Privacy Policy

Effective date: 15 May 2026  ·  Version: 1.0  ·  Last reviewed: 15 May 2026

Contents
  1. Who We Are
  2. Information We Collect
  3. How We Use Your Information
  4. Legal Basis for Processing
  5. Data Sharing & Disclosure
  6. Data Storage & Security
  7. Data Retention
  8. Your Rights
  9. Cookies
  10. Children's Privacy
  11. Changes to This Policy
  12. Contact Us & Grievance Officer

Plain-language summary: GRCfy Maestro is a B2B compliance (Audit) management platform. We collect and process data strictly to operate the service, fulfil contractual obligations to your organisation, and comply with applicable law. We do not sell personal data or use it for advertising.
Section 01

Who We Are

GRCfy Maestro ("we", "us", "our") is an enterprise compliance orchestration platform operated by GRCfy Technologies Private Ltd ("the Company"). The platform enables audit firms and their client organisations to manage audits, controls, findings, and evidence in a structured, role-based environment.

This Privacy Policy applies to all users of the GRCfy Maestro web application, including audit administrators, auditors, compliance reviewers, and client-side users. It describes how we collect, process, store, and protect personal information in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the Digital Personal Data Protection Act 2023 (DPDP Act), and other relevant regulations.

For questions about this policy or to exercise your rights, contact our Data Protection Officer at privacy@grcfy.com.

Section 02

Information We Collect

2.1 Account & Identity Data

When an administrator creates a user account on your behalf, or when you register directly, we collect:

2.2 Organisation Data

We collect information about your organisation to provision and manage your account:

2.3 Audit & Compliance Content

As part of the service, users upload and generate compliance data including audit control assessments, findings, remediation notes, and evidence files (documents, spreadsheets, images). This content belongs to your organisation and is processed by us solely to operate the platform.

2.4 Usage & Technical Data

We automatically collect technical data to operate and secure the platform:

2.5 Single Sign-On Data

If your organisation configures SSO (SAML 2.0, OIDC, or LDAP), we receive identity attributes from your Identity Provider (e.g., name, email, group memberships) solely to authenticate you and provision your account. We do not retain IdP tokens beyond the session.

Section 03

How We Use Your Information

Purpose | Data used
Account authentication and access control | Name, email, hashed password, roles, SSO attributes
Delivering the compliance management service | Audit content, findings, evidence, control data
Subscription and billing management | Organisation details, subscription plan, credit usage
Platform security, fraud prevention, and audit logging | IP address, user-agent, session data, activity logs
Sending transactional notifications | Email, name (for audit assignments, evidence flags, renewal reminders)
Compliance with legal obligations (including DPDP Act, GDPR) | Identity data, activity logs, deletion records
Improving the platform (aggregated, anonymised analytics only) | Anonymised usage patterns; no individual tracking

We do not use personal data for advertising, sell it to third parties, or use it to train AI models.

AI-Assisted Processing (optional feature)

On AI-enabled subscription tiers, auditors may optionally trigger AI analysis of accepted evidence files against individual audit controls. When this feature is used:

For full details, see our AI Processing Disclosure and the AI Processing Addendum (Section 17) to our DPA.

Section 04

Legal Basis for Processing

Where GDPR or similar laws apply, we rely on the following legal bases:

Section 05

Data Sharing & Disclosure

We do not sell personal data. We share data only in the following circumstances:

5.1 Within Your Organisation

Audit content and user information are visible to authorised members of your audit firm or client organisation in accordance with the role-based access controls you configure.

5.2 Service Providers (Sub-processors)

We engage a limited number of sub-processors to operate the platform. All sub-processors are bound by data processing agreements and may only process data on our documented instructions.

Sub-processor | Purpose | Data location | Safeguards
Squarebrothers Internet Services (Chennai, India) | Platform application and database hosting | Chennai, India | Data encrypted in transit (TLS 1.2+); databases not publicly accessible; MFA-restricted admin access
Amazon Web Services (AWS) S3 (ap-south-1, Mumbai, India) | Evidence file storage; daily database backups; application log archives | ap-south-1 (Mumbai, India) | AES-256 server-side encryption (SSE-S3); S3 Object Lock enabled; access restricted to a dedicated IAM user with least-privilege policy; data does not leave India
Cloudflare | DDoS protection, TLS termination, CDN | Global edge network (no data stored) | Traffic only; no customer data persisted at edge
Hosting Raja (Maharashtra, India) | Transactional email delivery (notifications, alerts, invoices) | India | Only recipient address and message content transmitted; no passwords or audit data included
Anthropic PBC (via AWS Bedrock, ap-south-1) | AI evidence analysis; optional feature on AI-enabled subscription tiers only. Processes scrubbed evidence text to generate compliance findings against audit controls. | ap-south-1 (Mumbai, India) | Structured PII (email, phone, Aadhaar, PAN, etc.) is removed by our internal scrubber before transmission. Named entities (names, addresses) are filtered by an AWS Bedrock Guardrail. Anthropic does not train its models on API-submitted data. No evidence text is stored post-inference.
Amazon Web Services Textract (ap-south-1, Mumbai, India) | OCR text extraction from image files and scanned PDFs submitted as audit evidence; used only when AI analysis is triggered on image-type evidence. | ap-south-1 (Mumbai, India) | Image/scan is transmitted for OCR only; AWS Textract does not retain the file after extraction. Text output is then PII-scrubbed before being passed to the AI model.

5.3 Legal Requirements

We may disclose data if required to do so by law, court order, or to protect the rights, property, or safety of the Company, our users, or the public.

Company-hosted & client-hosted databases: If your organisation has configured GRCfy Maestro to store audit data on your own database server, that data resides under your direct control and infrastructure. The Company only processes data necessary to operate the application layer.

Section 06

Data Storage & Security

We implement industry-standard technical and organisational measures to protect your data:

While we take extensive precautions, no system can guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any suspected unauthorised access at security@grcfy.com.

Data localisation: All personal data processed through GRCfy Maestro is stored exclusively within India — platform databases on servers hosted by Squarebrothers Internet Services (Chennai), and evidence files and backups on Amazon Web Services S3 (ap-south-1, Mumbai). We do not transfer personal data to servers outside India. Any future cross-border transfer will only occur in compliance with applicable Indian law, including any adequacy frameworks or conditions notified under the DPDP Act 2023.

Section 07

Data Retention

We retain personal data for as long as your organisation's account is active and for a defined period thereafter:

Platform administrators can initiate permanent deletion ("force delete") of records via the Recovery Vault. All such actions are logged immutably with a mandatory reason.

Section 08

Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Right | Description
Access | Request a copy of the personal data we hold about you.
Correction | Update inaccurate or incomplete personal data via your profile settings or by contacting us.
Erasure | Request deletion of your personal data where there is no overriding legal obligation to retain it.
Portability | Receive a structured, machine-readable export of data you have provided to us.
Restriction | Request that we limit how we use your data in certain circumstances.
Objection | Object to processing based on legitimate interests.
Withdraw consent | Where processing is based on consent, withdraw it at any time without affecting prior processing.
Nomination | Under the DPDP Act 2023 (Section 14), you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Submit nomination requests to privacy@grcfy.com.

To exercise any of these rights, contact privacy@grcfy.com. We will respond within 30 days. Note that some rights may be limited where we are required by law to retain data or where the request conflicts with the rights of other users.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority (in India: the Data Protection Board of India).

Section 09

Cookies

GRCfy Maestro uses strictly necessary cookies only:

We do not use analytics cookies, tracking pixels, or third-party advertising cookies. No cookie consent banner is required for strictly necessary cookies under most jurisdictions, but we disclose their use here for full transparency.

Section 10

Children's Privacy

GRCfy Maestro is a professional B2B compliance platform intended solely for use by organisations and their authorised employees and contractors. We do not knowingly collect personal data from individuals under the age of 18. All accounts must be created and managed by adults acting in a professional capacity on behalf of their organisation.

Section 11

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

Your continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.

Section 12

Contact Us & Grievance Officer

For all privacy-related enquiries or to exercise your rights, please contact our Data Protection Officer:

Grievance Officer (DPDP Act 2023 — Section 13):
In accordance with the Digital Personal Data Protection Act 2023, we have designated a Grievance Officer to address complaints and queries relating to personal data processing. If you believe your data rights have not been respected, you may raise a grievance with:

If your grievance is not resolved to your satisfaction, you may escalate the matter to the Data Protection Board of India once it is constituted under the DPDP Act 2023.