Privacy Policy

Last updated: 20 May 2026
Effective: 20 May 2026

This Privacy Policy explains how Scalica Ltd ("Scalica", "we", "us", "our") collects, uses, shares, and protects personal data when you use any product offered under the Scalica.ai brand, including ContentTagger, Real UGC from Customers, Release Radar, and Inventory Forecast (each a "Service" and together the "Services").

This policy applies whether you access the Services through a web browser, an app installation (e.g. our Shopify app), or any future native client. It does not apply to third-party services we integrate with, which are governed by their own privacy policies.

Controller vs processor — please read. For data about you (our customer) — your account, billing, and how you use the Services — Scalica is the data controller and this policy governs. For personal data about third parties that you put into the Services (most importantly, your end-customers' data in Real UGC, and individuals who appear in images you connect to ContentTagger), you are the controller and Scalica acts as your processor. That processing is governed by our Data Processing Addendum, and you are responsible for the privacy notices and lawful basis owed to those individuals.

1. Who we are

The data controller for customer and account data is:

2. What data we collect

2.1 Account data

When you create an account we receive, from Google OAuth or Shopify OAuth depending on the Service:

2.2 Service-specific data

| Service | Data we collect and process | Our role |
|---|---|---|
| ContentTagger | Metadata of image files in Google Drive folders you explicitly connect (filename, MIME type, size, Drive file ID, thumbnail URL). The image bytes themselves are sent to our AI tagging provider (see Section 4) at the moment of tagging, then discarded. We store the AI-generated tags, confidence scores, your approvals, and a synced copy of these tags in the Drive file description (only if you choose to sync). | Controller for your account data; processor for any personal data of individuals appearing in your images. |
| Real UGC from Customers | Shopify shop domain, order metadata for invited customers (order ID, fulfilment status, customer email), customer-uploaded photos and videos submitted to your Shopify store, AI moderation results, reward tracking events. End-customer email addresses are processed solely to deliver invite messages and reward confirmations on your behalf. | Processor for your end-customers' data; controller for your account data. |
| Release Radar | Storefront URLs you monitor, deploy webhook payloads, build review history. | Controller for your account data; processor for any personal data in payloads you send. |
| Inventory Forecast | Sales history, SKU metadata, supplier lead times, and forecast inputs you provide. | Controller for your account data; processor for any personal data in inputs you provide. |

2.3 Payment data

If you subscribe to a paid plan, payment is processed by Stripe Inc. and Stripe Payments Europe Ltd. We never see or store your full card number. We receive from Stripe: subscription status, plan tier, billing email, billing country, last four digits of the card, and Stripe customer/subscription identifiers.

2.4 Usage and diagnostic data

We collect minimal technical data necessary to operate the Services: IP address (for security and rate limiting), browser and device type, pages viewed within the app, errors encountered (via our error monitoring provider), and timestamps of actions you take.

2.5 What we do NOT collect or do

3. How we use your data (legal bases)

Under UK GDPR and EU GDPR, we rely on the following legal bases when we act as controller:

| Purpose | Legal basis |
|---|---|
| Authenticating you and providing the Services you signed up for | Performance of a contract |
| Accessing your Google Drive folders to tag images (ContentTagger) | Performance of a contract + explicit consent at the OAuth scope grant |
| Accessing your Shopify orders to send UGC invites (Real UGC) | Performance of a contract + Shopify OAuth scope grant |
| Sending you transactional emails (account verification, billing receipts, password resets) | Performance of a contract |
| Sending you product update emails about Services you use | Legitimate interest, with opt-out in every email |
| Security, fraud prevention, abuse detection | Legitimate interest |
| Compliance with legal obligations (e.g. tax records) | Legal obligation |
| Improving the Services and aggregate analytics | Legitimate interest, with safeguards |

Where we act as your processor (see the callout above and our Data Processing Addendum), we process personal data only on your documented instructions; you are responsible for the legal basis for that processing.

4. Who we share data with (sub-processors)

We share data only with carefully selected service providers ("sub-processors") that help us operate the Services. They process data on our instructions and are bound by Data Processing Agreements.

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage, edge function hosting | EU (Ireland / Frankfurt) |
| Anthropic | AI image analysis for tag generation (ContentTagger) and content moderation (Real UGC) | USA, with EU data processing addendum; does not train on our data |
| Stripe | Payment processing, subscription management | Ireland (Stripe Payments Europe Ltd) and USA |
| Resend | Transactional email delivery | USA, with EU SCCs |
| Cloudflare | DNS, content delivery, DDoS protection | Global edge network |
| Google LLC | OAuth authentication, Drive API access (only when you connect Drive) | Governed by your Google account settings |
| Shopify Inc. | OAuth authentication, store data access (only for Real UGC users) | Governed by your Shopify merchant agreement |
| Sentry | Error monitoring and diagnostic logging | EU region |

An up-to-date list of sub-processors, including any AI providers we use, is maintained at scalica.ai/subprocessors. We will give at least 30 days' notice via email before adding a new sub-processor that materially changes the data flow, so that you can object before the change takes effect.

4.1 International transfers

Some sub-processors are located outside the UK and EEA. Where personal data is transferred outside the UK or EEA, we rely on UK International Data Transfer Agreements (or the UK Addendum to the EU Standard Contractual Clauses), EU Standard Contractual Clauses, or adequacy decisions to safeguard your data. You may request a copy of the safeguards by emailing [email protected].

4.2 We do not share data with

5. Google API Services User Data Policy

ContentTagger's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, in ContentTagger:

6. Data retention

We retain personal data only as long as needed to provide the Services:

7. Your rights

If you are in the UK or EEA, you have the following rights under UK/EU GDPR in respect of personal data for which we are the controller:

If your request concerns data for which one of our customers is the controller (for example, you are an end-customer who submitted UGC to a merchant), we will refer your request to that customer, who is responsible for responding.

To exercise any of these rights, email [email protected]. We will respond within one month.

8. Security

We take appropriate technical and organisational measures to protect your data:

No system is perfectly secure. If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by GDPR. Where we act as processor, we will notify the relevant controller (our customer) without undue delay so that they can meet their own obligations.

9. Cookies and similar technologies

We use only essential cookies necessary for authentication and session management. We do not use third-party advertising cookies, analytics trackers that build cross-site profiles, or fingerprinting techniques. Because we do not use non-essential cookies, we do not display a cookie consent banner.

10. Children

The Services are intended for business use and are not directed at children. Our Terms require all account holders to be at least 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us and we will delete it. Where you submit content through a Service (for example UGC), you are responsible for ensuring you have any consents required where that content concerns a minor.

11. Changes to this policy

We may update this policy from time to time. For material changes, we will email registered users at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

For any privacy question, request, or complaint: