Privacy policy
Effective Date: 18 March 2026
Last Updated: 18 March 2026
I. Introduction
In the following, we provide information about the collection and processing of personal data in the context of the Scale Platform, an AI-powered intelligence platform, including the Max Scale application for Microsoft Teams, and related cloud-based services (the "Service") provided by Scale Company Oy ("Scale", "we", "us").
Depending on the processing activity, Scale acts either as a Processor or a Controller:
Processor (see Section II)
We process personal data on behalf of your employer (our Customer), who acts as the Controller. Please contact your employer directly for any questions regarding such processing.
Controller (see Section III)
We process personal data for our own business purposes, such as account administration, billing, support, marketing, and website operation.
The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children.
This Privacy Policy applies to the following categories of data subjects: users of the Service, Customer personnel whose information appears in uploaded materials, website visitors, Customer representatives, and prospective business contacts.
II. Scale as a Processor
Our platform is provided to companies as an AI-powered intelligence tool. If the Service is made available to you by your employer, your employer is the Controller of your personal data and Scale is the Processor.
Scale processes personal data only under the instructions of the Customer and is not responsible for the Customer's independent privacy practices.
Scale does not independently determine the purposes or means of processing Customer Data and acts solely on the instructions of the Customer in its role as Processor.
1. Types of Personal Data Processed as a Processor
a) User Profile Data
Name
Work email address
Login credentials managed through our authentication provider
b) Customer-Uploaded Content
Documents (such as PDFs, spreadsheets, and presentations) that users upload to the platform.
These documents may incidentally contain personal data, such as team member names and email addresses in project files, steering committee decks, or similar materials. Scale does not systematically extract personal data from these documents.
c) Project Data
Team member names and email addresses added to projects by users in connection with project management and collaboration features.
d) Access and Technical Data
IP address
Browser type
Operating system
Device identifiers
Date and time of access
Error logs
Usage metrics
This information is processed primarily for system stability, service performance, and security monitoring.
2. Use of AI
The Service uses artificial intelligence models to analyze Customer-uploaded documents and generate insights and recommendations.
The AI engine is powered by Google Vertex AI by default. Where a Customer configures a third-party AI provider, processing is subject to that provider's terms.
AI may encounter personal data incidentally present in uploaded documents. It does not extract, profile, or store personal data separately from the documents themselves.
AI processing involves automated analysis of documents that may incidentally contain personal data. The Service is not designed to profile individuals or evaluate personal aspects of data subjects.
AI outputs are advisory only and do not produce legal or similarly significant effects on individuals. All business decisions remain the responsibility of human users at the Customer.
To the extent that such automated analysis could be interpreted as profiling under applicable law, data subjects have the right to object to such processing under GDPR Article 21.
Scale's default AI provider (Google Vertex AI) is contractually prohibited from using Customer Data to train or optimize its general AI models.
Where the Customer configures a third-party AI provider, the Customer is responsible for reviewing that provider's data usage terms.
All AI processing occurs within EU infrastructure by default. If a Customer configures a third-party AI provider, processing location is determined by that provider's terms.
3. Storage Duration as a Processor
Scale retains Customer Data only as long as necessary to provide the Service and fulfill contractual obligations.
Data Category
Retention Period
Customer Data
Deleted no later than 120 days after contract termination, unless required longer for legal claims
User Account Data
Deleted no later than 120 days after contract termination
Technical Logs
Deleted within 120 days
III. Scale as a Controller
Scale acts as the Controller for personal data processed for its own business purposes, including:
account management
billing
communications
customer support
marketing
website operation
1. Categories of Data Processed as a Controller
a) Account and Contact Data
Names, job titles, business email addresses, and Customer billing information.
Payment transactions are processed by Stripe. Scale does not store payment card data directly.
b) Support and Communication Data
Information from support requests, administrative correspondence, or other communications with Scale, including messages sent via our website chat.
c) Website and Marketing Data
Cookies and analytics information collected through our website
Newsletter or product update subscription information
d) Prospect Data
Contact information of potential business customers, such as:
names
job titles
business email addresses
company names
These may be collected from public sources or through sales outreach.
Scale processes prospect data based on its legitimate interest in developing business relationships with potential customers. Individuals may object to such processing at any time.
2. Legal Bases for Processing as a Controller
Scale processes personal data under the following GDPR legal bases (Art. 6).
Purpose of Processing
Legal Basis
Providing and administering the Service, including account creation and management
Contract (Art. 6(1)(b))
Customer support and operational communications
Legitimate Interest (Art. 6(1)(f))
Security monitoring and service reliability
Legitimate Interest (Art. 6(1)(f))
Product improvement and operational analytics
Legitimate Interest (Art. 6(1)(f))
Billing, accounting, and compliance with statutory obligations
Legal Obligation (Art. 6(1)(c))
Marketing communications and product updates
Consent (Art. 6(1)(a))
Website analytics and marketing cookies
Consent (Art. 6(1)(a))
Scale’s legitimate interests include:
operating and improving the Service
ensuring system security and reliability
providing customer support
communicating relevant service updates
developing business relationships with prospective customers, including limited B2B outreach
Data subjects may object to such processing at any time.
3. How We Use Your Information
We use the information we process for the following purposes.
To Provide and Improve the Service
Customer Data enables delivery of the intelligence platform and technical data helps improve system performance and reliability.
For Security and Troubleshooting
We monitor our systems to prevent security incidents and resolve technical issues.
To Communicate With You
We use contact information to send:
service updates
support communications
administrative messages
marketing communications (where consent has been provided)
To Create Anonymized Insights
We may anonymize and aggregate data to analyze usage trends and improve our product.
This anonymized data cannot identify any individual or company.
Benchmarking features are enabled by default and can be disabled through the Service settings.
4. International Transfers
Scale Company Oy is based in Finland and primarily uses EU-based infrastructure.
Platform data (customer-uploaded content and user accounts) is hosted within the EU on Google Cloud Platform:
europe-north1 (Finland)
europe-west3 (Frankfurt)
Some website analytics and marketing data may be transferred to the United States (Google Analytics, Google Ads) only with the user's prior consent via our cookie consent mechanism.
Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards including, but not limited to:
Standard Contractual Clauses (SCCs) approved by the European Commission
EU-U.S. Data Privacy Framework (DPF) where applicable
5. Storage Duration as a Controller
Data Category
Retention Period
Account and billing data
Stored for the duration of the contractual relationship and thereafter as required by law (e.g., Finnish Accounting Act)
Marketing data
Retained until consent is withdrawn or the user opts out
Support and communications data
Retained as long as necessary to resolve the issue and for legitimate record-keeping
Website analytics data
Retained according to cookie retention periods (maximum 2 years)
IV. How We Share Your Information
We do not sell personal data. Personal data is shared only with trusted service providers who help us operate the Service.
Service Providers Processing Platform Data (Processor Role)
Provider
Purpose
Location
Google Cloud Platform (incl. Vertex AI)
Cloud hosting, AI-powered document analysis
EU (Finland / Frankfurt)
Auth0 (Okta, Inc.)
Platform authentication
EU
Slack (Salesforce, Inc.)
Customer communication channel
EU
Stripe Technology Europe, Limited
Payment processing
EU (Ireland) / US
Microsoft Ireland Operations Limited
Max Scale application for Microsoft Teams — chat UI and document access
EU (North Europe / West Europe)
Brevo (Sendinblue SAS)
Customer communication
EU (France)
Where the Customer configures enterprise single sign-on (SSO) through their own identity provider (e.g., Microsoft Entra), that provider processes authentication data under the Customer's own agreement. Scale integrates with customer-configured identity providers but does not engage them as sub-processors.
Stripe processes payment data in the EU (Ireland) and may transfer certain data to the United States for fraud prevention and regulatory compliance purposes, subject to the EU-U.S. Data Privacy Framework and Standard Contractual Clauses. Scale does not store payment card data directly; card data is tokenized and held by Stripe.
Service Providers for Scale's Own Operations (Controller Role)
Provider
Purpose
Location
Google Workspace
Internal email and collaboration
EU
Slack (Salesforce, Inc.)
Internal communication
EU
Brevo (Sendinblue SAS)
Email marketing and website chat
EU
Linear
Incident management and product management
EU
Zero.inc
CRM
EU
Google Analytics / Google Ads
Website analytics and conversion tracking
US (consent-gated)
Framer
Website hosting
EU
Tana
Internal documentation
US
Notion
Internal documentation
US / EU
GitHub
Source code management
US
Scytale
Compliance automation
EU
Stripe Technology Europe, Limited
Payment processing
EU (Ireland) / US
Anthropic, PBC
AI-assisted development and internal operations
US
All sub-processors are bound by Data Processing Agreements.
Personal data may also be disclosed where required by applicable law, regulation, court order, or binding request from a competent authority, or in connection with a merger, acquisition, financing, asset sale, or other corporate transaction, provided appropriate safeguards are implemented.
V. Data Security
Scale implements appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful access, disclosure, alteration, or destruction. Such measures are intended to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing, as well as the potential risks to individuals’ rights and freedoms.
Access to personal data is restricted to personnel who have a legitimate business need for such access and who are subject to applicable confidentiality obligations.
Further information regarding Scale’s security practices and controls is available in our Trust Center: https://trust.scale-company.com/
While Scale maintains safeguards designed to protect personal data, no method of transmission over the internet or electronic storage is entirely secure, and absolute security cannot be guaranteed.
VI. Data Protection Officer and Contact
If you have any questions about this Privacy Policy or our data processing practices, please contact:
Data Protection Officer
Scale Company Oy
Business ID: 3193447-1
Fenixinrinne 4 C 34
00580 Helsinki
Finland
Email: gdpr@scale-company.com
VII. Your Rights
As a data subject, you have the following rights under the GDPR (depending on the processing context and legal basis):
Right
Description
Right of access
Obtain confirmation whether your personal data is processed and receive a copy (Art. 15 GDPR)
Right to rectification
Correct inaccurate or incomplete personal data (Art. 16 GDPR)
Right to erasure
Request deletion of personal data under certain conditions (Art. 17 GDPR)
Right to restriction of processing
Request limitation of processing under certain conditions (Art. 18 GDPR)
Right to data portability
Receive your personal data in a structured, machine-readable format (Art. 20 GDPR)
Right to object
Object to processing based on legitimate interest, including profiling (Art. 21 GDPR)
Right to withdraw consent
Withdraw consent at any time where processing is based on consent (Art. 7(3) GDPR)
For Customer Data processed by Scale as a Processor (e.g., uploaded documents or project data), please contact your employer, who acts as the Controller.
For account, billing, or website data processed by Scale as a Controller, please contact us at gdpr@scale-company.com.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) or with the supervisory authority in the EU Member State of your residence or workplace.
VIII. Cookies and Tracking Technologies
Our website (www.scale-company.com) uses cookies and similar technologies.
We implement Google Consent Mode v2, meaning analytics and marketing cookies are blocked by default until consent is provided through our cookie banner.
Essential cookies (required)
Framer (website platform functionality)
Analytics cookies (require consent)
Google Analytics 4 — website usage analysis
Framer Analytics — website usage statistics
Marketing cookies (require consent)
Google Ads — conversion tracking and advertising
Brevo — marketing automation
Functional cookies
Brevo — chat widget functionality
You can manage cookie preferences at any time using the cookie banner on our website or by adjusting your browser settings. Disabling certain cookies may affect website functionality.
IX. Changes to This Policy
We may update this Privacy Policy from time to time.
If material changes are made, we will notify Customers' designated administrators by email or through the Service with reasonable advance notice before the changes take effect.
The most recent version will always be available at:
scale-company.com/privacy.
