← Back to Help Center

Privacy & Compliance

How Scalegrowth handles data privacy, consent management, and regulatory compliance.

Compliance Frameworks

Scalegrowth is designed from day 1 for multi-framework compliance:

DPDP Act 2023 (India)

India's Digital Personal Data Protection Act. Scalegrowth implements consent management, data localization (Mumbai data region), and data principal rights (access, correction, erasure).

GDPR (EU)

Lawful basis tracking, data processing records, DPIA support, right to erasure, data portability, and breach notification procedures.

CCPA/CPRA (California)

Do Not Sell toggle, data access requests, opt-out mechanisms, and annual privacy audit support.

SOC 2 Type II

In progress. Controls for security, availability, processing integrity, confidentiality, and privacy. Audit trail on all data access.

ISO 27001

Information security management system. Risk assessment, access controls, incident management, and continuous improvement.

Consent Management

Every data processing activity in Scalegrowth is linked to a consent record:

  • • Consent is captured at the point of data collection (lead forms, signup)
  • • Each consent records: purpose, timestamp, method, and version of privacy notice
  • • Users can withdraw consent at any time via the privacy dashboard
  • • Consent withdrawal triggers automatic data processing restrictions

Data Subject Requests (DSR)

Data subjects (leads, users) can exercise their rights:

  • Right to Access: Request a copy of all personal data held. Fulfilled within 30 days.
  • Right to Correction: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of personal data. Fulfilled within 30 days (72 hours for DPDP Act).
  • Right to Portability: Receive data in machine-readable format (JSON/CSV).
  • Right to Object: Object to specific processing activities.

DSRs can be submitted via Settings > Data & Privacy or via API. Deadlines are automatically calculated based on the applicable regulation.

Data Security

  • Encryption in transit: TLS 1.2+ for all API and web traffic.
  • Encryption at rest: AES-256 for database and file storage.
  • Access control: Role-based access with principle of least privilege.
  • Audit trail: Immutable logs of all data access and modifications.
  • Key management: API keys are SHA-256 hashed. JWT secrets are rotated regularly.
  • Breach notification: Automated breach detection with 72-hour notification to authorities and affected users.

Data Retention

Default retention periods (configurable in Settings > Privacy):

  • • Campaign performance data: 24 months
  • • Lead/contact data: 12 months
  • • Audit logs: 36 months (SOC 2 requirement)
  • • Session/auth logs: 6 months

Data is automatically deleted after the retention period. You can shorten (but not extend beyond regulatory maximums) the retention period for each category.