About This Policy
GRC3 operates the GRC3 compliance management platform (the "Platform"). As a company dedicated to helping organizations achieve compliance with the DPDP Act, we hold ourselves to the highest standards of data protection. This Privacy Policy explains our practices as a Data Fiduciary under the DPDP Act 2023, detailing how we collect, process, store, and protect the personal data of our users (Data Principals).
By using our Platform, you provide your free, specific, informed, unconditional, and unambiguous consent to the processing of your personal data as described in this Policy, in accordance with Section 6 of the DPDP Act.
Personal Data We Collect
We collect personal data from two categories of individuals. We follow the principle of data minimization and do not collect data beyond what is necessary for the stated purposes.
A. Signed-In Users (Platform Accounts)
When you create an account and sign in to GRC3, the following data is collected via our authentication provider (Clerk):
Account & Profile Data
- Full name
- Email address
- Profile picture (if provided)
- Organization/company name (if provided)
Platform Usage Data
- Compliance assessment responses and scores
- Uploaded policy documents for AI analysis
- AI chatbot conversation logs
- Remediation progress and action items
B. Contact Form & Inquiry Submissions
When you submit an inquiry through our contact forms, callback request, readiness quiz, support ticket, or similar forms, we collect:
Contact & Inquiry Data
- Full name
- Email address
- Phone number (if provided)
- Company/organization name (if provided)
- Area of interest or inquiry details
Technical Data (All Visitors)
- IP address
- Browser type and device information
- Pages visited and session duration
- Consent records and audit trail
C. Granular Consent
All contact forms and data collection points on our Platform provide purpose-specific consent. You can separately consent to:
- Inquiry processing (required): your data will be used solely to respond to your specific inquiry or request
- Marketing communications (optional): you may opt in to receive product updates, compliance news, and promotional content
Consent for each purpose is collected separately and can be withdrawn at any time by contacting dpo@GRC3.com.
Purpose & Lawful Basis for Processing
Under Section 4 of the DPDP Act, we process personal data only for lawful purposes for which you have given consent, or which are deemed legitimate under the Act:
Your Rights as a Data Principal
Under the DPDP Act 2023, you are a Data Principal and enjoy the following rights. We are committed to honoring these rights promptly and transparently:
Right to Access
Request a complete summary of your personal data, processing activities, and the identities of all Data Fiduciaries with whom your data has been shared.
Right to Correction
Request correction, completion, or updating of any inaccurate or misleading personal data we hold about you.
Right to Erasure
Request deletion of your personal data when it is no longer necessary for the purpose it was collected, subject to legal retention requirements.
Right to Withdraw Consent
Withdraw your consent for data processing at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to Grievance Redressal
Lodge a complaint with our Grievance Officer or escalate to the Data Protection Board of India if your concerns are not resolved within 30 days.
Right to Nominate
Nominate any other individual to exercise your rights under the DPDP Act in the event of your death or incapacity, as provided under Section 14.
To exercise any of these rights, contact our Data Protection Officer at dpo@GRC3.com. We will acknowledge your request within 48 hours and resolve it within 30 days, as mandated by the DPDP Act.
Data Security Measures
As a Data Fiduciary, we implement reasonable security safeguards as required under Section 8 of the DPDP Act to protect your personal data against unauthorized access, use, modification, disclosure, or destruction:
Technical Safeguards
- Industry-standard encryption for data in transit (TLS) and at rest
- HSTS, Content Security Policy, and comprehensive security headers
- Regular vulnerability assessments
- Secure authentication mechanisms for all access
- Automated security monitoring and alerting
Organizational Safeguards
- Role-based access controls with the least-privilege principle
- Data protection awareness for all personnel
- Data processing agreements with all sub-processors
- Incident response procedures aligned with DPDP Act requirements
- Periodic internal reviews of data handling practices
Data Retention
We retain your personal data only for as long as necessary to fulfill the purpose for which it was collected, or as required by applicable law. Our retention schedule:
Upon withdrawal of consent or account deletion, we will erase your personal data within 30 days, except where retention is required by law or for the establishment, exercise, or defense of legal claims.
Data Sharing & Third-Party Processors
We do not sell your personal data. We share data with third parties only when necessary to provide our services, and only under strict contractual protections:
All Data Processors are bound by written agreements that require them to process data only on our instructions, maintain appropriate security measures, and comply with the DPDP Act requirements.
Cross-Border Data Transfers
Your personal data may be transferred to and processed in countries outside India for cloud hosting and AI processing services. Such transfers are made only to countries or territories not restricted by the Central Government under Section 16 of the DPDP Act. We ensure that adequate safeguards are in place, including contractual protections and encryption, to protect your data during and after such transfers.
Consent Management
In accordance with Section 6 of the DPDP Act, we obtain your consent through clear, affirmative action before processing your personal data. Our consent practices include:
- A clear notice in English (and 22+ Indian languages where applicable) describing the data collected and its purpose, provided at the time of collection
- Purpose-specific (granular) consent on every form: each processing purpose has its own checkbox (e.g., "respond to my inquiry" vs. "marketing communications")
- Easy-to-use mechanisms to withdraw consent at any time through your account settings or by contacting our Grievance Officer
- No bundled consent — consent for each purpose is obtained separately; marketing consent is always optional
- Complete audit trail of all consent actions (with timestamps, purposes, and consent version) for regulatory compliance
Children's Data Protection
In strict compliance with Section 9 of the DPDP Act, GRC3 implements comprehensive safeguards for the protection of personal data of children under 18 years of age. Our Platform is designed for business use and is not intended for children.
Our Children's Data Protection Commitments
Verifiable Parental Consent
Before processing any personal data of children under 18, we require verifiable parental consent as mandated by Section 9 of the DPDP Act. No data of a child is processed without obtaining prior consent from their parent or lawful guardian.
No Tracking or Profiling
We do not engage in tracking, behavioral monitoring, or targeted advertising directed at children under 18. No detailed profiling of children is conducted through our services.
No Harmful Processing
We do not process children's personal data in any manner that is likely to cause a detrimental effect on the well-being of a child, in accordance with DPDP Act provisions.
Immediate Deletion
If we become aware that personal data of a child has been collected without verifiable parental consent, we will take immediate steps to delete such data and notify the relevant parent or guardian.
Parental Rights
Parents or lawful guardians may exercise all data principal rights on behalf of children under 18 by contacting our Data Protection Officer at dpo@GRC3.com.
Data Breach Notification
In accordance with Section 8(6) of the DPDP Act, in the event of a personal data breach that is likely to cause harm to a Data Principal, we will:
- Notify the Data Protection Board of India within the prescribed timeframe
- Notify affected Data Principals without undue delay
- Provide details of the nature of the breach, the data affected, and the remedial measures taken
- Document the breach and our response in our internal breach register
Your Duties as a Data Principal
Under Section 15 of the DPDP Act, Data Principals also have certain duties:
- Ensure that any personal data you provide to us is accurate and complete
- Do not impersonate another person or provide false information
- Do not file false or frivolous complaints with the Data Protection Board
- Comply with applicable laws when exercising your rights
Data Protection Officer (DPO)
In accordance with the DPDP Act, we have appointed a Data Protection Officer (DPO) to oversee data protection strategy, ensure compliance, and address your concerns regarding the processing of your personal data:
Designation: Data Protection Officer
Email: dpo@GRC3.com
Phone: +91-XXXX-XXXXXX
Address: GRC3, Mumbai, MAH, India
Response time: Acknowledgment within 48 hours, resolution within 30 days.
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India as established under Section 18 of the DPDP Act.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you via email or a prominent notice on our Platform before the changes become effective. We encourage you to review this policy periodically. Your continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.