We collect the following categories of personal data:

• Service delivery — to create your account, authenticate your sessions, process your content generation requests, and deliver the core ScalitOS experience.
• Personalization — to tailor written for you outputs to your brand profile, voice DNA, and content preferences.
• Analytics and improvement — to understand platform usage patterns and improve our features, performance, and user experience.
• Billing — to process payments, manage subscriptions, and send transaction-related communications.
• Communication — to send you service updates, security alerts, and (with your consent) product announcements. You can opt out of marketing communications at any time.
• Legal compliance — to meet our legal obligations, respond to lawful requests, and protect our rights.

ScalitOS uses third-party AI services, including OpenAI's language models (GPT-5.2), image generation (GPT Image 1), video generation (Sora 2), and text-to-speech services to power its features. When you use features:

• Your input prompts and content are sent to these providers for processing.
• These providers process data in accordance with their own privacy policies and data processing agreements we hold with them.
• We do not use your content to train AI models. Your inputs are processed transiently to generate outputs and are not retained by third-party providers beyond what is necessary for content delivery.
• written for you outputs are stored in your account for your access and are not shared with other users.

We do not sell, rent, or trade your personal data to any third party. We share data only with:

• Infrastructure providers — cloud hosting and database services that store your data securely under strict data processing agreements.
• Payment processor — Stripe processes payment transactions on our behalf under PCI-DSS compliance.
• AI service providers — OpenAI processes your content inputs for generation purposes only, as described above.
• Legal requirements — we may disclose data if required by law, court order, or to protect the safety and rights of our users or the public.

We implement robust technical and organizational measures to protect your data:

• All data in transit is encrypted using TLS 1.2+ (HTTPS).
• Passwords are hashed using bcrypt with unique salts — we never store plain-text passwords.
• Authentication uses time-limited JWT tokens with secure session management.
• Access to production systems is restricted to authorized personnel only.
• We conduct regular security reviews and follow industry best practices.
• Login attempt rate limiting and brute-force protection are active on all accounts.

As a data subject in the EU, you have the following rights:

• Right of access — you can request a copy of the personal data we hold about you.
• Right to rectification — you can update or correct inaccurate data directly in your account settings or by contacting us.
• Right to erasure — you can request deletion of your account and all associated data. We will process this within 30 days.
• Right to data portability — you can request your data in a structured, machine-readable format.
• Right to restrict processing — you can request that we limit how we process your data in certain circumstances.
• Right to object — you can object to data processing based on our legitimate interests.
• Right to withdraw consent — where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at legal@scalitos.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

We retain your personal data for as long as your account is active or as needed to provide our services. Specifically:

• Account data — retained until you delete your account.
• Generated content — retained in your account until you delete it or close your account.
• Usage analytics — aggregated and anonymized data may be retained indefinitely for service improvement.
• Billing records — retained for 7 years as required by Romanian tax and accounting regulations.
• Login and security logs — retained for 90 days for security and fraud prevention.

After account deletion, we will remove your personal data within 30 days, except where retention is required by law.

Your data may be processed outside the European Economic Area (EEA) by our AI service providers. In such cases, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your data to the same standard required within the EEA.

For privacy-related inquiries, data requests, or complaints: