Privacy Policy

Last updated: February 7th, 2025

1. SCOPE AND UPDATES TO THIS PRIVACY POLICY

This Privacy Policy describes how Scaalr, Inc. (“Scaalr,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal data in connection with our website (scaalr.com), software‑as‑a‑service platform, APIs, and related online or offline offerings (collectively, the “Services”).

We may revise this Privacy Policy from time to time in our sole discretion. If there are material changes, we will notify you as required by applicable law. You understand and agree that your continued use of the Services after the effective date of any update constitutes acceptance of the revised Privacy Policy.

Important Note – Client Data: This Privacy Policy does not apply to personal data that we process on behalf of our clients through their use of the Services (“Client Data”). For Client Data, Scaalr acts as a data processor (or sub‑processor, as applicable) and our clients act as data controllers. Our processing of Client Data is governed by the applicable contract(s) with clients, including any Data Processing Agreement (“DPA”), not this Privacy Policy. Questions about Client Data should be directed to the relevant client.

2. ROLES UNDER DATA PROTECTION LAW

2.1 Scaalr as Controller. Scaalr is the data controller for personal data it collects and determines the purposes and means of processing (e.g., website visitors, account owners, billing contacts, marketing contacts).

2.2 Scaalr as Processor. For Client Data (e.g., end‑user information uploaded by or collected on behalf of a client within the Services, including conversational transcripts), Scaalr acts as a data processor and processes such data only on documented instructions of the client, as set out in the DPA.

3. DEFINITIONS

“Applicable Data Protection Law” means the EU GDPR, UK GDPR, and any other data protection laws that apply to the processing described herein.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Process”, “Processed”, “Processing” have the meanings given under Applicable Data Protection Law.
“Special Categories of Data” means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade‑union membership, genetic/biometric data for unique identification, health data, or data concerning a natural person’s sex life or sexual orientation.

4. CATEGORIES OF PERSONAL DATA WE COLLECT

4.1 Data You Provide Directly. Identification and contact data (name, company, job title, email, phone, address); account and authentication data (username, password); content you upload or submit (documents, property records, tenant information, conversation prompts and messages); communications (support tickets, email, chat); and billing information (billing address, transaction details). Payment card data is processed by third‑party payment processors; Scaalr does not store full card numbers.

4.2 Data Collected Automatically. Device and technical data (IP address, device identifiers, browser/OS, approximate location derived from IP); usage data (pages viewed, features used, session metadata, timestamps); cookies and similar technologies (see Section 10); and conversational interaction metadata generated when using AI agents.

4.3 Data from Third Parties. We may receive personal data from vendors, integration partners, and service providers (e.g., cloud hosting, communications, analytics, payments), as well as publicly available sources and business partners.

4.4 Special Categories and Sensitive Data. Scaalr does not intentionally seek to collect Special Categories of Data or government identifiers. If such data is submitted to the Services by you or at a client’s direction, it will be processed only as necessary to provide the Services and as permitted by law and the applicable DPA.

5. PURPOSES AND LEGAL BASES OF PROCESSING (WHEN SCAALR IS CONTROLLER)

We process personal data for the following purposes and legal bases:

(a) Service Delivery and Administration (contract necessity): to create and manage accounts; provide and support the Services; process transactions; communicate regarding the Services and policy changes.

(b) Security and Compliance (legal obligation; legitimate interests): to secure the Services; detect, investigate, and prevent fraud, abuse, and security incidents; comply with legal obligations and requests from authorities.

(c) Service Improvement and Analytics (legitimate interests): to monitor performance; improve features; perform quality assurance and service analytics.

(d) Marketing and Communications (consent or legitimate interests, as required): to send product news, events, and promotions; you may opt out at any time.

Note on AI Improvement: We may use de‑identified or aggregated conversational data to evaluate, improve, and develop models and system performance. We do not use identifiable personal data for model training without appropriate consent or a separate lawful basis and safeguards.

6. DISCLOSURE OF PERSONAL DATA

We may disclose personal data to:

(a) Service Providers/Processors who support the Services (e.g., cloud hosting, analytics, communications, payments, AI infrastructure). Such parties are bound by written contracts and process personal data only under our instructions.

(b) Business Partners for joint offerings or integrations you choose to use.

(c) Affiliates and Successors in connection with a merger, acquisition, financing, reorganization, or asset sale, subject to this Privacy Policy.

(d) Law Enforcement/Legal Recipients as required by law or to protect rights, safety, or property.

(e) With Consent or at Your Direction, including when you connect third‑party integrations.

We do not sell personal data.

7. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to and processed in jurisdictions outside your own, including the United States. Where required, we implement appropriate safeguards such as the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and Swiss‑specific provisions, along with technical and organizational measures (e.g., encryption, access controls). Transfer impact assessments are maintained as appropriate.

8. RETENTION

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to comply with legal, accounting, or reporting requirements. Unless otherwise agreed or required by law:

Account and billing records: active term plus up to 6 years.
Conversational interaction logs: up to 24 months, unless earlier deletion is requested by the client or user where applicable.
Support tickets and operational logs: typically up to 24 months.
Web analytics data: typically up to 12 months.
We may retain de‑identified or aggregated data for longer for analytics, security, and service improvement.

9. YOUR RIGHTS

Subject to Applicable Data Protection Law, you may have the rights to access, rectify, erase, restrict, and object to processing; to data portability; and to withdraw consent (where processing is based on consent). You may also lodge a complaint with a supervisory authority. To exercise rights, contact info@scaalr.com. We may need to verify your identity. We will respond without undue delay and within one month of receipt, extendable by two months in complex cases.

10. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies, pixels, and similar technologies to operate and personalize the Services, analyze usage, and (where permitted) for marketing. You can manage cookie preferences via your browser or our consent tools. If you disable certain cookies, some features may not function.

11. CHILDREN’S INFORMATION

The Services are not directed to individuals under eighteen (18) years of age, and we do not knowingly collect personal data from minors. If we learn that we have collected such data, we will delete it.

12. SECURITY

We implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include encryption in transit and at rest, access controls, network security, logging and monitoring, vulnerability management, and secure development practices. No system is completely secure.

13. AUTOMATED PROCESSING

Scaalr’s AI agents automatically process inputs to generate responses. Scaalr does not engage in automated decision‑making that produces legal or similarly significant effects without human involvement.

14. THIRD‑PARTY SITES AND INTEGRATIONS

The Services may contain links to or integrations with third‑party sites, platforms, or applications. Scaalr is not responsible for the privacy practices of such third parties. We encourage you to review their privacy policies.

15. PERSONAL DATA BREACH NOTIFICATION

In the event of a personal data breach impacting personal data for which Scaalr is a controller, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware, unless the breach is unlikely to result in a risk to rights and freedoms. Where Scaalr acts as a processor, we will notify the client/controller without undue delay per the DPA so the controller can fulfill its legal obligations, including any notification to individuals and authorities.

16. DATA PROTECTION BY DESIGN AND DPIA

We maintain processes to implement data protection by design and by default, including access minimization, role‑based permissions, and secure development practices. We perform data protection impact assessments (“DPIAs”) where processing is likely to result in high risk to individuals (e.g., large‑scale processing of personal data via conversational AI agents), and we cooperate with clients regarding DPIAs for Client Data processing.

17. RECORDS OF PROCESSING

Scaalr maintains records of processing activities where required by law, including the categories of data subjects and personal data, purposes, recipients, transfers, and technical and organizational security measures.

18. CONTACT DETAILS

Controller: Scaalr, Inc.

Email: info@scaalr.com