Privacy Policy for SupplyScout
Last Updated: June 15, 2026
SupplyScout ("SupplyScout," "we," "us," or "our") provides a B2B software-as-a-service platform that helps restaurants and food-service businesses manage procurement — capturing and reconciling supplier invoices, detecting overcharges, recommending suppliers, and automating reordering through autonomous AI agents. This Privacy Policy explains what information we collect, how we use it, the third-party service providers ("sub-processors") that process data on our behalf, and the choices and rights you have.
This policy covers our marketing website at https://supplyscout.ai, our web application at https://app.supplyscout.ai, and our iOS and Android mobile apps. By creating an account or using SupplyScout, you agree to the practices described here. SupplyScout is a business product sold to and used by businesses; if you use SupplyScout as an employee or representative of a business, the business is the controller of the data you submit and this policy describes how we process it on that business's behalf.
1. INFORMATION WE COLLECT
We collect the following categories of information, almost all of which you or your business provide directly by using the product:
1.1 Account and Identity Data
- Your name, email address, and phone number, collected at signup and in your profile.
- Authentication and session data used to keep you securely signed in.
1.2 Business and Operational Data
- Your business and restaurant information: business name, restaurant locations, and addresses.
- Your suppliers, products, recipes, and cart/order data, whether entered by you or synced from a connected integration.
1.3 Invoices, Documents, and Images
- Invoice and document images (photos and PDFs) that you upload, plus delivery-verification photos you capture. These are stored as files in our backend storage and are sent to an AI provider for optical character recognition (OCR) and line-item extraction (see Section 3).
1.4 Financial and Purchase Data
- Invoice line items, totals, prices, vendor amounts, spend and analytics figures, and purchase history — extracted from your invoices and from any connected point-of-sale or accounting systems.
1.5 Chat and Conversation Content
- Messages and conversation history you exchange with our Scout AI assistant, and messages submitted through the marketing-site chat. These are processed by a third-party AI model (see Section 3).
1.6 Billing Data
- Your billing name and email, your subscription and customer identifiers, and plan selections. Card and payment details are entered on, and handled by, our payment processor's hosted pages — SupplyScout does not store full card numbers on its servers.
1.7 Integration Data (only if you connect an integration)
- QuickBooks Online (Intuit): if you authorize it, we read and write vendors, bills, bill payments, and expense accounts.
- Square: if you authorize it, we read catalog items and orders and compute demand forecasts.
- The OAuth tokens for these integrations are stored in our backend so the integration can continue to sync.
1.8 Push Notification Data
- If you enable notifications, we store your browser/device push subscription so we can deliver alerts (such as price alerts) to you.
1.9 Device, Usage, and Request Metadata
- IP address, browser/user-agent and device information, requested URLs, and the platform you use (web, iOS, or Android). This is processed by our hosting providers and our backend as part of normal operation.
We do NOT use third-party web-analytics, advertising, crash-reporting, or product-analytics tracking SDKs (for example, Google Analytics, Mixpanel, Amplitude, Segment, PostHog, Sentry, or advertising/marketing pixels). The spend "analytics" in the product are our own in-app features computed from your data, not a third-party tracker.
2. HOW WE USE YOUR INFORMATION
We use the information above to:
- Provide the core service: capture and read your invoices, reconcile them, detect overcharges and anomalies, score and recommend suppliers, generate insights and briefings, and power autonomous reordering agents.
- Run the Scout AI assistant and answer natural-language questions about your own data.
- Authenticate you, maintain your account and sessions, and keep the service secure.
- Process subscriptions and billing.
- Send you transactional and operational messages — onboarding emails, price-alert emails, weekly digests, reports, scheduled exports, and push notifications you have enabled.
- Operate, maintain, debug, and improve the product.
- Comply with legal obligations and enforce our terms.
We do not sell your personal information, and we do not rent or trade it for others' marketing.
3. THIRD-PARTY SUB-PROCESSORS AND AI PROCESSING
To run SupplyScout we rely on the trusted service providers below. Each receives only the data needed for its function, and acts as our processor under contract. This is a full list of the providers that process user data.
Supabase — Core backend platform.
Receives: effectively all of your data — account identity, business/restaurant profile, locations, suppliers, products, recipes, invoice and document images, financial and purchase data, chat content, push subscriptions, integration OAuth tokens, and device/session data.
Why: Supabase hosts our database, authentication, file/object storage, and serverless functions. It is the primary store and processor for the entire product.
Google (Gemini / Google Generative Language API) — AI and OCR provider.
Receives: invoice and document images and delivery photos (for OCR and verification); your Scout and marketing chat messages and history; and restaurant/business, supplier, product, purchase, and invoice data used as context for AI features.
Why: Google's Gemini models perform the invoice OCR and line-item extraction used in the web app and mobile apps, delivery-photo verification, the conversational Scout assistant, natural-language queries over your data, anomaly detection, supplier and dashboard scoring, alerts, briefings, purchase advice, and reorder suggestions. IMPORTANT: this means user content — including your invoice images and your chat messages — is sent to and processed by a third-party AI model operated by Google.
AWS (Amazon Textract) — Invoice OCR provider (marketing-site path).
Receives: raw invoice file bytes (image or PDF) for line-item and total extraction.
Why: Amazon Textract is an alternative/legacy OCR path used by the marketing-site invoice flow when AWS credentials are configured. Where this path is active, your uploaded invoice content is processed by Amazon Textract in addition to, or instead of, Google Gemini. IMPORTANT: invoice content uploaded through that path is processed by a third-party OCR service operated by Amazon Web Services.
Stripe — Payments and subscription billing.
Receives: billing identity (email, name), Stripe customer/subscription identifiers, your plan selections, and the card/payment data you enter on Stripe-hosted pages.
Why: Stripe processes checkout, manages subscriptions and the billing portal, and drives subscription state via webhooks.
Resend — Transactional and notification email delivery.
Receives: your recipient email address and name, and the email body content — which embeds your data (price alerts, report/digest contents, export data, and invoice/supplier figures).
Why: Resend delivers onboarding emails, price-alert emails, weekly digests, reports, and scheduled exports.
Netlify — Hosting and CDN for the web application (app.supplyscout.ai).
Receives: HTTP request metadata — IP address, user-agent/device information, and requested URLs. Your application data itself transits through Netlify to Supabase rather than being stored by Netlify.
Why: Netlify serves the web-app shell and processes its web traffic.
Hostinger — Hosting for the marketing website (supplyscout.ai).
Receives: HTTP request metadata for marketing-site visitors (IP, user-agent, page requests).
Why: Hostinger serves the static marketing pages.
Browser and OS Push Services (Google FCM, Apple Push Notification service, Mozilla autopush) — Notification delivery.
Receives: your push subscription endpoint (the vendor URL on your device) and the encrypted notification payload (for example, price-alert text).
Why: When you enable push notifications, the actual delivery endpoint is the push service of your own browser or operating system. We implement the standard Web Push protocol with VAPID; we do not use a separate third-party notification vendor.
User-authorized integrations (Intuit / QuickBooks Online and Square).
These are services that YOU connect by authorizing them. When connected, data flows between SupplyScout and Intuit (oauth.platform.intuit.com and related Intuit hosts) and/or Square (connect.squareup.com) as described in Section 1.7. These integrations are optional and operate only after you grant access; you can disconnect them at any time.
Read-only market-data sources. We also read public, non-user-data market information (for example, USDA market prices and CME futures data) to inform pricing insights. No user data is sent to these sources.
We may engage additional sub-processors as the product evolves; where required, we will update this list. We may also disclose information if required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets.
4. DATA RETENTION
We retain your information for as long as your account is active and as needed to provide the service. Invoices, documents, financial records, and operational data are retained so the product remains useful to you over time (for example, for historical spend analytics and overcharge detection). Billing records are retained as required for accounting and legal compliance. When you delete your account (see Section 5), we delete or anonymize your personal data, except where we are required to retain certain records to meet legal, tax, or regulatory obligations, or as residual copies persist temporarily in routine backups.
5. HOW TO DELETE YOUR DATA
You can delete your account and associated data at any time:
- In the app, go to Settings > Delete Account. This invokes our delete-account process, which removes your account and associated data and cancels any active subscription.
- Alternatively, email us at support@supplyscout.ai and we will process your deletion request.
You can also disconnect any QuickBooks or Square integration at any time, which stops further syncing.
6. SECURITY
We protect your data using industry-standard measures. All traffic between your device and our services is encrypted in transit using HTTPS/TLS. Data stored in our backend is encrypted at rest by our backend platform (Supabase). Access to production data is restricted, and authentication is enforced on every request. While no method of transmission or storage is perfectly secure, we work to safeguard your information against unauthorized access, alteration, or destruction.
7. CHILDREN'S PRIVACY
SupplyScout is a business-to-business product intended for use by businesses and their authorized personnel. It is not directed to children, and we do not knowingly collect personal information from anyone under the age of 16. If you believe a child has provided us with personal information, contact us at support@supplyscout.ai and we will delete it.
8. YOUR RIGHTS AND CHOICES
Depending on your location, you may have rights to access, correct, export, or delete your personal information, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. You can exercise many of these directly in the app (editing your profile, managing integrations, deleting your account). For any other request, contact us at support@supplyscout.ai and we will respond consistent with applicable law. Because SupplyScout is typically used on behalf of a business, we may direct certain requests to the business that controls your data.
9. INTERNATIONAL USERS
SupplyScout and its sub-processors operate using cloud infrastructure that may process and store data in the United States and other countries. By using SupplyScout, you understand that your information may be transferred to and processed in jurisdictions that may have different data-protection laws than your own.
10. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on this page with a new "Last Updated" date, and we may notify you by email of material changes.
11. CONTACT US
If you have questions, concerns, or requests about this Privacy Policy or your data, contact us at:
Email: support@supplyscout.ai
By using SupplyScout, you acknowledge that you have read and understood this Privacy Policy.