Privacy Policy

1. Introduction

Scale Media AI ("we," "us," or "our") operates the Scale Media AI platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access or use our Service. By using the Service you agree to the practices described in this policy.

2. Data Controller

In accordance with the General Data Protection Regulation (GDPR), the data controller responsible for the processing of your personal data is:

If you have any questions about how your personal data is processed, or if you wish to exercise your data subject rights, please contact us using the details above with the subject line "DATA PROTECTION: REQUEST".

3. Information We Collect

3.1 Information You Provide

• Account Data — Name, email address, and authentication credentials when you register.
• Brand Profile Data — Business name, website URL, industry, and brand description provided during onboarding.
• Visual Calibration Data — Your responses when swiping through curated visual pairs during the Taste Calibration process, indicating your aesthetic preferences.
• Anti-Style Selections — Design directions and visual patterns you explicitly reject, so the AI avoids them in your content.
• Reference Assets — Images or visual references you upload to guide the AI's understanding of your preferred style.
• Platform Preferences — Your selected social media platforms (Facebook, Instagram, X, Threads, LinkedIn) and per-platform tone, format, and posting preferences.
• Director Overrides — Optional advanced settings including template locks, font preferences, overlay rules, shot types, and call-to-action rules.
• Content Data — AI-generated posts, images, captions, and any user-uploaded media (e.g., logos).
• Payment Data — Billing information processed securely through Stripe. We do not store credit card numbers on our servers.
• Communications — Messages you send us through the contact form, support tickets, or email.

3.2 Information Collected Automatically

• Usage Data — Pages visited, features used, timestamps, click patterns, and interaction data.
• Device Data — Browser type, operating system, IP address, device identifiers, and screen resolution.
• Cookies & Similar Technologies — See our Cookie Policy for details.

3.3 Third-Party Data

When you connect social media accounts via our integration partners, we receive limited profile information (account name, profile picture, platform identifiers) necessary to publish content on your behalf. We do not access private messages or contact lists.

3.4 User-Submitted Data Sources

During onboarding and brand setup, you may provide website URLs and social media profile URLs. We use automated tools (including Firecrawl and social media scraping APIs) to extract publicly available information such as brand colors, tone, logos, images, and text content from these sources. This processing is performed:

• Solely at your instruction and on your behalf — we only process URLs you explicitly submit.
• For the purpose of building your Brand Brain — the extracted data is used exclusively to personalize your AI-generated content.
• Without independent verification of ownership — we rely on your representation (as stated in our Terms of Service, Section 5.4) that you own or are authorized to use the submitted websites and social media profiles.

We do not retain raw scraped data beyond what is necessary to build your brand profile. Extracted data is processed and stored in a structured format within your workspace and is subject to the same security measures and retention policies described in this Privacy Policy.

4. How We Use Your Information

• Provide, operate, and maintain the Service, including AI-powered content generation.
• Build and maintain your Brand Brain — a personalized AI profile used to generate content that matches your visual identity, voice, and strategy.
• Process your Visual Calibration responses through the Taste Intelligence Engine to learn your aesthetic preferences and anti-styles.
• Generate platform-specific social media content (captions, images, hashtags, posting schedules) tailored to your Brand Brain.
• Process transactions and manage your subscription.
• Send transactional emails (e.g., account verification, password resets, billing receipts).
• Respond to support requests and communicate product updates.
• Monitor and analyze usage trends to improve the Service.
• Detect, prevent, and address fraud, abuse, or technical issues.
• Comply with legal obligations.

We do not sell your personal data to third parties.

5. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your data under the following legal bases:

6. Data Sharing & Third-Party Services

We share data only with the following categories of service providers, under strict data-processing agreements:

Prompts and outputs sent to AI providers are processed but not used to train third-party models. We do not share your data with advertisers, data brokers, or any party for purposes unrelated to operating the Service.

7. Your Rights (GDPR & Applicable Law)

You have the following rights regarding your personal data:

• Right of Access — Request a copy of the personal data we hold about you, including information on what data is being processed, by whom, and for what purpose.
• Right to Rectification — Update or correct inaccurate or incomplete information via your account settings or by contacting us.
• Right to Erasure ("Right to be Forgotten") — Request deletion of your account and all associated data. We implement a 30-day grace period before permanent deletion, during which you may cancel the request.
• Right to Data Portability — Receive your data in a structured, commonly used, and machine-readable format (ZIP archive) and transfer it to another data controller. Export from Settings → Account → Export Data.
• Right to Restriction of Processing — Request that we limit how we use your data in certain circumstances, such as when you contest the accuracy of data or object to processing.
• Right to Object — Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
• Right to Withdraw Consent — Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing. You may withdraw consent by: adjusting cookie preferences via the cookie banner; unsubscribing from marketing emails; or contacting us directly.
• Right not to be Subject to Automated Decision-Making — You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you.

How to Exercise Your Rights

To exercise any of these rights, email us at info@scalemedia.ai with the subject line "DATA PROTECTION: RIGHTS REQUEST". We will verify your identity and respond within 30 days. If we cannot fulfill your request, we will explain why.

8. Automated Decision-Making

Scale Media AI uses AI algorithms to generate content and personalize your experience. However, we do not use automated decision-making or profiling in a way that produces legal effects or similarly significantly affects you. AI-generated content is provided as suggestions only — all publishing decisions remain under your full control.

8A. AI Processing Transparency (EU AI Act)

In compliance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), we provide the following transparency information about how AI processes your personal data:

• Your brand profile data, visual calibration responses, and content preferences are processed by AI models (Google Gemini, OpenRouter) to generate personalized social media content.
• AI processing is performed solely to provide the Service — your data is not used to train third-party AI models.
• AI prompts and outputs are processed in real-time and are not retained by AI providers for model improvement.
• All AI-generated content is subject to your review and approval before publication — no automated publishing occurs without your explicit action.
• Our AI systems are classified as limited risk under the EU AI Act, as they generate content recommendations and do not make autonomous decisions with legal effect.

For comprehensive details about our AI systems, please see our AI Transparency Notice.

9. Data Retention

• Active Accounts — We retain data for as long as your account is active and the Service is in use.
• Deleted Accounts — After account deletion is confirmed, all personal data is permanently removed within 30 days.
• Legal Requirements — Certain records (e.g., billing history) may be retained for up to 7 years as required by applicable tax and accounting laws.
• Anonymized Data — Aggregated, anonymized analytics data may be retained indefinitely as it cannot identify individuals.
• Communication Data — Support tickets and correspondence are retained for up to 2 years after resolution for quality assurance purposes.

10. Data Security

We implement industry-standard security measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Row-Level Security (RLS) policies ensuring strict data isolation between users.
• Secure authentication via Supabase Auth with bcrypt-hashed passwords.
• Secrets management with environment-level isolation — no credentials in source code.
• Regular security audits and dependency updates.

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

11. International Data Transfers

Our primary infrastructure is hosted within the European Union. Where data is transferred outside the EEA (e.g., to AI processing services in the United States), we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• EU-US Data Privacy Framework (DPF) certification, where applicable.
• Data processing agreements with all sub-processors that include adequate data protection provisions.

12. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at info@scalemedia.ai.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will notify you via email or through a prominent notice on the Service. Continued use of the Service after changes constitutes acceptance of the revised policy.

14. Right to Lodge a Complaint

If you are located in the EU/EEA and believe your data protection rights have not been adequately addressed, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs can be found at edpb.europa.eu.

14a. Demo Page Data Handling

When you use our public demo at scalemedia.ai/demo to generate sample posts from a URL, we additionally process: (i) the URL you submit, (ii) your IP address, (iii) your browser user-agent, and (iv) the timestamp of submission, together with the exact text of the consent statement you accepted. This information is retained for up to 12 months for fraud-prevention and dispute-resolution purposes. Generated sample images and any content scraped during the demo are deleted within 7 days of generation. By using the demo you confirm that you are the owner of, or are explicitly authorized to use, the URL you submit; submitting URLs you do not own or are not authorized to use may constitute a breach of our Terms of Service.

15. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: