Revised: February 01, 2026
Effective date: January 03, 2023
Introduction:
This Privacy Policy explains how You Scale LLC, doing business as iClosed (“iClosed”, “we”, “us”, or “our”) collects, uses, and protects personal information when we act as an independent data controller. This Privacy Policy applies to iClosed-controlled data (as defined below), including information we process to operate our websites, manage accounts, provide support, maintain security, and comply with legal obligations.
This Privacy Policy does not govern Customer Personal Data that a customer (our business customer) submits to, stores in, or processes through the iClosed platform (for example, the customer’s leads, contacts, scheduling data, messages, or other CRM information). Where iClosed processes Customer Personal Data on behalf of a customer, iClosed acts as a processor/service provider and such processing is governed by the Data Processing Agreement (DPA) and the customer’s documented instructions.
This Privacy Policy is intended to meet transparency requirements under applicable global privacy and data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable U.S. state and international privacy laws, as amended from time to time.
Relationship to the DPA
Processor/Service Provider processing. When iClosed processes Customer Personal Data strictly on behalf of a customer (for example, data submitted through customer-configured booking pages, scheduling links, embedded forms/widgets, or related customer-facing interfaces, and related scheduling and communications workflows), iClosed acts as a processor/service provider under the DPA and the customer’s documented instructions.
Controller processing. This Privacy Policy governs only iClosed-controlled data, meaning personal information we process as an independent controller to operate, secure, administer, and improve our websites and platform, and to manage our relationship with account holders and authorized users.
Customer notice and responsibilities. The customer remains responsible for determining the appropriate lawful basis for its processing of Customer Personal Data, providing required notices to its leads/end users, and obtaining any required consents or permissions for its communications and activities.
1. Scope and Purpose
This Privacy Policy applies to personal information processed by iClosed when you:
Visit or interact with iClosed websites (including iclosed.io and its subdomains);
Create, access, or administer an iClosed account (including as an account owner, team member, administrator, or billing contact);
Communicate with iClosed support or sales teams;
Receive marketing or product-related communications from iClosed (where permitted by law).
This Privacy Policy does not apply to individuals who interact with customer-facing booking pages, scheduling links, hosted pages, forms, widgets, or similar interfaces configured by a customer. In those scenarios, personal data submitted through those interfaces is processed on behalf of the customer as Customer Personal Data, and the customer’s privacy notice governs the interaction.
If you are an end user/lead/contact interacting with a customer via a customer-facing interface, and you have questions about how your information is used or wish to exercise applicable privacy rights, you should contact the customer directly. iClosed will assist the customer as required under the DPA and applicable law.
For clarity: Customer-facing interfaces may display iClosed branding or links (for example, “Powered by iClosed” and links to iClosed legal pages) for platform transparency. Those links do not replace or supplement the customer’s privacy notice for the interaction and do not change the customer’s role as the controller of Customer Personal Data submitted through those interfaces.
Definitions
Personal Data (or “personal information”) – any information that identifies or relates to an identified or identifiable individual.
iClosed‑controlled data – limited categories of personal data processed by iClosed as an independent controller for platform administration, billing, security, analytics and compliance.
Customer Personal Data – personal data uploaded or generated by customers in the course of using iClosed’s scheduling and CRM services. iClosed processes Customer Personal Data solely on documented instructions and acts as a processor/service provider.
Applicable Data Protection Laws – means all privacy, data protection, and data security laws and regulations that apply to our processing activities, including, where applicable, the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable U.S. state and international privacy laws.
Roles and Responsibilities
3.1 iClosed as Independent Controller
iClosed acts as an independent data controller when it determines the purposes and essential means of processing for certain activities. This includes processing personal data for:
Account administration and authentication – creating user accounts, managing roles and permissions, and keeping access records (e.g., login time stamps, session metadata);
Billing and subscription management – maintaining billing contact details, subscription plans, payment status, processing refunds, and verifying billing-related claims (including fraud prevention);
Security, abuse prevention and compliance – maintaining IP logs, audit trails, fraud detection signals, rate‑limiting, incident response records and compliance logs;
Platform telemetry and operational analytics – collecting usage and performance metrics (which may include identifiers such as IP address and session/device identifiers), error diagnostics and performance indicators, and applying aggregation/de-identification where feasible;
Consent and preference management – recording cookie consent, marketing preferences, consent withdrawal timestamps and related regulatory logs;
Customer communications – handling support emails, ticket correspondence and in‑platform messages initiated by account holders.
3.2 iClosed as Processor or Service Provider
For all Customer Personal Data including leads, appointments, deal values, sales notes, and automation workflows, iClosed acts solely on documented instructions from the customer. Those activities are governed by the DPA and applicable data protection laws. iClosed:
Does not determine the purposes or essential means of processing Customer Personal Data;
Does not sell or share Customer Personal Data for cross‑context behavioral advertising;
Does not combine Customer Personal Data with other data except as permitted by law and customer instructions;
Does not use Customer Personal Data to train general-purpose or third-party AI models.
Customers remain solely responsible for providing privacy notices to their leads/end users and obtaining any necessary consents or permissions (including where required for transactional email or SMS communications). Where customers configure consent checkboxes, disclosures, or preference mechanisms in the Services, iClosed implements those configurations and may store related consent records (such as consent status and timestamps) solely on the customer’s behalf and under the DPA.
iClosed may capture limited contact information you enter into a customer’s iClosed-hosted scheduling link, booking page, or embedded form (such as email address and/or phone number) after you finish interacting with the relevant input field (for example, when you leave the field), even if you do not submit the full form.
The customer (as controller) determines the purposes and lawful basis for this processing. Depending on the customer’s configuration and use case, the customer may rely on legitimate interests (for example, to prevent data loss and enable scheduling continuity) or another lawful basis as appropriate. iClosed stores this limited information securely and uses it only to support the customer’s scheduling workflow and to continue or complete the interaction you initiated, and does not use it for iClosed’s own independent purposes.
Where a customer enables optional features such as iScore, iClosed processes any related enrichment inputs and outputs as Customer Personal Data solely on the customer’s behalf under the DPA (including applicable feature addenda) and the customer’s documented instructions.
What Personal Data We Collect as Controller
When acting as an independent controller, iClosed collects limited categories of personal data that are necessary to operate, administer, secure, and improve our platform. The specific types of personal data we collect depend on how you interact with iClosed and are limited in accordance with data minimization principles and applicable privacy laws.
Where aggregated or anonymized information is combined with personal data, we treat the combined information as personal data in accordance with applicable data protection laws.
You may choose not to provide certain personal data; however, some information is required to create an account, administer subscriptions, and provide the Services.
The categories of personal data we collect as an independent controller may include the following:
4.1 Account & Authentication Data
Names, email addresses and basic contact information of account owners and authorized users;
Team member identifiers, assigned roles and permissions;
Encrypted authentication credentials (password hashes) and session metadata.
4.2 Billing & Subscription Data
Billing contact details, company name and email address;
Subscription plan information and invoicing metadata;
Payment status, last four digits of card numbers and Stripe customer identifiers (full payment card information is handled directly by our payment processor and never stored by iClosed).
4.3 Security, Abuse Prevention & Compliance Data
IP addresses, device identifiers and login logs for access control;
Rate‑limiting, anomaly detection and fraud‑prevention data (including risk signals and machine‑generated alerts);
Audit trails, incident response records and compliance documentation required by law.
4.4 Usage Data, Telemetry & Operational Analytics
Limited technical, usage, and performance data generated through the operation of the Services (“Usage Data”). This may include information such as feature usage events, timestamps, error logs, performance metrics, device and browser characteristics, session identifiers, IP addresses, and similar diagnostic or operational data.
Usage Data is processed for purposes such as maintaining and securing the Services, diagnosing technical issues, monitoring performance, improving functionality, and developing new features. Where feasible, iClosed applies aggregation, de-identification, or minimization techniques to reduce the identifiability of such data.
Usage Data is not used to identify individual end users for marketing purposes, nor is it sold or shared for cross-context behavioral advertising. Usage Data may be processed by trusted analytics, monitoring, and infrastructure service providers acting on iClosed’s behalf and subject to contractual confidentiality and data protection obligations.
When you visit our websites, Usage Data may also include pages and links you view, referring/exit pages, time and date of access, and time spent on pages.
4.5 Consent & Preference Management Data
Cookie consent records, such records may include information generated by our consent management platform (Cookiebot), such as consent status and timestamps.
Consent withdrawal records and marketing preference settings.
4.6 Communications & Support Data
Support tickets, emails, chat logs and similar communications initiated by users;
Internal support notes used solely for troubleshooting or compliance purposes.
4.7 Sensitive Personal Information (CPRA)
iClosed does not intentionally collect or process “Sensitive Personal Information” as defined under the California Privacy Rights Act (“CPRA”), such as government-issued identification numbers, precise geolocation, financial account credentials, health data, biometric data, or information concerning racial or ethnic origin, religious or philosophical beliefs, union membership, or sexual orientation.
Limited technical data (such as IP addresses, device identifiers, and security-related logs) may be processed strictly for permitted purposes, including security, fraud prevention, system integrity, and compliance, as allowed under the CPRA.
iClosed does not use or disclose Sensitive Personal Information for purposes other than those expressly permitted by applicable law and does not use such information to infer characteristics about individuals.
How We Collect Personal Data
iClosed collects personal data in the following ways when acting as an independent data controller:
Information you provide directly – such as when you create an account, manage subscription details, communicate with our sales or support teams, or otherwise interact with iClosed in a business or administrative capacity.
Information collected automatically – such as technical data, log files, usage metrics, device information, and similar data collected through cookies and comparable technologies when you access or use our websites or platform.
Information generated through support and communications – including records of communications, support tickets, and related correspondence.
Information from service providers – such as billing status, payment confirmations, or fraud-prevention signals provided by our payment processors or infrastructure vendors in connection with your use of the services.
We do not intentionally collect personal data beyond what is necessary for the purposes described in this Privacy Policy.
How and Why We Use Personal Data (Purposes & Legal Bases)
6.1 Purposes
iClosed processes iClosed‑controlled data for the following limited purposes:
Operate and maintain the platform – to provide access to services, ensure reliability and improve performance.
Manage accounts and subscriptions – to register users, authenticate access, manage roles, and administer billing.
Ensure security and prevent fraud – to detect and mitigate abuse, enforce rate limits, investigate incidents and monitor system integrity.
Comply with legal obligations – to meet tax, accounting, and regulatory requirements, respond to lawful requests and enforce our agreements.
Maintain consent and preferences – to record cookie consents, handle withdrawals, and demonstrate compliance with cookie regulations.
Provide support and communicate with customers – to respond to inquiries, issues or feedback.
Develop and improve our services – to analyze aggregated usage and performance metrics, enhance user experience and build new features.
Communications and Marketing
iClosed may send service-related and administrative communications to account holders and authorized users that are necessary to provide the Services, including account notifications, security alerts, billing messages, and support-related correspondence. These communications are sent on the basis of contractual necessity or legitimate interests and are not subject to marketing opt-out.
Communications delivery and shared infrastructure. Certain Service features (including notifications and other communications) may use shared delivery infrastructure and may be aggregated or routed through shared email addresses, phone numbers, domains, or similar communication resources. As a result, deliverability and timing may be affected by factors outside of iClosed’s control (including carrier availability, third-party email/SMS provider policies, recipient network conditions, and spam/abuse controls). To protect the platform, deliverability, and other customers, iClosed may implement reasonable safeguards, including throttling, rate-limiting, restricting functionality, or suspending access to communications/notification features where necessary.
Where permitted by applicable law, iClosed may also send marketing or promotional communications relating to our Services. Such communications are sent either on the basis of your consent or our legitimate interests in promoting our Services in a business-to-business context, as permitted by law. You may opt out of marketing communications at any time by using the unsubscribe link included in such messages or by contacting us.
6.2 Legal Bases
Our processing of personal data as a controller is justified under one or more of the following legal bases:
Contractual necessity (Article 6(1)(b) GDPR) – processing necessary to enter into or perform a contract, e.g., creating accounts, providing services, billing and customer support.
