Data Controller

ScaleWaveAI Private Limited
G2, C556-A, 4C Scheme, Naveen Vihar Colony, New Loha Mandi Road, Jaipur, Rajasthan, India
CIN: U85490RJ2025PTC105152

Data Protection Officer/Grievance Officer

Name: Yuvraj Garg
Designation: Director
Email: yuvraj@scalewaveai.com

Account Information:

• Email address (required)
• Organization name (required)
• Website URL (optional)
• Password (encrypted and hashed)
• Profile information from Google OAuth (if used)

Important: Data Deletion Policy

We delete all user content data immediately after processing. We do not retain, store, or use your content data for any purpose other than providing the requested service.

• Images uploaded for processing (current)
• Future data types: text, audio, video, 3D models
• Metadata associated with uploaded content

Cloud Infrastructure

Amazon Web Services (AWS): Data processing and storage in Oregon, USA

Purpose: Secure data processing and temporary storage
Data types: All user data during processing (deleted immediately after)

Payment Processing

Razorpay: Payment gateway services

Purpose: Processing credit and debit card transactions and managing payments
Data types: Payment information, billing details, transaction history

Analytics and Monitoring

Google Analytics: Website usage analytics

Purpose: Understanding website traffic and user behavior
Data types: Anonymized usage data, device information

Authentication Services

Google OAuth: Third-party authentication (optional)

Purpose: Enabling sign-in with Google account
Data types: Email address, profile information (name, profile picture)

Scheduling Services

Calendly: Meeting scheduling widget (optional, only loaded with consent)

Purpose: Scheduling customer consultations and support calls
Data types: Name, email, meeting preferences

• We never sell personal information to third parties
• We do not share user content data with anyone
• We do not use personal data for advertising purposes
• We do not provide user lists to marketing companies

Types of Cookies We Use

Essential Cookies:

• Session management and authentication
• Service functionality and security

Analytics Cookies:

• Google Analytics: Website traffic and usage patterns
• User journey and feature utilization
• Performance metrics and error tracking

Third-Party Service Cookies:

• Calendly: Meeting scheduling and calendar integration (Optional)
• Razorpay: Payment processing and transaction security (Essential)
• These services may set their own cookies as per their privacy policies

Security Measures

Technical Safeguards:

• End-to-end encryption for data transmission
• Strong encryption for data at rest
• Secure API authentication and authorization

Administrative Safeguards:

• Limited access to personal data on a need-to-know basis
• Employee training on data protection
• Background checks for personnel with data access
• Incident response procedures and breach protocols

We are actively pursuing industry-standard security certifications:

• SOC 2 Type II: In progress
• ISO 27001: Planned for 2025
• AWS Security Standards: Compliant with AWS security frameworks

Current Status

• No Automated Decision-Making: We do not use automated decision-making systems that significantly affect your rights (e.g., automatic account approvals, credit decisions)
• Fraud Detection: We use automated systems to detect suspicious activity and potential fraud, but final decisions involve human review
• No Profiling: We do not create detailed user profiles for marketing or other purposes
• Service Analytics: We use aggregated, anonymized data to improve Services, but this does not involve individual profiling

If we introduce automated decision-making in the future, we will update this policy and provide appropriate safeguards including the right to human review.

Content Data - Immediate Deletion Policy

• User Content: Deleted immediately after processing
• API Responses: Not retained beyond service delivery
• Processing Logs: Temporary logs deleted within 24 hours

Your Data Rights

Access and Portability

• Right to Access: Request copies of your personal data
• Data Portability: Receive your data in a machine-readable format
• Account Dashboard: View and manage your personal information online

Correction and Updates

• Right to Rectification: Correct inaccurate or incomplete personal data
• Profile Updates: Update account information through your dashboard

Deletion and Erasure

• Right to Deletion: Request deletion of your personal data
• Account Closure: Delete your entire account and associated data

Object and Restrict Processing

• Right to Object: Object to processing of your data for direct marketing, legitimate interests, or research purposes
• Right to Restrict: Request restriction of processing in certain circumstances (e.g., while disputing accuracy or during investigation)
• Withdraw Consent: Withdraw previously given consent for optional data processing (affects future processing only)

Supervisory Authority

• Right to Complain: Lodge a complaint with the appropriate data protection authority if you believe we've violated your privacy rights
• Indian Users: Ministry of Electronics and Information Technology (MeitY) or designated Data Protection Authority
• EU Users: Your local Data Protection Authority (DPA) or supervisory authority

Data Processing Locations

• Primary Processing: AWS Oregon, USA
• User Access: Services available globally
• Legal Jurisdiction: Governed by Indian law

For European Union, European Economic Area, and United Kingdom users:

• Data Transfer Mechanisms: We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers from the EU/EEA/UK to the United States
• Adequacy Decisions: We monitor and comply with adequacy decisions and frameworks
• GDPR Rights: You have all rights under GDPR including access, rectification, erasure, restriction, portability, objection, and automated decision-making
• UK GDPR: We comply with UK GDPR for users in the United Kingdom
• Data Protection Impact: We conduct assessments for high-risk processing activities

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

If you are a California resident, you have additional rights under the CCPA/CPRA:

Your California Rights:

• Right to Know: Request details about the personal information we collect, use, disclose, and sell (we do not sell personal information)
• Right to Delete: Request deletion of your personal information (subject to exceptions)
• Right to Opt-Out: We do not sell personal information, so no opt-out is necessary
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit: Limit use and disclosure of sensitive personal information (we only use such data for providing Services)

California-Specific Disclosures:

• Personal Information Collected: Identifiers (email, name), account information, payment data, usage data, device information
• Sources: Directly from you, automatically from your device, from third parties (OAuth providers, payment processors)
• Business Purpose: Providing Services, account management, payment processing, customer support, security, legal compliance
• Third Parties: Service providers (AWS, Razorpay, Google Analytics) - we do not sell or share for cross-context behavioral advertising
• Retention: Account data while active + 3 years; content data immediately deleted; logs within 24 hours

Designated Methods for Requests: Email support@scalewaveai.com with "CCPA Request" in the subject line. We will verify your identity and respond within 45 days (may extend by 45 days with notice if needed).

Authorized Agent: You may designate an authorized agent to submit requests on your behalf. We require written authorization and will verify both your and the agent's identity.

Age Restrictions

• Our Services are not intended for individuals under 18 years of age
• We do not knowingly collect personal information from children under 18
• Parental consent is required for users under 18 in jurisdictions where permitted

If you believe we have collected information from a child under 18, contact us immediately at support@scalewaveai.com. We will investigate and delete the information promptly.

Email Communications

We may send you the following types of emails:

Transactional Emails (Cannot Opt-Out):

• Account creation and verification
• Password resets and security alerts
• Payment confirmations and invoices
• Service notifications and important updates
• Legal notices and policy changes

Marketing Emails (Can Opt-Out):

• Product announcements and new features
• Educational content and best practices
• Special offers and promotions
• Surveys and feedback requests

How to Opt-Out:

• Unsubscribe Link: Click the unsubscribe link at the bottom of any marketing email
• Email Us: Contact support@scalewaveai.com with "Unsubscribe" in the subject line

Note: Opting out of marketing emails does not affect transactional emails necessary for account management and service delivery.

Our Response to Privacy Signals

• Cookie Consent System: We have implemented a comprehensive cookie consent management system that allows you to control optional cookies
• Essential Services: Essential cookies for authentication, security, and core functionality cannot be disabled as they're necessary for the Services to work
• Optional Cookies: Analytics and third-party service cookies are only loaded with your explicit consent via our cookie banner
• Browser Settings: You can control cookies through your browser settings in addition to our consent system
• Future GPC Support: We are monitoring GPC adoption and plan to implement automatic recognition of GPC signals for California residents

Recommended: Use our Cookie Settings page at /settings/cookie-preferences for granular control over your privacy preferences.

Legal Retention Requirements

While we delete user content data immediately after processing, we are legally required to retain certain financial and business records for compliance purposes:

• GST Records: Retained for 6 years from the end of the financial year as per GST law
• Income Tax Records: Retained for 7 years as per Income Tax Act requirements
• Payment Records: Transaction history, invoices, receipts, and payment gateway data
• Audit Trail: Financial transactions and accounting records for statutory audits
• Companies Act Compliance: Books of accounts retained as required under Companies Act, 2013

Important: This retention applies only to billing, payment, tax, and compliance records. Your uploaded content data (images, files, etc.) is still deleted immediately after processing.

Breach Notification Process

• Internal Detection: Immediate investigation upon discovering a potential breach
• Regulatory Notification: We will notify the Data Protection Board of India within 72 hours of becoming aware of a breach, as required by DPDP Act 2023
• User Notification: Affected users will be notified within 72 hours via email to registered email addresses
• GDPR Compliance: For EU/EEA users, notification to supervisory authorities within 72 hours and to affected individuals "without undue delay"
• Public Disclosure: If the breach affects a large number of users or poses significant risk, we will post a public notice on our website

If your personal data is involved in a breach, you have the right to:

• Receive timely and comprehensive information about the breach
• Request deletion of your compromised data (subject to legal retention requirements)
• File a complaint with the Data Protection Board or relevant supervisory authority
• Seek compensation for damages if the breach resulted from our negligence or non-compliance
• Terminate your account without penalty

Note: No refunds will be provided for unused credits even in the event of a breach, as per our no-refund policy. However, we may offer service credits or extended access at our discretion in exceptional circumstances.

• Primary Processing: Deleted from primary processing servers within 60 seconds of API response delivery
• Temporary Storage: Deleted from any temporary storage or cache within 5 minutes
• Processing Logs: Metadata logs (without actual content) retained for 24 hours for debugging, then permanently deleted
• CDN Caches: If applicable for outputs, purged within 15 minutes
• Backup Systems: Content data is NOT included in our backup systems

We cannot delete data that we are legally required to retain:

• Financial records for tax compliance (GST, Income Tax): 6-7 years
• Data subject to legal hold, court orders, or ongoing investigations
• Data necessary to establish, exercise, or defend legal claims
• Anonymized or aggregated data that cannot identify you

General Privacy Inquiries

Email: support@scalewaveai.com

Data Protection Officer / Grievance Officer

Name: Yuvraj Garg
Designation: Director
Email: yuvraj@scalewaveai.com
Address: G2, C556-A, 4C Scheme, Naveen Vihar Colony, New Loha Mandi Road, Jaipur, Rajasthan, India - 302015

Response Timeframes:

• Acknowledgment: Within 48 hours of receiving your inquiry
• Resolution: Within 15 business days for grievances
• Data Subject Requests: Within 30 days for GDPR/CCPA/DPDP requests (may extend by 30-45 days with notice if complex)