Privacy Policy

ScaleDux Software Innovations Private Limited

Last Updated: 04/06/2026

This Privacy Policy tells you exactly what personal data ScaleDux collects, why it is collected, how it is used, who it is shared with, how long it is kept, and what rights you have over it.

This Policy is governed by the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and all other applicable Indian laws.

ScaleDux operates with a commitment to honest, transparent data practices. Every statement in this Policy describes something ScaleDux actually does.

1. About This Policy and Who We Are

ScaleDux Software Innovations Private Limited is the Data Fiduciary for all personal data collected through the ScaleDux Platform, within the meaning of Section 2(i) of the Digital Personal Data Protection Act, 2023. As Data Fiduciary, ScaleDux determines the purpose and means of processing your personal data and is responsible for ensuring that processing is lawful.

This Policy applies to the ScaleDux web platform, mobile applications, and all associated services (collectively the ‘Platform’). By registering on the Platform or by using it in any capacity, you acknowledge that you have read this Policy and consent to the processing of your personal data as described here.

2. Scope – Who This Policy Applies To

This Privacy Policy applies to all individuals and entities who interact with the Platform in any capacity, including:

• Founders and Aspiring Founders who use the Platform to access services, mentorship, investor connections, and SCORE™ evaluations;
• Service Providers who offer and deliver professional services through the Platform;
• Mentors who provide advisory and guidance services through the Platform;
• Investors who use the Platform to discover and evaluate startup opportunities;
• Visitors who access publicly available portions of the Platform without registering; and
• Any other person whose personal data is processed by ScaleDux in connection with the Platform’s operation.

This Policy does not apply to third-party platforms, websites, or services that are linked from the Platform. Each linked service has its own privacy policy and ScaleDux is not responsible for their data practices.

The Platform is restricted to individuals aged 18 years and above. ScaleDux does not knowingly collect or process the personal data of any person under 18 years of age. If ScaleDux becomes aware that personal data of a person under 18 has been collected, it will be deleted without undue delay.

3. What Personal Data We Collect

The personal data we collect depends on how you use the Platform and which role you hold. We collect only the data necessary for the purposes described in Section 5 of this Policy.

3.1 Registration and Account Data – All Users

When you create an account on the Platform, we collect:

• Your full legal name;
• Your email address, which serves as your primary account identifier;
• Your mobile number for OTP verification and account security;
• Your chosen password, stored only in a securely hashed form – ScaleDux never stores plain-text passwords;
• Your role selection – Founder, Service Provider, Mentor, or Investor;
• Your IP address and basic device information at the time of registration; and
• The date and time of account creation and most recent login.

Where ScaleDux derives anonymized and aggregated data from SCORE™ assessments for benchmarking and research purposes, ScaleDux will not attempt to re-identify that data, except solely to verify the effectiveness of its anonymization process or where required by law.

3.2 KYC Identity Verification Data

All users who wish to make or receive payments or access certain Platform features must complete our KYC verification process. We collect:

For Individuals:

• Permanent Account Number (PAN) – mandatory for TDS compliance under Section 194-O of the Income-tax Act, 1961;
• Government-issued photo identification – Aadhaar number (via UIDAI-authorized eKYC only – ScaleDux does not store your raw Aadhaar number), Passport, Driving License, or Voter ID; ScaleDux maintains a record of the consent you give for Aadhaar-based verification, as required by the guidelines of the Unique Identification Authority of India. This record contains no Aadhaar number. It records only that consent was given, the date and time of consent, and the purpose for which verification was conducted. This record is maintained separately from your identity verification result.
• Date of birth;
• Residential address; and
• Bank account details (account number, IFSC code, and account holder name) for receiving settlements.

For Business Entities (Incorporated Founders, Agencies):

• Company Identification Number (CIN) or LLP Identification Number;
• GSTIN;
• Details of authorized signatory or director;
• Registered office address; and
• Certificate of Incorporation and GST registration certificate.

Aadhaar-Based eKYC: Where Aadhaar-based verification is used, it is conducted exclusively through UIDAI-authorised Authentication User Agencies or KYC User Agencies. ScaleDux receives only the authentication result – a confirmation of identity. ScaleDux does not store, retain, or collect your Aadhaar number in its own systems.

3.3 Role-Specific Profile Data

Founders:

• Startup name, description, industry, and stage of development;
• Team size and composition;
• Revenue and funding history (for SCORE™ assessment inputs);
• Pitch materials, financial projections, and documents uploaded to the investor data room; and
• SCORE™ assessment inputs across all assessment categories.

Service Providers:

• Professional skills, expertise, and service categories;
• Portfolio work samples and case studies;
• Professional experience and work history;
• Pricing and availability; and
• Certifications and qualifications claimed on the Platform profile.

Mentors:

• Professional credentials, qualifications, and industry expertise;
• Professional body registrations claimed (e.g., ICAI, Bar Council of India, SEBI);
• Session pricing and calendar availability; and
• LinkedIn profile URL if linked voluntarily.

Investors:

• Investment focus area, preferred stage, and ticket size range;
• Portfolio companies disclosed voluntarily; and
• NDA execution records for Founder data room access.

3.4 Transactional Data

For all payment-related activities, we collect:

• Payment amounts and timestamps;
• Transaction reference numbers received from the Payment Gateway;
• Payment status records – pending, completed, failed, or refunded;
• Tax Deducted at Source amounts and associated PAN records;
• Commission and Marketplace Fee deduction records;
• Settlement records – amounts, dates, and destination bank account;
• Refund and chargeback records;
• GST invoice numbers and details; and
• Form 16A issuance records for Service Providers and Mentors.

ScaleDux does not collect or store raw payment card numbers, card verification values, UPI PINs, or net banking credentials. Payment instrument details are processed and stored by our Payment Gateway providers – Razorpay and/or PayU – under their own security infrastructure and RBI authorization.

UPI transaction data processed through the Platform is handled in compliance with the National Payments Corporation of India guidelines applicable to UPI transactions and the Payment Gateway’s own obligations as an NPCI-authorized entity. ScaleDux does not store your UPI ID or VPA beyond what is necessary to process the specific transaction.

3.5 Platform Usage Data

When you use the Platform, we automatically collect:

• Pages and features accessed, and session duration;
• Search queries entered;
• Projects created and their details; messages sent through the Platform;
• Files uploaded and documents submitted;
• Dispute submissions and history; reviews and ratings submitted;
• Login and logout timestamps;
• Device type, operating system, and browser type and version;
• IP address at each login; and
• Notification interaction data – whether in-app notifications were opened or dismissed.

3.6 SCORE™ and AI Analysis Data

If you use the SCORE™ evaluation framework or AI Analysis features (when available), we collect:

• All assessment inputs submitted across every assessment category – these include detailed business data about your startup;
• Your SCORE™ numerical results, category scores, and Data Confidence Index values;
• SCORE™ report unlock payment records and assessment history;
• AI Analysis inputs and outputs for each analytical framework purchased; and
• Documents tagged as SCORE™ evidence in your document repository.

SCORE™ assessment inputs are among the most sensitive data you submit to the Platform. This data is used exclusively for the purposes described in Section 5 and is never shared with investors or other users without your explicit action.

3.7 Investor Data Room Data

For Founders who use the investor data room, we collect and maintain:

• All documents you upload to your data room;
• Investor access logs – recording which investor accessed which document and at what time;
• NDA (Platform Confidentiality Agreement) execution records with timestamps;
• Document download records; and
• Access grant and revoke actions.

These records are maintained as evidence of disclosure for your protection. They are available to you through your account dashboard and may be used as electronic records evidence under Section 65B of the Indian Evidence Act, 1872.

3.8 Communications and Dispute Data

We collect and retain:

• All messages exchanged through the Platform’s messaging infrastructure between users;
• Dispute submissions, descriptions, and supporting evidence submitted;
• ScaleDux’s determinations and responses in dispute processes; and
• Correspondence with ScaleDux’s support team.

3.9 Compliance and Regulatory Data

To meet our legal obligations, we collect and maintain:

• AML screening results and KYC verification records;
• Politically Exposed Person (PEP) screening results;
• Records required under the Prevention of Money-Laundering Act, 2002;
• Grievance submissions and responses under the IT Rules, 2021; and
• Records produced in response to court orders or regulatory directions.

Important: ScaleDux is legally prohibited under Section 73 of the Prevention of Money-Laundering Act, 2002 from disclosing to any person that a Suspicious Transaction Report has been filed in respect of their account or that an investigation is underway. If your account is suspended for compliance reasons, ScaleDux may be unable to provide a full explanation by reason of this statutory restriction.

3.10 Public Profile Data

Information you choose to make publicly visible on the Platform including your name, professional credentials, skills, portfolio items, and profile description may be indexed by external search engines and accessible to any internet user, not only registered Platform users. ScaleDux does not control how search engines or third parties access or use publicly visible information. Do not include information you consider private or sensitive in any publicly visible section of your profile.

3.11 Marketing Communications

Where you have given explicit consent, ScaleDux may contact you by email, WhatsApp, and push notification with Platform updates, new features, and relevant offers. Your consent to marketing communications is separate from your acceptance of this Policy and can be withdrawn at any time by clicking the unsubscribe link in any marketing email, by replying STOP to any WhatsApp marketing message, or by updating notification preferences in your account settings.

Transactional communications including payment confirmations, TDS certificates, settlement statements, dispute notifications, account security alerts, and any communication required to perform the Terms of Service are sent on the basis of contractual and legal necessity. They are not marketing communications and continue regardless of your marketing consent status.

WhatsApp and SMS marketing messages are sent only through sender IDs and message templates registered on the Telecom Regulatory Authority of India’s Distributed Ledger Technology platform, in compliance with the TRAI Telecom Commercial Communications Customer Preference Regulations, 2018. WhatsApp and SMS marketing messages are sent only through TRAI DLT registered sender IDs and message templates.

4. How We Collect Your Data

4.1 Data You Give Us Directly

You provide data directly when you register for an account, complete KYC verification, fill out your role profile, create a project or submit a Statement of Work, send messages to other users, submit a SCORE™ assessment, upload documents to your data room, file a dispute, or contact our support team.

4.2 Data We Collect Automatically

When you access and use the Platform, our servers and technology infrastructure automatically collect technical data about your session including your IP address, device type, operating system, browser, pages visited, features used, session duration, and interaction patterns. This collection is necessary for Platform security, detecting fraudulent activity, and improving the Platform’s functionality.

We also use cookies and similar tracking technologies. The types of cookies we use and how you can control them are described in Section 10 of this Policy.

4.3 Data We Receive From Third Parties

We receive data about you from third parties in the following specific circumstances:

• eKYC Vendor: Our UIDAI-authorised eKYC vendor provides us with the result of your identity verification – confirming that your identity was verified – but does not provide us with your raw Aadhaar number or biometric data;
• Payment Gateway: Razorpay provide us with transaction confirmation data, reference numbers, and payment status – but not your complete card number or banking credentials;
• Government Databases: Where we verify your PAN, GSTIN, or company details through government systems, we receive the verification result from those systems; and
• Other Users: Other users may provide information about you when they submit projects, send messages, post reviews, or file disputes. All such information is subject to this Policy.

5. Why We Process Your Data – Purposes and Legal Bases

The Digital Personal Data Protection Act, 2023 requires ScaleDux to identify a lawful basis for each type of processing activity. The table below maps every significant processing purpose to the data used and its legal basis.

The lawful bases we rely on are:

• Consent [S.6]: You have given us clear, specific, informed consent for the specific purpose;
• Contract [S.7(b)]: Processing is necessary to perform the Terms of Service contract with you;
• Legal Obligation [S.7(c)]: Processing is required by Indian law; and
• Legitimate Interest [S.7(j)]:Processing is necessary for ScaleDux’s or a third party’s legitimate interests, provided those interests are not overridden by your rights.

ScaleDux does not sell your personal data to any third party. ScaleDux does not use your personal data for targeted advertising by third parties. ScaleDux does not profile you for automated decision-making that produces legal or similarly significant effects without human review.

6. Who We Share Your Data With

ScaleDux shares personal data only to the extent necessary for the purposes described in this Policy. We do not sell personal data. The categories of recipients are set out below.

6.1 Payment Gateways

We share transaction data with our Payment Gateway providers – currently Razorpay and/or PayU – to process payments, execute settlements, and handle refunds. The Payment Gateway receives the data necessary to execute the transaction. The Payment Gateway processes this data under its own privacy policy and RBI authorisation. ScaleDux is not responsible for the Payment Gateway’s data practices.

6.2 eKYC and Identity Verification Vendors

We share identity documents and verification requests with our UIDAI-authorised eKYC vendor to conduct KYC verification. The vendor processes your identity data under its own obligations as a UIDAI-authorised agency. ScaleDux receives only the verification result.

6.3 Cloud Infrastructure and Technology Providers

ScaleDux uses third-party technology providers – including cloud hosting, email delivery, SMS delivery, and platform monitoring services – to operate the Platform. These providers act as data processors on ScaleDux’s instructions and process your data only to the extent necessary to provide their service.

ScaleDux does not currently commit to using specific named providers, as our infrastructure evolves with our stage of development and commercial requirements. When we use specific third-party tools, we update our Cookie Notice (see Section 10) to reflect this. Our commitment is to use reputable, security-conscious providers and to hold them to contractual data protection standards consistent with the DPDP Act, 2023. For technology service providers used specifically in connection with SCORE™ and AI Analysis features, see Section 13 of this Policy.

6.4 Tax and Regulatory Authorities

We are legally required to share certain personal data with government authorities, including:

• The Income Tax Department of India – TDS deduction records, PAN data, and Form 26AS entries under Section 194-O of the Income-tax Act, 1961;
• GST Authorities – TCS collection records and GST invoice data under Section 52 of the CGST Act, 2017; and
• Any other authority where disclosure is required by a valid court order, statutory obligation, or regulatory direction.

Such disclosures are statutory obligations. ScaleDux will, where lawfully practicable, inform you before making any such disclosure.

6.5 Law Enforcement and Regulatory Bodies

ScaleDux may disclose personal data to law enforcement agencies, financial intelligence units, or regulatory authorities where required by Applicable Law or where ScaleDux has a good-faith belief that disclosure is necessary to investigate or prevent fraud, money laundering, or other criminal activity. This includes the Financial Intelligence Unit-India (FIU-IND) under the Prevention of Money-Laundering Act, 2002.

6.6 Other Platform Users – Only What You Choose to Share

ScaleDux shares your data with other users only to the extent you have chosen to make it visible:

• Your public profile data – including your name, profile photo, skills, portfolio, and ratings – is visible to other registered users in the manner you configure;
• Founders: documents you publish to your investor data room are accessible to investors with active subscriptions, subject to any NDA-gating you apply; and
• Messages you send to another user through the Platform are visible to the recipient.

ScaleDux does not share your SCORE™ assessment inputs, unpublished documents, bank account details, PAN, or KYC documents with any other user under any circumstances.

6.7 Arbitrators and Legal Proceedings

Where a dispute is referred to formal arbitration, relevant platform records may be shared with the appointed arbitrator. All arbitration proceedings are subject to the strict confidentiality obligations in Section 16.12 of the Terms of Service.

6.8 Corporate Transactions

If ScaleDux undergoes a merger, acquisition, or sale of assets, personal data may be transferred to the acquirer or successor entity as part of that transaction. Any acquirer will be required to honour the commitments in this Privacy Policy or give users advance notice of any changes. ScaleDux will notify registered users of any such assignment within 30 days of its completion.

7. Cross-Border Data Transfers

The DPDP Act 2023 includes provisions governing the transfer of personal data outside India. However, as of the date of this Policy, the Central Government has not yet notified the specific rules restricting cross-border transfers. Until those rules are notified, ScaleDux’s cross-border transfer obligations are governed by the IT Act 2000 and existing regulatory frameworks.

As a startup at an early stage of infrastructure development, ScaleDux may use third-party cloud and technology providers whose servers are located partially or wholly outside India. Where this occurs:

• Payment system data – meaning transaction records, payment instrument details, and settlement records – is processed and stored by our RBI-authorised Payment Aggregators (Razorpay and/or PayU) in India, in compliance with the RBI circular on Storage of Payment System Data dated 6 April 2018.
• Non-payment personal data – such as profile data, communications, and platform usage data – may be processed by technology providers whose infrastructure includes servers outside India. We select providers with internationally recognised security certifications and contractual data protection standards.

ScaleDux commits to comply with all data localisation and cross-border transfer requirements applicable to it under the DPDP Act 2023 and its rules as and when those requirements are notified by the Government of India. We will update this Policy with at least 30 days’ advance notice if our cross-border transfer practices change materially.

8. How Long We Keep Your Data

We retain personal data for the minimum period necessary to fulfil the purpose for which it was collected or as required by law. After the applicable period, data is securely deleted or irreversibly anonymised.

Retention periods may be extended where ScaleDux is required to preserve data in connection with active legal proceedings, a regulatory investigation, or a court order.

9. Your Rights Under the DPDP Act, 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights in respect of your personal data. You may exercise any of these rights by contacting us at [email protected].

Non-Discrimination: ScaleDux will not discriminate against any user for exercising any right described in this Section. Exercising your data rights will not result in denial of Platform access, different pricing, reduced service quality, or any account consequence. If you believe ScaleDux has discriminated against you for exercising a data right, contact [email protected].

Authorised Agent Provision:You may also exercise these rights through an authorised representative a person you have explicitly authorised in writing to act on your behalf for data rights purposes. Where a request is made by an authorised representative, ScaleDux will verify both the representative’s identity and the written authorisation before processing the request. ScaleDux cannot process requests from unverified representatives.

Verifying Your Identity: Before processing any access, correction, or erasure request, ScaleDux will verify your identity by sending a confirmation link to your registered email address. Requests that cannot be verified will not be processed. ScaleDux will inform you if additional verification is needed for requests involving sensitive data categories.

9.1 Right to Access Your Data – Section 11

You have the right to obtain from ScaleDux a summary of the personal data we hold about you and information about the processing activities performed on it. Email [email protected]with the subject line ‘Data Access Request’. We will respond within 30 days of receiving a valid request.

9.2 Right to Correction and Erasure – Section 12

You have the right to request correction of any inaccurate or incomplete personal data we hold. Where your personal data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other lawful basis for processing, you may request erasure.

Erasure requests are subject to one important limitation: ScaleDux cannot erase data that it is legally required to retain. This includes KYC documents (5 years under PMLA), tax records (7-8 years under the Income-tax Act), and GST records (5 years under the CGST Act). We will inform you of any such retention obligations in our response.

9.3 Right to Withdraw Consent – Section 6(4)

Where ScaleDux processes your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out before you withdrew it.

To withdraw consent for marketing communications, click the unsubscribe link in any marketing email or WhatsApp message, or update your notification preferences in your account settings. To withdraw consent for other processing, email [email protected] describing the specific processing activity.

9.4 Right to Grievance Redressal – Section 13

You have the right to have your grievances in respect of personal data processing addressed promptly by ScaleDux. The process for submitting a data-related grievance is described in Section 15 of this Policy.

9.5 Right to Nominate – Section 14

You may nominate another individual to exercise your rights under the DPDP Act on your behalf in the event of your death or incapacity. To register a nominee, email [email protected]with the nominee’s full name, contact details, and your relationship to them.

