Privacy Policy

scxale ("scxale", "we", "us") is a software-as-a-service product for Shopify founders, operated from the Netherlands. This policy explains what data we collect when you use scxale.com and the connected dashboard at scxale.com/dashboard, how we use it, and the rights you have over it.

If you have questions about this policy or want to exercise any of your rights under it, email us at info@scxale.com.

Account information

When you sign up we collect your email address, a hashed password (via Supabase Auth), your store name, and optional profile fields (e.g. product niche). We never see your raw password.

Shopify data

When you connect a Shopify store we request the following scopes:read_products, write_products, read_orders, read_customers. With those we read your products (for AI descriptions + COGS matching), your orders (for ROAS + invoice matching), and customer metadata tied to orders. We write back only when you explicitly trigger a push (e.g. updating a product description). We store encrypted API credentials in our database so the tools can keep working in the background.

Ad platform data (Google Ads, Meta, TikTok)

When you connect an ad account we request read-only scopes and pull daily spend, impressions, clicks, conversions, and campaign metadata. We use this to calculate ROAS and net profit on your dashboard. We never make changes to your ad accounts or campaigns. OAuth refresh tokens are stored encrypted at rest using AES-256.

Invoice and COGS data

If you upload supplier invoices or COGS spreadsheets, we store the file contents, extracted line items, and your column mappings. We use this data only to match invoices to orders and compute profit for your store.

Payment data

Subscription payments are handled entirely by Stripe. We never see or store your card details. Stripe sends us a customer ID, subscription status, and invoice amounts so we know whether your account is active.

Usage and technical data

We log errors, API call counts, and the timestamps of background jobs (cron runs, webhook deliveries). We use these only to keep the service running and to debug issues.

• To deliver the features you signed up for (keyword research, AI descriptions, notifications, invoice matching, ROAS, etc.).
• To keep your account secure and detect abuse of the service.
• To send you operational email about your account (e.g. failed payment, cancelled subscription, important security alerts). You cannot opt out of these — they are required to run the service.
• To comply with legal obligations (e.g. tax records, GDPR data requests).

We do not: sell your data, share it with data brokers, use it to train AI models, or use your store data to benefit other customers.

scxale's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• We only use Google Ads data to display performance metrics, calculate ROAS, and power profit notifications on your own dashboard.
• We do not transfer Google user data to third parties except as necessary to provide the service (e.g. storing it in our Supabase database) or when required by law.
• We do not use Google user data for advertising, and we do not allow humans to read your Google user data unless we have your explicit consent, it is necessary for security (e.g. to investigate abuse), or required by law.

We rely on a small set of trusted subprocessors to run scxale:

• Supabase — database, authentication, and file storage (EU region).
• Vercel — web hosting and serverless functions.
• Stripe — subscription billing and payment processing.
• OpenAI — AI-generated product descriptions and titles (product names only, no personal data is sent).
• Shopify, Google, Meta, TikTok — the platforms you explicitly connect via OAuth.
• Discord — optional notification delivery if you enable Discord alerts.

All core data is stored in Supabase EU-region data centers. Backups are encrypted and retained for 30 days. API tokens for third-party services (Shopify, Google Ads, Meta, TikTok) are encrypted at the application layer using AES-256 before being written to the database.

We keep your data for as long as your account is active. When you cancel your subscription, your data remains available for 30 days so you can export it or reactivate. After 30 days it is permanently deleted from our live systems. Encrypted backups are rotated out within a further 30 days.

You can request an immediate export or deletion at any time by emailing info@scxale.com.

Because we are EU-based and serve EU customers, the General Data Protection Regulation applies regardless of where you live. You have the right to:

• Access the data we hold about you.
• Correct anything that is inaccurate.
• Delete your account and all associated data.
• Export your data in a portable format (CSV / JSON).
• Object to or restrict specific processing.
• Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe we are mishandling your data.

Email info@scxale.com to exercise any of these rights. We respond within 30 days.

We use only strictly necessary cookies: a Supabase session cookie to keep you logged in, and a theme preference cookie. We do not use tracking or advertising cookies, and we do not embed third-party analytics on the dashboard.

We use TLS everywhere, encrypt sensitive credentials at rest, and restrict production database access to a small number of authorized operators. If we ever detect a breach that affects your data, we will notify you within 72 hours as required by GDPR.

scxale is not intended for anyone under 18. We do not knowingly collect data from children.

We will post any changes to this page and update the "last updated" date above. For material changes, we will also email active account holders at least 30 days before the changes take effect.

For any privacy question, data request, or security report:
info@scxale.com