1. Introduction
Scale Media AI ("we," "us," or "our") operates the Scale Media AI platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use our Service. By using the Service you agree to the practices described in this policy.
2. Data Controller
In accordance with the General Data Protection Regulation (GDPR), the data controller responsible for the processing of your personal data is:
If you have any questions about how your personal data is processed, or if you wish to exercise your data subject rights, please contact us using the details above with the subject line "DATA PROTECTION: REQUEST".
3. Information We Collect
3.1 Information You Provide
- Account Data — Name, email address, and authentication credentials when you register.
- Brand Profile Data — Business name, website URL, industry, and brand description provided during onboarding.
- Visual Calibration Data — Your responses when swiping through curated visual pairs during the Taste Calibration process, indicating your aesthetic preferences.
- Anti-Style Selections — Design directions and visual patterns you explicitly reject, so the AI avoids them in your content.
- Reference Assets — Images or visual references you upload to guide the AI's understanding of your preferred style.
- Platform Preferences — Your selected social media platforms (Facebook, Instagram, X, Threads, LinkedIn) and per-platform tone, format, and posting preferences.
- Director Overrides — Optional advanced settings including template locks, font preferences, overlay rules, shot types, and call-to-action rules.
- Content Data — AI-generated posts, images, captions, and any user-uploaded media (e.g., logos).
- Payment Data — Billing information processed securely through Stripe. We do not store credit card numbers on our servers.
- Communications — Messages you send us through the contact form, support tickets, or email.
3.2 Information Collected Automatically
- Usage Data — Pages visited, features used, timestamps, click patterns, and interaction data.
- Device Data — Browser type, operating system, IP address, device identifiers, and screen resolution.
- Cookies & Similar Technologies — See our Cookie Policy for details.
3.3 Third-Party Data
When you connect social media accounts via our integration partners, we receive limited profile information (account name, profile picture, platform identifiers) necessary to publish content on your behalf. We do not access private messages or contact lists.
4. How We Use Your Information
- Provide, operate, and maintain the Service, including AI-powered content generation.
- Build and maintain your Brand Brain — a personalized AI profile used to generate content that matches your visual identity, voice, and strategy.
- Process your Visual Calibration responses through the Taste Intelligence Engine to learn your aesthetic preferences and anti-styles.
- Generate platform-specific social media content (captions, images, hashtags, posting schedules) tailored to your Brand Brain.
- Process transactions and manage your subscription.
- Send transactional emails (e.g., account verification, password resets, billing receipts).
- Respond to support requests and communicate product updates.
- Monitor and analyze usage trends to improve the Service.
- Detect, prevent, and address fraud, abuse, or technical issues.
- Comply with legal obligations.
We do not sell your personal data to third parties.
5. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:
| Data Category | Legal Basis | Purpose |
|---|
| Account & Brand Data | Contract | Delivering the Service |
| Payment Data | Contract | Processing subscriptions & billing |
| Usage & Device Data | Legitimate Interest | Analytics, security, service improvement |
| Marketing emails | Consent | Promotional communications |
| Non-essential cookies | Consent | See Cookie Policy |
| Billing records | Legal Obligation | Tax & accounting compliance |
6. Data Sharing & Third-Party Services
We share data only with the following categories of service providers, under strict data-processing agreements:
| Provider | Purpose | Data Framework |
|---|
| Supabase (AWS EU) | Database, auth, storage | EU-hosted, SOC 2 |
| Google (Gemini API) | AI content & image generation | EU-US Data Privacy Framework |
| Stripe, Inc. | Subscription billing | PCI DSS Level 1 |
| Social Media Platforms | Content publishing via APIs | Platform-specific DPAs |
| Resend | Transactional & notification emails | SOC 2, SCCs |
| Firecrawl | Website scraping during onboarding | SCCs |
| OpenRouter | Fallback AI content generation | EU-US Data Privacy Framework |
Prompts and outputs sent to AI providers are processed but not used to train third-party models. We do not share your data with advertisers, data brokers, or any party for purposes unrelated to operating the Service.
7. Your Rights (GDPR & Applicable Law)
You have the following rights regarding your personal data:
- Right of Access — Request a copy of the personal data we hold about you, including information on what data is being processed, by whom, and for what purpose.
- Right to Rectification — Update or correct inaccurate or incomplete information via your account settings or by contacting us.
- Right to Erasure ("Right to be Forgotten") — Request deletion of your account and all associated data. We implement a 30-day grace period before permanent deletion, during which you may cancel the request.
- Right to Data Portability — Receive your data in a structured, commonly used, and machine-readable format (ZIP archive) and transfer it to another data controller. Export from Settings → Account → Export Data.
- Right to Restriction of Processing — Request that we limit how we use your data in certain circumstances, such as when you contest the accuracy of data or object to processing.
- Right to Object — Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to Withdraw Consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. You may withdraw consent by: adjusting cookie preferences via the cookie banner; unsubscribing from marketing emails; or contacting us directly.
- Right not to be Subject to Automated Decision-Making — You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you.
How to Exercise Your Rights
To exercise any of these rights, email us at info@scalemedia.ai with the subject line "DATA PROTECTION: RIGHTS REQUEST". We will verify your identity and respond within 30 days. If we cannot fulfill your request, we will explain why.
8. Automated Decision-Making
Scale Media AI uses AI algorithms to generate content and personalize your experience. However, we do not use automated decision-making or profiling in a way that produces legal effects or similarly significantly affects you. AI-generated content is provided as suggestions only — all publishing decisions remain under your full control.
9. Data Retention
- Active Accounts — We retain data for as long as your account is active and the Service is in use.
- Deleted Accounts — After account deletion is confirmed, all personal data is permanently removed within 30 days.
- Legal Requirements — Certain records (e.g., billing history) may be retained for up to 7 years as required by applicable tax and accounting laws.
- Anonymized Data — Aggregated, anonymized analytics data may be retained indefinitely as it cannot identify individuals.
- Communication Data — Support tickets and correspondence are retained for up to 2 years after resolution for quality assurance purposes.
10. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Row-Level Security (RLS) policies ensuring strict data isolation between users.
- Secure authentication via Supabase Auth with bcrypt-hashed passwords.
- Secrets management with environment-level isolation — no credentials in source code.
- Regular security audits and dependency updates.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
11. International Data Transfers
Our primary infrastructure is hosted within the European Union. Where data is transferred outside the EEA (e.g., to AI processing services in the United States), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- EU-US Data Privacy Framework (DPF) certification, where applicable.
- Data processing agreements with all sub-processors that include adequate data protection provisions.
12. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at info@scalemedia.ai.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will notify you via email or through a prominent notice on the Service. Continued use of the Service after changes constitutes acceptance of the revised policy.
14. Right to Lodge a Complaint
If you are located in the EU/EEA and believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs can be found at edpb.europa.eu.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: