Last updated: September 30, 2025
This Privacy Notice explains how Scotty, Inc. ("Scotty," "we," "us," or "our") collects, uses, discloses, and safeguards personal data when you use our websites, mobile experiences, and services that link to this Privacy Notice (collectively, the "Services"). It also describes your choices and rights. Capitalized terms not defined here have the meanings given in our Terms of Service.
Scotty provides an AI assisted financial digest that connects to your financial accounts and inbox to find savings opportunities, missed refunds, duplicate subscriptions, and suspicious charges, and to send you a monthly summary and optional alerts. This Privacy Notice applies to personal data we process about consumers and visitors. It does not apply to job applicants or employees.
Controller: Scotty, Inc., San Francisco, California, USA. Contact: privacy@joinscotty.co.
The personal data we collect depends on how you use the Services.
Account data: name, email address, phone number, password or one time codes, preferences.
Financial related data you connect: account and transaction data from financial institutions via our integration provider Plaid. We do not receive or store your bank credentials. Plaid provides us with read only tokens and financial data you authorize. See Plaid’s privacy policy for details.
Inbox data you authorize: email headers and content, attachments, labels, sender and recipient information, calendar events, contact names and email addresses, and other data you choose to connect so that Scotty can surface refunds, subscriptions, receipts, and similar items. You may revoke access at any time in your Google account security settings.
Customer content: files, data, and communications you submit, upload, or route through the Services, including feedback you send us.
Payment data: payment card details and billing information, which are processed by our payment processors. We do not store full card numbers.
Device and usage data: device type, operating system, browser, IP address, timestamps, pages viewed, referring pages, clicks, and interactions.
Cookies and similar technologies: we use cookies, pixels, and SDKs for authentication, security, product features, and analytics. See Section 9 for your choices.
Approximate location: derived from your IP address to localize content and prevent fraud.
Service providers and partners: analytics, error reporting, and authentication providers.
Inferences: we create inferences about likely subscriptions, refunds, merchants, and spend categories based on your connected data in order to power insights and automation.
We do not intentionally collect data from children. See Section 12.
We use personal data to:
Provide, operate, and improve the Services, including creating your monthly digest and savings insights.
Detect potential savings such as duplicate subscriptions, missed refunds, or suspicious charges and message you about them.
Power AI assisted features that summarize emails and transactions, classify merchants and categories, and draft suggested actions.
Communicate with you about your account, product updates, and security notices.
Personalize content and measure feature usage and performance.
Protect, investigate, and deter fraud, unauthorized use, and abuse.
Comply with law and enforce our agreements.
Model training and product improvement. We do not use your personal inbox content or financial transaction details to train third party foundation models. We may use de-identified or aggregated data to improve our features and classifiers. You can opt out of de-identified improvement uses at any time by emailing privacy@joinscotty.co.
Automated processing. Scotty uses automated processing to classify transactions, identify potential savings, and draft alerts. These activities do not produce legal or similarly significant effects for you. You can ask us to review any output or to disable certain automations in Settings.
We share personal data as follows:
Service providers: companies that help us run the Services, such as cloud hosting, data storage, analytics, email delivery, authentication, customer support, and payments. Our providers may access personal data only to perform work for us under contract.
Financial connectivity partners: Plaid and similar providers to connect your bank and card accounts. These partners receive and process data you authorize to share with us.
Email and identity providers: Google and similar providers when you connect inbox, calendar, or contacts.
Legal and safety: to comply with law, protect rights and safety, prevent fraud, or respond to legal process.
Business transfers: in connection with a merger, financing, acquisition, or sale of all or part of our business.
We do not sell personal data. We also do not share personal data for cross context behavioral advertising.
Access, correction, deletion, portability: subject to applicable law, you may request access to, correction of, deletion of, or a portable copy of your personal data by emailing privacy@joinscotty.co.
Revoke integrations: you can disconnect Scotty from Gmail, Google Calendar, and Google Contacts in your Google account settings at any time. Disconnecting will stop future access. You may also disconnect financial accounts through Plaid’s portal or within Scotty.
Marketing preferences: you can opt out of marketing emails by using the unsubscribe link in those emails.
Cookies and analytics: you can control cookies in your browser and limit advertising identifiers in your device settings. Some features may not work without certain cookies.
We will not discriminate against you for exercising your privacy rights.
We retain personal data for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. We may retain de-identified data for product improvement and statistical purposes. When data is no longer needed, we delete or de-identify it.
We use administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, access controls, and secure development practices. No system can be guaranteed secure, and you are responsible for keeping your login credentials confidential.
We operate in the United States and may transfer personal data to countries with different data protection laws. Where required, we use appropriate safeguards such as Standard Contractual Clauses with our processors.
We use cookies and similar technologies for authentication, security, preferences, analytics, and product features. You can control cookies through your browser settings. If you block cookies, some features may not work.
Categories collected: identifiers; commercial information; internet or network activity; geolocation (approximate); inferences; audio or electronic communications you choose to connect; financial information via Plaid; and account credentials for Scotty.
Sources: you, your devices, your connected accounts, service providers.
Business purposes: as described in Sections 3 and 4.
Disclosures for business purposes: service providers and partners listed in Section 4.
Sale or sharing: we do not sell personal information and we do not share it for cross context behavioral advertising.
Sensitive personal information: we use sensitive data you choose to connect, such as financial transaction data and the contents of communications, only to provide the Services. We do not use or disclose sensitive personal information for any purpose that requires offering a right to limit under CPRA.
California residents may exercise access, deletion, correction, and portability rights by emailing privacy@joinscotty.co. We will verify your request and respond as required by law. You may use an authorized agent with proof of authorization.
Controller: Scotty, Inc., San Francisco, USA. Contact: privacy@joinscotty.co.
Lawful bases: contract performance; legitimate interests such as product improvement and security; compliance with law; and consent where required. Where we rely on legitimate interests, we balance our interests with your rights.
Transfers: we use Standard Contractual Clauses when transferring personal data to the United States and other countries. Copies are available on request.
Rights: access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. You may lodge a complaint with your local supervisory authority.
The Services are not directed to children under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, contact us and we will delete it.
We may update this Notice. If we make material changes, we will notify you by email or in product notice. The updated Notice will have a new "Last updated" date.
Questions or requests: privacy@joinscotty.co.
We use the following categories of subprocessors. We will maintain an up to date list at joinscotty.co/legal/subprocessors.
Cloud infrastructure and storage
Financial connectivity (Plaid)
Authentication and identity
Email and calendar access (Google APIs)
Product analytics and crash reporting
Customer support tools
Payment processing
If you connect Google user data, our use of that data complies with the Google API Services User Data Policy and the Limited Use requirements. We only use the Gmail, Calendar, and Contacts data you authorize to provide user facing features, we do not transfer it to third parties except to provide or improve those features, we do not use it for advertising, and we do not allow humans to read it except where required for security, compliance, or to resolve a user initiated issue.