Privacy Policy

Last updated: 9 April 2026 · Effective: 9 April 2026

This policy applies to all users of the SRP AI Labs platform globally, including users in Malaysia, Singapore, the EU, UK, and other jurisdictions.

1. Who We Are

SRP AI Labs Sdn. Bhd. ("SRP AI Labs", "we", "us", "our") operates the recruitment and sales automation platform at growth.srpailabs.com. We are the data controller for account and platform usage data, and a data processor for candidate and contact data you upload or import.

Data Protection contact: dpo@srp-ai-labs.com

2. Data We Collect

2.1 Account & Platform Users

  • Name, work email address, phone number (optional)
  • Company name, industry, country
  • Job title (optional, stored in profile settings)
  • Authentication data (password hash, Google OAuth tokens) — passwords are never stored in plain text
  • Usage data: pages visited, features used, API call logs
  • IP address, browser type, device information
  • Email verification codes (OTP) — deleted immediately upon use or after a short expiry window, then permanently removed

2.2 Candidate & Contact Data (Customer Data)

When you import, upload, or enter candidate or contact records into the Platform, that data is processed on your behalf. This may include:

  • Full name, email, phone number, LinkedIn profile URL
  • Work history, skills, education (from CVs/resumes)
  • Company, job title, industry, location
  • Communication history (outreach emails, responses)
  • AI-generated screening scores, summaries, and notes
  • Visa status, nationality (for international placement roles — where you explicitly provide this)

As our customer, you are the data controller for candidate and contact data. You are responsible for ensuring you have a valid lawful basis (e.g. consent, legitimate interest) for processing this data, in compliance with GDPR, PDPA, and other applicable laws.

3. How We Use Your Data

Purpose | Lawful Basis
Providing and operating the Platform | Contract performance
Account registration and email verification | Contract performance
Sending OTP security codes | Contract performance / Legal obligation
Product updates and feature announcements | Legitimate interest (opt-out available)
Security monitoring and fraud prevention | Legitimate interest / Legal obligation
Analytics and platform improvement | Legitimate interest
Legal compliance and responding to lawful requests | Legal obligation
Owner notifications (new signups) | Legitimate interest — internal operations only

4. Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following circumstances:

  • Service Providers: Cloud hosting (our VPS provider), database services, email delivery — bound by data processing agreements
  • Third-Party Integrations: Only when you explicitly connect services (Apollo.io, LinkedIn, Hunter.io, etc.) — API calls are made with your credentials on your behalf
  • AI Processing: AI features are used to assist with screening, scoring, and drafting. Processing occurs within our secure infrastructure. We do not send candidate personal data to third-party AI APIs without disclosure in our Data Processing Agreement
  • Legal requirements: When required by law, court order, or to protect rights and safety
  • Business transfer: In connection with a merger or acquisition, with data protection obligations maintained

5. Data Retention

  • Account data: Retained while your account is active + 90 days after deletion request
  • OTP codes: Deleted immediately upon use or after 10-minute expiry
  • Candidate/contact records: Retained as long as your account is active. Deleted within 30 days of a verified deletion request
  • Audit logs: Retained for 12 months for security and compliance purposes
  • Backups: Encrypted backups retained for 30 days

6. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • All passwords hashed using a strong, industry-standard cryptographic algorithm
  • Email OTP verification for new account registrations
  • TLS/HTTPS encryption for all data in transit
  • Encrypted database backups
  • Access controls and role-based permissions
  • Regular security audits and dependency updates

If you discover a security vulnerability, please report it responsibly to security@srp-ai-labs.com.

7. Your Rights

Depending on your location and applicable law, you may have the following rights:

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete data (directly via your profile settings)
  • Erasure: Request deletion of your account and associated data
  • Portability: Receive your data in a machine-readable format
  • Restriction: Request we limit processing in certain circumstances
  • Object: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent

To exercise your rights, email privacy@srp-ai-labs.com. We will respond within 30 days. We may need to verify your identity before fulfilling requests.

8. International Data Transfers

Your data may be processed in countries outside your home country, including countries without equivalent data protection laws. When transferring data internationally, we rely on appropriate safeguards such as Standard Contractual Clauses (EU/UK), or equivalent mechanisms.

9. Cookies & Tracking

We use only essential cookies required for authentication (access token, refresh token) stored as secure, same-site cookies. We do not use third-party advertising trackers. Our minimal analytics are anonymised and do not track individual users across websites.

10. Children's Privacy

The Platform is not intended for individuals under 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to This Policy

We will notify you of material changes to this Privacy Policy via email and/or platform notification at least 14 days before they take effect. The updated date at the top of this page reflects the latest version.

12. Contact & Complaints

SRP AI Labs Sdn. Bhd.

Privacy: privacy@srp-ai-labs.com

Data Protection Officer: dpo@srp-ai-labs.com

If you are in the EU/UK and believe your rights have been violated, you have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU).