Last Updated: January 26, 2026
This Privacy Policy describes how Scaalr, Inc. (formerly known as Xolo Security Inc.) ("Scaalr," "we," "us," or "our") collects, uses, discloses, and safeguards personal data in connection with our website (scaalr.com), software-as-a-service platform, APIs, and related online or offline offerings (collectively, the "Services").
We may revise this Privacy Policy from time to time. If we make material changes, we will post the updated Privacy Policy and, where required by applicable law, provide additional notice or obtain consent. The effective date of the updated Privacy Policy will be the date it is posted (unless otherwise stated).
Important Note — Client Data: This Privacy Policy does not apply to personal data that we process on behalf of our clients through their use of the Services ("Client Data"). For Client Data, Scaalr acts as a data processor (or sub-processor, as applicable) and our clients act as data controllers. Our processing of Client Data is governed by the applicable contract(s) with clients, including any Data Processing Agreement ("DPA"), not this Privacy Policy. Questions about Client Data should be directed to the relevant client. If you are an end user interacting with a client's AI agent or workflow, the client is responsible for providing you with appropriate privacy notices and for responding to requests regarding your personal data. Scaalr will assist clients with such requests in accordance with the applicable DPA.
Scaalr is the data controller for personal data it collects and determines the purposes and means of processing (e.g., website visitors, account owners, billing contacts, marketing contacts).
For Client Data (e.g., end-user information uploaded by or collected on behalf of a client within the Services, including conversational transcripts), Scaalr acts as a data processor and processes such data only on documented instructions of the client, as set out in the DPA.
Identification and contact data (name, company, job title, email, phone, address); account and authentication data (username, password); content you upload or submit (documents, property records, tenant information, conversation prompts and messages); communications (support tickets, email, chat); and billing information (billing address, transaction details). Payment card data is processed by third-party payment processors; Scaalr does not store full card numbers.
Device and technical data (IP address, device identifiers, browser/OS, approximate location derived from IP); usage data (pages viewed, features used, session metadata, timestamps); cookies and similar technologies (see Section 10); and conversational interaction metadata generated when using AI agents.
We may receive personal data from vendors, integration partners, and service providers (e.g., cloud hosting, communications, analytics, payments), as well as publicly available sources and business partners.
Scaalr does not intentionally seek to collect Special Categories of Data or government identifiers. If such data is submitted to the Services by you or at a client's direction, it will be processed only as necessary to provide the Services and as permitted by law and the applicable DPA.
We process personal data for the following purposes and legal bases:
Note on AI Improvement: We may use de-identified or aggregated conversational data to evaluate, improve, and develop models and system performance. We do not use identifiable personal data for model training without appropriate consent or a separate lawful basis and safeguards.
We may disclose personal data to:
Your personal data may be transferred to and processed in jurisdictions outside your own, including the United States. Where required, we implement appropriate safeguards such as the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, and Swiss-specific provisions, along with technical and organizational measures (e.g., encryption, access controls). Transfer impact assessments are maintained as appropriate.
We retain personal data for as long as reasonably necessary to fulfill the purposes for which it was collected, including to provide the Services and to comply with legal, accounting, tax, or reporting requirements. Retention periods may vary based on the type of data, how the Services are configured and used, contractual requirements (including with clients), and applicable law.
In general, we retain account and billing records for the duration of the customer relationship and thereafter for an appropriate period to satisfy legal and audit requirements. We retain logs, support records, and analytics data for periods that are reasonably necessary for security, troubleshooting, and service improvement, subject to configuration and vendor settings. We may retain de-identified or aggregated data for longer for analytics, security, and service improvement. We may also retain limited copies of data in backups for a reasonable period in accordance with our backup and disaster recovery practices.
Subject to Applicable Data Protection Law, you may have the rights to access, rectify, erase, restrict, and object to processing; to data portability; and to withdraw consent (where processing is based on consent). You may also lodge a complaint with a supervisory authority. To exercise rights, contact info@scaalr.com. For Client Data processed on behalf of our clients, please direct requests to the relevant client/controller; Scaalr will assist as required under the applicable DPA. We may need to verify your identity. We will respond without undue delay and within one month of receipt, extendable by two months in complex cases.
We use cookies, pixels, and similar technologies to operate and personalize the Services, analyze usage, and (where permitted) for marketing. You can manage cookies through your browser settings and, where available, through any cookie preference tools we provide on the site. If you disable certain cookies, some features may not function.
The Services are not directed to individuals under eighteen (18) years of age, and we do not knowingly collect personal data from minors. If we learn that we have collected such data, we will delete it.
We implement reasonable and appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Depending on the nature of the data and how the Services are used, these measures may include, for example, encryption (in transit and/or at rest), access controls, network security measures, logging and monitoring, vulnerability management, and secure development practices. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.
Scaalr's AI agents may process inputs and draft or send communications (including by voice or email) as configured by the client. Clients are solely responsible for (i) assessing whether the Services are appropriate for their use cases, (ii) determining what content is sent, (iii) implementing any required approvals or human review, and (iv) complying with all applicable laws and obligations. Scaalr does not make, and is not responsible for, clients' decisions or actions, including any decisions that may produce legal or similarly significant effects on individuals.
The Services may contain links to or integrations with third-party sites, platforms, or applications. Scaalr is not responsible for the privacy practices of such third parties. We encourage you to review their privacy policies.
In the event of a personal data breach impacting personal data for which Scaalr is a controller, we will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of and confirming the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Where Scaalr acts as a processor, we will notify the client/controller without undue delay in accordance with the DPA so the controller can fulfill its legal obligations, including any notification to individuals and authorities.
Where the Personal Information Protection and Electronic Documents Act ("PIPEDA") applies and Scaalr is an organization in control of the personal information involved, we will report breaches of security safeguards to the Office of the Privacy Commissioner of Canada and notify affected individuals as required by law, including where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm. Notifications to individuals will be provided as soon as feasible after we determine that such a breach has occurred. We will also maintain records of breaches as required by applicable law.
We maintain processes to implement data protection by design and by default, including access minimization, role-based permissions, and secure development practices. We perform data protection impact assessments ("DPIAs") where processing is likely to result in high risk to individuals (e.g., large-scale processing of personal data via conversational AI agents), and we cooperate with clients regarding DPIAs for Client Data processing.
Scaalr maintains records of processing activities where required by law, including the categories of data subjects and personal data, purposes, recipients, transfers, and technical and organizational security measures.
Controller: Scaalr, Inc.
Email: info@scaalr.com