Privacy Policy
Last Updated: February 23, 2026
Scenario Inc. ("Scenario," "we," "us," or "our") provides an AI-powered platform that helps game developers create consistent art assets, including images, textures, sprites, 3D models, and videos. This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you visit our website at scenario.com, use our platform at app.scenario.com, access our API at docs.scenario.com, or interact with us in any other way.
Scenario Inc. is a Delaware corporation located at 440 N Barranca Ave #9893, Covina, CA 91723, USA. For privacy-related inquiries, please contact us at privacy@scenario.com.
The short version
- We collect your name, email, and usage data to run the platform.
- We do not sell your personal information.
- We process your content to deliver the services you request. We may use aggregated insights to improve our AI — but we never share your content with other users.
- Customers with an Enterprise plan and Master Services Agreement (MSA) receive a contractual guarantee: none of the content you upload or generate will ever be used to train or improve other models or tools. This covers all models and tools marked “Enterprise Ready” in the Scenario console — over 95% of our platform as of February 2026.
- You can access, correct, or delete your data at any time by emailing privacy@scenario.com.
- We are SOC 2 Type II certified. All data is encrypted in transit and at rest.
The full policy below provides the legal details.
1. Information We Collect
We collect information in the following categories:
1.1 Information You Provide to Us
- Account Information. When you create a Scenario account, we collect your name, email address, and authentication credentials (managed through our authentication provider, Clerk). If you sign up using a third-party identity provider (e.g., Google, GitHub), we receive your name and email address from that provider.
- Payment Information. When you subscribe to a paid plan, we collect billing details such as your credit card number, billing address, and related payment information. Payment processing is handled by Stripe. Scenario does not store your full credit card number on our servers.
- Communications. When you contact us for support, provide feedback, or communicate with us by email or through the platform, we collect the content of those communications along with your name and email address.
- Content You Submit. When you use our platform, you may upload reference images, provide text prompts, configure AI models, and generate assets. We process this content to deliver the Services.
1.2 Information We Collect Automatically
- Usage Data. We collect information about how you interact with our platform, including features used, generation history, timestamps, frequency and duration of activities, and actions taken within the platform.
- Device and Connection Information. We collect your IP address, device type, operating system, browser type and version, and general location derived from your IP address.
- Web Log Data. Our servers automatically record information including your IP address, referring domain, pages visited, access dates and times, and URLs accessed.
- Cookies and Similar Technologies. We use cookies and similar tracking technologies to operate our platform and collect usage information. See Section 9 for details.
1.3 Information from Third Parties
We may receive information about you from third-party services you use to interact with our platform (e.g., identity providers for single sign-on) or from publicly available sources.
2. How We Use Your Information
We use the personal information we collect for the following purposes:
- Providing and operating the Services. Creating and managing your account, processing your requests, generating AI assets, delivering platform features, and providing customer support.
- Processing payments. Managing subscriptions, processing payments, and administering billing.
- Improving our Services. Analyzing usage patterns to improve platform performance, develop new features, and enhance user experience.
- Communicating with you. Sending service-related notices, responding to your inquiries, and providing technical support.
- Security and fraud prevention. Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activity, and protecting the security of our platform and users.
- Legal compliance. Complying with applicable laws, regulations, legal processes, or enforceable governmental requests.
- Analytics. Understanding how users interact with our Services to improve and optimize the platform.
Your Content and Our AI
Your content is processed to deliver the services you request. To improve our Platform and AI capabilities, we may use aggregated insights derived from how content is processed across the Platform. We do not sell your content or share it with other users. We may use anonymized, aggregated, non-content metadata (such as feature adoption metrics and system performance data) to improve the Platform.
Customers with an Enterprise plan and Master Services Agreement (MSA) receive a contractual guarantee: none of the content they upload or generate will ever be used to train or improve other models or tools. This guarantee covers all models and tools marked “Enterprise Ready” in the Scenario console — over 95% of the Platform as of February 2026.
We do not use your personal information for automated decision-making that produces legal or similarly significant effects without human involvement.
3. How We Share Your Information
We do not sell your personal information. We share personal information only in the following circumstances:
3.1 Service Providers (Sub-Processors)
We engage third-party service providers to perform functions on our behalf. These providers process personal information only as necessary to provide their services to us, under contracts that require them to protect your information consistent with this Privacy Policy and applicable law.
Our current sub-processors include:
| Category | Providers | Purpose |
|---|---|---|
| Infrastructure & Hosting | Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage, and compute |
| Serverless Compute | Modal | Serverless GPU compute for AI model inference |
| Cloud Services | Google Cloud | Certain AI model hosting and processing |
| Payments | Stripe | Payment processing and billing |
| Authentication | Clerk | User authentication and identity management |
| Analytics | PostHog | Product analytics and usage insights |
| Error Monitoring | Sentry | Application error tracking and monitoring |
| Search | Meilisearch | Platform search functionality |
| AI Model Providers | Fal, Replicate, Meshy, Tencent Cloud, Vidu, Freepik, Hitem3D, Photoroom | AI asset generation capabilities |
| AI Support | OpenAI | Customer support assistance |
| AI Support | Inkeep | AI-powered QA and documentation assistant |
A current list of our sub-processors is maintained at trust.scenario.com. We notify customers of changes to our sub-processor list in accordance with our Data Processing Agreement.
3.2 Legal Requirements
We may disclose your personal information if required to do so by law, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation, court order, or lawful request by public authorities, including to meet national security or law enforcement requirements; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing; or (d) protect the personal safety of users or the public.
3.3 Business Transfers
In connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
3.4 With Your Consent
We may share your personal information with third parties when you have given us your explicit consent to do so.
4. EU-U.S. Data Privacy Framework
Scenario Inc. is committed to complying with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Scenario intends to self-certify under these frameworks; upon certification, our participation will be listed at dataprivacyframework.gov.
This Section 4 describes how Scenario adheres to the DPF Principles with regard to the processing of personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern.
4.1 Notice
Scenario collects and processes personal data from individuals in the European Union, United Kingdom, and Switzerland as described in Section 1 and Section 2 of this Privacy Policy. We may disclose personal information to the categories of third parties and sub-processors described in Section 3 for the purposes stated there. Individuals have the right to access their personal data as described in Section 6.
We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Upon certification, Scenario’s DPF participation will cover non-human-resources data only.
4.2 Choice
Where we process personal data received under the DPF, we provide individuals with the opportunity to opt out before their personal information is: (a) disclosed to a third-party controller (other than a sub-processor acting on our behalf); or (b) used for a purpose that is materially different from the purposes for which it was originally collected or subsequently authorized by the individual.
We do not process sensitive personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) without first obtaining the individual’s affirmative express (opt-in) consent.
To exercise your choice, please contact us at privacy@scenario.com.
4.3 Accountability for Onward Transfer
When we transfer personal data received under the DPF to third parties, we do so only for the purposes described in this Privacy Policy and under contracts that require the third party to provide the same level of protection as the DPF Principles require. We enter into data processing agreements with our sub-processors that restrict their use, retention, and disclosure of personal data.
Scenario remains liable under the DPF Principles if a third party that we have engaged to process personal data on our behalf processes that data in a manner inconsistent with the DPF Principles, unless we can prove that we are not responsible for the event giving rise to the damage.
4.4 Security
Scenario takes reasonable and appropriate technical and organizational measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data. Our security practices are described in Section 11.
4.5 Data Integrity and Purpose Limitation
Scenario limits the personal data we collect and process to what is relevant for the purposes of processing. We do not process personal data in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the individual. We take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
We retain personal data in a form that identifies or renders an individual identifiable only for as long as it serves the purpose(s) for which it was collected or subsequently authorized, consistent with the DPF Principles.
4.6 Access
Individuals in the EU, UK, and Switzerland whose personal data we process under the DPF have the right to obtain from us confirmation of whether we are processing their personal data, and to access that data. Individuals also have the right to correct, amend, or delete personal data that is inaccurate or has been processed in violation of the DPF Principles.
To exercise these rights, please submit a request to privacy@scenario.com.
4.7 Recourse, Enforcement, and Liability
Independent Recourse Mechanism
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Scenario commits to resolve complaints about our collection or use of your personal information transferred to the United States pursuant to the applicable DPF.
EU, UK, and Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact Scenario at privacy@scenario.com.
Cooperation with EU Data Protection Authorities (DPAs)
If we are unable to resolve your complaint directly, Scenario has committed to cooperate and comply with the advice of the panel established by the EU data protection authorities (“DPAs”) with regard to unresolved complaints concerning personal data transferred from the EU under the EU-U.S. DPF. This independent dispute resolution mechanism is provided at no cost to you.
Cooperation with the UK Information Commissioner’s Office (ICO)
For complaints concerning personal data transferred from the United Kingdom under the UK Extension to the EU-U.S. DPF, Scenario has committed to cooperate and comply with the advice of the UK Information Commissioner’s Office (“ICO”). This dispute resolution mechanism is provided at no cost to you.
Cooperation with the Swiss Federal Data Protection and Information Commissioner (FDPIC)
For complaints concerning personal data transferred from Switzerland under the Swiss-U.S. DPF, Scenario has committed to cooperate and comply with the advice of the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). This dispute resolution mechanism is provided at no cost to you.
Binding Arbitration
Under certain conditions, more fully described on the Data Privacy Framework website at dataprivacyframework.gov, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
FTC Enforcement
Scenario is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”). The FTC has jurisdiction over Scenario’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
5. International Data Transfers
Scenario is based in the United States and processes personal data on servers located in the United States (hosted on AWS in US regions). If you are accessing our Services from outside the United States, please be aware that your personal information will be transferred to, stored, and processed in the United States.
5.1 Transfers from the EU, UK, and Switzerland
For personal data transferred from the European Economic Area (“EEA”), United Kingdom, and Switzerland to the United States, Scenario relies on the following transfer mechanisms:
- Data Privacy Framework. Once certified, we will rely on our certification under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as described in Section 4.
- Standard Contractual Clauses (SCCs). Where required, we enter into the European Commission’s Standard Contractual Clauses (as adopted under Implementing Decision 2021/914) with our customers and partners to provide appropriate safeguards for international data transfers. For transfers from the United Kingdom, the International Data Transfer Addendum issued by the UK Information Commissioner supplements the SCCs.
5.2 Sub-Processor Transfers
When we transfer personal data to sub-processors located outside the EEA, UK, or Switzerland, we ensure that appropriate safeguards are in place through contractual protections requiring the sub-processor to protect personal data to a standard consistent with the DPF Principles and applicable data protection law.
6. Your Rights and Choices
Depending on your location and applicable law, you may have the following rights regarding your personal information:
- Access. Request access to the personal data we hold about you.
- Correction. Request that we correct inaccurate or incomplete personal data.
- Deletion. Request that we delete your personal data, subject to certain exceptions.
- Data Portability. Request a copy of your personal data in a structured, commonly used, machine-readable format.
- Opt-Out of Communications. Unsubscribe from marketing emails by clicking the “unsubscribe” link in any marketing email, or by contacting us. Service-related communications are not subject to opt-out.
- Restrict Processing. Request that we restrict the processing of your personal data in certain circumstances.
- Object to Processing. Object to our processing of your personal data where we rely on legitimate interests as our legal basis.
- Withdraw Consent. Where we process your personal data based on consent, you may withdraw that consent at any time.
To exercise any of these rights, please contact us at privacy@scenario.com.
7. European Data Subject Rights (GDPR)
If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, the following additional provisions apply to our processing of your personal data under the General Data Protection Regulation (“GDPR”) and equivalent UK and Swiss legislation.
7.1 Data Controller
Scenario Inc. is the data controller for personal data we collect directly from you (e.g., account information, usage data). When we process personal data on behalf of our enterprise customers, we act as a data processor under our Data Processing Agreement with the customer.
7.2 Lawful Bases for Processing
We process your personal data on the following lawful bases under Article 6 of the GDPR:
| Purpose | Lawful Basis |
|---|---|
| Providing and operating the Services | Performance of a contract (Art. 6(1)(b)) |
| Processing payments | Performance of a contract (Art. 6(1)(b)) |
| Responding to support requests | Performance of a contract (Art. 6(1)(b)) |
| Improving our Services and analytics | Legitimate interests (Art. 6(1)(f)) — improving platform quality and user experience |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) — protecting our platform and users |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
7.3 Data Subject Rights
Under the GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate personal data (Art. 16)
- Erase your personal data (“right to be forgotten”) (Art. 17)
- Restrict the processing of your personal data (Art. 18)
- Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Withdraw consent at any time where processing is based on consent (Art. 7(3))
- Lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement
To exercise these rights, please contact us at privacy@scenario.com.
We will respond within one month, as required by Article 12(3) of the GDPR. This period may be extended by up to two additional months where necessary.
7.4 International Transfers
Personal data transferred from the EEA, UK, or Switzerland to Scenario in the United States is protected by the transfer mechanisms described in Section 5, including Standard Contractual Clauses and, once certified, our DPF certification.
7.5 Data Protection Officer
Under Article 37 of the GDPR, appointment of a Data Protection Officer is required for organizations that: (a) are public authorities; (b) carry out large-scale systematic monitoring of individuals; or (c) process special categories of personal data on a large scale. Scenario does not meet any of these criteria. Accordingly, Scenario has not appointed a formal Data Protection Officer. For all data protection inquiries, please contact our privacy team at privacy@scenario.com.
7.6 EU Representative
Pursuant to Article 27 of the GDPR, Scenario has appointed the following representative in the European Union for data protection matters:
DataRep — The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland. Email: scenario@datarep.com. Online request: www.datarep.com/data-request
8. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), provides you with specific rights regarding your personal information.
8.1 Categories of Personal Information
In the preceding twelve months, we have collected the following categories of personal information as defined by the CCPA:
| Category | Examples |
|---|---|
| Identifiers | Name, email address, IP address, account credentials |
| Commercial Information | Subscription plan, transaction history, payment records |
| Internet or Electronic Network Activity | Browsing history on our platform, interactions with our Services, usage logs |
| Geolocation Data | General location derived from IP address |
We may also collect the following category of sensitive personal information as defined by the CPRA:
| Category | Examples |
|---|---|
| Account Log-In Credentials | Email address in combination with authentication credentials (managed through Clerk) |
We do not use or disclose sensitive personal information for purposes other than those permitted by the CPRA. You have the right to limit the use of your sensitive personal information by contacting us at privacy@scenario.com.
8.2 Your California Privacy Rights
Under the CCPA, you have the right to:
- Know. Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collection, and the categories of third parties with whom we shared it.
- Delete. Request that we delete the personal information we have collected from you, subject to certain exceptions.
- Correct. Request that we correct inaccurate personal information that we maintain about you.
- Opt-Out of Sale or Sharing. You have the right to opt out of the “sale” or “sharing” of your personal information. Scenario does not sell your personal information and does not share your personal information for cross-context behavioral advertising purposes.
- Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.
8.3 How to Exercise Your Rights
To submit a request, please contact us at privacy@scenario.com.
We will respond to your request within 45 days, as required by the CCPA, and may extend that period by an additional 45 days where reasonably necessary.
8.4 Service Provider Status
When Scenario processes personal data on behalf of our enterprise customers, we act as a “service provider” under the CCPA. In that capacity, we process personal information solely on behalf of and under the instructions of the business customer, and we do not sell or share such personal information.
9. Cookies and Tracking Technologies
9.1 Types of Cookies We Use
We use the following types of cookies and similar technologies:
- Essential Cookies. Required for the platform to function properly. These include session cookies for authentication and security. You cannot opt out of essential cookies.
- Analytics Cookies. Used to understand how visitors interact with our platform, enabling us to improve user experience. We use PostHog for product analytics.
- Functional Cookies. Used to remember your preferences and settings across sessions.
The specific cookies we use include:
| Cookie | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| Session cookies | Scenario (via Clerk) | Authentication and session management | Essential | Session |
| CSRF token | Scenario | Cross-site request forgery protection | Essential | Session |
| Cookie consent | Scenario | Remembering your cookie preferences | Essential | 12 months |
| PostHog analytics | PostHog | Product analytics and usage insights | Analytics | 12 months |
9.2 Your Cookie Choices
When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You can update your cookie preferences at any time through our cookie settings, accessible via the link in the footer of our website.
Most web browsers are set to accept cookies by default. You can modify your browser settings to block or delete cookies. Please note that if you disable cookies, some features of our platform may not function properly.
9.3 Do Not Track
Some browsers transmit “Do Not Track” signals. Because there is no industry consensus on how to respond to these signals, our platform does not currently respond to “Do Not Track” signals.
Global Privacy Control (GPC). We honor Global Privacy Control signals transmitted by your browser. When we detect a GPC signal, we treat it as a valid opt-out of any sale or sharing of personal information for the user associated with that browser, as required by the California Consumer Privacy Act.
10. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, including to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements.
Specifically:
- Account Data. Retained for the duration of your account and for 90 days thereafter to allow for account reactivation, after which it is deleted unless retention is required by applicable law.
- Usage Data. Retained in identifiable form for up to 24 months, after which it is aggregated or deleted. Aggregated or pseudonymized usage data may be retained indefinitely for analytics purposes.
- Payment Data. Transaction records retained as required by tax and financial regulations (typically 7 years). Full payment card details are not stored by Scenario — they are handled by Stripe.
- Generated Content. Your generated assets, prompts, and related content are retained in your account for as long as your account is active, and deleted within 60 days after account termination, unless otherwise required by law or agreed upon with enterprise customers.
- Support Communications. Retained for up to 24 months after the support case is closed to provide continuity and improve our support quality, after which they are deleted or anonymized.
When personal data is no longer needed, we securely delete or anonymize it in accordance with our data retention and deletion procedures.
11. Security
Scenario is SOC 2 Type II certified, demonstrating our commitment to maintaining rigorous security controls. Our current SOC 2 Type II audit report is available through our Trust Center at trust.scenario.com.
We implement and maintain appropriate technical and organizational measures to protect your personal information, including:
- Encryption in Transit. All data transmitted between clients and Scenario’s systems is encrypted using TLS 1.2 or higher.
- Encryption at Rest. Personal data stored by Scenario is encrypted at rest using AES-256 encryption.
- Access Controls. Role-based access controls limit access to personal data to authorized personnel on a need-to-know basis. Multi-factor authentication is required for administrative and privileged access to production systems.
- Infrastructure Security. All production systems are hosted on Amazon Web Services (AWS) infrastructure in US regions. AWS data centers maintain ISO 27001, SOC 1, SOC 2 Type II, and SOC 3 certifications.
- Workspace Isolation. Each customer’s workspace is logically isolated from other customers’ workspaces within the platform.
- Monitoring and Logging. Access and activity logs are maintained for systems processing personal data.
- Vulnerability Management. Regular vulnerability scanning and penetration testing of production systems.
- Incident Response. Documented security incident response and escalation procedures.
While we implement industry-standard security measures, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security of your data.
12. Children’s Privacy
Scenario’s Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to promptly delete such information. If you believe that a child under 16 has provided personal information to us, please contact us at privacy@scenario.com.
13. Third-Party Links
Our Services may contain links to third-party websites or services that are not operated by Scenario. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party sites or services that you visit.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by posting the updated Privacy Policy on our website and updating the “Last Updated” date at the top of this page. For material changes that significantly affect how we process your personal data, we will provide additional notice, such as an email notification or a prominent notice on our platform.
15. Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our privacy practices, please contact us:
Scenario Inc. — Attn: Privacy — 440 N Barranca Ave #9893, Covina, CA 91723, USA
- General Support: support@scenario.com
- Privacy Inquiries: privacy@scenario.com
- Copyright / DMCA: dmca@scenario.com
- Trust & Safety: trust@scenario.com
- Website: scenario.com
Privacy Contact: Emmanuel de Maistre, Chief Executive Officer
Trust Center: trust.scenario.com.
This Privacy Policy is effective as of February 23, 2026.