Privacy Policy
Last updated: 28th October 2025
1. Introduction
SCALE GRP LTD ("we," "us," or "our") operates ELEVATE (the "Service"), designed to assist media buying agencies and e-commerce brands in managing Meta advertising campaigns through streamlined ad creation, file management, and campaign analytics. We are committed to protecting your privacy and ensuring the security of your personal information in accordance with UK data protection laws.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Data Controller:
SCALE GRP LTD
UNIT 2A SWORDFISH BUSINESS PARK, HIGGINS LANE, BURSCOUGH, UNITED KINGDOM, L40 8JW
Email: admin@scalegroup.co
ICO Registration Number: ZB691192
2. Information We Collect
We collect and process the following types of information:
2.1 Personal Identification Information
Name, email address, and contact details
Organization name and business information
Job title and role within your organization
2.2 Account Credentials
Email and password (encrypted) for Service access
User role and permissions within your organization
2.3 OAuth and Platform Integration Data
When you connect third-party services to ELEVATE, we access and store:
Meta/Facebook Integration:
Ad account information, IDs, and permissions
Campaign, ad set, and ad data
Creative assets and performance metrics
Facebook Pages and Instagram business accounts you manage
OAuth access tokens (encrypted and securely stored)
Google Drive Integration:
File names, sizes, types, and folder structures
File access permissions
OAuth access tokens (encrypted and securely stored)
Dropbox Integration:
File names, sizes, types, and folder structures
File access permissions
OAuth access tokens (encrypted and securely stored)
2.4 File and Media Data
Files uploaded to our Service (images, videos, documents)
File metadata including names, sizes, types, upload timestamps
Storage location references in our cloud storage
Folder organization and file groupings
2.5 Usage Data
Access times, pages viewed, and feature usage patterns
Ad build history and campaign configurations
Support ticket communications and attachments
Feature requests and feedback
2.6 Device and Technical Information
IP address, browser type, and operating system
Device identifiers and screen resolution
Session data and authentication tokens
2.7 Payment and Billing Information
Subscription plan details and billing cycle
Payment status and transaction history
Stripe customer ID (payment processing handled by Stripe)
Invoice data (processed through Xero for accounting)
Note: We do not store credit card details. All payment card information is processed and stored by Stripe, our payment processor.
3. Legal Basis for Processing (UK GDPR)
We process your personal data under the following legal bases:
Contract Performance: Processing necessary to provide the Service you've subscribed to, including account management, ad creation services, and platform integrations.
Legitimate Interests: Improving our Service, preventing fraud, maintaining security, and conducting business operations.
Consent: Marketing communications (where you've opted in) and optional platform integrations.
Legal Obligation: Compliance with tax, accounting, and other legal requirements.
You have the right to withdraw consent at any time where we rely on consent as the legal basis.
4. How We Collect Information
We collect information through:
Direct Interactions: When you register for an account, configure settings, upload files, create support tickets, or communicate with us.
Third-Party OAuth Integrations: When you authorize connections to Meta/Facebook, Google Drive, or Dropbox, we access data from these platforms as permitted by you and their respective APIs. OAuth access tokens are encrypted and securely stored to maintain these connections. Tokens are refreshed automatically and expire based on platform policies (Meta tokens require periodic reauthorization).
Automated Technologies: Through essential cookies and local storage for authentication, session management, user preferences, and cookie consent tracking. We do not use analytics, tracking, or advertising cookies.
Payment Processors: Stripe provides us with subscription status, customer IDs, and payment outcomes (but not card details).
5. Use of Your Information
We use collected information to:
Provide, operate, and maintain the Service
Authenticate users and manage account access
Facilitate OAuth connections to Meta, Google Drive, and Dropbox
Store and manage media files for ad creation
Create and launch advertising campaigns on Meta platforms
Generate campaign analytics and performance reports
Process subscriptions and billing through Stripe
Issue invoices via Xero for accounting purposes
Communicate with you about Service updates, support requests, and account matters
Send transactional emails (account verification, password resets, subscription changes)
Send service emails (build completion notifications, error alerts, trial expiry notices)
Send marketing emails (with your consent) including product updates and feature announcements
Improve and personalize user experience
Provide customer support and respond to inquiries
Ensure security and prevent fraud
Comply with legal obligations and protect against legal claims
6. Cookies and Local Storage
We use essential cookies and browser local storage for:
Authentication: Maintaining your login session
Session Data: Preserving navigation state and user preferences
Cookie Consent: Recording your cookie acceptance status
UI Preferences: Theme selection (light/dark mode) and interface settings
We do not use:
Analytics or tracking cookies
Advertising or marketing cookies
Third-party tracking technologies
You can manage cookies through your browser settings, though disabling essential cookies may affect Service functionality.
7. Sharing Your Information
We share your information only in the following circumstances:
7.1 Service Providers and Third-Party Platforms
We work with trusted third-party service providers to deliver and improve our Service. These providers process your information on our behalf and are contractually obligated to protect your data:
Payment Processing: We use Stripe to securely process subscription payments. Stripe handles all credit card details directly; we only receive transaction status and customer reference information.
Advertising Platforms: When you launch advertising campaigns through our Service, we transmit your ad creative data and campaign configurations to Meta (Facebook and Instagram) platforms in accordance with the permissions you've granted.
Cloud Storage: We use Amazon Web Services (AWS) to securely store your uploaded media files and assets with enterprise-grade security standards.
File Import Services: When you connect Google Drive or Dropbox to import media, we access only the files you've specifically authorized through secure OAuth authentication.
Accounting and Invoicing: We use Xero to generate invoices and maintain financial records for billing purposes.
Email Communications: We use third-party email delivery services to send you transactional emails (such as account invitations, notifications, and support communications).
Backend Infrastructure: We use cloud database and authentication services to host your data securely and manage user access to the Service.
Internal Operations: We use communication tools for internal notifications related to critical system events and support ticket management. These tools only access information necessary to provide you with support.
All service providers are carefully selected based on their security practices and compliance with applicable data protection regulations.
7.2 Legal Obligations
We may disclose your information to authorities when required by law, court order, or governmental regulation, or to protect our rights, safety, or property.
7.3 Business Transfers
In connection with mergers, acquisitions, or asset sales, your information may be transferred to the acquiring entity. We will ensure the receiving party agrees to protect your personal data consistently with this Privacy Policy and will notify you before any transfer.
8. International Data Transfers
Your data is primarily stored within the UK/EU. Where data is transferred to service providers outside the UK/EU (such as AWS S3 or Supabase), we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs) approved by the UK ICO
Adequacy decisions recognizing equivalent data protection standards
Service provider certifications and security commitments
9. Data Retention
We retain your personal data as follows:
Active Accounts: Data retained while your account is active and you continue using the Service.
Trial Accounts: If your trial expires without conversion to a paid plan, data is retained for 14 days, then marked for deletion.
Paid Subscriptions (Canceled): After subscription cancellation, data is retained for 6 months to allow for potential reactivation, then permanently deleted.
Account Deletion Requests: Upon request, your account is soft-deleted immediately (you lose access), then permanently deleted after 90 days along with all associated data.
Temporary File Deletion: Files moved to trash are soft-deleted for 24 hours before permanent removal from storage.
Legal Retention: Where required by law (e.g., tax, accounting records), we retain data for the legally mandated period (typically 6-7 years for financial records).
10. User Roles and Access Control
Within your organization's account:
Admin Users: Have full access to all data, settings, clients, team members, billing, and integrations. Admins are responsible for managing team access and ensuring appropriate permissions.
Standard Users: Have access only to data and features assigned to them by admins, with restricted permissions based on their role.
Admins are responsible for managing user access appropriately and ensuring team members only access data necessary for their roles.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
Encryption of data in transit (TLS/SSL) and at rest
Secure encryption of OAuth access tokens
Role-based access controls and authentication mechanisms
Regular security assessments and monitoring
Secure backup procedures
Staff training on data protection practices
However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.
Breach Notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR.
12. Your Data Protection Rights (UK GDPR)
Under UK data protection laws, you have the following rights:
Right of Access: Request copies of your personal data.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your personal data under certain conditions (e.g., data no longer necessary, withdrawal of consent).
Right to Restrict Processing: Request restriction of processing under certain conditions.
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Data Portability: Request transfer of your data to another organization or directly to you in a structured, commonly used format.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: https://ico.org.uk/
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
To exercise any of these rights, please contact us at admin@scalegroup.co.
13. Automated Decision Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
14. Marketing Communications
With your consent (provided during signup), we may send you periodic emails with:
Product updates and new feature announcements
Service improvements and enhancements
Industry insights and best practices
You can opt out of marketing emails at any time by:
Clicking the "unsubscribe" link in any marketing email
Contacting us at admin@scalegroup.co
Updating your communication preferences in your account settings
Transactional and service emails (account verification, password resets, subscription changes, ad build notifications) cannot be opted out of as they are essential to Service operation.
15. Third-Party Links and Services
Our Service integrates with and may contain links to third-party platforms:
Meta/Facebook (https://www.facebook.com/privacy/policy/)
Google Drive (https://policies.google.com/privacy)
Dropbox (https://www.dropbox.com/privacy)
Stripe (https://stripe.com/privacy)
We have no control over and assume no responsibility for the content, privacy policies, or practices of these third-party services. We encourage you to review their privacy policies.
16. Children's Privacy
Our Service is intended for business use only and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that information promptly.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
Posting the updated policy on our website with a new "Last Updated" date
Sending an email notification to your registered email address
Displaying a prominent notice within the Service