Privacy policy

1. Data controller

The data controller for personal data is ScaleUp S.R.L., with registered office at Corso Magenta 25, 20123 Milano, VAT no. 13743690961 (hereinafter "Controller" or "we"). The Controller is established in Italy and processes personal data in accordance with Regulation (EU) 2016/679 (GDPR) and Italian data protection legislation (D.Lgs. 196/2003 as amended).

Where users process personal data of third parties through the Service, they act as independent data controllers.

2. Data we collect

We collect and process the following categories of data in connection with the Encer platform:

• Account and identity: first name, last name, email address, password (stored in hashed form), role (user/admin), and whether your email has been verified.
• Company data: where you use the service in a company context: company name, sector, logo, website and product URLs, and — if you use the company profile feature — data derived from analysis of your company website (e.g. description, products, brand tone, target audience) performed by automated means (see section on AI below).
• Creator and content data: profiles of virtual creators (name, demographic and physical descriptors such as age, gender, ethnicity, appearance; style and clothing preferences; reference photos and images you upload or that are generated; voice settings and voice identifiers used for synthetic speech); outfits and wardrobe items (images and metadata); scripts, prompts, and other text you enter; generated images and videos; campaign and calendar/scheduling data (titles, dates, platforms, notes).
• Billing and usage: subscription and plan data, credit usage and balance, and — where you choose paid plans — payment-related data processed by our payment provider (e.g. Stripe), in accordance with their privacy policy.
• Technical and security data: IP address, browser type and user-agent, device fingerprint (hash), country of login, timestamps of access and actions; logs for security (e.g. failed logins, suspicious activity), troubleshooting, and compliance. We may retain security events and, where necessary, block IP addresses for a limited time to protect the service.
• Communications and preferences: service-related emails (e.g. verification, password reset); where you have given consent, marketing and newsletter preferences.

We also use session and authentication mechanisms (e.g. session cookies or similar technical identifiers) that are strictly necessary for the operation and security of the platform. We do not use non-essential tracking or advertising cookies for the core service without your consent where required by law.

3. Purposes and legal basis

Your data are processed for the following purposes and on the following legal bases (GDPR Art. 6):

• Performance of contract: to provide the Encer service (account management, creator and content management, AI-assisted script and media generation, scheduling, billing and subscription), including service communications (e.g. email verification, password reset).
• Legitimate interest: to improve the service, ensure security (e.g. detection of abuse, impossible-travel checks, device/location changes), operate and maintain the platform, and send important service-related notices where not strictly contractual.
• Legal obligation: to comply with applicable laws (e.g. tax, accounting, responding to lawful requests from authorities).
• Consent: where we rely on your consent (e.g. marketing emails, non-essential cookies where applicable), you may withdraw it at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We do not process biometric data for the purpose of uniquely identifying a person.

4. Artificial intelligence (AI) and compliance with the EU AI Act

The Encer platform uses artificial intelligence in several ways. In line with Regulation (EU) 2024/1689 (EU AI Act) and best practices on transparency, we inform you of the following:

• AI uses: We use AI (including large language models and generative models) for: (1) generating and suggesting video scripts based on your inputs and company context; (2) synthesising speech (text-to-speech) for your chosen creator voices; (3) generating or adapting images (e.g. creator reference photos, scene-adapted images, marketing images); (4) generating or adapting video content (e.g. lip-sync, avatar-style or image-to-video outputs); (5) analysing company websites you indicate to suggest profile data (e.g. brand tone, products); (6) suggesting calendar or content ideas where that feature is used. These functions involve sending your inputs (text, images, voice parameters, URLs) to external AI providers that act as our data processors under GDPR. By function, we use in particular: speech synthesis (e.g. ElevenLabs); video generation (e.g. Kling via Kie.ai, Hedra); transcription (e.g. AssemblyAI); image and script generation (e.g. Google Gemini). A current list of AI processors is available on request.
• Transparency and disclosure: Content produced with the service (videos, images, audio, text) may be fully or partly generated or manipulated by AI. Where applicable law (including the EU AI Act and codes of practice on AI-generated content) requires that users be informed that they are viewing or listening to AI-generated or manipulated content, or that such content be labelled, you are responsible for ensuring that any content you publish or distribute complies with those requirements (e.g. by labelling or disclosing that it is AI-generated where required).
• Limitations and human oversight: AI outputs can be imperfect or inaccurate. The service is designed to support human oversight: you can review, edit, and approve scripts and content before publication. We do not guarantee the accuracy, quality, or suitability of AI-generated content for any particular use. Company profile data derived from automated analysis of websites is indicative only and should be verified by you.
• Data sent to AI providers: To provide the above features, we transmit to the AI providers referred to above (and their sub-processors) only the data necessary for each task (e.g. prompts, scripts, reference images, voice identifiers, URLs). These providers are bound by data processing agreements and technical safeguards; where they process data outside the European Economic Area (EEA), we rely on adequacy decisions, standard contractual clauses approved by the European Commission, or equivalent mechanisms, in accordance with Chapter V GDPR.

If you have questions about how AI is used in a specific feature or about your rights in relation to AI processing, you can contact us using the details in section 11 below.

5. Retention

We retain your data only for as long as necessary for the purposes set out above. Account and content data are kept for the duration of your account and, after closure or deletion request, for the period necessary to comply with legal obligations (e.g. tax, disputes) or to enforce our terms; thereafter they are deleted or anonymised. Upon account deletion, user-generated content is deleted or anonymised within a reasonable timeframe, unless retention is required by law. Technical and security logs are retained for a limited period (typically as required for security and incident response). Billing-related data may be retained as required by applicable law. You may request erasure of your personal data subject to any overriding legal retention requirements.

6. Recipients and international transfers

Personal data may be processed by service providers acting on our behalf as processors (or, where applicable, sub-processors), including: hosting and infrastructure; email delivery; AI and content-generation services — such as speech synthesis (e.g. ElevenLabs), video generation (e.g. Kling via Kie.ai, Hedra), transcription (e.g. AssemblyAI), and image and script generation (e.g. Google Gemini); payment processing (e.g. Stripe); storage and content delivery (e.g. Cloudflare R2, Stream); and other operational tools. We select providers that offer appropriate guarantees and, where they process data outside the European Economic Area (EEA), we ensure adequate safeguards (e.g. adequacy decisions, standard contractual clauses approved by the European Commission, or equivalent mechanisms) in accordance with Articles 44–50 GDPR.

A current list of processors (including AI providers by function) can be provided on request. We do not sell your personal data to third parties.

7. Your rights

Under the GDPR, and within the limits of the law, you have the right to: access your personal data; rectification of inaccurate data; erasure ("right to be forgotten") where applicable; restriction of processing in certain cases; data portability (where processing is based on contract or consent and is carried out by automated means); object to processing based on legitimate interests, including profiling where applicable; withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal. You also have the right to lodge a complaint with a supervisory authority — in particular in the EU Member State of your residence, place of work, or place of the alleged infringement. In Italy, the competent authority is the Garante per la protezione dei dati personali (garanteprivacy.it).

To exercise your rights, please contact us at the Controller's address above or through the contact channels indicated on the Encer platform. We will respond within the time limits provided by applicable law (e.g. one month under the GDPR, extendable where necessary).

8. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration, in line with the state of the art and the requirements of the GDPR (Art. 32). These include access controls, encryption where appropriate, secure development practices, and procedures to assess and manage risks to the rights and freedoms of data subjects.

9. Minors

The service is not intended for individuals under 18 years of age. You must be at least 18 years old to register and use the Encer platform; we do not accept registrations from users under 18. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us with personal data, please contact us so that we can take steps to delete such information.

10. Changes to this policy

This policy may be updated from time to time to reflect changes in the service, law, or our practices. Material changes will be communicated by notice on the platform and/or by email where appropriate. The "Last updated" date at the top of this page indicates the latest revision. We encourage you to review this page periodically.

11. Contact

For any questions about this privacy policy, the processing of your personal data, or to exercise your rights: ScaleUp S.R.L., registered office at Corso Magenta 25, 20123 Milano, or by email at hello@scaleupstudio.ai.