection

Safeguards: Data processing agreements, encryption in transit

Analytics Providers:

Who: Anonymous aggregate analytics only
What: Anonymized usage statistics (e.g., download counts)
Why: Service improvement

Safeguards: No personally identifiable information shared

Email Service Providers:

Who: Transactional email service (for OTPs, receipts)
What: Email addresses, transactional message content
Why: Send OTPs, receipts, notifications

Safeguards: GDPR-compliant providers, minimal data sharing

What We NEVER Share

Email content or communications
Email metadata or headers
Private cryptographic keys (we don't have access)
Private key encryption passwords (you choose, we never see)
OAuth tokens (managed locally)
Email account credentials
Connection content (encrypted, we can't read)

Personally identifiable relay data

Legal Requirements

We may disclose information when legally required:

Court orders or legal processes
Government requests (with legal basis)
Prevent fraud or criminal activity
Protect safety of users or public

Enforce our terms of service

Transparency Where permitted by law, we may publish aggregated transparency information regarding government or legal data requests.

Legal Request Process:

We review all requests for legal validity
We notify users when legally permitted
We provide only the minimum required data

We cannot disclose data we don't have (e.g., email content, private keys)

Business Transfers

In the event of merger, acquisition, or asset sale:

Users will be notified in advance
New entity will be bound by this privacy policy
Users can delete accounts before transfer

Encrypted private key backups remain encrypted (new entity still can't decrypt without your password)

No Data Sales

We do NOT sell personal data
We do NOT share data for advertising
We do NOT participate in data broker markets

We do NOT allow third-party tracking on our services

COOKIES AND WEBSITE TRACKING

Static Website (scomm.ai)

Cookies Used:

None: We do not use cookies on our static website

Tracking:

No behavioral tracking
No advertising cookies
No cross-site tracking

No third-party analytics cookies

Billing Portal

Essential Cookies:

Session authentication (required for login)
CSRF protection (security)

Cannot be disabled (necessary for functionality)

Optional Cookies:

None currently used

Server Logs

What We Log:

IP address (temporary)
Timestamp
HTTP request method and path
User agent (browser/OS)

Referrer (source page)

Purpose:

Security monitoring
Abuse detection
Error troubleshooting

Performance optimization

Retention:

Static website: 7 days
Download server: 30 days

Billing portal: 90 days

We may collect limited technical logs (such as IP address, timestamps, and connection status) for security, debugging, and performance purposes. These logs do not include the content of communications.

CDN-Level Data Collection

CloudFlare (CDN Provider):

Collects IP addresses, request data
Provides DDoS protection and caching
Subject to CloudFlare's privacy policy

We receive only aggregate statistics

Your Controls

Browser settings to block cookies
Private/incognito browsing
VPN usage (masks IP address)

Ad blockers (though we don't have ads)

Do Not Track

We respect browser Do Not Track signals where applicable

Our minimal tracking approach means there's little to track anyway

INTERNATIONAL DATA TRANSFERS

Data Storage Locations

Primary Storage: Canada

Distributed Servers:

Relay servers: Multiple geographic locations (US, EU, Asia)
CDN: CloudFlare global network

Cloud infrastructure: May span multiple regions

Cross-Border Transfers

Your data may be transferred to and processed in countries other than your country of residence:

United States (cloud services, relay servers)
European Union (relay servers, support services)

Other countries where relay servers are located

Safeguards

For transfers outside Canada/EU/UK:

Legal Mechanisms:

Standard Contractual Clauses (EU Commission approved)
Adequacy decisions by relevant authorities

Contractual commitments from service providers

Technical Safeguards:

Encryption in transit (TLS/HTTPS)
Encrypted private key backups remain encrypted regardless of location

DTLS-SRTP encryption for relay data

Relay Server Locations

To optimize performance, relay servers are geographically distributed:

North America
Europe

Asia-Pacific

When data passes through relay servers:

It's encrypted and we cannot read it
Location is chosen based on optimal routing

No content is stored (immediate forwarding)

Your Rights

You have the right to:

Object to international transfers
Request information about transfer safeguards
Obtain copies of transfer agreements

Request data be stored in specific regions (may limit functionality)

YOUR PRIVACY RIGHTS

Rights Under PIPEDA (Canada)

Access:

Request copies of your personal information
Receive information about how it's used

Request information about stored public keys and encrypted backups

Correction:

Update inaccurate or incomplete information

Request corrections to your records

Withdrawal of Consent:

Withdraw consent for processing at any time
Revoke OAuth permissions
Delete encrypted private key backups

May limit service availability

Complaint:

Lodge complaints with Privacy Commissioner of Canada

Rights Under GDPR (EU/UK)

Access (Article 15):

Obtain confirmation of processing
Receive copy of your data

Understand how data is used

Rectification (Article 16):

Correct inaccurate data

Complete incomplete data

Erasure (Article 17) - "Right to be Forgotten":

Request deletion of your data
Subject to legal retention requirements (e.g., 7-year billing records)

Includes deletion of public keys, encrypted private key backups, authentication tokens

Restriction of Processing (Article 18):

Limit how we use your data

Applicable in specific circumstances

Data Portability (Article 20):

Receive data in machine-readable format (JSON, CSV)
Transfer data to another provider

Export public keys and encrypted private key backups

Objection (Article 21):

Object to processing based on legitimate interests

Object to direct marketing at any time

Automated Decision-Making (Article 22):

Right not to be subject to automated decisions

We do not use automated decision-making

Rights Under CCPA (California)

Right to Know:

Categories of personal information collected
Sources and purposes of collection

Third parties with whom information is shared

Right to Delete:

Request deletion of personal information

Subject to exceptions (legal retention)

Right to Opt-Out:

Opt out of sale of personal information (we do not sell data)

Right to Non-Discrimination:

Not be discriminated against for exercising rights

Rights Specific to Google Data

For data accessed via Google APIs (Gmail, Contacts):

Access:

Request copies of data we have about you (note: email content stays on Google's servers)

Deletion:

Delete your account and all associated Google OAuth permissions

Revoke Google OAuth access anytime in Google Account settings

Portability:

Export your data in standard formats

Withdrawal:

Revoke Google OAuth access immediately

Access Google Account → Security → Third-party apps → scomm.ai → Remove access

Complaints:

File complaints with Google if you believe we've misused your data
Contact: privacy@scomm.ai

Response time: 30 days

Rights Specific to Microsoft Data

For data accessed via Microsoft APIs (Outlook, Hotmail, Live):

Withdrawal:

Revoke Microsoft OAuth access

Access Microsoft Account → Apps and services → scomm.ai → Remove

How to Exercise Your Rights

Email: privacy@scomm.ai

Subject Line: Privacy Rights Request - [Type of Request]

Include:

Your full name
Email address associated with account
Specific right you wish to exercise

Verification information (for security)

Response Time:

Acknowledgment within 5 business days
Complete response within 30 days (GDPR/PIPEDA)
45 days for CCPA requests

Extensions communicated if needed

Verification: We may request additional information to verify your identity before fulfilling requests (to protect your data from unauthorized access).

No Fee: Requests are processed free of charge (unless manifestly unfounded or excessive).

Special Notes:

Cryptographic Data:

We can provide your public keys and encrypted private key backups
We cannot decrypt your private key backups (you control the encryption password)

We can delete all cryptographic data upon request

What We Cannot Provide:

Email content (we don't have it - it's on your email provider's servers)
Private keys (stored on your device only)

Decrypted private key backups (we don't have your password)

DATA DELETION PROCESS

For comprehensive information on how to delete your account and manage your data, please see our dedicated Delete Account page.

CHILDREN'S PRIVACY

Age Restriction

Our services are not intended for children under 13 (under 16 in EU/EEA)
We do not knowingly collect information from children

Users must be of legal age to form a binding contract

Parental Notification

If we discover we have collected information from a child:

We will delete it immediately
We will notify parents/guardians if possible

Account will be terminated

Parental Rights

Parents or legal guardians may:

Request access to their child's information
Request deletion of information
Refuse further collection

Contact Us

If you believe a child has provided information:

Email: privacy@scomm.ai
Subject: Child Privacy Concern

Include: Details of the situation

MARKETING COMMUNICATIONS

Types of Communications

Transactional Messages (cannot opt out):

Purchase confirmations
Payment receipts
Account notifications
Security alerts
Service updates
Feature announcements
Application version update notifications
Authentication and token-related alerts
Billing reminders

Subscription expiration notices

Marketing Messages (can opt out):

Product announcements
Promotional offers
Newsletters
Tips and tutorials
Feature highlights

Company news

Consent and Opt-Out

CASL Compliance (Canada):

We obtain express or implied consent before sending commercial electronic messages
Every marketing email includes an unsubscribe link

We honor opt-out requests within 10 business days

You can opt out by:

Clicking "unsubscribe" in any marketing email
Emailing privacy@scomm.ai with "Unsubscribe" in the subject
Updating preferences in your account settings

Adjusting notification settings in the application

What Happens When You Opt Out

Marketing emails stop within 10 business days
Transactional and service-related communications continue
Account functionality unaffected

You can opt back in at any time

CALIFORNIA-SPECIFIC DISCLOSURES

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information (as defined by CCPA):

Identifiers:

Name, email, IP address
Device identifiers

User IDs

Commercial Information:

Purchase history
Payment details
Subscription information

Transaction records

Internet Activity:

Service usage patterns
Feature interactions
Download requests

Connection logs

Geolocation Data:

Approximate location from IP address (for routing optimization)

What We Do NOT Collect

Email content or communications
Email metadata or headers
Biometric information
Sensitive personal information beyond what is necessary for account security
Precise geolocation

Browsing history outside our services

Sources of Information

We collect personal information from:

Directly from you (account registration, purchases)
Automatically through your use of our services

Third parties (payment processors, identity providers)

Business Purposes

We use personal information for purposes described in Section 17 (How We Use Your Information).

Sharing for Business Purposes

We share information with service providers for business purposes as described in Section 22 (Data Sharing and Third Parties).

No Sale of Personal Information

We do NOT sell personal information as defined by CCPA
We do NOT share personal information for cross-context behavioral advertising

We have not sold personal information in the past 12 months

California Shine the Light Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes.

Our Disclosure:

We do NOT share personal information with third parties for their direct marketing

You may still request this information annually

How to Request:

Email: privacy@scomm.ai

Subject: California Shine the Light Request

CHANGES TO THIS PRIVACY POLICY

Updates and Modifications

We reserve the right to update this Privacy Policy at any time to reflect:

Changes in our practices
Legal or regulatory requirements
New features or services
Feedback and improvements
Updates to authentication mechanisms or cryptographic protocols
New platform support (additional operating systems or devices)

Changes to third-party services

Notice of Changes

Material Changes:

We will provide prominent notice (email notification, in-app notification, website banner)
Effective 30 days after notice
You may review changes before they take effect

Continued use after effective date constitutes acceptance

Examples of material changes:

New types of data collected
Changes to data sharing practices
Significant changes to user rights

Changes to data retention periods

Non-Material Changes:

Updated "Last Updated" date at top of policy
Effective immediately upon posting

Continued use constitutes acceptance

Examples of non-material changes:

Clarifications to existing practices
Formatting improvements
Contact information updates

Minor edits for clarity

How We Notify You

Email to registered email address
In-app notifications
Website banner on scomm.ai

Notice in client applications

Review and Acceptance

We encourage you to review this Privacy Policy periodically.

Continued use of our services after changes become effective constitutes acceptance of the updated policy.

If you do not agree with changes:

You should discontinue use
You may request deletion of your account

You can export your data before deletion

Version History

Previous versions of this Privacy Policy are available upon request:

Email: privacy@scomm.ai

Subject: Privacy Policy Version History Request

CONTACT INFORMATION

Privacy Inquiries

For privacy-related questions, concerns, or requests:

Email: privacy@scomm.ai

Subject Line: Privacy Inquiry

Mailing Address:

scomm.ai Media Routes Inc. 86-50 Burnhamthorpe Rd W Mississauga, ON L5B 3C2 Canada

Security Concerns

For security-related reports:

Email: security@scomm.ai

Subject Line: Security Report

Data Protection Officer

If required by applicable law, you may contact our Data Protection Officer at:

dpo@scomm.ai

Regulatory Authorities

You have the right to lodge a complaint with relevant supervisory authorities:

Canada: Office of the Privacy Commissioner of Canada Website: www.priv.gc.ca Phone: 1-800-282-1376
EU/UK: Your local data protection authority EU list: https://edpb.europa.eu/about-edpb/board/members_en

California: California Attorney General Website: oag.ca.gov California Privacy Protection Agency: cppa.ca.gov

Response Time

We strive to respond to all inquiries within:

Acknowledgment: 5 business days
Complete response: 30 days

Complex requests: 60 days (with notification of extension)

Business Hours

Support available:

Monday - Friday: 9 AM - 5 PM EST

Emergency security issues: 24/7 response

ACCESSIBILITY

We are committed to ensuring this Privacy Policy is accessible to everyone.

