1. Introduction
This Privacy Policy describes how Machete Marketing Germany GmbH, operating under the brand name Scalable ("Company," "we," "us," or "our"), collects, uses, stores, and shares your personal data when you use our website at https://scalable.so and associated services (the "Services").
We are committed to protecting your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable German data protection law, including the Bundesdatenschutzgesetz (BDSG) and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG).
2. Data Controller
The data controller responsible for processing your personal data is:
| Field | Detail |
|---|---|
| Company | Machete Marketing Germany GmbH |
| Address | Kirchstraße 31, 77815 Bühl, Germany |
| Registry | Amtsgericht Mannheim, HRB 733742 |
| Managing Director | Jacob Jan Michalik |
| Contact | legal@scalable.so |
3. Data Protection Officer
We have not appointed a Data Protection Officer. We are not required to appoint one under Section 38 BDSG, as we do not, as a rule, employ at least twenty persons permanently engaged in the automated processing of personal data, and none of the additional triggers in Section 38(1) sentence 2 BDSG applies to us. We remain fully bound by the GDPR. For any data-protection matter, contact us at legal@scalable.so.
4. Data We Collect
4.1. Data You Provide
When you register, subscribe, or use the Services, we collect:
- Account Data: Email address, first name, last name, password (hashed, managed by our authentication provider).
- Profile Data: Avatar/profile picture, referral code.
- Business Data: Business name, business type, business size, your role and role title.
- Onboarding Data: Primary goal, how you discovered Scalable.
- Product Data: Product titles, ASINs, product descriptions, images you upload, customer reviews you provide for analysis.
- Payment Data: Billing information is collected and processed by Stripe. We store your Stripe customer ID and subscription details but do not store credit card numbers or bank account details.
- Communications: Messages you send through our contact form or to our support email.
4.2. Data Collected Automatically
When you use the Services, we automatically collect:
- Usage Data: Pages visited, features used, image generations requested, interactions with the AI agent.
- Device Data: IP address, browser type and version, operating system, device type, screen resolution.
- Referral Data: The URL that referred you to our site.
- Cookie Data: See Section 8 for details on cookies.
4.3. Data Generated Through the Services
- AI-Generated Content: Images, text suggestions, and analytical insights created by the Services based on your inputs.
- Quality Scores: Internal quality and trust scores used for spam prevention and account integrity.
- Arena Interaction Data: Vote decisions submitted in Arena comparisons, linked to your account identifier and related product/image IDs, plus timestamps.
5. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Services (account management, AI generation, analysis) | Account, profile, product, business data | Contract performance — Art. 6(1)(b) GDPR |
| Running Arena preference comparisons and improving ranking quality | Arena vote selections, account identifier, related product/image IDs, timestamps | Contract performance — Art. 6(1)(b) GDPR |
| Processing payments and managing subscriptions | Payment data, subscription details | Contract performance — Art. 6(1)(b) GDPR |
| Spam and bot prevention during registration | Email, IP, quality scores | Legitimate interest — Art. 6(1)(f) GDPR |
| Sending transactional emails (account confirmations, subscription updates) | Email, first name, subscription data | Contract performance — Art. 6(1)(b) GDPR |
| Sending product update and marketing emails | Email, first name | Consent — Art. 6(1)(a) GDPR |
| Analytics and service improvement | Usage data, device data, anonymized interactions | Legitimate interest — Art. 6(1)(f) GDPR |
| Conversion tracking and advertising optimization | Hashed user identifiers, purchase events | Consent — Art. 6(1)(a) GDPR |
| Error monitoring and debugging | Device data, IP, error logs | Legitimate interest — Art. 6(1)(f) GDPR |
| Compliance with legal obligations (tax, accounting) | Payment and subscription records | Legal obligation — Art. 6(1)(c) GDPR |
6. AI Data Processing
6.1. When you use our AI-powered features (image generation, review analysis, AI agent chat), your inputs — including product titles, descriptions, images, customer reviews, and prompts — are transmitted to third-party AI service providers for processing.
6.2. AI Service Providers. We process AI requests through direct first-party APIs and, where the provider offers it, on privacy-protective higher tiers. The named language- and image-model providers we use are:
| Provider | Service | Data Transmitted |
|---|---|---|
| Google (Gemini) | Image generation, text analysis, AI chat agent | Product data, review text, images, prompts, chat messages |
| OpenAI | Text analysis, AI chat agent, image generation | Product data, review text, images, prompts, chat messages |
| Anthropic | Text analysis, AI chat agent | Product data, review text, prompts, chat messages |
6.3. Specialised image sub-processors. In addition to the model providers above, we use specialised image-generation and image-processing sub-processors to deliver editing, upscaling, and related image features. We disclose these by category here, as permitted by Article 13(1)(e) GDPR ("recipients or categories of recipients"). The full list of named sub-processors is available to business and enterprise customers on request, and we will name the specific sub-processors to any data subject who submits an access request under Article 15 GDPR to legal@scalable.so.
6.4. No Model Training. We do not use your data to train or fine-tune AI models. Your content is processed solely to generate the requested output and is retained by AI providers only as necessary to deliver that output and as governed by our agreements with them. Where providers offer zero- or limited-retention modes, we use them. A provider may be required to retain limited logs temporarily to meet its own legal obligations.
6.5. AI-generated outputs may be stored in your account for your continued access and use.
6.6. AI transparency (EU AI Act). Where required under Article 50 of Regulation (EU) 2024/1689 (the EU AI Act), AI-generated outputs may be labelled or marked as artificially generated.
7. Third-Party Service Providers (Sub-Processors)
We share personal data with the following service providers, who process data on our behalf under data processing agreements. The transfer mechanism for providers outside the EU/EEA is set out in Section 9.
| Provider | Purpose | Data Shared | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | All account and product data, uploaded images | EU (Frankfurt) | EU hosting (no third-country transfer) |
| Stripe | Payment processing | Email, billing details, subscription data | USA | EU-US Data Privacy Framework |
| Vercel | Application hosting | IP address, request data | USA / global CDN | EU-US Data Privacy Framework |
| Mixpanel | Product analytics | User ID, usage events, device data, IP | EU (EU data residency) | EU data residency |
| Loops | Email marketing and transactional emails | Email, name, subscription status, business data | USA | Standard Contractual Clauses |
| Meta | Conversion tracking | Hashed user ID, purchase events (no raw PII) | USA | EU-US Data Privacy Framework |
| Advertising and conversion tracking | Hashed user ID, conversion events | USA | EU-US Data Privacy Framework | |
| Google Ads | Advertising and conversion tracking | Hashed user ID, conversion events | USA | EU-US Data Privacy Framework |
| Sentry | Error monitoring | IP address, device data, error logs (text and media masked) | USA | Standard Contractual Clauses |
| Google (Gemini) | AI language and image processing | Product data, review text, images, prompts, chat messages | EU / USA | EU-US Data Privacy Framework |
| Google Workspace | Internal operations (email, documents, collaboration) | Incidental contact data in support and business communications | EU / USA | EU-US Data Privacy Framework |
| OpenAI | AI language and image processing | Product data, review text, images, prompts, chat messages | USA | Standard Contractual Clauses + transfer-impact assessment |
| Anthropic | AI language processing | Product data, review text, prompts, chat messages | USA | Standard Contractual Clauses + transfer-impact assessment |
| Specialised image sub-processors | AI image generation, editing, upscaling | Images, prompts, image parameters | Outside EU/EEA | Standard Contractual Clauses + transfer-impact assessment |
| Slack | Internal team communications | Limited account and support data referenced internally | USA | EU-US Data Privacy Framework |
We also use Instantly solely for outbound prospecting email. This processes prospect contact data only and does not process the personal data of our customers or registered account holders; it operates on the basis of Standard Contractual Clauses.
The full list of named sub-processors, including the specialised image sub-processors referenced above, is available to business and enterprise customers on request, and to any data subject on an access request under Article 15 GDPR.
We do not sell your personal data to third parties.
8. Cookies and Tracking Technologies
The storage of, or access to, information on your terminal device is governed by Section 25 TDDDG. Non-essential storage and access (analytics, advertising) requires your prior consent; strictly necessary functions are exempt under Section 25(2) TDDDG.
8.1. Types of Cookies
| Cookie/Technology | Purpose | Type | Duration |
|---|---|---|---|
| Supabase Auth | Session management and authentication | Essential | Session |
| Mixpanel Anonymous ID | Analytics tracking across sessions | Analytics | Persistent |
| Meta Pixel | Conversion tracking and ad optimization | Marketing | Persistent |
| LinkedIn Insight Tag | Conversion tracking and ad optimization | Marketing | Persistent |
| Sentry | Error tracking and performance monitoring | Functional | Session |
| Vercel Web Analytics | Aggregated page view and traffic analytics | Analytics | Cookieless |
| Vercel Speed Insights | Core Web Vitals and performance monitoring | Functional | Cookieless |
8.2. Essential Cookies
Essential cookies are necessary for the Services to function and are exempt from consent under Section 25(2) TDDDG. These include authentication and session cookies and the storage of your cookie-consent choice.
8.3. Analytics and Marketing Cookies
Analytics technologies (Mixpanel) and marketing technologies (Meta Pixel, LinkedIn Insight Tag) store information on or access information from your device. They are set only after, and on the basis of, your prior consent under Section 25 TDDDG and Art. 6(1)(a) GDPR, which you can grant or refuse with equal prominence and withdraw at any time through our cookie settings. Nothing non-essential is loaded before you consent.
Vercel Web Analytics and Vercel Speed Insights are cookieless: they store nothing on and access nothing from your device, and collect only aggregated, non-identifying page-performance and traffic data. They therefore do not require consent under Section 25 TDDDG; Speed Insights is processed on the basis of our legitimate interest in service reliability (Art. 6(1)(f) GDPR).
8.4. Managing Cookies
You can manage your cookie preferences at any time through our cookie settings, and withdrawal of consent is as easy as granting it. You can also manage cookies through your browser settings. Note that disabling essential cookies may prevent the Services from functioning correctly.
9. International Data Transfers
Some of our service providers are located outside the European Economic Area (EEA), primarily in the United States. Where personal data is transferred outside the EEA, we ensure appropriate safeguards under Chapter V of the GDPR:
- EU-US Data Privacy Framework (DPF): For providers certified under the EU-US Data Privacy Framework — including Google, Stripe, Vercel, Meta, LinkedIn, and Slack — transfers are covered by the European Commission's adequacy decision of 10 July 2023. As a prudential measure, we also maintain EU Standard Contractual Clauses with these providers as a fallback safeguard.
- Standard Contractual Clauses (SCCs): For providers that are not certified under the DPF — including OpenAI, Anthropic, Loops, Sentry, our specialised image sub-processors, and Instantly — transfers are based on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). For OpenAI, Anthropic, and the specialised image sub-processors we have additionally carried out a transfer-impact assessment and apply supplementary measures where appropriate.
- EU Data Residency: Where available, we use EU-based data processing (for example, Mixpanel EU data residency and Supabase EU hosting), so that no third-country transfer takes place for in-region data.
You may request a copy of the relevant safeguards by contacting us at legal@scalable.so.
10. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:
| Data Category | Retention Period |
|---|---|
| Account and profile data | Until account deletion |
| Invoices and accounting vouchers | 8 years (Section 257 HGB, Section 147 AO, Section 14b UStG, as amended with effect from 1 January 2025) |
| Trading books and annual financial statements | 10 years (Section 257 HGB, Section 147 AO, Section 14b UStG) |
| AI-generated content | Until account deletion or manual deletion by you |
| Analytics data | 24 months from collection |
| Error logs | 90 days |
| Marketing consent records | Until withdrawal of consent plus 3 years for proof of consent |
Statutory retention periods may be extended where tax-assessment periods remain open. After the applicable retention period, data is deleted or anonymized (Art. 5(1)(e) GDPR).
11. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of the personal data we hold about you, including the specific recipients of your data. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your personal data ("right to be forgotten"). |
| Restriction (Art. 18) | Request that we restrict processing of your data in certain circumstances. |
| Data Portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Objection (Art. 21) | Object to processing based on legitimate interest. |
| Withdraw Consent (Art. 7(3)) | Withdraw consent for consent-based processing at any time, without affecting the lawfulness of prior processing. |
To exercise any of these rights, contact us at legal@scalable.so. We will respond within one month.
You also have the right to lodge a complaint with a supervisory authority. The competent authority for our company is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg Lautenschlagerstraße 20, 70173 Stuttgart, Germany https://www.baden-wuerttemberg.datenschutz.de
12. Account Deletion
12.1. You can delete your account through the account settings in the Services. Upon deletion:
- Your user profile, credits, and role assignments are permanently deleted.
- Products you own and associated processing jobs are deleted.
- Your contact record is removed from our email marketing platform (Loops).
- Invoices, accounting vouchers, and related financial records are retained as required by law (see Section 10).
12.2. Account deletion is irreversible. We recommend downloading any content you wish to keep before requesting deletion.
13. Data Security
We implement appropriate technical and organizational measures to protect your personal data (Art. 32 GDPR), including:
- Encryption of data in transit (TLS/SSL).
- Row-Level Security (RLS) on database tables to ensure data isolation between users.
- Secure authentication with hashed passwords and magic-link login.
- Access controls limiting employee access to personal data.
- Sentry session replays configured with text and media masking enabled by default.
- Regular security reviews.
No method of transmission over the internet is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
14. Children's Privacy
The Services are intended for business and adult users and are not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at legal@scalable.so.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Services at least 30 days before the changes take effect.
The current version of this Privacy Policy is always available at https://scalable.so/legal/privacy. For any question about this Privacy Policy, contact us at legal@scalable.so.