Privacy Policy
Effective Date: March 13, 2026 · Last Updated: March 13, 2026
1. Introduction
WeScale ("Company," "we," "us," or "our") operates WeScale Uploader ("Service"), a web-based tool for print-on-demand store owners to import designs, generate product mockups, and publish products to e-commerce platforms.
This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have. By using the Service, you agree to the collection and use of information as described in this policy.
2. Information We Collect
2.1 Information You Provide Directly
| Data | Purpose | Required |
|---|---|---|
| Email address | Account creation, authentication (magic link sign-in), and communication | Yes |
| Display name | Personalization within the Service | No |
| Profile picture | Avatar display in the Service interface | No |
| Third-party API tokens and OAuth credentials | Connecting your print-on-demand and e-commerce accounts so the Service can operate on your behalf | Yes (for integrations) |
| Design files (images) | Processing, format conversion, and upload to your connected platforms | Yes |
| Mockup template images | Generating composite mockup images | Yes (for mockup generation) |
| Product configuration | Saving your workflow preferences and creating products | Yes (for product creation) |
2.2 Information Collected Automatically
When you use the Service, we automatically collect certain information:
- Device and browser information — Browser type and version, operating system, device type, screen resolution, and language preferences.
- Usage data — Pages visited, features used, actions taken within the Service, import activity, and interaction patterns.
- Log data — IP address, access timestamps, referring URLs, page URLs, and HTTP request metadata.
- Performance data — Page load times, error rates, and application performance metrics.
- Approximate location — General geographic location derived from your IP address (city/region level, not precise GPS coordinates).
- Session recordings — On a sampled basis, we may record anonymized user sessions (clicks, scrolls, page navigation) to diagnose bugs and improve the user experience. These recordings do not capture text input in sensitive fields.
2.3 Information We Do NOT Collect
- Passwords — We use passwordless magic link authentication; no passwords are ever stored.
- Payment or financial information — We do not process payments through the Service.
- Precise geolocation — We do not use GPS or fine-grained location tracking.
- Contact lists or address books — We do not access contacts from your email or device.
3. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service — Authenticate you, import your designs, create products, generate mockups, and publish to your connected platforms.
- Store and secure your credentials — Encrypt and manage your third-party API tokens so you can connect your print-on-demand and e-commerce accounts.
- Process and transform your images — Convert file formats, resize, compress, and composite images as part of the design import and mockup generation workflows.
- Maintain your preferences — Save your product presets, design placements, shop defaults, and UI preferences.
- Analyze and improve the Service — Understand how the Service is used, identify trends, measure feature adoption, diagnose errors, and improve performance and reliability.
- Communicate with you — Send you authentication magic links and, when necessary, important service-related notices.
- Ensure security — Detect and prevent fraud, abuse, and unauthorized access.
- Generate aggregate insights — Compile anonymized, aggregate usage metrics for internal analysis and product decisions.
We do not use your information for advertising, behavioral profiling, or selling to third parties.
4. How We Store and Protect Your Data
4.1 Credential Security
All third-party API tokens are encrypted using AES-256 encryption before storage. We never store plaintext tokens in our database. A database-level constraint enforces this requirement. Tokens are decrypted only at the moment they are needed to perform an action on your behalf, and the decrypted value is never persisted.
4.2 Access Control
All database tables containing user data are protected by Row-Level Security (RLS) policies, ensuring that each user can only access their own data at the database level.
4.3 Authentication Security
- Magic link tokens are single-use and expire after one hour.
- Session tokens are stored in HTTP-only cookies that are not accessible to client-side JavaScript.
- Sessions are automatically validated on every request.
4.4 File Storage
Your design files and generated mockups are stored on encrypted, S3-compatible object storage and served over HTTPS through a CDN. Temporary files (such as ZIP downloads) are automatically deleted after 24 hours.
4.5 Infrastructure
The Service is hosted on infrastructure that enforces HTTPS on all connections. All data in transit is encrypted via TLS.
5. Cookies and Similar Technologies
5.1 What Are Cookies
Cookies are small data files stored on your device when you visit a website. We use cookies and similar technologies to operate the Service and understand how it is used.
5.2 Types of Cookies We Use
| Category | Purpose |
|---|---|
| Essential cookies | Required for the Service to function. These enable authentication, session management, and security protections. You cannot opt out of essential cookies. |
| Analytics cookies | Help us understand how the Service is used, which features are popular, and where users encounter issues. This data is used to improve the Service. |
| Functional cookies | Remember your preferences and settings to provide a personalized experience. |
5.3 Managing Cookies
Most web browsers allow you to control cookies through their settings. You can configure your browser to refuse non-essential cookies. However, disabling essential cookies may prevent you from using the Service.
We do not use advertising or cross-site tracking cookies.
5.4 Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. We currently do not respond to DNT signals, but we do not engage in cross-site tracking.
6. Third-Party Services and Data Sharing
We work with third-party service providers to operate, maintain, and improve the Service. We do not sell, rent, or trade your personal data to anyone.
6.1 Categories of Service Providers
We share data with the following categories of providers, each receiving only the data necessary for their specific function:
- Infrastructure and hosting providers — Host the Service, store application data, manage authentication, and encrypt sensitive credentials. These providers have access to all data necessary to run the Service, including account information, encrypted tokens, and session data.
- Cloud storage providers — Store your design image files, mockup images, generated composites, and temporary file downloads. Files are stored encrypted at rest and served over HTTPS.
- Print-on-demand platforms — When you connect your account and initiate product creation, we transmit your design image URLs, product titles, descriptions, tags, and variant configurations to the platform to create products on your behalf.
- E-commerce platforms — When you connect your store and initiate publishing, we transmit mockup image URLs, product variant assignments, and metadata to publish products and media to your store.
- File import services — When you import designs from external file storage services, we send file identifiers to retrieve your files. We access these services in read-only mode.
- Background job orchestration providers — Process long-running tasks (imports, mockup generation, publishing) asynchronously. These providers receive only record identifiers, never tokens, images, or personal data.
- Error monitoring and performance providers — Receive error reports, performance traces, and sampled session recordings to help us diagnose bugs and improve reliability. These providers may receive request metadata including IP addresses, page URLs, and browser information.
- Analytics providers — Collect anonymized usage data to help us understand how the Service is used, measure feature adoption, and identify areas for improvement.
- Internal communication tools — Receive aggregate usage statistics for internal team awareness. No individual user data or personally identifiable information is included.
6.2 Platform Integrations (User-Directed)
Certain data sharing occurs only when you explicitly connect a third-party account and initiate an action:
- Print-on-demand product creation — Your design images and product configurations are sent to the connected platform.
- E-commerce publishing — Your mockup images and product data are sent to the connected store.
- File imports — File identifiers are sent to the connected storage service to retrieve your files.
You can disconnect any third-party integration at any time through the Settings page, which immediately revokes the Service's access.
6.3 Legal and Safety Disclosures
We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of WeScale, our users, or the public.
6.4 Business Transfers
If WeScale is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Until you delete your account |
| Design assets and mockup images | Until you delete them or your account |
| Import history and product records | Until you delete your account |
| API tokens and credentials | Until you disconnect the integration, delete the token, or delete your account |
| Temporary file downloads | Automatically deleted after 24 hours |
| Error monitoring data | Per our monitoring provider's retention policy (typically 90 days) |
| Analytics data | Retained in aggregate form; individual session data per our provider's standard retention |
| Server and access logs | Per our hosting provider's retention policy |
8. Your Rights
Depending on your jurisdiction (including under the GDPR, CCPA/CPRA, LGPD, and other applicable privacy laws), you may have the following rights:
8.1 Access and Portability
You can access your data at any time through the Service interface. Your design assets can be downloaded individually or in bulk. Your import history and product records are viewable through the History page. You may request a copy of your personal data by contacting us.
8.2 Correction
You can update your display name and profile picture through the Profile page. For other corrections, contact us at support@wescale.ai.
8.3 Deletion
You can delete individual assets, presets, mockup packs, and connected credentials at any time through the Service. You can permanently delete your entire account and all associated data through the Profile page. Account deletion removes:
- All design files from our storage
- All generated mockup files
- All encrypted API tokens and credentials
- Your profile, import history, and all associated records
- Your authentication identity
Account deletion is irreversible. Products already created on third-party platforms are not affected and must be managed on those platforms directly.
8.4 Opt-Out of Analytics
You may opt out of non-essential analytics collection by contacting us at support@wescale.ai or adjusting your cookie preferences, where available in the Service.
8.5 Objection and Restriction
You may object to certain data processing activities or request that we restrict how your data is used. Contact us at support@wescale.ai.
8.6 Non-Discrimination
We will not discriminate against you for exercising any of your privacy rights.
8.7 Exercising Your Rights
To exercise any of these rights, you can:
- Use the self-service features within the Service (delete assets, delete account, manage preferences).
- Contact us at support@wescale.ai.
We will respond to verifiable data rights requests within 30 days (or sooner if required by applicable law).
9. International Data Transfers
The Service uses infrastructure providers that may process data in multiple regions, including the United States. By using the Service, you consent to the transfer and processing of your data in these jurisdictions.
Our service providers maintain appropriate security certifications and data protection measures. Where required by applicable law, we ensure appropriate safeguards are in place for international data transfers, such as standard contractual clauses or equivalent mechanisms.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@wescale.ai and we will promptly delete it.
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know — You may request details about the categories and specific pieces of personal information we have collected about you.
- Right to Delete — You may request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out of Sale/Sharing — We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Non-Discrimination — We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise these rights, contact us at support@wescale.ai.
12. European Economic Area and UK (GDPR)
If you are located in the EEA or UK, the following applies:
12.1 Legal Bases for Processing
| Processing Activity | Legal Basis |
|---|---|
| Providing the Service (authentication, imports, product creation, publishing) | Performance of a contract (Article 6(1)(b)) |
| Storing encrypted API tokens | Performance of a contract (Article 6(1)(b)) |
| Error monitoring and performance tracking | Legitimate interest in maintaining service quality (Article 6(1)(f)) |
| Analytics and usage insights | Legitimate interest in improving the Service (Article 6(1)(f)) |
| Security monitoring | Legitimate interest in protecting the Service and users (Article 6(1)(f)) |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
12.2 Data Protection Officer
For data protection inquiries, contact us at support@wescale.ai.
12.3 Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority.
13. Brazilian Users (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, delete, and port your data. To exercise your LGPD rights, contact us at support@wescale.ai.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through the Service and update the "Last Updated" date at the top. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, contact us at:
WeScale
Email: support@wescale.ai