Privacy policy.

Small Scale Labs AB (“Newly,” “we,” “us,” or “our”) provides tools that help developers and non-technical users design, build, and ship native iOS and Android applications using natural-language prompts and an AI agent. We are headquartered at Agavägen 19, 181 55, Lidingö, Sweden.

This Privacy Policy (“Policy”) explains how we collect, use, share, and otherwise process Personal Data from users of our website, dashboard, mobile preview, and related services (collectively, the “Services”). It is designed to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), Canada’s PIPEDA, and applicable U.S. federal and state privacy laws (including the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and equivalent statutes).

By using the Services you acknowledge this Policy. If you do not agree, please stop using the Services. This Policy is incorporated into our Terms of Service. Customers on enterprise plans may also have a signed Data Processing Agreement (DPA) which prevails where it conflicts with this Policy.

• Data Protection Laws means the GDPR, UK GDPR, Swiss FADP, Canada’s PIPEDA, and all applicable U.S. federal and state privacy statutes, together with any implementing or supplementary legislation.
• Personal Data (also “personal information” under U.S. state laws) means any information that relates to an identified or identifiable natural person, or that is reasonably capable of being linked to a particular consumer or household. Examples include your name, business email, username, IP address, device identifiers, authentication tokens, and usage telemetry.
• Customer Data means content you upload to or generate within Newly — for example prompts, project files, generated source code, configuration, and build artefacts. We process Customer Data on your behalf to operate the Services.
• Service Data means data about how the Services are used, supported, and operated (security telemetry, billing meters, aggregated analytics). Service Data is processed by Newly as an independent controller for security, billing, analytics, and product-improvement purposes.

When you create an account, subscribe, contact support, or otherwise interact with the Services, we collect a few categories of information:

• Account information. Name, business email, profile photo, and authentication identifiers, provided through our authentication partner (Clerk).
• Billing information. Plan, subscription status, invoices, credit balances, and tax data. Card numbers are collected and stored by Stripe under Stripe’s privacy policy; Newly never stores full card details.
• Customer Data and project artefacts. Natural-language prompts, generated code, project files, build configuration, app icons, store-listing assets, screenshots, and other content you provide. Customer Data is used to operate your workspace and is never used to train general-purpose AI models that benefit other customers without your explicit permission.
• Usage and analytics data. How you engage with key features (e.g. prompts submitted, builds triggered, store submissions, integrations enabled), pages visited, timestamps, performance metrics, and click events. We use first-party analytics (PostHog) and limited third-party measurement tooling.
• Device and log data. IP address, approximate (city-level) location derived from IP, browser type and version, operating system, device identifiers, error and debug logs, and unique session identifiers.
• Communications. Support tickets, chat transcripts, survey responses, and feedback you send to us.
• Integration data. If you connect third-party services (e.g. Apple App Store Connect, Google Play Console, GitHub, Supabase, MCP servers), we receive only the minimum data needed to provide the integration, scoped to the permissions you granted.

Sensitive data. Newly is not intended for the collection of special-category or sensitive Personal Data (such as biometric identifiers, health information, government IDs, or precise geolocation), and you must not upload such data through the Services.

We process Personal Data for the following purposes:

• To provide, operate, and maintain the Services — storing your projects, generating code, running builds, deploying applications, and marketing your app.
• To personalise your experience and tune AI-driven features for your workspace. You can withdraw consent for AI personalisation at any time by emailing [email protected].
• To process payments, manage subscriptions, and meter usage credits.
• To analyse usage patterns and improve performance, reliability, and the quality of our AI agent.
• To detect, prevent, and investigate fraud, abuse, or security incidents.
• To send service-related communications (security alerts, billing notices, product updates) and, with your consent, marketing emails about new features.
• To provide customer support and respond to your enquiries.
• To comply with legal, regulatory, export-control, sanctions, accounting, and audit obligations in the jurisdictions where we operate.

Newly does not engage in automated decision-making that produces legal or similarly significant effects on individuals (Article 22 GDPR).

For users in the EEA, UK, and Switzerland, Newly relies on the following legal bases:

• Performance of a contract — to provide the Services you have requested under our Terms of Service.
• Legitimate interests — to secure the platform, prevent fraud, generate aggregate analytics, and improve the AI agent, where these interests are not outweighed by your privacy rights.
• Consent — for non-essential cookies, marketing communications, and any other processing that requires consent. You may withdraw consent at any time without affecting prior processing.
• Legal obligation — to comply with bookkeeping, export-control, sanctions, court orders, and similar requirements.
• Vital interests — in rare cases, to prevent serious harm or respond to an emergency.

Newly’s AI agent forwards your prompts and selected project context to third-party AI providers (which may include OpenAI, Anthropic, Google, and models accessed via OpenRouter) to generate responses, code, and assets. These transmissions occur on a pass-through basis: we only retain the inputs and outputs that are necessary to operate your workspace, debug issues, and provide the agent’s memory of your project.

Our contracts with these AI providers prohibit them from using your Customer Data to train their general-purpose models. We do not use raw or identifiable Customer Data to train our own models. Where we use anonymised or aggregated data to improve our AI features, the data is no longer linked to you. To opt out of any product-improvement use of your Customer Data, email [email protected].

You are responsible for the prompts and assets you submit, and for reviewing the privacy policies of any AI provider you reach via Newly’s integrations. We cannot control third-party providers’ data practices.

To deliver the Services, Newly engages a small set of trusted sub-processors. Each is bound by contractual obligations equivalent to those in our DPA and is required to implement appropriate technical and organisational security measures. Categories include:

• Authentication. Clerk — user identity and session management.
• Payments. Stripe — card processing, invoicing, and tax.
• Compute and hosting. Modal, Vercel, Amazon Web Services (AWS), and Google Cloud Platform (GCP) — serverless containers, web hosting, build infrastructure, object storage (S3 / GCS), and managed PostgreSQL.
• AI providers. Large-language model providers including OpenAI, Anthropic, and Google, and models accessed via OpenRouter, used to power the Newly agent.
• Analytics and monitoring. PostHog (product analytics), Sentry (error monitoring), and other operational tooling.
• Customer communications. Email and notification providers used to send transactional and account messages.

Newly does not sell your Personal Data, and we do not “share” it for cross-context behavioural advertising as those terms are defined under U.S. state privacy laws. We will give reasonable notice before adding a new sub-processor so that customers with a DPA can object.

Small Scale Labs AB is established in Sweden. To deliver the Services, your Personal Data may be transferred to and processed in countries outside the EEA, UK, or Switzerland, including the United States. Where the destination country has not been deemed “adequate” by the European Commission, the UK ICO, or the Swiss FDPIC, we rely on the following legally recognised transfer mechanisms:

• EU Standard Contractual Clauses (Module 2, Controller-to-Processor) per Commission Decision 2021/914.
• UK International Data Transfer Addendum (Version B1.0, issued by the UK ICO under s.119A DPA 2018).
• Swiss Addendum adapting the SCCs to the revised Swiss FADP, naming the FDPIC as the competent authority.

We supplement these with technical and organisational measures (encryption in transit and at rest, access controls, and contractual obligations on sub-processors).

We and selected partners use cookies, pixels, and similar technologies to operate, secure, and analyse the Services. We use four types of cookies:

• Strictly necessary — sign-in, session routing, fraud prevention, and consent storage. These do not require consent.
• Analytics & performance — first-party analytics (PostHog) and limited third-party measurement to diagnose errors and improve the product. We obtain prior consent in the EEA/UK/CH and honour CPRA opt-out signals (e.g. Global Privacy Control) in the United States.
• Functional — remember your preferences such as theme, layout, and language.
• Marketing — conversion tracking and campaign measurement. These require consent in the EEA/UK/CH and respect opt-out preferences elsewhere. We do not sell or share Customer Personal Data for cross-context behavioural advertising.

You can manage or withdraw cookie preferences at any time through your browser controls, our in-product cookie settings, or by enabling an authorised browser signal such as the Global Privacy Control. Disabling non-essential cookies will not affect core functionality but may limit analytics-based improvements. Cookie identifiers are retained no longer than thirteen (13) months for analytics purposes, after which they are deleted or irreversibly anonymised.

Newly applies industry-standard administrative, technical, and physical safeguards designed to protect Personal Data:

• Encryption. TLS for data in transit and AES-based encryption at rest for primary data stores.
• Access controls. Role-based access, least-privilege defaults, single sign-on, and required multi-factor authentication for staff with access to production systems.
• Monitoring. Centralised logging, anomaly detection, and continuous vulnerability scanning.
• Resilience. Regular backups, tested restore procedures, and recovery objectives designed to minimise downtime.
• Vendor oversight. Sub-processors are vetted for security posture and contractually bound to equivalent protections.
• Incident response. A documented incident-response process, with notification to affected customers without undue delay (and within 72 hours where required) after we confirm a notifiable breach.

No system is perfectly secure. You play an essential role: keep your account credentials confidential, enable multi-factor authentication, and let us know if any account information is incorrect so we can update it. Our infrastructure depends on third-party providers (such as Modal, Vercel, AWS, GCP, and our AI partners), and we cannot guarantee uninterrupted availability or freedom from incidents caused by their actions or events beyond our control.

We retain Personal Data only as long as necessary to fulfil the purposes set out in this Policy, or as required by law. As a guide:

• Account data is retained for the life of your account.
• Customer Data (projects, files, generated outputs) is retained while your account is active. After account termination, we delete or isolate it within 30 days, subject to a backup retention window of up to 90 days.
• Operational logs and telemetry are retained for up to 90 days, unless a longer period is required to investigate security incidents or comply with the law.
• Billing and tax records are retained for the period required by Swedish and applicable tax law (typically up to seven years).

To request deletion of your data, email [email protected]. We will honour valid erasure requests in accordance with applicable Data Protection Laws.

Depending on where you live, you may have some or all of the following rights with respect to your Personal Data:

• Access and portability — request a copy of the Personal Data we hold about you.
• Correction — ask us to correct inaccurate or incomplete information.
• Deletion — request that we erase your Personal Data, subject to legal exceptions.
• Restriction and objection — ask us to limit certain processing, including processing based on legitimate interests.
• Withdraw consent — withdraw consent for processing that relies on it, at any time, without affecting prior processing.
• Opt out of sale or sharing — Newly does not sell or share Personal Data as those terms are defined under U.S. state privacy laws.
• Lodge a complaint — with your local supervisory authority (for example, the Swedish IMY for residents of Sweden, the UK ICO, or the Swiss FDPIC).

You can update much of your account information directly in your dashboard. To exercise any other right, email [email protected]. We will verify your identity and respond within 30 days, or the period required by your local law. We will not discriminate against you for exercising your privacy rights.

The Services are not directed to individuals under the age of eighteen (18), and we do not knowingly collect Personal Data from anyone under that age. If you believe a minor has provided us with Personal Data, please contact [email protected] and we will promptly delete it.

We may update this Policy from time to time to reflect changes in our practices, the Services, or applicable law. We will post any revised Policy at this URL and update the “Last updated” date. For material changes that reduce your rights or expand our processing purposes, we will give at least thirty (30) days’ advance notice by email or through an in-product banner. Your continued use of the Services after the new Policy takes effect constitutes acceptance of it.

For privacy questions, requests, or to exercise your rights, contact us at:

• Privacy enquiries: [email protected]
• General support: [email protected]
• Postal: Small Scale Labs AB, Agavägen 19, 181 55, Lidingö, Sweden

Small Scale Labs AB is the controller of Personal Data processed under this Policy. If your concerns are not resolved, you may lodge a complaint with your local supervisory authority — for example, the Swedish Authority for Privacy Protection (IMY), the UK Information Commissioner’s Office, or the Swiss FDPIC.