Alternative Formats

If you have difficulty accessing this policy or require it in an alternative format, contact us:

Email: privacy@scomm.ai

Available formats:

Large print
Audio (MP3)
Plain language summary
Braille (upon request)

Other formats as requested

Response Time

We will provide reasonable accommodations within 10 business days.

Website Accessibility

Our website follows WCAG 2.1 Level AA guidelines where possible.

If you encounter accessibility barriers:

Email: accessibility@scomm.ai

We will work to provide alternative access

LANGUAGE

This Privacy Policy is provided in English.

If translated versions are made available in the future, the English version prevails in case of conflicts or discrepancies.

Translation requests:

Email: privacy@scomm.ai

Subject: Privacy Policy Translation Request

SUMMARY OF OUR PRIVACY COMMITMENTS

Privacy-First Architecture

✓ All email processing happens on YOUR device, not our servers
✓ We never access, read, or store your email content
✓ We never see email headers, metadata, or sender information
✓ Your emails stay with your email provider (Gmail, Microsoft, IMAP server)
✓ Client-side architecture across all platforms
✓ Zero-knowledge encryption for private keys

What We Actually Collect

Account & Authentication

✓ Name, email address (for account creation)
✓ SSO identifiers (Google, Microsoft)
✓ Login credentials (encrypted)

Billing (Paying Parties Only)

✓ Billing address
✓ Payment tokens (Stripe, PayPal)
✓ Transaction history

Encryption Services

✓ Public cryptographic keys
✓ Email address hashes (SHA-256, non-reversible)
✓ Optionally: Encrypted private key backups (with YOUR password using AES-256-GCM)

Connectivity (SComm Connect)

✓ IP addresses (temporary, for routing)
✓ Device identifiers
✓ Access Control Lists

Usage & Billing

✓ Relay usage data (for usage-based billing)
✓ Party IDs (Paying and Using)

What We Never Collect

✗ Email content or communications
✗ Email metadata or headers
✗ Your email provider account credentials
✗ Unencrypted private cryptographic keys
✗ Your private key encryption passwords
✗ Personal data during version update checks
✗ Communication content (even through relay servers - it's encrypted)

Google API Compliance

✓ Process Gmail data only on your device
✓ Use Gmail scopes only for email functionality
✓ Never share Gmail data with third parties
✓ Never use Gmail data for advertising or analytics
✓ Allow data deletion anytime

Your Rights

✓ Access your data (including all stored information)
✓ Correct inaccurate information
✓ Delete your account and data
✓ Export your data in machine-readable formats
✓ Revoke OAuth access anytime (Google, Microsoft)
✓ Delete individual components (public keys, backups, devices)
✓ Opt out of marketing communications
✓ File complaints with regulators

Security Measures

✓ Zero-knowledge architecture for private keys
✓ AES-256-GCM encryption for optional key backups
✓ TLS/HTTPS for all communications
✓ DTLS-SRTP for peer-to-peer transfers
✓ Short-lived access tokens for enhanced security
✓ Cryptographically signed authentication tokens
✓ Client-side processing on all platforms
✓ Annual security assessments by Google-approved third parties
✓ PCI DSS compliance for payments
✓ Encrypted backups and secure storage

Data Retention

✓ You control public key retention (delete anytime)
✓ Account data deleted within 30 days of request
✓ Billing records retained 7 years (legal requirement)
✓ Temporary data (logs, IP addresses) deleted quickly (7-90 days)
✓ No permanent tracking of your activity

ACKNOWLEDGMENT

By using scomm.ai applications and services, you acknowledge that you have read, understood, and agree to this Privacy Policy.

If you do not agree with this policy, please do not use our services.

Please also review our Terms of Service for additional information about your use of scomm.ai services.

Your Consent:

Using our services constitutes consent to this Privacy Policy
OAuth authorization is separate consent for email access
Marketing communications require separate consent (can opt out)
You can withdraw consent at any time
Questions? Contact us at privacy@scomm.ai
Last Updated: ___________________
Version: 3.0

END OF PRIVACY POLICY