Privacy policy
Effective Date: 13 September 2021
Last Updated: 25 February 2026
I. Introduction
In the following, we provide information about the collection and processing of personal data in the context of the AI-powered innovation intelligence platform and related cloud-based services (the "Service") provided by Scale Company Oy ("Scale", "we", "us").
Depending on the processing activity, Scale acts either as a Processor or a Controller:
As a Processor (see Section II), we process your personal data on behalf of your employer (our Customer), who in this case is the Controller. Please contact your employer directly for any questions regarding such processing.
As a Controller (see Section III), we process personal data for our own business purposes, such as account administration, billing, support, marketing, and website operation.
The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children.
II. Scale as a Processor
Our platform is provided to companies as an AI-powered innovation intelligence tool. If the Service is made available to you by your employer, your employer is the Controller of your personal data and Scale is the Processor. Scale processes your personal data only under the instructions of your employer and is not responsible for your employer's independent privacy practices.
1. Types of Personal Data Processed as a Processor
a) User Profile Data
Name, work email address, and login credentials managed through our authentication provider.
b) Customer-Uploaded Content
Documents (such as PDFs, spreadsheets, and presentations) that users upload to the platform. These documents may incidentally contain personal data, such as team member names and email addresses in project files, steering committee decks, or similar materials. Scale does not systematically extract personal data from these documents.
c) Project Data
Team member names and email addresses added to projects by users in connection with project management and collaboration features.
d) Access and Technical Data
IP address, browser type, operating system, device identifiers, date and time of access, error logs, and usage metrics (for stability and security).
2. Use of AI
The Service uses artificial intelligence models to analyze Customer-uploaded documents and generate innovation insights and recommendations.
The AI engine is powered by Google Vertex AI by default. Where a Customer configures a third-party AI provider, processing is subject to that provider's terms.
AI may encounter personal data incidentally present in uploaded documents. It does not extract, profile, or store personal data separately from the documents themselves.
This may constitute profiling under GDPR, as it involves automated analysis of content that may contain personal data. However, the AI outputs are advisory only. They do not have legal or similarly significant effects on individuals. All business decisions remain the responsibility of human users at the Customer.
Data subjects have the right to object to profiling under GDPR Art. 21.
Scale's default AI provider (Google Vertex AI) is contractually prohibited from using Customer Data to train or optimize its general AI models. Where the Customer configures a third-party AI provider, the Customer is responsible for reviewing that provider's data use terms.
All AI processing occurs within EU infrastructure by default (Google Cloud Platform, europe-north1 and europe-west3 regions). Where a Customer configures a third-party AI provider, processing location is determined by that provider's terms.
3. Storage Duration as a Processor
Customer Data: Deleted within 120 days after contract termination, unless required longer for legal claims.
User Account Data: Deleted within 120 days after termination of the Customer's contract.
Technical Logs: Deleted within 120 days.
III. Scale as a Controller
Scale is the Controller for personal data processed for our own business purposes, including account management, billing, communications, support, marketing, and website operation.
1. Categories of Data Processed as a Controller
a) Account and Contact Data
Names, job titles, business email addresses, and Customer billing information. Payment transactions are processed by Stripe; Scale does not store payment card data directly.
b) Support and Communication Data
Data from support requests, administrative correspondence, or other communications with Scale, including messages sent via our website chat.
c) Website and Marketing Data
Cookies and analytics information collected through our website (where applicable), and newsletter or product update subscription information.
d) Prospect Data
Contact information of potential business customers, such as names, job titles, business email addresses, and company names, collected from public sources or through sales outreach.
2. Legal Bases for Processing as a Controller
Scale processes personal data under the following GDPR legal bases (Art. 6):
Contract (Art. 6(1)(b)) — To provide and administer the Service, manage user accounts, and fulfill agreements.
Legitimate Interest (Art. 6(1)(f)) — To secure, improve, and operate the Service, support Customers, and communicate relevant updates.
Legal Obligation (Art. 6(1)(c)) — To comply with statutory obligations (e.g., tax and accounting requirements under Finnish law).
Consent (Art. 6(1)(a)) — For optional activities such as marketing communications, analytics cookies, or participation in product feedback programs. Consent can be withdrawn at any time.
3. How We Use Your Information
We use the information we process for the following purposes:
To Provide and Improve the Service: This is our primary goal. We use Customer Data to deliver the innovation intelligence platform and use technical data to improve performance and reliability.
For Security and Troubleshooting: We monitor our systems to prevent security incidents and resolve technical issues.
To Communicate With You: We use your contact information to send service updates, support messages, and (with your consent) marketing communications.
To Create Anonymized Insights: We may anonymize and aggregate data to analyze usage trends and improve our product. This anonymized data cannot be used to identify any individual or company. Benchmarking features are enabled by default and can be disabled through the Service settings.
4. International Transfers
Scale Company Oy is based in Finland and primarily uses EU-based infrastructure. Platform data (customer-uploaded content, user accounts) is hosted within the EU on Google Cloud Platform (europe-north1 and europe-west3 regions).
Some website analytics and marketing data may be transferred to the United States (Google Analytics, Google Ads) only with the user's prior consent via our cookie consent mechanism.
