Data Protection
Last updated: 16 July 2026
Roothscale handles some of the most scrutinised data there is. This statement sets out our data protection commitments under India’s Digital Personal Data Protection Act, 2023 (DPDP) and the rules made under it.
1. Roles & accountability
The engaging campaign is the Data Fiduciary; Roothscale is its Data Processor. A written Data Processing Agreement governs every engagement and binds us to process personal data only on the campaign’s documented instructions.
2. Consent as a first-class control
- Consent is captured at the point of collection and stored as a consent artifact (who, when, script version, location).
- Outreach is tied to a consent record at the database level — a message cannot be sent without one.
- Consent can be withdrawn, and withdrawal is honoured going forward.
3. Data principal rights
Individuals may exercise the rights available under the DPDP Act, including:
- Access to a summary of their personal data being processed;
- Correction, completion and updating of inaccurate data;
- Erasure of personal data that is no longer required;
- Grievance redressal, and nomination.
Requests are actioned together with the campaign as Data Fiduciary. Our erasure workflow is demonstrable on request.
4. Data localisation
All personal data is stored and processed within India (Central India region).
5. Security measures
- Encryption in transit (TLS) and at rest;
- Role-based access control and least-privilege access for staff;
- Tenant isolation so one campaign’s data is not accessible to another;
- An append-only audit trail on access to sensitive records;
- Regular backups within India, with tested restore procedures.
6. Data minimisation & purpose limitation
We collect only what the service needs, use it only for the agreed campaign purposes, and delete or return field data within 90 days after the result unless renewed.
7. Sub-processors
We use a limited set of contracted sub-processors (cloud hosting, SMS/IVR delivery) that are bound to equivalent obligations. A current list is available to clients on request.
8. Breach notification
In the event of a personal-data breach, we notify the affected campaign without undue delay and support notification to the Data Protection Board and affected individuals as required by law.
9. Grievance Officer
Data protection queries and grievances may be sent to our Grievance Officer at privacy@roothscale.com.
This statement describes our operating commitments and does not constitute legal advice; the governing terms for any engagement are those in the signed agreement and Data Processing Agreement.
Roothscale is a product of Reclevo Infotech. Questions about this document? privacy@roothscale.com.