Privacy Policy

Operator of this platform:

Contact: Cem Cinar
Email: cemcinar@advancedfunnels.de

“Scaled” is the product name of the CRM platform operated by CA Marketing LLC. This platform is operated by a U.S.-based entity. For users accessing from the EU, the GDPR applies extraterritorially under Art. 3(2) GDPR.

We process our users’ personal data only to the extent necessary to provide a functional website together with our content and services. Processing takes place on the basis of the user’s consent or a statutory permission (Art. 6 GDPR).

3.1 Vercel

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Vercel processes technical connection data (IP address, timestamp, user agent) for the purpose of delivering the website. Legal basis: Art. 6(1)(f) GDPR (legitimate interest). Transfer to the USA is based on the EU Standard Contractual Clauses.

Vercel privacy policy: https://vercel.com/legal/privacy-policy

3.2 Supabase

Our database and authentication backend is provided by Supabase Inc. The database cluster in use is located in the EU region (Ireland), and the content stored in the database remains there. A transfer to a third country does, however, occur as part of the AI-powered features (see section 4.4) and the U.S. services named in sections 3.1 and 4.

Supabase privacy policy: https://supabase.com/privacy

4.1 Account Data

On registration we process: email address, name, hashed password. Purpose: provision of the platform. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

4.2 Instagram Integration

We offer an integration with the Instagram Graph API (Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin, Ireland). When you connect your Instagram Business account, the following data is processed:

• Account metadata (username, account ID, profile picture)
• Direct messages between the account and its contacts (content, timestamps, sender IDs)
• Comments on the account’s own posts

Legal basis: Art. 6(1)(b) GDPR (performance of a contract) together with consent given via the OAuth flow (Art. 6(1)(a) GDPR).

Purpose of processing: displaying incoming messages in the platform’s inbox; sending manual replies by the account owner.

Retention: messages are stored until the account connection is removed or upon request.

Meta privacy policy: https://www.facebook.com/privacy/policy

4.3 Calendly Integration

When the Calendly integration is used, appointment metadata (time, participant, appointment status) is processed via the Calendly API. Provider: Calendly LLC, USA. Legal basis: Art. 6(1)(b) GDPR. Transfer to a third country is based on the EU Standard Contractual Clauses.

Calendly privacy policy: https://calendly.com/privacy

4.4 AI-Powered Features (OpenAI & Anthropic)

To automatically categorize incoming messages (topics, purchase intent, priority) and to draft reply suggestions, we process the content of Instagram direct messages using AI services. Processors / sub-processors involved:

• OpenAI (OpenAI, L.L.C., USA) — message classification.
• Anthropic (Anthropic PBC, USA) — generation of reply suggestions.

As part of this, message content is transferred to the USA. Before any transfer, the data passes through an automated redaction step that removes direct contact details (email addresses, phone numbers, access tokens). The providers process the content solely to deliver the described feature; the content is not used to build training datasets.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Transfer to the USA is based on the EU Standard Contractual Clauses (Art. 46 GDPR). Where available, a contractual zero-data-retention arrangement is sought.

Privacy policies: OpenAI · Anthropic

We use technically necessary cookies for session management (session cookies, authentication). These are deleted at the end of the browser session and are strictly required for the platform to function. Legal basis: Art. 6(1)(f) GDPR in conjunction with § 25(2)(2) TTDSG.

No tracking or marketing cookies are used.

When webhook events are received (e.g. Instagram messages, Calendly appointments), technical logs are stored (timestamp, event type, status). These logs are used for error diagnosis and are deleted after 30 days. Legal basis: Art. 6(1)(f) GDPR.

You have the right to:

• Access the data stored about you (Art. 15 GDPR)
• Rectification of inaccurate data (Art. 16 GDPR)
• Erasure of data (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Object to processing (Art. 21 GDPR)
• Lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise these rights, or to request deletion of your Instagram data, please contact: cemcinar@advancedfunnels.de

Data is transmitted encrypted via TLS 1.2+. Access tokens to third-party APIs (e.g. Instagram) are stored encrypted (AES-256-GCM). Access to production data is limited to authorized personnel.

We reserve the right to amend this Privacy Policy to reflect changes in the legal situation or in our features. The current version is always available at this URL.