Privacy Policy

Last updated: April 9, 2026

1. Who we are

AI Scale Studio ("we," "our," "us") is operated by Scale Studio GmbH, registered in Zug, Switzerland. We run AI-powered products and services including ARC Social (social.aiscalestudio.com), ARC YouTube (youtube.aiscalestudio.com), and related apps, workshops, and community offerings. This Privacy Policy describes how we handle personal information across all our products.

Scale Studio GmbH is the data controller responsible for your personal data. If you have questions about this policy or your personal data, contact us at dan@aiscalestudio.com.

2. Data we collect

Account data. When you create an account, we collect your name, email address, and a password hash. Authentication is handled by Supabase; we do not see or store your plaintext password.

Usage data. We collect anonymized product analytics (pages visited, features used, errors encountered) using PostHog. This data helps us improve the product.

Content data. Posts, topics, images, schedules, and other content you create in our products is stored in our database and associated with your account.

OAuth tokens. When you connect third-party platforms (see §4), we receive access and refresh tokens from those platforms. We store them encrypted at rest and use them only to perform actions you authorize.

Payment data. Paid subscriptions are processed by Stripe. We do not store credit-card numbers; we retain only subscription metadata (plan, status, renewal date) provided by Stripe.

Sensitive data. We do not collect Sensitive Data about you — this includes details about your race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership, sex life, sexual orientation, health, or genetic or biometric data. We do not collect information about criminal convictions or offenses.

3. Legal basis for processing (GDPR)

For users in the European Economic Area, United Kingdom, and Switzerland, we rely on the following lawful grounds under Article 6 of the GDPR:

  • Performance of a contract — to provide the Services you've signed up for, including account creation, authentication, publishing content you've authorized, and billing.
  • Legitimate interest — to operate and secure our products, analyze aggregated usage to improve features, protect against fraud and abuse, and communicate with you about your account.
  • Consent — for non-essential cookies, marketing communications, and any processing requiring your explicit opt-in. You may withdraw consent at any time (see §10, Your rights).
  • Legal obligation — to comply with applicable law, including tax, accounting, and regulatory requirements.

4. How we use data

  • To provide and operate our products
  • To publish content you create to the third-party platforms you've connected
  • To send transactional emails (account confirmations, password resets, usage alerts)
  • To improve our products via aggregated analytics
  • To comply with legal obligations

We do not sell your personal data. We do not use your content to train AI models.

5. Platform-specific data handling

ARC Social connects to multiple third-party platforms via OAuth 2.0 to publish content you create. For each platform below, we describe exactly what data we access and how we handle it.

Pinterest

When you connect Pinterest, we request the following scopes: boards:read, boards:write, pins:read, pins:write. We access your boards to let you select a target board for publishing, and we create pins on your behalf when you publish. We store the access and refresh tokens encrypted at rest. We never read direct messages or private user data. You can disconnect Pinterest at any time via Settings → Integrations, which purges the stored tokens immediately.

TikTok

When you connect TikTok, we request scopes sufficient to upload and publish videos (user.info.basic, video.upload, video.publish). We access your video upload endpoints to publish content you create in ARC Social. We do not read private messages, engagement data beyond public metrics, or any data not related to your published videos. Tokens are encrypted at rest and revoked from our systems when you disconnect via Settings → Integrations.

LinkedIn

We access only the scopes necessary to post on your behalf (w_member_social, r_liteprofile) and to display your connected account name. We never read your private messages or connections. Tokens are encrypted at rest and purged on disconnect.

X (Twitter)

We use X's OAuth 2.0 flow with minimum scopes (tweet.read, tweet.write, users.read, offline.access) to publish tweets you create. We do not access direct messages or lists. Tokens encrypted at rest, purged on disconnect.

Meta (Facebook and Instagram)

We request only the scopes required to publish to your managed Facebook Pages and connected Instagram Business accounts (pages_show_list, pages_manage_posts, pages_read_engagement, instagram_basic, instagram_content_publish). We do not read private messages, friends lists, or personal timelines.

YouTube

We request scopes sufficient to upload and manage videos you create (youtube.upload, youtube.readonly). We do not access other channels or watch history. Tokens encrypted at rest, purged on disconnect.

Your control

You can disconnect any platform at any time from Settings → Integrations in your account. Disconnecting revokes our access and purges the stored tokens from our database immediately. You can also revoke access directly in each platform's app settings.

6. Marketing communications

With your consent, or under legitimate interest where permitted by law, we may send you marketing communications about AI Scale Studio products, workshops, and community offerings that are likely to be relevant to you.

You can opt out of marketing at any time by:

  • Clicking the unsubscribe link at the bottom of any marketing email we send you;
  • Adjusting your communication preferences in your account settings (where available);
  • Emailing us at dan@aiscalestudio.com with "Unsubscribe" in the subject line.

Opting out of marketing does not affect transactional communications — account confirmations, password resets, billing notifications, incident notices, and other service-related messages are sent regardless of marketing preferences because they are essential to delivering the Services.

We do not share your personal data with third parties for their own marketing purposes without your explicit consent.

7. Third-party processors

We use the following third-party services to operate the product. Each has its own privacy policy covering its handling of data:

  • Supabase — database and authentication (US region)
  • Vercel — hosting and CDN
  • Stripe — payment processing
  • PostHog — product analytics
  • Sentry — error monitoring
  • Trigger.dev — background job execution (publishing, notifications)
  • OpenAI, Anthropic, Google — AI text and image generation when you invoke those models. Your prompts and generated content are sent to these providers solely to produce your requested output.

8. Third-party links

Our websites and apps may contain links to third-party sites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party sites and are not responsible for their privacy practices. When you leave our sites, we encourage you to read the privacy policy of every site you visit.

9. Data retention

We retain account data for as long as you have an active account. When you delete your account, we purge account data within 30 days, except where we are legally required to retain it.

Tax and accounting records. Under Swiss and applicable tax law, we are required to retain basic customer and transaction data (including name, address, invoice data, and subscription history) for up to ten years after the end of the business relationship. This data is stored securely and used only to meet legal obligations.

OAuth tokens are purged immediately when you disconnect a platform from Settings → Integrations.

Content you create (posts, topics, schedules, generated assets) is retained as long as your account is active, and deleted with your account.

In some circumstances we may anonymize your personal data for research or statistical purposes so that it can no longer be associated with you. We may use such anonymized data indefinitely without further notice to you.

10. Your rights

Depending on your jurisdiction (GDPR for EU residents, CCPA for California residents, and similar regulations elsewhere), you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Request a portable export of your data
  • Object to or restrict certain processing

To exercise any of these rights, email dan@aiscalestudio.com. We process requests within 30 days.

11. Cookies

We use essential cookies for authentication (session cookies from Supabase) and optional cookies for analytics (PostHog).

You can set your browser to refuse all or some browser cookies, or to alert you when sites set or access cookies. If you disable or refuse cookies, please note that some parts of our Services may become inaccessible or may not function properly. Analytics cookies can be declined without affecting core product functionality.

12. Children's privacy

Our products are not directed at children under 16. We do not knowingly collect data from children under 16. If you believe we have, contact us immediately.

13. International data transfers

Our primary infrastructure is in the United States. If you access our products from outside the United States, your data will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

14. Changes to this policy

We may update this policy to reflect changes in our products or legal obligations. When we make material changes, we will notify you by email and update the "Last updated" date above.

15. Contact

Data controller
Scale Studio GmbH
Chamerstrasse 172
6300 Zug
Switzerland

Email:dan@aiscalestudio.com

If you are unhappy with how we've handled your personal data, you have the right to complain to your local data protection authority. We'd appreciate the chance to address your concerns directly first — please reach out to us using the details above.