9.6 Right to Complain to the Data Protection Board

If you are not satisfied with ScaleDux’s response to your grievance, you have the right to make a complaint to the Data Protection Board of India, once it is constituted and operational under the DPDP Act 2023. The Board’s contact details will be published on the Ministry of Electronics and Information Technology’s website when it becomes operational.

9.7 Appeals – If ScaleDux Denies Your Request

If ScaleDux denies your data rights request in whole or in part, ScaleDux will explain the reason for the denial in writing, including the specific legal or factual basis on which the request was declined.

If you disagree with the decision, you may submit an appeal by emailing [email protected]with the subject line ‘Data Rights Appeal’, setting out why you believe the denial was incorrect. ScaleDux will review your appeal and respond within 30 Days.

If your appeal is not resolved to your satisfaction, you may escalate to the Data Protection Board of India as described in Section 9.6.

10. Cookies and Tracking Technologies

Cookies are small text files placed on your device when you access a website or application. ScaleDux uses cookies and similar tracking technologies for the purposes described below.

10.1 Types of Cookies We Use

10.2 Third-Party Analytics Tools

ScaleDux uses third-party analytics and performance monitoring tools to help us understand Platform usage and improve user experience. The specific tools we use are listed in our Cookie Notice, published at www.scaledux.com and updated whenever we change tools. The Cookie Notice is also accessible from the footer of every page on the Platform. When ScaleDux adds, changes, or removes any tracking tool, the Cookie Notice is updated to reflect the change. The Privacy Policy does not need to be updated when tools change within the same category.

As a startup at an early stage, ScaleDux may use different analytics tools at different stages of its development, depending on cost, features, and data protection standards. Our Cookie Notice is the single source of truth for which specific tools are currently active. It is accessible from the footer of every page on the Platform.

10.3 Managing Your Cookie Preferences

When you first access the Platform, a cookie consent banner will allow you to accept or decline non-essential cookies. You may change your preferences at any time through the cookie preference centre accessible from the footer of every page on the Platform. You may also manage cookies through your browser settings.

11. Security

• ScaleDux takes reasonable steps to protect the personal data it holds from unauthorised access, accidental loss, alteration, and destruction. The measures we currently have in place include the following.
• All data transmitted between your device and the Platform travels over an encrypted connection using TLS (Transport Layer Security).
• Passwords are stored in a securely hashed form. ScaleDux never stores your password in plain text and our systems cannot retrieve it.
• Access to personal data within ScaleDux’s systems is restricted. Only personnel who need access to perform a specific function can access that data.
• Identity verification including Aadhaar and PAN verification is handled entirely by IDto, a third-party verification provider. ScaleDux does not receive, store, or process your raw Aadhaar number, PAN number, or any government-issued identity document. ScaleDux receives only the verification result confirmed or not confirmed.
• Payment processing is handled by third-party Payment Gateway providers authorised by the Reserve Bank of India. ScaleDux does not receive, store, or process your payment card details, UPI PIN, or net banking credentials. Those details are entered directly into the Payment Gateway’s own secure environment and never pass through ScaleDux’s systems.
• ScaleDux monitors platform activity for unusual access patterns and suspected fraud.
• We require third-party service providers who process data on our behalf to maintain appropriate security standards for the services they provide.
• ScaleDux is an early-stage company. We are honest about the fact that our security infrastructure will improve as we grow. We review and strengthen our security measures continuously and with each significant development in our operations. We will not make claims about our security that go beyond what we actually have in place.
• No security system can guarantee complete protection against all possible threats. If a security incident occurs that is likely to affect your personal data, ScaleDux will notify you and the Data Protection Board of India as required by Section 8(6) of the Digital Personal Data Protection Act, 2023. We will tell you what happened, what data was affected, and what steps we have taken in response.
• If you suspect that your account has been accessed without your authorization, contact us immediately at [email protected].

