Privacy Policy

Effective Date: 08/04/2026 | Last Updated: 09/04/2026

Surge Growth Technologies Private Limited ("Surge Growth", "we", "us", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, disclose, and protect personal data when you access or use surgegrowth.io ("Platform").

This Policy complies with the Digital Personal Data Protection Act, 2023 (DPDPA) and IT (Intermediary Guidelines) Rules, 2021 (India); the General Data Protection Regulation (GDPR) (EU) 2016/679 (European Union); and the California Consumer Privacy Act (CCPA) (United States), as applicable.

This is a B2B platform. The Platform collects and processes data of authorised business representatives - not end consumers. Please share this Policy with your nominated representative(s) accessing the Platform.

1. WHO WE ARE & SCOPE

Data Controller / Data Fiduciary: Surge Growth Technologies Private Limited, B-501, Sumadhura Essenza, Hosa Road Junction, Begur, Electronics City, Bangalore, Karnataka – 560100, India. GSTIN: 29ABNCS4910L1ZR.

This Policy applies to all business customers, their authorised representatives, and visitors who access surgegrowth.io. It does not apply to personal data that Customer employees or end-users provide to their own clients through campaigns managed via the Platform.

2. DATA WE COLLECT

2.1 Personal Data Collected Directly

Full name of authorised representative
Business email address
Profile photo or avatar (if voluntarily uploaded)
Billing and payment information (processed and tokenised by DodoPayments / Razorpay - Surge Growth does not store full card details)
Customer support and chat conversation logs

2.2 Platform & Technical Data

Google / Meta ad account data and OAuth access tokens (required to manage ad campaigns)
IP address and device information (browser type, OS, screen resolution)
Analytics cookies and platform usage data (pages visited, features used, session duration)
Workflow execution logs and automation activity records

2.3 How We Collect Data

Account registration and onboarding forms
OAuth 2.0 login (Google Sign-In, Meta Login)
Third-party API integrations (Google Ads API, Meta Marketing API, Google Suite, Vertex AI)
Customer support communications (chat, email)
Voluntary surveys and feedback forms

3. LEGAL BASIS FOR PROCESSING

We process personal data on the following lawful bases:

Contract (Art. 6(1)(b) GDPR / DPDPAS.4) - Processing is necessary to deliver services under the Terms of Service - account creation, ad management, workflow execution, billing.

Legal Obligation (Art. 6(1)(c) GDPR / DPDPAS.4) - Compliance with Indian tax law (GST), IT Act requirements, government orders, and court directions.

Legitimate Interests (Art. 6(1)(f) GDPR / DPDPAS.4) - Platform security, fraud prevention, abuse detection, and improving service quality - where these interests are not overridden by your rights.

Consent (Art. 6(1)(a) GDPR / DPDPAS.6) - Analytics cookies only - collected via an explicit opt-in cookie consent banner. Consent may be withdrawn at any time without affecting prior processing.

GDPR Note: For EU-based representatives, "consent" is only used for analytics cookies. All core service processing is based on contract or legitimate interests, which are more robust legal bases for B2B SaaS and cannot be withdrawn arbitrarily.

4. HOW WE USE YOUR DATA

Personal data is used strictly for the following purposes:

Creating and maintaining your account and platform access
Delivering contracted services (ad management, automation workflows, content creation)
Processing payments, generating invoices, and maintaining billing records
Providing customer and technical support
Sending transactional communications (account alerts, security notices, billing updates)
Detecting, investigating, and preventing fraud, abuse, and security threats
Complying with legal and regulatory obligations
Improving platform features and performance (using anonymised/aggregated analytics data)

We do not use Customer data, ad account data, or campaign data to train internal AI or machine learning models.

5. DATA SHARING & THIRD-PARTY SUB-PROCESSORS

We may share personal data with the following sub-processors strictly as necessary to deliver our services. All sub-processors are bound by data processing agreements:

Sub-Processor / Integration	Purpose
Google (Ads API, GSuite, Vertex AI, Analytics)	Ad management, cloud infrastructure, AI automation
Meta / Facebook (Marketing API)	Ad account management and campaign delivery
OpenAI and other AI/LLM providers	AI-powered workflow automation and content generation
DodoPayments / Razorpay	Payment processing and invoicing (PCI-DSS compliant)
Email & Communication Tools (e.g. SendGrid, Mailchimp)	Transactional and support emails
Analytics Tools (e.g. Mixpanel, Amplitude, Hotjar)	Platform usage analytics (anonymised where possible)
Customer Support Tools (e.g. Freshdesk, Zendesk)	Support ticket and conversation management

We do not sell, rent, or trade your personal data to any third party. All sub-processors are contractually bound to process data solely as instructed and in compliance with applicable data protection law.

6. DATA STORAGE, SECURITY & RETENTION

6.1 Storage Location. All personal data is stored exclusively on AWS (Mumbai region, India) and Google Cloud (East region, India). All data remains within India and is not transferred to servers outside Indian territory.

6.2 Security Measures. We implement the following technical and organisational security measures:

End-to-end encryption in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls and principle of least privilege
Secure OAuth 2.0 token storage with regular rotation
Regular internal security audits and vulnerability assessments
Multi-factor authentication (MFA) for administrative access

6.3 Data Retention. We retain personal data for the duration of the service relationship. Upon account termination or deletion request, personal data is retained for a maximum of 30 days to enable data export. After 30 days, all data is permanently and irrecoverably deleted. Legal and compliance records (e.g. billing records) may be retained as required by Indian tax law (typically 7 years).

7. COOKIES

7.1 surgegrowth.io uses analytics cookies to understand platform usage and improve user experience. We do not use advertising, behavioural tracking, or retargeting cookies.

7.2 Cookie Consent. A cookie consent banner is in the process of being implemented. Until the banner is live:

Indian users: Analytics cookies are used for platform improvement under our legitimate interests.
EU users (GDPR/ePrivacy): We acknowledge that non-essential cookie processing requires explicit prior consent. EU users may disable analytics cookies via their browser settings until the consent banner is deployed. No data collected via analytics cookies from EU users will be used for any purpose other than anonymised platform analytics.
US users (CCPA): Cookie data is not sold. California users may opt out of any "sharing" of personal information for cross-context behavioural advertising.

7.3 You may configure your browser to block or delete cookies at any time. Blocking strictly necessary cookies may affect Platform functionality.

GDPR Compliance Note (Revised): The previous version of this policy stated that "continued use implies acceptance of cookies." This statement has been removed. Under GDPR Art. 7 and the ePrivacy Directive, consent to non-essential cookies must be freely given, specific, informed, and unambiguous - it cannot be implied by continued use.

8. YOUR DATA RIGHTS

8.1 Rights Under Indian Law (DPDPA 2023)

Right to Access - obtain a summary of personal data held by Surge Growth (DPDPA S.12)
Right to Correction - rectify inaccurate or incomplete personal data (DPDPA S.12)
Right to Erasure - request deletion of your personal data and account (DPDPA S.12)
Right to Data Portability - receive a machine-readable copy of your data (DPDPA S.12)
Right to Withdraw Consent - withdraw consent for consent-based processing at any time, without affecting prior processing (DPDPAS.6)
Right to Nominate - nominate a person to exercise data rights in case of death or incapacity (DPDPA S.14)

8.2 Additional Rights for EU Users (GDPR)

Right of Access (Art. 15) - obtain a copy of all personal data we hold about you
Right to Rectification (Art. 16) - correct inaccurate data without undue delay
Right to Object (Art. 21) - object to processing based on legitimate interests
Right to Restriction (Art. 18) - restrict processing in specific circumstances
Right to Lodge a Complaint (Art. 77) - file a complaint with your national Data Protection Authority (DPA)

8.3 Additional Rights for California Users (CCPA / CPRA)

Right to Know - what categories of personal information are collected and how they are used
Right to Delete - request deletion of personal information
Right to Opt-Out - opt out of any "sale" or "sharing" of personal information (we do not sell data)
Right to Correct - correct inaccurate personal information
Right to Non-Discrimination - we will not discriminate against you for exercising CCPA rights

To exercise any right, contact the Grievance Officer (Section 9). We will respond within the timeframes required by applicable law.

9. GRIEVANCE OFFICER

In compliance with the IT (Intermediary Guidelines) Rules, 2021 and DPDPA 2023, Surge Growth has designated:

Name: Vaibhav Dusad
Designation: Co-Founder, Surge Growth Technologies Private Limited
Email: vaibhav@surgegrowth.io
Address: B-501, Sumadhura Essenza, Hosa Road Junction, Begur, Electronics City, Bangalore, Karnataka – 560100, India
Response Time: Acknowledgement within 24 hours; Resolution within 15 days of receipt.

For GDPR-related complaints from EU users that remain unresolved, you may escalate to your national Data Protection Authority (DPA).

10. DATA BREACH NOTIFICATION

In the event of a personal data breach:

India (DPDPA 2023): Surge Growth will notify the Data Protection Board and affected Data Principals as required under applicable rules.
EU (GDPR Art. 33–34): Surge Growth will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Affected individuals will be notified without undue delay where the breach poses a high risk.
US (State Laws): Affected users in US states with mandatory breach notification laws will be notified within applicable statutory timelines.

11. CHILDREN'S DATA

The Platform is a B2B service restricted to users aged 18 and above. We do not knowingly collect personal data from individuals under 18. If we discover that data of a minor has been inadvertently collected, it will be deleted immediately. Surge Growth complies with DPDPAS.9 (India), GDPR Art. 8 (EU), and COPPA (US) in this regard.

12. INTERNATIONAL USERS

12.1 EU Users. All personal data is stored within India. Surge Growth currently does not transfer personal data to servers outside India. If any cross-border transfer becomes necessary in the future, Surge Growth will implement appropriate GDPR-compliant transfer mechanisms (such as Standard Contractual Clauses) and update this Policy accordingly.

Correction from v1.0: The previous version referenced Standard Contractual Clauses (SCCs) as a current mechanism. This has been corrected - SCCs are not currently in use as all data remains within India. SCCs will be implemented if and when cross-border transfers occur.

12.2 US Users. Customers accessing the Platform from the United States are subject to this Policy. California-specific rights are addressed in Section 8.3.

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. Changes are posted on this page with a revised "Last Updated" date. For material changes that affect how we process your personal data, we will provide at least 30 days advance notice via email to the address registered with your account. Continued use of the Platform after the effective date of changes constitutes acceptance.

14. CONTACT

Surge Growth Technologies Private Limited
B-501, Sumadhura Essenza, Hosa Road Junction, Begur, Electronics City, Bangalore, Karnataka – 560100
Email: vaibhav@surgegrowth.io | Website: surgegrowth.io

SCHEDULE A - APPLICABLE LAWS & COMPLIANCE REFERENCE

Jurisdiction	Law / Regulation	Key Provisions Covered
🇮🇳 India	DPDPA, 2023	Data principal rights, fiduciary obligations, breach notification
🇮🇳 India	IT (Intermediary Guidelines) Rules, 2021	Grievance officer, 24-hr acknowledgement
🇮🇳 India	IT Act, 2000 S.43A	Reasonable security practices & procedures
🇪🇺 EU	GDPR (EU) 2016/679	Legal basis, data subject rights, DPA, breach notification (72 hrs)
🇪🇺 EU	ePrivacy Directive 2002/58/EC	Cookie consent requirements
🇺🇸 US	CCPA / CPRA (California)	Right to know, delete, opt-out, correct, non-discrimination
🇺🇸 US	COPPA	No collection of data from users under 13
🌍 Global	ISO/IEC 27001 (aligned)	Information security management standards