Security

How scxale Protects Your Data

Your store data is safer with scxale than with the spreadsheets and tools you're using today. Here's why.

scxale Team · April 28, 2026 · 5 min read
TL;DR
  • We can't see your data

    Your store credentials, business data, and tool results are encrypted and isolated. Our team does not have access to your accounts or data by default.

  • Your data is isolated

    Every user's data is separated at the database level. No other user can ever see your keywords, invoices, descriptions, or notifications.

  • Encrypted by default

    All data is encrypted in transit (TLS / HTTPS) and at rest. Your Shopify tokens are encrypted before storage.

We can't see your stuff

Your Shopify credentials, ad account tokens, and business data are stored encrypted in your isolated database space. Our team does not have access to your Shopify store, your Meta Ads account, your Google Ads account, or any other connected service.

When you connect your Shopify store, scxale uses the official Shopify OAuth flow — the same secure method used by apps like Klaviyo, Judge.me, and every other trusted Shopify app. We only request the specific permissions we need:

  • Products (read & write, for AI descriptions push)
  • Orders (read only, for invoice matching and analytics)
  • Customers (read only, for notifications)

We cannot process refunds, change your payout settings, modify your theme, delete products, or access your Shopify admin login.

If you ever need hands-on support, you can request it through our Discord. But unless you specifically ask for help, your data stays untouched.

Your data is completely isolated

scxale uses Supabase with Row Level Security (RLS) on every single table in the database. This means:

  • User A cannot see User B's keyword research
  • User A cannot see User B's invoices
  • User A cannot see User B's generated descriptions
  • User A cannot see User B's notification logs

This isn't just application-level security — it's enforced at the database level. Even if there were a bug in our code, the database itself would refuse to return another user's data.

Think of it like a hotel: everyone has their own room with their own key. You can only access what's yours.
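What database-level isolation of this kind looks like in Supabase, as an added example rather than scxale's own schema: the table `keyword_research` and its columns are hypothetical, while `auth.uid()` and the `authenticated` role are the standard Supabase ones. The final query is a check that no table in the `public` schema has been left without RLS.

```sql
-- Hypothetical per-user table (illustrative, not scxale's actual schema).
create table public.keyword_research (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  keyword    text not null,
  created_at timestamptz not null default now()
);

-- Policies are only evaluated once RLS is enabled on the table.
alter table public.keyword_research enable row level security;

-- No policy is granted to the anon role, so unauthenticated
-- requests match zero rows.
create policy "owner can read"
  on public.keyword_research for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- WITH CHECK stops a user from writing a row under someone else's id.
create policy "owner can insert"
  on public.keyword_research for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

create policy "owner can update"
  on public.keyword_research for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "owner can delete"
  on public.keyword_research for delete
  to authenticated
  using ((select auth.uid()) = user_id);

-- Audit: any row returned is a public table with RLS still disabled.
-- Note that requests made with the service_role key bypass RLS,
-- so that key must stay server-side.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```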

Encrypted by default

All data transmitted between your browser and scxale is encrypted via TLS (HTTPS). There is no unencrypted connection, ever.

Your Shopify access tokens, Meta Ads tokens, and Google Ads tokens are encrypted before they are stored in the database. Even in the unlikely event of a database breach, your credentials would be unreadable.

Our infrastructure runs on:

  • Vercel for application hosting (enterprise-grade edge network, automatic HTTPS)
  • Supabase for database and authentication (SOC 2 Type II compliant, encrypted at rest)
  • Stripe for billing (PCI DSS Level 1 compliant — the highest level of payment security)

Authentication and access control

Every scxale account is protected by:

  • Email and password authentication
  • OTP (one-time password) verification on first login per device
  • 30-day device memory, so you don't need to verify every time on trusted devices
  • Secure session management with automatic expiry

All dashboard routes are protected by authentication middleware. You cannot access any tool or data without being logged in with a verified account and an active subscription.

Shopify permissions are scoped and limited

When you connect your Shopify store, we follow the principle of least privilege. scxale only requests the permissions it needs to function:

  • Products. Can: read product data, create draft products. Cannot: delete products, modify your theme.
  • Orders. Can: read order data for matching and analytics. Cannot: process refunds, modify orders.
  • Customers. Can: read customer data for notifications. Cannot: delete customers, export customer lists.

You can disconnect your Shopify store at any time from Settings. When you disconnect, we revoke the access token immediately.

What we store about you

Here is everything we store:

  • Your email address (for authentication and billing)
  • Your name and store name (for personalization)
  • Your niche selection (for AI prompt optimization)
  • Your subscription info (managed by Stripe)
  • Your tool data: keyword research results, generated descriptions, invoice match results, notification logs

We do NOT store:

  • Your Shopify admin password
  • Your ad platform passwords
  • Your customers' payment information
  • Your bank or payout details

Updates and new features

When we ship updates, only the application code changes. Your data, your credentials, your settings, and your history all stay exactly where they are. Updates cannot touch your stored data.

Safer than what you're doing now

Think about how most e-commerce founders operate today:

  • You share your Shopify login with a VA
  • You paste API keys into multiple SaaS tools
  • You track invoices in Google Sheets that anyone on your team can access
  • You share ad account access with freelancers and agencies

With scxale, there's one system with scoped permissions, encrypted credentials, and database-level isolation. No shared logins. No spreadsheets floating around. Just a secure dashboard doing the work for you.

Questions about security?
Reach out to us on Discord. We're happy to explain anything in more detail.