You are responsible for maintaining the confidentiality of your account credentials. Never share your password, OTP, or login details with anyone including anyone claiming to represent ScaleDux. We will never ask for your password.

If you believe your account has been accessed without your authorisation, report it to us immediately at [email protected]. Prompt reporting helps us act quickly to protect your data and limit any potential impact.

Passwords must meet ScaleDux’s Password Policy requirements including minimum length, complexity, and uniqueness standards. Using a strong, policy-compliant password is not optional; it is a condition of using your account securely.

ScaleDux shall not be held liable for any loss or damage arising from your failure to safeguard your account credentials.

12. Data Security Incidents and Notification

12.1 Scope and Applicability

This clause applies to Security Incidents that originate within ScaleDux’s own systems, infrastructure, and directly controlled data processing environments. ScaleDux does not assume notification obligations for security incidents occurring within the independent systems of third-party service providers, payment processors, cloud infrastructure providers, or other external vendors except to the extent expressly required under applicable law. Where such third-party incidents may affect your personal data, ScaleDux will make reasonable efforts to communicate available information once received from the relevant third party.

12.2 Definition of Security Incident

For the purposes of this Policy, a “Security Incident” means a confirmed, material breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data processed by ScaleDux which ScaleDux, in its reasonable assessment, determines is likely to result in significant harm to affected individuals. Not every anomaly, technical error, or suspected event constitutes a Security Incident triggering notification obligation. ScaleDux retains the sole and reasonable discretion to make this determination based on the facts available at the time of assessment.

12.3 Notification to Affected Users

Where a Security Incident is confirmed and determined to meet the threshold described in Clause 12.2, ScaleDux will endeavour to notify affected users at their registered email address within a reasonable timeframe after confirming the incident subject to the following conditions:

(a) Notification may be delayed where required by applicable law, or where directed by a competent law enforcement authority, regulatory body, or judicial order investigating the incident;

(b) The content of the notification will reflect information available and verifiable at the time of communication. ScaleDux does not warrant the completeness or finality of information provided in an initial notification, and may issue supplementary communications as the investigation progresses;

(c) Where individual notification is not reasonably practicable due to the scale of the incident or operational constraints, ScaleDux may, at its discretion, issue a prominent public notice on its official website or platform as a substitute or supplement to direct notification.

12.4 Regulatory Reporting

ScaleDux will report confirmed Security Incidents to the Data Protection Board of India in accordance with the obligations and timelines applicable under the Digital Personal Data Protection Act, 2023, and the rules and regulations notified thereunder from time to time. Where rules remain pending notification, ScaleDux will act in accordance with the best available regulatory guidance and industry standards.

12.5 No Admission of Liability

The issuance of a Security Incident notification by ScaleDux shall not, under any circumstances, be construed as an admission of fault, negligence, or legal liability on the part of ScaleDux, its directors, officers, employees, or agents. ScaleDux’s notification obligations are undertaken in good faith and in the interest of user transparency, and do not create any independent cause of action against ScaleDux.

12.6 Limitation of Liability

To the fullest extent permitted under applicable law, ScaleDux’s liability arising out of or in connection with any Security Incident including any delay in notification, any inaccuracy in preliminary notification content, or any consequences flowing from the incident itself shall be limited as set out in the Limitation of Liability clause of this Policy. Users are encouraged to maintain independent safeguards for their personal data, including strong account credentials, as detailed in Clause 11.

12.7 Good Faith Compliance

ScaleDux is an early-stage technology company operating in full compliance with applicable Indian laws. Our security practices are implemented in good faith and are continuously evolving. We commit to acting responsibly, transparently, and promptly in the event of any confirmed Security Incident, within the bounds of what is operationally and legally feasible at the relevant time.

13. SCORE™ and AI Analysis – Data Practices

13.1 How Your Data Is Used

When you complete a SCORE™ assessment, the answers and information you submit are processed by ScaleDux to generate your SCORE™ result and report. ScaleDux holds your assessment inputs, your scores, and your report in your account. Your assessment data is not used for any purpose other than generating and maintaining your SCORE™ result and, where you have purchased AI Analysis, the analytical content requested.

