Privacy Policy

1.Collection of Personal Data

PT Interna Cipta Asia (“Scalev”, “we”) collects Personal Data when you register, access the Platform, or use features of the Service. The Personal Data we collect includes:

• Basic information: full name, email address, phone number, password.
• Company data: business registration documents, tax identification numbers, and related legal records.
• Payment and financial information: bank account details, payment methods, provider references, payment tokens or instructions, and transaction records. Scalev does not directly store full card numbers or CVV codes.
• Usage data: transaction history, device information, IP address, user agent, cookies, and activity logs.
• Location and delivery data: billing addresses, shipping addresses, and approximate geolocation where required for specific features.
• Device and security logs: timestamps, application activity records, and security events.
• Information you voluntarily provide through forms, reviews, support messages, or other communications.

You warrant that the Personal Data you provide is accurate, belongs to you, or was lawfully obtained with appropriate consent from the data subject. You are responsible for updating Personal Data if it changes.

2.Use and Processing of Personal Data

Scalev processes Personal Data based on:

1. your consent;
2. performance of a contractual relationship and provision of the Service;
3. compliance with legal obligations; and/or
4. Scalev's legitimate interests, to the extent not inconsistent with applicable laws and regulations.

Scalev processes Personal Data for the following purposes:

• Account management and Service delivery.
• Facilitating transactions, processing orders, and surfacing product recommendations.
• Communications about Platform usage, feature updates, and promotions.
• Security monitoring, abuse detection, and fraud investigation.
• Service improvement, product development, and aggregate analytics.
• Compliance with applicable legal obligations in the Republic of Indonesia.

In certain cases, Scalev may process Personal Data without your explicit consent where required for legal compliance, Platform security, or fraud prevention.

Scalev limits the collection of Personal Data to data that is relevant and necessary for the processing purposes.

3.Sharing of Personal Data with Third Parties

Scalev may share your Personal Data with Selected Third Parties for operational purposes, including payment processors, logistics partners, communications providers, and technology infrastructure providers.

In providing certain Services, Scalev may act as a Personal Data Controller and/or Personal Data Processor depending on the legal relationship, type of service, feature configuration, and instructions from users or Third Parties.

Scalev does not sell your Personal Data to third parties.

Merchant-enabled applications and webhooks

If you authorize a third-party application through OAuth or configure a webhook endpoint, Scalev may send data to that application or endpoint according to the scopes, business, and events you approved. Once the data is received by that application or endpoint, its processing is governed by the recipient's privacy policy, security settings, and legal obligations.

Processing of Personal Data by Third Parties is subject to each provider's own policies and security measures. We encourage you to review the privacy policies of relevant Third Parties before enabling integrations.

Scalev may disclose your Personal Data in order to:

1. Comply with court orders, subpoenas, or other legal obligations.
2. Respond to lawful requests from law enforcement authorities.
3. Prevent, investigate, or act against fraud and policy violations.
4. Protect the rights, property, or reputation of Scalev and Service users.

Aggregate and anonymized data that cannot be used to identify individuals may be shared with Third Parties for development and research purposes.

4.Subprocessors and Service Providers

To operate the Service, Scalev uses service providers and integrations that may process Personal Data. Some providers act as Scalev subprocessors, while others are active only when a merchant enables a particular feature, channel, payment gateway, courier, webhook, or application. Use of each provider depends on region, business configuration, and enabled features.

• Core providers: DigitalOcean for production compute and database services in Singapore; Cloudflare for DNS, CDN, WAF, Workers, R2, and TLS; Sentry for error monitoring; Better Stack and status pages for monitoring and service status; Crisp for customer support; AWS SES and Mailgun for email; Google services; and Firebase Cloud Messaging for notifications.
• Payment, financial, and KYC: Xendit, Moota, VIDA, and Iluma, depending on the payment, verification, or reconciliation flow used.
• Tax: KlikPajak/Mekari as a subprocessor for tax invoices issued by Scalev.
• Logistics: Ninja Van/Ninja Xpress, Lincah, Mengantar, and RajaOngkir/Komerce, depending on the merchant's or buyer's shipping choice.
• Communications and marketing: Meta/Facebook/WhatsApp Business Platform, TikTok, Kwai/SnackVideo, Birdsend, Mailketing, Woowa, Starsender, Telegram, and Google Tag Manager and Google Analytics, where the related feature or pixel is enabled.
• Developer, docs, and community: Mintlify and ProductLift, where those services are active for documentation or product feedback.

Scalev applies appropriate contractual, technical, and organizational safeguards where applicable. Integrations you enable yourself, or providers selected by a merchant, may also be governed by the provider's own terms and privacy policy.

5.Cookies and Third-Party Services

The Platform uses cookies and similar technologies to record your preferences, maintain login sessions, and improve the user experience. You may disable cookies through your browser settings; however, this may limit some Platform functionality.

We use Third-Party analytics services including Google Analytics to understand aggregate usage patterns. Data processed by Third-Party analytics services is subject to those providers' respective privacy policies.

Merchants may enable additional analytics or marketing services such as Google Tag Manager, Meta/Facebook pixels, TikTok pixels, or Kwai/SnackVideo pixels on channels they control. Collection by those services depends on merchant configuration and is subject to the relevant provider's policies.

6.AI Assistant Integrations and MCP Connectors

Scalev provides an official Model Context Protocol (MCP) connector that allows third-party AI assistants — such as Anthropic Claude, OpenAI ChatGPT, and other MCP clients — to access the Scalev API on your behalf through an authorized OAuth connection.

6.1 Consent and scope of access

When you connect an AI assistant or MCP client, you approve an OAuth connection in Scalev, select the business to authorize, and review the requested scopes (permissions). Once you approve, Scalev issues an OAuth bearer token bound to the MCP connector, the scopes you approved, and the business(es) you selected. The AI assistant stores that token on its own infrastructure and uses it to request data or actions from the Scalev API. The Scalev API validates the token, scopes, and business on every call.

6.2 Data the AI assistant can access

An AI assistant can only access data covered by the scopes you approved at OAuth time. Scopes are granular and split per data domain (e.g., page:list, order:read, order:update). You can review active scopes at any time through your Scalev settings.

The MCP connector does not grant access to the following, regardless of requested scopes:

• Your password or login credentials.
• OAuth, internal administrative, or dashboard-only routes.
• Direct payment-gateway routes or developer payout routes.

6.3 Audit logging

The MCP connector logs operational metadata — request id, tool name, operation id, status, and error code — but does not record the bearer token, request body, or response payload in MCP connector logs. The Scalev API also logs machine-to-machine calls made with OAuth and API keys. Scalev API logs may include metadata and sanitized request and response bodies; bearer tokens, credentials, and sensitive fields are redacted before storage. These machine API logs are subject to retention controls and a two-week retention partition.

6.4 Revoking access

You can revoke AI assistant access at any time through either of the following:

• From Scalev: through the Apps settings in Scalev.
• From the AI assistant: through the connection management UI of the relevant AI assistant or MCP client.

After revocation, the OAuth token is no longer valid for the affected business. The AI assistant must complete the OAuth flow again to regain access.

6.5 AI assistant privacy policies

7.Cross-Border Data Transfers

Scalev's processing of Personal Data may occur in Indonesia, Singapore, the United States, and other provider jurisdictions depending on infrastructure, core providers, and enabled integrations. For example, Scalev production compute and database services are in Singapore, while some observability, communications, analytics, AI, payment, or marketing providers may process data in other jurisdictions.

Concrete examples:

• The Claude AI assistant is operated by Anthropic, PBC. When you use the Scalev MCP connector through Claude, request and response data may transit Anthropic's infrastructure.
• ChatGPT is operated by OpenAI, and other MCP clients have their own processing locations and rules under their respective policies.
• Payment gateways, KYC providers, messaging platforms, analytics services, or webhook endpoints you enable may process data in locations determined by those providers.

By enabling an integration, you consent to the cross-border transfer of Personal Data that is necessary for the integration to function. Scalev applies reasonable safeguards including encryption in transit, but the level of protection after data reaches Third-Party infrastructure is subject to that Third Party's policies and legal obligations.

8.Security and Technical Practices

Scalev applies reasonable technical and organizational security measures to protect Personal Data, including encryption in transit, access controls, OAuth authorization for third-party integrations, rate limiting and abuse detection, audit logs with sensitive-data redaction, and vulnerability-reporting processes.

These measures may vary depending on the service, host, integration, and relevant risk. For security reports, see mcp.scalev.com/.well-known/security.txt and api.scalev.com/.well-known/security.txt.

Although we apply these measures, no system is entirely risk-free. You are responsible for the security of your own passwords, devices, and credentials.

For technical security commitment details (TLS version, HSTS preload, OAuth 2.1 with PKCE S256, CAA, and vulnerability reporting), see scalev.com/security-en.

9.Your Rights and Transparency

As a Personal Data subject, you have the right to:

• Access and view the Personal Data we hold about you.
• Update or correct inaccurate Personal Data.
• Request deletion of your Personal Data, subject to applicable legal retention obligations.
• Request an export of your Personal Data in a machine-readable format (e.g., JSON or CSV).
• Opt out of marketing communications without affecting your access to the core Service.
• Withdraw your consent, understanding that doing so may limit or terminate your access to the Service.
• Review and revoke active OAuth authorizations at any time through the Apps settings in Scalev.

To exercise these rights, send a written request to cs@scalev.com. We will respond within a reasonable time in accordance with applicable legal obligations.

10.Retention, Deletion, and Destruction of Personal Data

Scalev retains your Personal Data for as long as your account is active and as required to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

If you request account deletion, send a written request to cs@scalev.com. Some Personal Data may be retained as required by applicable law (e.g., transaction records for tax and audit obligations) or as needed to protect Scalev's legitimate interests (e.g., fraud case records).

Scalev may delete or deactivate accounts that violate the Terms of Service, engage in fraudulent activity, or are subject to a court order.

11.Limitations of Liability

You are responsible for the confidentiality of your account credentials and the security of devices you use to access the Service. Scalev is not responsible for unauthorized access, loss, or leakage of Personal Data caused by user negligence, compromise of a user's device, or actions by third parties outside Scalev's reasonable control, provided that Scalev has applied reasonable safeguards in accordance with applicable law.

Scalev is not responsible for the processing of Personal Data by AI assistants, Third-Party applications, or webhook endpoints after you approve a connection, enable an integration, or direct data outside Scalev infrastructure. Review the Third Party's privacy policy before enabling an integration.

After data is forwarded to a third-party application, webhook, or AI assistant enabled by a user, processing by that party is outside Scalev's direct control and is subject to that party's policies and security practices.

12.Miscellaneous

This Privacy Policy may be amended from time to time. Changes will be announced on the Platform and are deemed effective from the publication date. We encourage you to review the Privacy Policy periodically.

In the event of merger, acquisition, corporate restructuring, or bankruptcy, your Personal Data may be transferred to the successor entity under protection obligations at least equivalent to this Privacy Policy.

If any provision of this Privacy Policy is deemed invalid by a competent authority, the remaining provisions remain in full force.

13.Contact Us

For questions, data rights requests, or security reports related to this Privacy Policy, contact: