Privacy Policy

Last updated: March 3, 2026

Effective immediately for new users; existing users are bound 30 days after notice.

1. Introduction

Scalegrowth Digital Private Limited ("Scalegrowth", "Company", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and safeguard your information when you access or use our platform at scalegrowth.digital, our APIs, embeddable scripts, mobile applications, and all related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, you must not access or use the Service. This Policy should be read together with our Terms of Service.

Data Controller. Scalegrowth Digital Private Limited is the data controller responsible for your personal data. For questions about data processing, contact our Data Protection Officer at privacy@scalegrowth.digital.

2. Information We Collect

We collect information in the following categories:

2.1 Information You Provide Directly

  • Account Information: Name, email address, phone number (optional), organization name, job title, and password when you create an account.
  • Billing Information: Billing address, company name, GST/VAT number, and payment method details. Full payment card details are processed and stored by our payment processors (Stripe, Razorpay) and are not stored on our servers.
  • Content You Create: Landing pages, ad copy, campaign configurations, automation rules, templates, uploaded images, and other content you create through the Service.
  • Communications: Messages you send to us via email, support tickets, chat, or feedback forms.
  • Onboarding Data: Business URL, industry type, user intent, and preferences provided during the onboarding process.

2.2 Information From Connected Platforms

  • Ad Platform Data: Campaign performance metrics, ad spend data, audience data, keyword data, ad creative data, and conversion data synced from connected platforms (Google Ads, Meta Ads, LinkedIn Ads, TikTok Ads, and others).
  • CRM Data: Contact information, deal stages, and customer data synced from connected CRM systems.
  • E-commerce Data: Transaction data, product data, and customer data from connected e-commerce platforms (Shopify, WooCommerce, and others).
  • OAuth Tokens: Encrypted access and refresh tokens for connected platform integrations.

2.3 Information Collected Automatically

  • Usage Data: Pages visited, features used, clicks, session duration, navigation paths, search queries, and interaction patterns within the Service.
  • Device Information: Browser type and version, operating system, device type, screen resolution, and device identifiers.
  • Network Information: IP address, approximate geolocation (city/country level), ISP, and referring URL.
  • Log Data: Server access logs, error logs, API request logs, and security audit logs.
  • Cookies & Tracking Technologies: See Section 7 (Cookies) for details.

2.4 Information From Landing Page Visitors

When you use Scalegrowth to host landing pages, our tracking pixel may collect the following data from visitors to your landing pages:

  • Page views, scroll depth, time on page, and click events.
  • UTM parameters, referral source, and campaign attribution data.
  • Form submission data (which you configure and are responsible for).
  • IP address, browser type, device type, and approximate geolocation.

YOU ARE THE DATA CONTROLLER for personal data collected through your landing pages. You are solely responsible for providing appropriate privacy notices and obtaining necessary consents from your landing page visitors. Scalegrowth acts as a Data Processor on your behalf for such data.

2.5 AI Processing Data

When you use AI-powered features, your campaign data, content, and performance metrics may be processed by third-party AI and LLM providers (such as OpenAI, Anthropic, Google, and others) for the purpose of generating recommendations, optimizations, and content. We minimize the personal data sent to AI providers and contractually require them to not retain your data for their own training purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Delivery

  • To provide, operate, maintain, and improve the Service.
  • To generate AI-powered optimization recommendations and execute automated actions for your campaigns.
  • To host and serve your landing pages and process form submissions.
  • To sync and display data from your connected advertising platforms and integrations.
  • To process payments and manage your subscription.
  • To provide customer support and respond to your inquiries.

3.2 Analytics & Improvement

  • To analyze usage patterns and improve the Service's functionality, performance, and user experience.
  • To generate aggregated, anonymized benchmarks and industry insights.
  • To conduct research and development for new features and products.
  • To train and improve our proprietary AI models using aggregated, de-identified data only.

3.3 Communications

  • To send service-related notifications, alerts, anomaly warnings, and system updates.
  • To send billing notifications and payment receipts.
  • To send onboarding guidance, feature announcements, and product tips (you may opt out).

3.4 Security & Compliance

  • To detect, prevent, and investigate fraud, abuse, security incidents, and terms violations.
  • To maintain audit logs for compliance and security purposes.
  • To comply with legal obligations, respond to lawful requests, and enforce our Terms.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions requiring a legal basis, we process your personal data on the following grounds:

  • Contract Performance: Processing necessary to provide the Service you requested (account management, service delivery, billing).
  • Legitimate Interests: Processing necessary for our legitimate interests (security, fraud prevention, service improvement, analytics), balanced against your rights and freedoms.
  • Consent: Where you have given explicit consent (marketing communications, optional cookies, AI processing of your data).
  • Legal Obligation: Processing necessary to comply with applicable laws (tax reporting, law enforcement requests, data retention requirements).

5. Data Sharing & Disclosure

We do not sell your personal data to third parties. We may share your information in the following circumstances:

5.1 Service Providers

We share data with trusted third-party service providers who assist us in operating the Service, subject to contractual obligations to protect your data:

  • Cloud Infrastructure: Railway, AWS, or similar providers for hosting and compute.
  • Payment Processing: Stripe, Razorpay for billing and subscription management.
  • Email Services: Resend (or similar) for transactional and notification emails.
  • AI/LLM Providers: OpenAI, Anthropic, Google, or similar for AI-powered features.
  • Analytics: Internal analytics systems for usage tracking (we do not use third-party analytics trackers on the Service).
  • Error Monitoring: Error tracking services for detecting and resolving software issues.

5.2 Connected Platforms

When you connect third-party platforms (Google Ads, Meta, etc.), data flows bidirectionally as authorized by you through OAuth consent. We send optimization changes (bid adjustments, audience modifications, etc.) back to these platforms on your behalf when you enable automation.

5.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of Scalegrowth, our users, or the public; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.

5.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, reorganization, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.

5.5 Agency & Multi-Tenant Access

If you are part of an organization or agency account, other authorized members of your organization may have access to your data based on their role and permissions within the Service's role-based access control system. Organization administrators can view activity logs, manage permissions, and access shared workspace data.

6. Data Retention

We retain your data for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:

  • Account Data: Retained while your account is active and for 90 days after termination (to allow reactivation).
  • Campaign & Ad Platform Data: 24 months from collection. Configurable via Settings.
  • Lead Data: 12 months from collection. Configurable via Settings.
  • Landing Page Data: Retained while your account is active. Deleted 30 days after account termination.
  • Audit Logs: 36 months (required for compliance and security investigations).
  • Billing Records: 7 years (as required by applicable tax and accounting laws).
  • Anonymized/Aggregated Data: Retained indefinitely as it cannot identify you.

After the applicable retention period, data is permanently deleted or irreversibly anonymized. You may request earlier deletion subject to Section 8 (Your Rights).

7. Cookies & Tracking Technologies

7.1 Cookies We Use

  • Essential Cookies: Required for authentication, session management, security (CSRF tokens), and basic Service functionality. Cannot be disabled.
  • Functional Cookies: Remember your preferences (dark mode, language, timezone, dashboard layout). Can be disabled.
  • Analytics Cookies: Help us understand how you use the Service to improve it. Internal analytics only — we do not use third-party tracking cookies (no Google Analytics, no Facebook Pixel on our Service). Can be disabled.

7.2 Tracking Pixel on Your Landing Pages

Our embeddable tracking pixel (t.js) uses first-party cookies on your landing pages for A/B variant assignment, session tracking, and conversion attribution. As noted in Section 2.4, you are the data controller for data collected on your landing pages and are responsible for cookie consent compliance.

7.3 Managing Cookies

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Service. For landing page visitor cookies, you must implement your own cookie consent mechanism.

8. Your Privacy Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

8.1 Universal Rights

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Deletion: Request deletion of your personal data, subject to legal retention requirements.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

8.2 GDPR Rights (EEA/UK Users)

  • Right to Restrict Processing: Request restriction of processing in certain circumstances.
  • Right to Object: Object to processing based on legitimate interests, including profiling.
  • Right Not to be Subject to Automated Decision-Making: Request human review of decisions made solely by automated means that significantly affect you.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

8.3 CCPA/CPRA Rights (California Residents)

  • Right to Know: Request information about the categories and specific pieces of personal data collected, used, disclosed, and sold.
  • Right to Delete: Request deletion of personal data collected from you.
  • Right to Correct: Request correction of inaccurate personal data.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal data for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to Limit Sensitive Data Use: We only collect sensitive personal data as necessary to provide the Service.

8.4 DPDP Act Rights (India)

  • Right to Information: Know what personal data is being processed and for what purpose.
  • Right to Correction & Erasure: Request correction of inaccurate data and erasure of data no longer necessary.
  • Right to Grievance Redressal: File a complaint with our Data Protection Officer or the Data Protection Board of India.
  • Right to Nominate: Nominate another individual to exercise your rights in case of death or incapacity.

8.5 How to Exercise Your Rights

Submit requests via: (a) Settings > Data & Privacy within the Service; (b) email to privacy@scalegrowth.digital; or (c) postal mail to our registered office. We will respond within 30 days (or shorter if required by applicable law). We may require identity verification before processing requests. Requests that are manifestly unfounded, excessive, or repetitive may be subject to a reasonable administrative fee.

9. International Data Transfers

Your data may be transferred to and processed in countries other than the country in which you reside. Our servers are primarily located in India. Data may also be processed in the United States, European Union, and Singapore through our cloud infrastructure and third-party service providers.

For transfers from the EEA/UK, we rely on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) adequacy decisions; or (c) other lawful transfer mechanisms. For transfers from India, we comply with the cross-border transfer provisions of the DPDP Act 2023. You may request a copy of the applicable transfer safeguards by contacting privacy@scalegrowth.digital.

10. Data Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption in Transit: All data is transmitted over TLS 1.2+ (HTTPS).
  • Encryption at Rest: AES-256 encryption for stored data and database backups.
  • Access Controls: Role-based access control (RBAC), principle of least privilege, and multi-factor authentication for internal systems.
  • Password Security: Passwords are hashed using bcrypt with salt. We never store passwords in plaintext.
  • API Security: JWT token authentication, API key management, rate limiting, and CORS protection.
  • Audit Logging: Comprehensive audit trails for all data access and modifications.
  • Infrastructure: Network isolation, firewall rules, automated vulnerability scanning, and regular security assessments.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.

11. Automated Decision-Making & Profiling

The Service uses automated systems and AI models for the following purposes:

  • Campaign Optimization: Automated bid adjustments, budget allocation, and audience targeting based on performance data.
  • Anomaly Detection: Automated alerts when campaign metrics deviate significantly from expected patterns.
  • Lead Scoring: Automated assessment of lead quality based on behavioral and demographic signals.
  • Content Recommendations: AI-generated suggestions for ad copy, landing page content, and creative variations.
  • A/B Testing: Automated traffic splitting and statistical analysis to determine winning variants.

These automated decisions relate to your advertising campaigns and marketing operations, not to decisions about you as an individual. You maintain control over autonomy levels and can review, override, or disable automated actions at any time through the Service settings. If you believe an automated decision has significantly affected your rights, you may request human review by contacting support@scalegrowth.digital.

12. Children's Privacy

The Service is not directed to and not intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact us at privacy@scalegrowth.digital.

13. "Do Not Track" Signals

We do not currently respond to "Do Not Track" (DNT) browser signals because there is no universally accepted standard for interpreting DNT. However, we provide robust privacy controls within the Service, and we do not engage in cross-site tracking of our users.

14. Data Processor Obligations

Where Scalegrowth acts as a Data Processor on your behalf (e.g., processing landing page visitor data, lead data, or customer data you collect through the Service):

  • We process such data only on your documented instructions.
  • We implement appropriate technical and organizational security measures.
  • We assist you in responding to data subject access requests.
  • We notify you without undue delay of any personal data breach affecting your data.
  • We delete or return your data upon termination, subject to legal retention requirements.
  • We make available information necessary to demonstrate compliance with data processing obligations.

If you require a formal Data Processing Agreement (DPA), please contact legal@scalegrowth.digital. Enterprise customers may request custom DPA terms.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify affected users without undue delay, and no later than 72 hours after becoming aware of the breach (where required by GDPR) or within the timeframe required by applicable law.
  • Notify applicable data protection authorities as required by law.
  • Provide information about the nature of the breach, the data affected, and the measures taken to address it.
  • Take immediate steps to contain and remediate the breach.

16. Third-Party Links & Services

The Service may contain links to or integrations with third-party websites, platforms, and services. We are not responsible for the privacy practices, content, or security of any third-party service. We encourage you to review the privacy policies of any third-party service before providing personal data to them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice within the Service at least 30 days before taking effect. Non-material changes may take effect upon posting. The "Last updated" date at the top indicates the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

18. Limitation of Liability for Data Processing

To the maximum extent permitted by applicable law, Scalegrowth's liability for data protection violations shall be limited as set forth in our Terms of Service (Section 12). We shall not be liable for any data breach, loss, or unauthorized access resulting from: (a) your failure to maintain adequate account security; (b) your failure to comply with data protection laws when collecting data through your landing pages; (c) actions of third-party platforms or service providers beyond our reasonable control; or (d) your failure to implement appropriate security measures for data you export from the Service.

19. Compliance Frameworks

We are committed to compliance with applicable data protection regulations:

  • DPDP Act 2023 (India): Full compliance with the Digital Personal Data Protection Act.
  • GDPR (EU/EEA/UK): Full compliance with the General Data Protection Regulation.
  • CCPA/CPRA (California): Full compliance with the California Consumer Privacy Act and California Privacy Rights Act.
  • IT Act 2000 (India): Compliance with the Information Technology Act and its associated rules.
  • SOC 2 Type II: Working toward certification for security, availability, and confidentiality.
  • ISO 27001: Working toward certification for information security management.

20. Contact Information

For privacy-related inquiries, data requests, or complaints:

  • Data Protection Officer: privacy@scalegrowth.digital
  • General Support: support@scalegrowth.digital
  • Legal: legal@scalegrowth.digital
  • Security Incidents: security@scalegrowth.digital

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Scalegrowth Digital Private Limited. All rights reserved.