13.2 Technology Service Providers

Where a service provider is involved in processing data in connection with your SCORE™ or AI Analysis purchase, that provider receives only the data necessary to deliver the specific service requested. That provider does not receive your name, email address, PAN, Aadhaar details, KYC documents, bank account information, or the answers you submitted in your assessment questionnaire.

Each technology service provider engaged in connection with SCORE™ or AI Analysis is bound by a data processing agreement that restricts them to processing your data solely for the specific purpose for which ScaleDux has engaged them. They are not permitted to use your data to improve their own systems, share it with other parties, or retain it beyond the period required to complete the service.

13.3 What SCORE™ Is Not

SCORE™ outputs – including numerical scores, category scores, report content, and recommendations – are not credit ratings, investment research, financial advice, valuation reports, or any instrument regulated by the Securities and Exchange Board of India, the Reserve Bank of India, or any other regulatory authority. ScaleDux is not registered with SEBI in any capacity. No SCORE™ output constitutes a professional opinion or a guarantee of any business outcome. Any person who uses a SCORE™ output in connection with an investment, funding, or commercial decision does so at their own risk and without any advisory relationship with ScaleDux.

13.4 Your Rights in Relation to SCORE™ Data

You may request a summary of the personal data ScaleDux holds from your SCORE™ assessments and a description of how that data was processed. Send your request to [email protected]. ScaleDux will respond within 30 Days. Your rights in respect of correction, erasure, and other SCORE™-related data are governed by Section 9 of this Policy.

14. Investor Data Room – Specific Data Practices

The investor data room involves personal data about Founders being made accessible to Investors. Founders control the data room entirely. Only documents that a Founder explicitly publishes to their data room are accessible to investors. No document is automatically transferred from the SCORE™ evidence context to the data room.

Investors who access a Founder’s data room are bound by the Platform Confidentiality Agreement they execute before access. ScaleDux maintains access logs recording which investor accessed which document and at what time. These logs are available to Founders through their account dashboard and may be used as electronic records evidence under Section 65B of the Indian Evidence Act, 1872.

ScaleDux’s access logs record which investor accessed which Founder’s document and at what time. These records may constitute relevant evidence in proceedings under the Securities and Exchange Board of India (Prohibition of Insider Trading) Regulations, 2015, where an investor’s access to a Founder’s non-public information through the data room is in question. ScaleDux will produce these records in response to a valid court order, regulatory direction, or written request from a party to an active legal or arbitral proceeding, as provided in Section 6.5 of this Policy.

ScaleDux does not review, verify, or take responsibility for the content of any document in any Founder’s data room. ScaleDux’s role is to provide the infrastructure, maintain the access logs, and facilitate NDA execution.

15. Grievance Mechanism

ScaleDux has designated a Grievance Officer in accordance with Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the requirements of the DPDP Act, 2023. All complaints and grievances relating to your personal data, this Privacy Policy, or ScaleDux’s data practices should be directed to the Grievance Officer.

Your complaint must include your full name, your registered email address, a description of the specific concern, the personal data to which the grievance relates, and any supporting information you consider relevant.

If you are not satisfied with ScaleDux’s response, you may escalate to the Data Protection Board of India once it is constituted under the DPDP Act 2023.

16. Changes to This Privacy Policy

ScaleDux may update this Privacy Policy from time to time as the Platform evolves, as our data practices change, or as the law requires.

The effective date at the top of this Policy indicates when the current version came into force. ScaleDux will maintain a version history of this Policy. Previous versions are retained for a minimum of 3 years from the date they were superseded and are available on written request to [email protected]. Each version is identified by its effective date.

Your continued use of the Platform after any change to this Policy takes effect constitutes your acceptance of the updated Policy.

17. Contact Us

For any query, concern, or communication relating to this Privacy Policy or ScaleDux’s data practices, please use the appropriate contact below: