Privacy Policy

1. Who we are

ScaleLayR is responsible for the processing of personal data as described in this privacy policy.

• Company name: ScaleLayR
• Chamber of Commerce (KVK): 42031323
• Address: De Nieuwe Erven 3, Unit 14705, 5431 NV Cuijk, The Netherlands
• Email: contact@scalelayr.com

2. What data we collect

We only collect data that you voluntarily provide through our forms or email:

• Blueprint / lead-magnet download: first name, email address, company or project name, self-selected profile (business owner, freelancer/self-employed, aspiring founder, or other), language (NL/EN), source of the request (which landing page) and IP address
• Strategy session request: name, email address, company name (optional), phone (optional), selected services, country, website URL, description of your situation and goals, budget indication, timeline and IP address
• Newsletter and master subscriber list: email address, self-selected profile (if you indicated one during an earlier download) and IP address. Only with your explicit consent (opt-in)
• Email-sequence tracking: we store per recipient which emails in our automated series have been sent, scheduled or cancelled. This prevents duplicate sends and enables correct cancellation of pending emails when you unsubscribe
• Unsubscribe feedback (optional): when you unsubscribe you can voluntarily select one click-based reason. We store only your email address and the chosen reason, nothing else
• Email communication: name, email address, content of correspondence
• Business clients (legal entities): company name, registered address, Chamber of Commerce (KVK) number, VAT identification number, name of the authorized signatory and contact person. These details are only requested from clients who contract with us as a legal entity (BV, VOF, foundation, sole proprietorship), for the lawful conclusion and performance of the project agreement and to comply with our tax administration obligations
• AI Agents (clients with an agent subscription): the prompts, knowledge-base content, configurations, conversation logs and associated metadata that you or your end users process via the AI agent delivered to you. ScaleLayR stores this data in an environment managed by ScaleLayR or designated by you, uses it solely for delivering and improving the service provided to you, and does not use it to train its own or third-party models, unless otherwise agreed with you in writing. Where personal data is processed via an AI agent, we will conclude a data processing agreement (DPA) with you in accordance with article 28 GDPR

3. Why we collect this data

We process your data for the following purposes. By giving consent on the form you agree to all of them. You can withdraw consent at any time via the unsubscribe link in every email or by contacting us.

• Direct service delivery: to respond to your request, deliver the content you asked for (such as the Blueprint), prepare a proposal and perform our services
• Automated nurture emails: after requesting a lead magnet like the Blueprint you receive a sequence of follow-up emails (approximately 7 mails over 14 days) with tips, examples, case notes and offers that build on the content you downloaded. Every email includes a 1-click unsubscribe link
• Newsletter and product updates: periodic emails with new tips, case examples, product announcements and ScaleLayR updates
• Targeted announcements and offers: based on the profile you self-selected on the form, we may send you specific announcements that are relevant. Examples: book launches (such as "Launch Anyway"), service updates for your category, seasonal offers or workshops
• Segmentation: we use your self-selected profile and behaviour (open rates, clicks) to make sure you do not receive irrelevant emails. No automated profiling with legal effects: all segmentation exists so you get fewer but more relevant emails
• Customer communication: to contact you about your project, request or question
• Customer database: to maintain our relationship with you and serve you for future projects or launches
• Invoicing: to send invoices and process payments (for paying clients)
• Legal obligation: to comply with tax and accounting requirements
• Quality improvement: anonymised analysis of open rates, clicks and unsubscribe feedback to improve our content and segmentation

4. Legal basis

We process your data based on:

• Consent: you give consent when submitting a form and checking the privacy checkbox
• Performance of a contract (art. 6(1)(b) GDPR): for delivering the services you engage us for, including the processing of KVK number, VAT identification number and the name of the authorized signatory for business clients. These details are necessary to conclude a legally valid project agreement, issue correct invoices and establish the identity of the contracting party
• Legitimate interest: for maintaining our customer database and improving our services
• Legal obligation: for tax and accounting purposes

5. Retention periods

• Contact details and project data: maximum 2 years after last contact, unless there is an active client relationship
• Customer database: for the duration of the client relationship and maximum 2 years after
• Invoicing data: 7 years (legal retention requirement)
• Blueprint lead data and master subscriber list: until you unsubscribe. Your email address is removed from our active list within 24 hours
• Nurture-sequence tracking records: until the end of the series, after which they are kept for up to 90 days for audit purposes (to prove no emails were sent after unsubscribe)
• Unsubscribe feedback: maximum 12 months, anonymised after 3 months (only the reason is kept, not the email address)
• Newsletter and marketing: until you unsubscribe or withdraw your consent. You can unsubscribe at any time via the link at the bottom of each email, the native unsubscribe button in Gmail/Yahoo (RFC 8058 one-click), or by contacting us

6. Sharing with third parties

We do not share your data with third parties unless it is necessary for our services or we are legally required to do so. Where applicable, we use:

• Cloudflare (US): for hosting, security, bot verification (Turnstile), database storage (D1) and website analytics (Cloudflare Web Analytics). Cloudflare processes limited technical data (IP address, browser, page views) in accordance with their privacy policy. Cloudflare Web Analytics does not use cookies and does not track individual visitors. Cloudflare is EU-US Data Privacy Framework certified.
• Resend (US): for sending email notifications, confirmations and newsletters. Resend processes email addresses and message content in accordance with their privacy policy.
• Calendly (US): for scheduling strategy sessions. After completing the request form, you can choose a time slot via a Calendly widget. Calendly processes your name and email address in accordance with their privacy policy.
• OpenAI (US) and Anthropic (US): only for clients with an active AI Agents subscription. Prompts, conversation context and relevant knowledge-base fragments are sent to the chosen LLM provider to generate a response. Both providers are EU-US Data Privacy Framework certified, apply a no-training-by-default policy for API data and retain API input for a maximum of 30 days for abuse monitoring. Which provider is used for your agent is recorded in the project agreement and (where personal data is processed) in the data processing agreement concluded with you.
• Vector database / knowledge-base storage (EU/US): only for clients with an active AI Agents subscription. For storing and querying knowledge-base content, ScaleLayR uses a vector database (such as Pinecone, Qdrant or similar). The chosen provider and region are recorded in the project agreement. Where personal data is processed, ScaleLayR opts for an EU region whenever possible.
• Google Ireland Limited (IE/US), LinkedIn Ireland Unlimited Company (IE/US) and Meta Platforms Ireland Limited (IE/US): only for website visitors who give explicit consent for marketing cookies. We send anonymized events (PageView, Lead) and pseudonymous cookie IDs to these providers to measure and optimize advertising. We do not send email addresses, phone numbers or names (Advanced Matching is disabled). Transfers outside the EEA may take place under Standard Contractual Clauses and (where applicable) the EU-US Data Privacy Framework.

We never sell your data to third parties.

7. Cookies and analytics

Our website uses cookies. On your first visit, we ask for your consent via a cookie banner. You can adjust your preferences at any time via the settings icon in the bottom-left corner of the page.

7.1 Necessary cookies (always active)

These cookies are essential for the operation of the website and do not require consent under GDPR.

7.2 Analytics cookies (optional)

With your consent, we use Google Analytics 4 to collect anonymous visitor statistics. This helps us improve the website. We also use Cloudflare Web Analytics, which does not use cookies.

We have configured Google Analytics with IP anonymization and Google Consent Mode v2, ensuring no data is collected without your explicit consent.

7.3 Marketing cookies (optional)

With your consent, we use Google Ads, the LinkedIn Insight Tag and the Meta Pixel (Facebook) to measure the effectiveness of our advertisements and to attribute conversions (such as downloads or contact requests) to the ad you clicked on.

Our Google Ads conversion tag (account ID AW-18116257302) uses Google Consent Mode v2 with the parameters ad_storage, ad_user_data and ad_personalization. These default to denied; only after your explicit consent does this switch to granted and conversion pings are sent to Google. The data is retained by Google for a maximum of 24 months for ad measurement (no profiling beyond measurement). Legal basis: consent (article 6(1)(a) GDPR and article 11.7a Dutch Telecommunications Act).

Our Meta Pixel (ID 1323665519684547) is provided by Meta Platforms Ireland Limited. The pixel only loads after your explicit consent for marketing cookies and uses the native fbq('consent', 'grant') / 'revoke' consent API to control data exchange. We only use the standard PageView and Lead events; we do not send email addresses or phone numbers to Meta (Advanced Matching is disabled). Upon withdrawal, _fbp and _fbc are deleted immediately. Transfers outside the EEA may take place under Meta's Standard Contractual Clauses. Legal basis: consent (article 6(1)(a) GDPR and article 11.7a Dutch Telecommunications Act).

7.4 Adjusting your preferences

You can change your cookie preferences at any time by clicking the settings icon in the bottom-left corner of the page. You can also delete all non-essential cookies by clearing your browser data.

8. Security

We take appropriate technical and organizational measures to protect your data against unauthorized access, loss or misuse. Our website is hosted on Cloudflare with HTTPS encryption, and form data is protected by Cloudflare Turnstile and multiple anti-spam measures.

9. Your rights

Under the GDPR, you have the following rights:

• Access: you may request which data we hold about you
• Rectification: you may have incorrect data corrected
• Erasure: you may request deletion of your data
• Restriction: you may request restriction of processing
• Data portability: you may request your data in a structured format
• Objection: you may object to processing based on legitimate interest
• Withdraw consent: you may withdraw your consent at any time

Contact us at contact@scalelayr.com to exercise your rights. We will respond within 30 days.

10. Complaints

If you have a complaint about how we handle your data, please contact us at contact@scalelayr.com. You also have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

11. Changes

We may update this privacy policy from time to time. The most recent version is always available on this page. For significant changes, we will notify you via email or a notice on our website.