Privacy Policy

Who we are

Scaley AI is operated by Zenox Marketing Management - FZCO, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates (“Scaley”, “we”, “us”). This page explains what personal data we collect, why we collect it, how we handle it, and the rights you have.

For most data we collect through the scaleyai.com website and account administration, Scaley acts as the data controller. For personal data that our customers bring into the product (for example, Google Ads data about their end customers), Scaley acts as a data processor on behalf of the customer, under our Data Processing Addendum.

What we collect

• Account and contact data: name, work email, company name, role, password hash, and anything you send us by email or through support chat.
• Authorized integration data: when you connect Google Ads, Google Merchant Center, Shopify, Google Analytics 4, or other supported platforms via OAuth, we receive the data covered by the scopes you approve. That typically includes campaign, ad group, keyword, product, audience, and performance data for the accounts you connect. We store OAuth tokens securely and only access data needed to operate the service.
• Billing data: when you subscribe, our payment processor collects and processes your payment details. We do not see or store full card numbers. We keep records of plan, amount, invoices, and tax information for accounting and compliance.
• Usage and device data: IP address, browser type and version, device type, operating system, referring URL, pages viewed, features used, and timestamps. We use this to operate the service, secure it, and improve it.
• Cookies and similar tech: essential cookies keep you logged in and secure. Optional analytics help us understand how the site and product are used. Full breakdown below.
• Communications: emails, calls, and chats you have with our team. We may record support calls or sales demos when you are told in advance.

Why we use it and on what lawful basis

Under the GDPR we rely on the following lawful bases:

• Contract: to provide the service, manage your account, authenticate you, run authorized automations on the integrations you connect, bill you, and provide support.
• Legitimate interests: to secure the service, prevent fraud and abuse, analyze usage in aggregate, debug, train and evaluate our AI on de-identified or aggregated data, and communicate essential product updates. We balance these interests against your rights.
• Consent: where required, for marketing emails, optional analytics cookies, and any processing that strictly requires consent under local law. You can withdraw consent at any time.
• Legal obligation: to keep records we are required to keep (for example, tax and accounting records), respond to valid legal requests, and comply with regulator demands.

We do not sell personal data. We do not use customer data or end-user data brought into Scaley to train public AI models. We do not share data with third-party ad networks for their own advertising.

Cookies and similar tech

Cookies are small text files stored on your device when you visit a website. Some are set by us (first-party), some by third parties we use (third-party). Some are session-based (deleted when you close the browser), some persistent.

Strictly necessary

Needed to run the site and product. These keep you logged in, preserve your session, protect against cross-site request forgery, and route traffic across our infrastructure. These cannot be turned off without breaking core functionality. Providers: Scaley AI and our hosting provider (Vercel).

Performance and analytics

Help us understand how the site and product are used, which pages are popular, and where things break. Where these cookies are not strictly necessary under local law, we load them only after you give consent. We currently use Vercel Analytics and Vercel Speed Insights. Both are designed to be privacy-friendly and do not track individual visitors across sites.

Functional

Remember preferences you set, such as language or theme. Load only when you use the feature that relies on them.

Marketing

We do not run cross-site advertising trackers on scaleyai.com. If that ever changes, we will update this page, update the consent banner, and load marketing cookies only with your consent.

Your choices

Where we show a consent banner, you can accept or reject non-essential cookies. You can change your choice at any time by clearing the consent cookie or using the in-product preference control (when available). You can also block or delete cookies in your browser settings. Some parts of the site may not work correctly if essential cookies are blocked. Global browser signals such as Global Privacy Control are honored where required by applicable law.

AI and automated decisions

Scaley uses artificial intelligence and machine-learning models to surface recommendations and, where you enable it, to apply changes to your ad accounts. The Terms (Section 5) describe what the AI does, the limits of the AI, and what you stay in control of. This section covers the data side.

Data we use to train and evaluate models

We use de-identified, aggregated data to evaluate and improve our models. We do not train public AI models on identifiable customer data or on personal data about your end customers. Where we use third-party model providers for inference, we do so under zero-data-retention configurations where applicable. Customer data sent for inference is not used by those providers for their own training.

Solely automated decisions under GDPR

Scaley does not make solely automated decisions that produce legal or similarly significant effects on individuals within the meaning of Article 22 of the GDPR. Our automations act on ad-campaign configuration (budgets, bids, keywords, audiences, products, labels), which is operational, not a decision about an individual's legal status.

Platform-specific obligations

If a platform you connect through Scaley (for example, Google Ads or Shopify) requires you to disclose AI-generated or AI-modified content, you are responsible for making those disclosures in the platform's own tools. Scaley does not file platform-side disclosures on your behalf.

Sub-processors we share data with

We share data only with the vendors we need to run the service, and with integration partners you authorize. Every vendor is bound by a written data-processing agreement that restricts them to acting on our instructions. We give customers at least thirty (30) days' notice before adding or replacing a sub-processor that affects customer data.

Primary sub-processors

Operational sub-processors

Behind the scenes, we also use operational sub-processors for subscription billing and payment processing, transactional email delivery, error monitoring, and AI model inference. These vendors do not receive end-user personal data beyond what is required to run the service, and AI inference providers are engaged under zero-data-retention terms where applicable. Enterprise customers and customers subject to vendor due diligence can request the current, named list (legal entity, region, purpose) at hello@scaleyai.com.

Google and Shopify appear above because customer-connected integrations flow data through their APIs. They are the customer's chosen platforms; they process data according to their own terms in addition to ours. International transfers outside the EEA, UK, or Switzerland rely on the safeguards described in our DPA.

International transfers

Scaley is operated from the United Arab Emirates. Our sub-processors are primarily in the European Union and the United States. When personal data moves across borders we rely on appropriate safeguards, including the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, the Swiss addendum, and any successor mechanisms. We are happy to share a copy of the relevant transfer mechanism on request.

How long we keep it

• Account and contact data: for as long as your account is active, plus up to ninety (90) days after cancellation.
• Integration data (ad accounts, campaigns, performance): deleted on request or within ninety (90) days of account cancellation, whichever comes first.
• Billing and tax records: retained for the period required by applicable tax and accounting law (typically 7-10 years).
• Support communications: up to three (3) years for quality and dispute purposes.
• Backups: rolling, with encryption at rest, purged on a cycle that does not exceed ninety (90) days for routine backups.

Your rights

If you are in the EEA, UK, or Switzerland, you have the right under the GDPR and similar laws to access your personal data, correct it, delete it, restrict or object to processing, receive it in a portable format, and withdraw consent where consent is the basis. You can lodge a complaint with your local supervisory authority.

If you are a California resident, you have rights under the CCPA/CPRA: the right to know what we collect and how we use it, the right to correct inaccurate information, the right to delete, the right to limit the use of sensitive personal information, the right to data portability, and the right to opt out of any sale or sharing of personal information. Scaley does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but the right exists.

To exercise any of these rights, email hello@scaleyai.com. We respond within the timelines required by applicable law (usually within 30 days under GDPR, 45 days under CCPA, extendable where permitted).

If your data is processed under UAE jurisdiction, the UAE Personal Data Protection Law (PDPL) applies. Your rights include access to your data, correction of inaccurate data, deletion, restriction of processing, objection to processing, data portability, withdrawal of consent, the right to be informed of automated decision-making, and the right to file a complaint with the UAE Data Office. Cross-border data transfers occur only with adequate protection, contractual safeguards, or user consent.

Children

Scaley is a B2B product and is not intended for anyone under 16. We do not knowingly collect personal data from children. If you believe a child has given us data, email us and we will delete it.

Security

We protect your data with industry-standard controls: TLS in transit, encryption at rest for credentials and OAuth tokens, least-privilege access controls, audit logs, and regular reviews. We are working toward SOC 2 Type II certification. If we become aware of a personal data breach that is likely to result in risk to your rights, we will notify affected customers and the relevant supervisory authority within 72 hours where required by GDPR.

No system is perfectly secure. You are responsible for protecting your own account credentials, enabling any multi-factor authentication we offer, and telling us right away if you suspect unauthorized access.

Changes to this policy

If we update this policy we will post the new version here with a new “Last updated” date. Material changes will be communicated by email or in-product.

Contact

Questions, requests, or complaints? Email hello@scaleyai.com. You can also reach us by post at the address above.