Privacy Policy — Apex-Scale

Apex-Scale ("we", "us", "our") operates apex-scale.com and the Apex Overlay product. This policy explains what personal data we collect, why we collect it, how we use it, and your rights. It applies to visitors and users in the United Kingdom, European Union, and United States.

If you have questions, contact us at caius@apex-scale.com before using our services.

01 Who we are

Apex-Scale is operated by Caius Seemann, based in the United Kingdom. For the purposes of UK GDPR and EU GDPR, Apex-Scale is the data controller for personal data collected through this website and our products.

Contact: caius@apex-scale.com

02 What data we collect

Category	Data collected	Source
Account & signup	Name, email address	Early access / signup forms
Payment	Billing name, email, payment method (card details processed by Stripe — we never store raw card data)	Stripe checkout
Usage & analytics	Pages visited, session duration, browser type, IP address, referral source, click events	Google Analytics, reb2b
Campaign data	Email variant performance metrics (open rates, click rates, reply rates) processed via Instantly.ai API on your behalf	Instantly.ai API (user-authorised)
Technical	Log data, error reports, device information	Server logs / Supabase

We do not collect sensitive personal data (health, ethnicity, religion, biometrics) and we do not knowingly collect data from anyone under 18.

03 How we handle your campaign data

Apex Overlay connects to your Instantly.ai or Smartlead account via API to run bandit optimisation. Your lead and campaign data is handled as follows:

Temporary processing only — lead data is processed in memory for optimisation decisions and is never stored long-term.
Automatic clearing — lead data is automatically cleared when you Stop or Pause a campaign.
30-day deletion — any residual engagement data is deleted on a rolling 30-day cycle.
Full purge on closure — all campaign data is permanently deleted within 30 days of account closure.
Anonymisation — company names are anonymised during processing. Lead PII is never stored long-term.
Encryption — API keys are encrypted at rest and in transit using AES-256.
No third-party sharing — your campaign data is never shared with third parties. You control all data flows.

Your Instantly.ai or Smartlead data stays in your account. We only receive engagement signals (opens, clicks, replies) necessary to run the optimisation algorithm — we do not access, store, or process your contact lists beyond what is required to assign variant allocations.

04 Why we collect it (legal basis)

Contract performance — to provide Apex Overlay and process payments (name, email, billing data).
Legitimate interests — to improve our product and understand how users interact with the site (analytics, usage data). Our interests are balanced against your privacy rights.
Consent — where required by law (e.g. non-essential cookies and tracking via Google Analytics and reb2b). You may withdraw consent at any time.
Legal obligation — to comply with applicable laws, including financial record-keeping requirements.

For US users: we do not sell your personal data to third parties. We do not share data for cross-context behavioural advertising without your consent.

05 How we use your data

To create and manage your account and provide access to Apex Overlay.
To process payments securely via Stripe.
To operate the bandit optimisation engine on your Instantly.ai campaign data (only data you authorise via API connection).
To send transactional emails (account confirmation, billing receipts, product updates). We do not send marketing email without explicit consent.
To analyse product usage and improve performance.
To identify and prevent fraud, abuse, or security incidents.
To comply with legal obligations.

06 Third-party processors

We share data with the following third-party processors only to the extent necessary to provide our services. Each is bound by appropriate data processing agreements.

Processor	Purpose	Location
Supabase	Database — stores signup data and user records	EU (AWS)
Stripe	Payment processing — handles card transactions	US / EU
Instantly.ai	Email campaign data accessed via your authorised API connection	US
Google Analytics	Website analytics and usage tracking	US
reb2b	Visitor identification and analytics	US
Microsoft Clarity	Behavioural analytics — session replay, heatmaps, and interaction tracking to improve site usability	US (Microsoft)

We do not sell your data to any third party. We do not share your data with advertisers.

07 International transfers

Some of our processors (including Google, Stripe, and reb2b) are based in the United States. Where we transfer personal data from the UK or EU to the US, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, and the UK International Data Transfer Agreement (IDTA) where applicable.

08 Cookies and tracking

We use cookies and similar technologies for:

Essential cookies — required for the product to function. These cannot be disabled.
Analytics cookies — Google Analytics collects anonymised usage data to help us understand traffic and improve the site.
Identification tracking — reb2b may identify company-level visitors by IP address for B2B analytics purposes.
Behavioural analytics — Microsoft Clarity captures how you use and interact with our website and product dashboard through behavioural metrics, heatmaps, and session replay to improve and market our products and services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of content and online activity. We also use this information for site optimisation, fraud and security purposes. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

By using our site, you agree that we and Microsoft may collect and use this data as described above.

You can opt out of Google Analytics at tools.google.com/dlpage/gaoptout. You can opt out of Microsoft Clarity at clarity.microsoft.com/opt-out. Most browsers also allow you to block or delete cookies via settings.

09 Data retention

Account data — retained for the duration of your account plus 12 months after closure, unless legal obligations require longer retention.
Payment records — retained for 7 years to comply with financial regulations.
Analytics data — retained per Google Analytics default settings (up to 14 months).
Campaign performance data — retained for the period of your active subscription plus 90 days.

10 Your rights

Depending on your location, you have the following rights regarding your personal data:

Right	UK / EU	US (California CCPA)
Access	✓ Request a copy of your data	✓ Right to know
Rectification	✓ Correct inaccurate data	✓ Correct inaccurate data
Erasure	✓ Request deletion	✓ Right to delete
Portability	✓ Receive data in machine-readable format	✓ Where technically feasible
Objection	✓ Object to processing based on legitimate interests	✓ Opt out of sale / sharing
Restriction	✓ Restrict processing in certain circumstances	—

To exercise any of these rights, email caius@apex-scale.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK ICO (ico.org.uk) or your local EU supervisory authority.

11 Security

We take reasonable technical and organisational measures to protect your data, including encrypted storage via Supabase, HTTPS across all pages, and restricted access to personal data. No system is 100% secure — if you believe your data has been compromised, contact us immediately.

12 Changes to this policy

We may update this policy as our product evolves. Material changes will be communicated by updating the "last updated" date above and, where appropriate, by email. Continued use of our services after changes constitutes acceptance.

13 Contact

Caius Seemann — Apex-Scale

Email: caius@apex-scale.com

Website: apex-scale.com

For data protection enquiries, include "Privacy Request" in your subject line and we will respond within 30 days.