Where personal data is transferred to countries outside the EU/EEA, we rely on:
Standard Contractual Clauses (SCCs) approved by the European Commission; and/or
The EU-U.S. Data Privacy Framework (DPF), where applicable.
5. Storage Duration as a Controller
Account and billing data: Stored for the duration of the contractual relationship and thereafter as required by law (e.g., Finnish Accounting Act).
Marketing data: Retained until you withdraw consent or opt out.
Support and communications data: Retained as long as necessary to resolve the issue and for legitimate record-keeping.
Website analytics data: Per cookie retention periods (maximum 2 years).
IV. How We Share Your Information
We do not sell personal data. We only share personal data with trusted service providers who help us operate the Service.
Service providers that may process Customer platform data (Processor role):
Provider
Purpose
Location
Google Cloud Platform (incl. Vertex AI)
Cloud hosting, AI-powered document analysis
EU (Finland / Frankfurt)
Auth0 (Okta, Inc.)
Platform authentication
EU
Slack (Salesforce, Inc.)
Customer communication channel
EU
Stripe Technology Europe, Limited
Payment processing
EU (Ireland) / US
Sendinblue SAS (trading as Brevo)
Customer communication
EU (France)
Where the Customer configures enterprise single sign-on (SSO) via their own identity provider (such as Microsoft Entra), that provider processes authentication data under the Customer's own agreement. Scale integrates with customer-configured identity providers but does not engage them as sub-processors.
Stripe processes payment data in the EU (Ireland) and may transfer certain data to the United States for fraud prevention and regulatory compliance purposes, subject to the EU-U.S. Data Privacy Framework and Standard Contractual Clauses. Scale does not store payment card data directly; card data is tokenized and held by Stripe.
Service providers for Scale's own business operations (Controller role):
Provider
Purpose
Location
Google Workspace
Internal email, collaboration
EU
Slack (Salesforce, Inc.)
Communication channel
EU
Sendinblue SAS (trading as Brevo)
Email marketing, website chat
EU
Linear
Incident Management, Product Management
EU
Zero.inc
CRM
EU
Google Analytics / Google Ads
Website analytics, conversion tracking
US (consent-gated)
Framer
Website hosting
EU
Tana
Internal documentation
US
GitHub
Source code management
US
Scytale
Compliance automation
EU
Stripe Technology Europe, Limited
Payment processing
EU (Ireland) / US
Anthropic, PBC
AI-assisted development and internal operations
US
All sub-processors are bound by Data Processing Agreements. A current list is maintained in our DPA and at our Trust Center (trust.scale-company.com).
Data may also be disclosed if required by law or in connection with mergers, acquisitions, or other corporate transactions.
V. Data Protection Officer and Contact
If you have any questions about this Privacy Policy or our data processing practices, please contact us.
Data Protection Officer: CEO (Eero Talonen)
Scale Company Oy
Business ID: 3193447-1
Fenixinrinne 4 C 34, 00580 Helsinki, Finland
Email: gdpr@scale-company.com
VI. Your Rights
As a data subject, you have the following rights under the GDPR (depending on the processing context and legal basis):
Right of access — to obtain confirmation as to whether your personal data is processed and to receive a copy (Art. 15 GDPR).
Right to rectification — to correct inaccurate or incomplete personal data (Art. 16 GDPR).
Right to erasure ("right to be forgotten") — to request deletion of personal data under certain conditions (Art. 17 GDPR).
Right to restriction of processing — to request limitation of processing under certain conditions (Art. 18 GDPR).
Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another Controller (Art. 20 GDPR).
Right to object — to processing of personal data, including profiling, where the legal basis is legitimate interest (Art. 21 GDPR).
Right to withdraw consent — if processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal (Art. 7(3) GDPR).
We will respond to rights requests without undue delay and at the latest within 30 days. If the request is complex or numerous, we may extend this period by up to two further months, but we will inform you of the extension and the reasons for it.
For Customer Data (e.g., uploaded documents, project data) processed by Scale as a Processor, please contact your employer (the Controller).
For User Account, billing, or website data processed by Scale as a Controller, please contact us at gdpr@scale-company.com.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi) or with the supervisory authority in the EU Member State of your residence or place of work.
VII. Cookies and Tracking Technologies
Our website (www.scale-company.com) uses cookies and similar technologies. We implement Google Consent Mode v2, which means analytics and marketing cookies are blocked by default until you provide consent through our cookie banner.
Essential cookies are required for the website to function and cannot be disabled:
Framer (website platform functionality)
Analytics cookies (require your consent):
Google Analytics 4 — website usage analysis
Framer Analytics — website usage statistics
Marketing cookies (require your consent):
Google Ads — conversion tracking and advertising
Brevo — marketing automation
Functional cookies:
Brevo — chat widget functionality
You can manage your cookie preferences at any time using the cookie banner on our website or by adjusting your browser settings. Note that disabling certain cookies may affect website functionality.
VIII. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify Customers' designated administrators by email or through the Service with reasonable advance notice before the changes take effect. The updated version will always be available at scale-company.com/privacy.
