Cookie & Data Protection Policy

Effective Date: February 14, 2026

Last updated: April 23, 2026

1. Data Controller

The data controller responsible for the processing of personal data collected via cookies and similar technologies is:

Scale Media AI

Email: info@scalemedia.ai

Website: scalemedia.ai

2. What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites function properly, remember your preferences, and provide information to the site owner. Some cookies are essential for the website to work, while others help us improve your experience.

3. Cookie Regulations

The use of cookies is regulated by the ePrivacy Directive (2002/58/EC) and the General Data Protection Regulation (GDPR). Under these regulations:

  • Strictly necessary cookies are exempt from consent requirements — they are essential for the Service to function (e.g., authentication, security).
  • All other cookies (functional, analytics, marketing) require your prior informed consent before being placed on your device.
  • Consent must be freely given, specific, informed, and unambiguous.
  • You may withdraw your consent at any time (see Section 6).

4. Cookies We Use

4.1 Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled. No consent is required.

CookiePurposeLegal BasisDuration
sb-*-auth-tokenAuthentication session (Supabase Auth)EssentialSession / 1 year
sb-*-auth-token-code-verifierPKCE authentication flow verificationEssentialSession
NEXT_LOCALERemembers your preferred site language (English, German, Spanish, or Italian)Essential1 year
lang-chosenRecords that you have chosen a language so the welcome-language prompt is not shown againEssential1 year
ref_codePreserves affiliate referral code during the signup processEssential30 days
sma_impShort-lived admin impersonation token set only when a Scale Media AI support agent accesses your workspace. All such sessions are audit-logged.Essential (support)30 minutes

4.2 Functional Storage

These browser storage items remember your preferences and settings to enhance your experience. They are stored in localStorage and do not require consent as they are limited to UI preferences within the application.

KeyPurposeStorage TypeDuration
cookie-consentRecords whether you accepted or declined non-essential cookies so we don't re-promptlocalStoragePersistent until cleared
sidebar-collapsedRemembers whether you had the in-app sidebar collapsed or expandedlocalStoragePersistent until cleared
dashboard_lang_gate_doneOne-time flag so the in-app language confirmation prompt is shown only oncelocalStoragePersistent until cleared

4.3 Analytics

We use Vercel Web Analytics to understand page views and site performance. This service is only activated after you give consent via our cookie banner. No data is collected before you accept.

ServicePurposeLegal BasisData Collected
Vercel Web AnalyticsPage views, web performance metrics, visitor countConsentAnonymized page view data, no personal identifiers

Vercel Analytics is privacy-focused and does not use cookies for tracking. It collects anonymized, aggregated data. You can withdraw consent at any time via the "Cookie Settings" link in our website footer.

4.4 Marketing / Advertising Cookies

We do not use any marketing or advertising cookies. We do not track you across other websites, share data with ad networks, or use retargeting pixels.

5. Local Storage & Session Storage

In addition to cookies, we use browser local storage and session storage to persist certain preferences and application state. These technologies function similarly to cookies but are managed differently by the browser. They are subject to the same policies described here.

  • localStorage — Stores your cookie consent preference, UI preferences (e.g., sidebar state), and the one-time language confirmation flag. Data persists until manually cleared.
  • sessionStorage — Used for short-lived in-tab state such as CRM sync flags and post-approval auto-refresh markers. Data is automatically cleared when the browser tab is closed.
  • Cloudflare Turnstile — Our authentication forms are protected by Cloudflare Turnstile, a privacy-preserving CAPTCHA. Turnstile may store a challenge token for the duration of the form submission to distinguish humans from automated abuse. It does not track you across sites and does not set advertising cookies.

You can clear local storage and session storage at any time via your browser's developer tools or privacy settings.

6. Managing & Withdrawing Cookie Consent

You can manage or withdraw your cookie consent at any time using any of the following methods:

6.1 Cookie Banner

When you first visit our website, a cookie consent banner allows you to accept or decline non-essential cookies and analytics. You can update your preferences at any time by clicking the "Cookie Settings" link in the website footer, which re-opens the consent banner.

6.2 Browser Settings

Most browsers allow you to control cookies through their settings. Here are instructions for common browsers:

  • Google Chrome — Settings → Privacy and Security → Cookies and other site data
  • Mozilla Firefox — Settings → Privacy & Security → Cookies and Site Data
  • Safari — Preferences → Privacy → Manage Website Data
  • Microsoft Edge — Settings → Cookies and site permissions → Manage and delete cookies

6.3 Device Settings

Mobile devices typically offer cookie management options within their privacy settings. iOS users can manage this via Settings → Safari → Advanced → Website Data. Android users can manage via Chrome → Settings → Privacy and Security → Clear Browsing Data.

Note: Blocking or deleting strictly necessary cookies (such as authentication tokens) may prevent the Service from functioning correctly. You may be unable to log in or use certain features.

7. Data Protection Measures

Scale Media AI implements comprehensive data protection measures to safeguard your personal information:

7.1 Encryption

  • All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256 encryption.
  • Passwords are hashed using bcrypt with a cost factor of 10 and are never stored in plain text.

7.2 Access Controls

  • Row-Level Security (RLS) policies ensure that each user can only access their own data.
  • Administrative access is restricted to authorized personnel with role-based permissions.
  • API keys and credentials are stored in environment-level secrets, never in source code.

7.3 Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store, process, or have access to full credit card numbers. Payment forms are served directly by Stripe's secure infrastructure.

7.4 Infrastructure Security

  • Our database and authentication services are hosted on Supabase, which runs on AWS infrastructure within the EU.
  • Automatic backups are performed daily with point-in-time recovery capabilities.
  • Regular security patches and dependency updates are applied.

8. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Take immediate steps to contain the breach and mitigate its effects.
  • Document the breach, its effects, and the remedial actions taken.

9. Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all third-party service providers who process personal data on our behalf. These agreements ensure compliance with GDPR Article 28 requirements, including:

  • Processing only on our documented instructions.
  • Ensuring confidentiality of persons authorized to process the data.
  • Implementing appropriate technical and organizational security measures.
  • Assisting us in responding to data subject rights requests.
  • Deleting or returning all personal data at the end of the service relationship.

10. Your Rights

You have the right to access, rectify, erase, restrict, object to, and port your data. You also have the right to withdraw consent for non-essential cookies at any time. For a complete overview of your data protection rights, please refer to our Privacy Policy.

To exercise your rights, email info@scalemedia.ai with the subject line "DATA PROTECTION: RIGHTS REQUEST".

10a. Public Demo Page

When you visit our public demo at scalemedia.ai/demo, the page loads Cloudflare Turnstile for invisible bot-protection. Turnstile may set strictly-necessary first-party cookies and short-lived clearance tokens that are essential for it to function and cannot be turned off without breaking the demo. We additionally write a server-side record of your submission attempt (IP, user-agent, the URL you sent, timestamp, and the exact text of the consent statement you accepted) to our demo_consent_log table and retain it for up to 12 months for fraud-prevention purposes — those records are server-side database entries, not cookies; full detail in our Privacy Policy.

11. Changes to This Policy

We may update this Cookie & Data Protection Policy from time to time. We will notify you of material changes by updating the "Last updated" date above and, where appropriate, by notifying you via email. We encourage you to review this policy periodically.

12. Data Protection Contact

For questions related to data protection, cookies, or to exercise your data rights, please contact:

Scale Media AI — Data Protection

Email: info@scalemedia.ai

Website: scalemedia.ai

Terms of ServicePrivacy PolicyAI TransparencyAcceptable UseRefund PolicyAccessibilityImprint← Back to Scale Media AI