Legal obligation (Article 6(1)(c) GDPR) – processing required to comply with laws, regulations or court orders (such as tax, accounting, know‑your‑customer, anti‑fraud and security obligations).
Legitimate interests (Article 6(1)(f) GDPR) – processing necessary for our legitimate interests (or those of third parties) provided such interests are not overridden by your rights. Our legitimate interests include protecting the platform from fraud and abuse, ensuring service reliability, improving performance and maintaining records of consents. We balance these interests with individuals’ privacy rights and implement appropriate safeguards.
Where required by applicable law, we provide appropriate mechanisms to exercise opt-out rights or honor automated privacy signals in connection with processing based on legitimate interests.
6.3 Purpose-by-Purpose Mapping (EEA/UK – GDPR/UK GDPR)
For individuals located in the EEA/UK, we rely on the following lawful bases under Article 6 GDPR/UK GDPR, depending on the purpose:
1) Operate and maintain the platform (service delivery, reliability, performance)
Lawful basis: Contractual necessity (Art. 6(1)(b)) and/or Legitimate interests (Art. 6(1)(f)).
2) Manage accounts and subscriptions (registration, authentication, roles, billing administration)
Lawful basis: Contractual necessity (Art. 6(1)(b)); and where needed for record-keeping, Legal obligation (Art. 6(1)(c)).
3) Ensure security and prevent fraud (abuse prevention, incident investigation, monitoring integrity)
Lawful basis: Legitimate interests (Art. 6(1)(f)) and, where applicable, Legal obligation (Art. 6(1)(c)).
4) Comply with legal obligations (tax, accounting, regulatory requirements, lawful requests, enforcing agreements)
Lawful basis: Legal obligation (Art. 6(1)(c)); and in some cases Legitimate interests (Art. 6(1)(f)) (e.g., establishing, exercising, or defending legal claims).
5) Maintain consent and preferences (cookie consent logs, withdrawals, compliance records)
Lawful basis: Legitimate interests (Art. 6(1)(f)) for maintaining compliance records; and Consent (Art. 6(1)(a)) where required for setting non-essential cookies/trackers.
6) Provide support and communicate with customers (support inquiries, service communications)
Lawful basis: Contractual necessity (Art. 6(1)(b)) and/or Legitimate interests (Art. 6(1)(f)).
7) Develop and improve our services (aggregated usage/performance analytics, feature improvement)
Lawful basis: Legitimate interests (Art. 6(1)(f)); and Consent (Art. 6(1)(a)) where required by applicable law for non-essential analytics cookies/trackers.
Marketing communications
Where permitted by applicable law, we may send marketing communications on the basis of your Consent (Art. 6(1)(a)) or our Legitimate interests (Art. 6(1)(f)) in a B2B context, as permitted by law. You can opt out of marketing at any time.
How We Share Personal Data
iClosed does not sell personal data. Where advertising cookies or similar technologies are used, we provide required notices and choices, including the ability to opt out of ‘sharing’ for cross-context behavioral advertising where required by applicable law. We may share personal data in the following circumstances:
Service providers and sub‑processors – We engage trusted third parties to provide infrastructure, hosting, analytics, fraud detection, customer support and payment processing. These providers access personal data only to perform services on our behalf and under contractual obligations requiring confidentiality and data protection.
Corporate transactions – In the event of a merger, acquisition or asset sale, personal data may be transferred to the acquiring entity, subject to an obligation to honour this Privacy Policy.
Legal requirements – We may disclose personal data where required to comply with applicable law, regulation, court order, or lawful request from competent authorities, or to protect the rights, property, or safety of iClosed, our customers, or others.
With your consent – We may share personal data for other specific purposes where you have provided explicit consent (for example, to display your company logo as a customer testimonial).
Affiliates – We may share personal data within the iClosed corporate group (subsidiaries and affiliates) for purposes consistent with this Privacy Policy, including security, operations, and customer/account management.
Where applicable, we will enter into agreements that incorporate SCCs or other legally approved transfer mechanisms for cross‑border data sharing.
7.1 Third-Party Service Providers
We use well-known third-party service providers to support our operations, such as payment processors and analytics providers. These providers process personal data only on our behalf and under contractual obligations consistent with applicable data protection laws.
For transparency, information about some of these providers’ privacy practices may be available on their respective websites (for example, Stripe for payment processing).
iClosed is not responsible for the privacy practices of third-party websites, and such providers’ privacy policies apply independently of this Privacy Policy.
7.2 Google Gmail API
We use the Google Gmail API solely to send scheduling-related emails from the connected accounts of our users to individuals who book a call with that user (e.g., confirmations, updates, and reminders).
We do not access or use Gmail data for advertising, profiling, or any other purpose unrelated to sending these scheduling emails. We do not store email content obtained via the Gmail API.
Where necessary to operate and support this feature (e.g., troubleshooting and delivery tracking), we may store limited metadata such as message identifiers, timestamps, recipient address, and delivery status. We retain such metadata only for as long as reasonably necessary for support, deliverability, and compliance purposes, and we do not use it for advertising or profiling.
Our access to and use of information received from Google APIs complies with the Google API Services User Data Policy (including the Limited Use requirements): https://developers.google.com/terms/api-services-user-data-policy
7.3 Categories of Third Parties
Depending on the context of processing, iClosed may disclose personal data to the following categories of third parties for business or operational purposes:
Cloud hosting and infrastructure providers;
Payment processors and billing service providers;
Analytics, monitoring, and performance measurement providers;
Security, fraud detection, and abuse prevention vendors;
Customer support, communication, and ticketing service providers;
Professional advisers (such as legal, accounting, or audit firms) where necessary to comply with legal obligations;
Corporate transaction counterparties in connection with a merger, acquisition, or asset sale, subject to appropriate confidentiality and data protection obligations.
All such third parties process personal data only for specified purposes and under contractual obligations consistent with applicable data protection laws.
Cookies and Tracking Technologies
We use cookies and similar technologies (such as pixels, tags, local storage, session storage, and scripts) to operate our websites and Services, maintain security, remember preferences, and understand performance.
We use Cookiebot (a consent management platform provided by the Usercentrics group) to manage cookie preferences, obtain consent where required by law, and help prevent non-essential cookies from being set before you make a choice.
Cookies are categorized as follows:
Necessary (Strictly Necessary) – required for core functionality, authentication, security, and to store and honor your cookie consent preferences.
Preferences – used to remember your settings (such as language or interface preferences). These cookies are optional.
Statistics (Analytics) – used to collect aggregated information about how visitors use our website and Services (e.g., feature usage, performance, and error diagnostics). Where required by law, Statistics cookies are set only with your consent. We may use tools such as Google Analytics, PostHog, and Datadog for these purposes. We may also use error monitoring and diagnostics tools (e.g., Sentry or Raygun) for reliability and security purposes.
Marketing – used for marketing measurement, attribution, and (where applicable) advertising-related functionality. Where required by law, Marketing cookies are set only with your consent and can be managed through our cookie settings.
For example, marketing cookies may be associated with advertising and measurement partners such as Meta (Facebook), where enabled.
In some cases, our consent management platform may temporarily display certain cookies or similar technologies as “Unclassified” while their purpose is being determined. Any such items will appear in the Cookie Declaration, and we work to review and categorize them appropriately.
Where customers integrate third-party marketing pixels or tracking technologies into customer-controlled pages (such as customer-configured scheduling links, forms, or hosted pages), those technologies are controlled by the customer and are outside of iClosed’s control. In such cases, the customer is responsible for providing notices and obtaining required consents.
8.1 Consent Management
Cookiebot provides our cookie consent banner and preference center. You can accept, reject, or customize cookie categories, and you can change or withdraw your consent at any time through the cookie settings available on our website. Cookiebot also helps us maintain consent logs (such as consent status and timestamps) to demonstrate compliance with applicable cookie laws. Where required by applicable law, we recognize and honor automated preference signals such as Global Privacy Control (GPC) as an opt-out signal for non-essential cookies.
Do Not Track Signals: Some browsers offer a “Do Not Track” (“DNT”) signal. Because there is no widely adopted, consistent industry standard for recognizing and responding to DNT signals, our websites do not respond to DNT signals. You can manage cookie preferences at any time through our Cookiebot banner and settings, and where required by applicable law we honor Global Privacy Control (GPC) as described above.
8.2 Managing Cookies
You can manage cookies through the Cookiebot banner and preference center, including by accepting, rejecting, or customizing cookie categories, and you can change or withdraw your consent at any time through the cookie settings available on our website.
You may also control cookies through your browser or device settings, including by deleting existing cookies or blocking future cookies. Please note that disabling certain cookies may affect the functionality or availability of parts of the website or Services.
For more detailed information about the cookies and similar technologies used on our websites, including their purposes, providers, and expiration periods, please see our Cookie Policy and the Cookie Declaration available through the Cookiebot banner or settings.
Analytics, Security & Fraud Prevention
To ensure the reliability, security and integrity of our platform, we use analytics and security tools to:
Detect unusual activity, spam or abuse (e.g., rate‑limiting and risk scoring);
Monitor performance and error rates;
Investigate and respond to incidents;
Comply with legal obligations (e.g., records for audits and regulators).
These tools may process IP addresses, device information and session metadata. We implement encryption and access controls to protect this data and retain it only as long as necessary for security and compliance. We do not use this data to profile individuals for marketing or credit decisions, consistent with new state laws restricting profiling and targeted advertising.
AI & Automated Decision‑Making
iClosed does not:
Train general-purpose or third-party AI models on Customer Personal Data or other personal data processed through the Services;
Currently use personal data for automated decision-making that produces legal or similarly significant effects on individuals (e.g., eligibility or credit decisions);
Intentionally deploy AI systems designed to produce legal or similarly significant effects on individuals within the meaning of applicable AI regulations.
If in the future we introduce features involving automated decision‑making, we will update this policy and our systems to provide meaningful information, human review and the right to contest such decisions as required by GDPR and state laws.
Clarification (Controller vs Customer use): The statements in this section describe iClosed’s processing when iClosed acts as an independent Controller. Customers may enable optional features (such as iScore) that process Customer Personal Data. In those cases, iClosed acts as a Processor/Service Provider under the DPA, and the Customer determines whether and how any outputs are used.
International Data Transfers
We primarily host our core platform and storage within the European Union. However, limited international transfers may occur:
When support, security or development personnel located outside your region access data for operational reasons;
When we use global service providers for infrastructure or analytics.
Where we transfer personal data to countries that have not been deemed adequate by the European Commission or other regulators, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs), data transfer impact assessments, encryption and role‑based access controls. We also respect U.S. state requirements for contracted service providers and cross‑border transfers.
For purposes of applicable U.S. state privacy laws, including the California Privacy Rights Act (CPRA), iClosed discloses personal data only to contracted service providers or processors that are subject to written agreements prohibiting the sale, sharing, or use of personal data for purposes other than providing services on iClosed’s behalf, except as permitted by law.
Data Retention
We retain personal data processed as a controller only for as long as necessary to fulfil the purposes described above.
Retention rationale. We set retention periods based on the principles of data minimization and storage limitation, and we retain personal data only for as long as reasonably necessary to: (a) provide and operate the Services; (b) maintain security, detect and prevent fraud/abuse, and investigate incidents; (c) comply with legal and regulatory obligations (including tax/accounting and compliance recordkeeping); (d) maintain evidence of consent and preferences where required; (e) resolve disputes, enforce agreements, and establish, exercise, or defend legal claims; and (f) meet reasonable operational needs (including troubleshooting and service reliability). Where possible, we delete, aggregate, and/or de-identify data earlier. Retention may be extended where required by law, a legal hold, or a documented customer instruction under the DPA.
Our retention practices are as follows:
Account, billing, security and log data: retained for the duration of your account and thereafter only as required to meet applicable legal, accounting, security, and compliance obligations (such as fraud prevention and audit requirements).
Security and diagnostic logs: retained for a limited period based on operational and security needs, and then deleted or aggregated.
Aggregated analytics and de-identified data: may be retained for extended periods for statistical analysis and service improvement, provided such data cannot reasonably be used to identify any individual.
Communications and support data: retained for the period necessary to respond to your request and for legitimate interests (e.g., to demonstrate compliance), then archived or deleted as appropriate.
We periodically review our retention schedules to ensure compliance with evolving data protection laws. Account holders can request early deletion of specific data categories where allowed by law.
We retain personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy, as required or permitted by applicable law, and subject to legal holds and dispute/litigation preservation requirements.
Retention periods vary depending on (i) the type of personal data, (ii) whether iClosed acts as a controller or a processor, (iii) the purposes of processing, and (iv) applicable legal and contractual requirements.
Controller data (iClosed-controlled data)
When iClosed processes personal data as a controller (for example, account administration, billing, security, support, and website operations), our default retention periods are generally as follows:
Account and authentication records: retained for the duration of your account and up to 24 months after account closure.
Billing and finance records: retained for up to 7 years (e.g., invoices and payment-related records), as required for accounting/tax recordkeeping.
Communications and support data: retained for up to 24 months after ticket closure (or equivalent conclusion of the request), then deleted or archived with access restrictions where appropriate.
Cookie consent logs (website CMP): retained for up to 24 months for compliance evidence (proof of consent), after which they are deleted or rotated in accordance with vendor retention controls.
Security/auth/audit logs: retained for up to 12 months.
Application/API logs and WAF/CDN logs: retained for up to 90 days.
Monitoring/APM/error data: retained for up to 90 days.
Product analytics events (pseudonymous): retained for up to 13 months; analytics may also be aggregated and/or de-identified and retained for longer periods where it cannot reasonably be used to identify any individual.
Data subject request (DSAR) case records: retained for up to 3 years after case closure to demonstrate compliance.
Breach/incident records: retained for up to 6 years after incident closure for compliance, audit, and security accountability.
Processor data (Customer Personal Data)
When iClosed processes Customer Personal Data on behalf of a customer (as a processor/service provider under the DPA), retention and deletion are governed by the DPA and the customer’s instructions. By default:
During an active subscription, Customer Personal Data is retained in active systems to provide the Services.
Following customer deletion actions and/or termination or expiration of the Services (as applicable), Customer Personal Data is placed into a soft-deleted/inaccessible state and is permanently deleted from active systems as soon as reasonably practicable and, in any event, no later than 180 days, unless a shorter period is required by the DPA/customer instructions or retention is required/permitted by applicable law (including a legal hold).
Customer Personal Data may remain in encrypted backups for a rolling period of up to 180 days, expiring through normal backup rotation.
We periodically review retention schedules and may update these periods where required to reflect changes in law, contractual obligations, security needs, or our systems.
Your Rights and Choices
Depending on your location, you may have the following rights with respect to personal data that iClosed processes as a controller:
Right of access – to request information about personal data we hold about you;
Right of rectification – to correct inaccurate or incomplete data;
Right to delete – to request deletion of your personal data, subject to certain legal exceptions;
Right to restrict or object – to request that we stop processing your data or object to certain processing based on legitimate interests;
Right to portability – to receive your data in a machine‑readable format and transmit it to another controller;
Right to withdraw consent – where we rely on consent, you may withdraw it at any time;
Right to opt out of sale, sharing or profiling – to opt out of the sale or sharing of personal data or automated profiling that produces significant effects, as defined under the CPRA/CCPA and other state laws.
You may exercise these rights by emailing hello@iclosed.io. We will verify your identity before responding to protect your data. If your request relates to Customer Personal Data, we will forward it to the relevant customer for handling, consistent with our role as a processor.
If you are an Invitee and have questions about a booking page or communications you received from a customer, please contact the customer directly, as they control those interactions.
Response Timelines
We will respond to verified data subject or consumer rights requests without undue delay and, in any event, within the timeframes required by applicable law.
For requests subject to the GDPR or UK GDPR, this is generally within one (1) month of receipt, subject to lawful extensions. For requests subject to U.S. state privacy laws such as the CPRA/CCPA, this is generally within forty-five (45) days of receipt, subject to extensions where permitted by law. Where an extension is required, we will inform you of the reason and applicable timeframe.
Automated Preference Signals
We recognise and honour automated privacy preference signals, such as Global Privacy Control, for opt-out requests where required by applicable law.
Appeals
Some U.S. state laws (e.g., Colorado CPA, Virginia CDPA) provide a right to appeal if we decline to take action on your request. To appeal a decision, please email hello@iclosed.io with the subject line "Appeal of Data Rights Request". We will review your appeal and respond within the timeframe required by applicable law.
We will review and respond to appeals within the timeframe required by applicable law, which is generally forty-five (45) days from receipt, unless a longer period is permitted or required by law, in which case we will notify you accordingly.
Supervisory Authorities
If you believe our processing of your personal data infringes the GDPR or other applicable laws, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state or UK where you reside, work or where the alleged infringement occurred. For residents of certain U.S. states, you may contact your state Attorney General or the relevant privacy authority.
Additional Information for U.S. State Privacy Laws
Where required by applicable U.S. state privacy laws, you may also exercise your rights through an alternative request method, such as a web-based privacy request form if made available by iClosed.
You may designate an authorized agent to submit a request on your behalf. We may require verification of your identity and confirmation of the agent’s authority before processing such requests.
iClosed will not discriminate against you for exercising any privacy rights granted to you under applicable law.
14. Information Security
We implement administrative, technical and physical safeguards designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure and access. These measures include:
Encryption in transit and at rest;
Access controls and authentication mechanisms;
Network monitoring and intrusion detection;
Secure development practices and regular security testing;
Incident response and breach notification procedures.
Although we strive to use commercially acceptable means to protect personal data, no method of transmission or storage is 100% secure. In the event of a data breach affecting iClosed-controlled data, we will notify affected individuals and regulators where and to the extent required by applicable law.
15. Links to Other Sites
Our websites or Services may contain links to third-party websites or services that are not operated or controlled by iClosed. If you click on a third-party link, you will be directed to that third party’s website.
We encourage you to review the privacy policies of any third-party websites you visit. iClosed has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third-party websites or services.
The display of iClosed branding, platform legal links, or operational disclosures on customer-facing pages does not replace or supplement the customer’s privacy notices.
16. Children’s Data
The Services are not directed to children under the age of thirteen (13), and iClosed does not knowingly collect Personal Data from children under 13 in its capacity as an independent controller.
Account registration and Authorized User access to the Service are intended only for individuals who are at least eighteen (18) years of age, as further described in our Terms & Conditions.
If we become aware that we have inadvertently collected Personal Data from a child under 13 as a controller, we will take reasonable steps to promptly delete such information.
Where customers use the Services to process Personal Data relating to minors (including children under 16), iClosed acts solely as a processor/service provider on the customer’s behalf. In such cases, the customer is responsible for providing appropriate privacy notices, obtaining any required parental or lawful consent, and ensuring compliance with applicable children’s privacy laws.
If you believe iClosed has collected Personal Data from a child in violation of this section, please contact us at hello@iclosed.io.
17. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in technology, law, our services or how we process personal data. We will post the updated policy with a new “Last Updated” date and, where required, provide additional notice (e.g., via email or a prominent banner). Where required by applicable law, we will provide additional notice or seek consent for material changes. Continued use of the services after the effective date may constitute acceptance of the updated policy to the extent permitted by applicable law.
18. Contact Information
Controller Identity (iClosed-Controlled Data)
For personal data processed under this Privacy Policy (i.e., iClosed-controlled data where iClosed determines the purposes and essential means of processing), You Scale LLC, doing business as iClosed (“iClosed”) is the data controller.
Controller Details:
Legal Name: You Scale LLC (d/b/a iClosed)
Email: hello@iclosed.io
Customer Personal Data (Processor/Service Provider Role) For personal data processed by iClosed strictly on behalf of a customer (such as leads, contacts, scheduling data, or CRM records), the relevant customer acts as the data controller. Requests relating to such data should be directed to the applicable customer. iClosed processes such data solely as a processor/service provider in accordance with the applicable Data Processing Agreement.