Privacy Policy

As of: 18 April 2026 (Version 1.1)

Operator / Provider / Responsible Entity

The entity responsible for the data processing described in this document is:

Scaleupsystems UG (haftungsbeschränkt), also known as Scaleupsystems UG haftungsbeschränkt.
Krumbacher Straße 2, 86424 Dinkelscherben, Germany
Commercial register (Handelsregister): HRB 42235, Amtsgericht Augsburg

References in this document to "Scaleupsystems," "Scaleupsystems UG," "the Provider," "we," or "us" mean Scaleupsystems UG (haftungsbeschränkt). The user-facing brand mark ScaleUpSystems (camelCase) is a stylization of the same entity; any product surface bearing that mark is operated by Scaleupsystems UG (haftungsbeschränkt).

1. Data Controller

The entity responsible for data processing on this website and through our services is Scaleupsystems UG (haftungsbeschränkt).

Data Protection Officer (Datenschutzbeauftragter): Scaleupsystems UG is currently not required to appoint a Data Protection Officer under § 38 BDSG (fewer than 20 persons permanently engaged in automated personal-data processing) nor under Art. 37 GDPR (no large-scale processing of special-category data, no core monitoring activity). Should the threshold be reached, a DPO will be appointed and named here without delay. For all data-protection inquiries, please contact contact@scaleupsystems.ai.

2. Data Collection and Processing

We collect and process personal data to provide our AI automation services, communicate with users, and ensure the security of our systems.

  • Website Data: IP addresses, browser types, and access times (log files).
  • Account Data: Names, email addresses, and billing information for users creating an account.
  • Messaging Data: Content of messages, phone numbers, and user IDs processed through our AI on behalf of our clients.
  • AI-generated metadata: Qualification scores, conversation state classifications, lead intelligence inferences, voice profile match metrics.

2a. Legal Basis for Processing (GDPR Art. 6)

We process personal data on the following legal bases:

| Processing purpose | Legal basis |
|---|---|
| Provision of messaging automation to end-users on behalf of our Client (follower message data) | Art. 6(1)(b) — processing on behalf of the controller under Art. 28 |
| Account creation, billing, and service administration for Clients | Art. 6(1)(b) — performance of contract |
| Security logging, fraud prevention, and system monitoring | Art. 6(1)(f) — legitimate interest in operating and securing the service |
| Client support and service-update communications | Art. 6(1)(b) contract performance; Art. 6(1)(f) legitimate interest |
| Compliance with legal, tax, and commercial-law obligations (e.g. invoice retention) | Art. 6(1)(c) — legal obligation |
| Marketing emails (where applicable) | Art. 6(1)(a) — consent |

Marketing emails are sent only after explicit double-opt-in confirmation (Art. 6(1)(a) GDPR, § 7 Abs. 2 Nr. 3 UWG). Every marketing email contains a one-click unsubscribe link; opt-out takes effect immediately and is logged. Account- and service-related transactional emails (billing, security alerts, outage notices) are sent on the basis of Art. 6(1)(b) and (f) GDPR and are not subject to opt-out for the duration of the contract.

3. Processing of Data via Meta APIs & Sub-Processors

Meta Integration: ScaleUpSystems AI Setter utilizes Meta's APIs to facilitate automated conversations: messages are received via Meta's webhook system, processed on our servers (hosted by Hetzner Online GmbH in Germany, Falkenstein/Nuremberg regions), and outbound responses are transmitted through Meta's Graph API. By using our services to connect to Meta, you acknowledge that user data will be subject to Meta's Privacy Policy.

Roles regarding Meta: For automated 1:1 messaging via the Instagram Graph API, Scaleupsystems acts as processor on behalf of the Client (controller) under Art. 28 GDPR, and Meta Platforms Ireland Ltd. acts as an independent controller for its own platform-operation purposes (security, abuse detection, platform analytics). Where Meta processes Page-Insights or comparable aggregated metrics, Meta and the Client act as joint controllers within the meaning of Art. 26 GDPR; the essence of that joint-controller arrangement is set out in Meta's Page Insights Controller Addendum, which the Client accepts directly with Meta.

Our services are not directed to children under 16. We do not knowingly process personal data of users under 16. If discovered, such data is deleted immediately.

End-User Consent: Clients are solely responsible for obtaining the necessary GDPR-compliant opt-ins and legal basis from their end-users before initiating automated messaging via Instagram, as required under AGB Part 1 §3.

Sub-processors: The Client agrees that data (including chat logs and follower details) will be processed by the following sub-processors:

| Sub-processor | Purpose | Jurisdiction | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Hosting + object storage | Germany (EU) | — |
| Cortecs AI GmbH | AI gateway | EU | — |
| Anthropic PBC | LLM (via Cortecs) | USA | SCCs, Commission Decision 2021/914 |
| OpenAI L.L.C. | LLM + Whisper transcription (via Cortecs) | USA | SCCs, Commission Decision 2021/914 |
| Google LLC | LLM (optional, via Cortecs) | USA | SCCs, Commission Decision 2021/914 |
| Meta Platforms Ireland Ltd. | Instagram Messaging API | Ireland (with global Meta infrastructure) | Adequacy + Meta standard addenda |
| Calendly LLC | Appointment scheduling | USA | SCCs, Commission Decision 2021/914 |
| Stripe Payments Europe Ltd. | Payment processing | Ireland | — |

A Data Processing Agreement (Auftragsverarbeitungsvertrag) governing this relationship is available on request from contact@scaleupsystems.ai.

4. Data Security & Sharing

We protect personal data with industry-standard safeguards: TLS 1.2+ encryption in transit for all API and web traffic, AES-256 encryption at rest for database volumes and object storage on Hetzner infrastructure, secrets stored in environment-isolated vaults, and least-privilege access controls with audit logging. Database backups are encrypted and stored in geographically separated EU data centres.

We do not sell personal data. We only share data with sub-processors required for our infrastructure (e.g., cloud hosting providers, AI model providers) and integration partners (like Meta) strictly for the fulfillment of the messaging services.

5. Data Retention

We retain personal data as follows: active conversations 24 months, closed/ended 12 months, deleted account data purged within 30 days, logs 90 days, AI logs 180 days. Chat logs processed on behalf of clients are retained according to the client's data retention settings.

6. Cross-Border Data Transfers

Certain sub-processors (Anthropic, OpenAI, Google, Calendly) process data in the United States. All such transfers are protected by Standard Contractual Clauses (SCCs) pursuant to European Commission Implementing Decision (EU) 2021/914. Meta Platforms Ireland Ltd. processes data primarily in Ireland, with global Meta infrastructure governed by Meta's standard addenda and, where applicable, SCCs. All other sub-processors process data within the European Union.

7. Automated Decision-Making

Our service uses automated processing (AI-based qualification scoring) to assist in conversation routing. This processing has no legal or similarly significant effect on the data subject. The Client (account owner) reviews and may override all AI-generated outcomes.

8. Your Rights (GDPR Art. 15–22 and Art. 77)

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Request correction of inaccurate data (Art. 16)
  • Request deletion / "right to be forgotten" (Art. 17)
  • Restrict processing (Art. 18)
  • Object to processing (Art. 21)
  • Data portability (Art. 20)
  • Not be subject to a decision based solely on automated processing (Art. 22)

To exercise any of these rights, contact us at contact@scaleupsystems.ai. You may request deletion at scaleupsystems.ai/data-deletion or by email; we honour deletion requests within 30 days per Art. 17.

Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority. The authority competent for Scaleupsystems UG is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 (0)981 180093-0
Web: lda.bayern.de

You may also contact the supervisory authority of your country of residence.

9. Cookies and Similar Technologies

The scaleupsystems.ai website uses only technically necessary cookies required to deliver the service (session, authentication, CSRF protection, language preference). These are set on the basis of Art. 6(1)(f) GDPR (legitimate interest) and do not require consent under § 25(2) Nr. 2 TTDSG.

We do not use tracking cookies, advertising cookies, or cross-site analytics cookies. If this changes, a consent banner will be introduced and this policy updated.


For provider information per § 5 TMG, please refer to our Imprint. Our General Terms and Conditions are available in the AGB.