MSA-Aligned Governance Document

Data Policy for GCredit™

This Data Policy governs the session-based, zero-retention, non-reuse, non-transfer, and non-publication architecture of GCredit™. It defines how assessment inputs, in-session data, anonymised outputs, and limited organisational reporting are handled across the lifecycle of the Services.

Effective Date

1 January 2026

Issued By

GreenSignature Services Private Limited

Exclusive Jurisdiction

Chennai, Tamil Nadu, India

§

2. Definitions

  • “Session Data” means information temporarily processed during an active browser or application session for assessment delivery, response handling, in-session calculations, or report rendering.
  • “Personal Data” / “Personally Identifiable Information (PII)” means any data relating to an identified or identifiable natural person, whether by direct or indirect identifier.
  • “Anonymous Data” means information that cannot reasonably be linked to an identified or identifiable natural person.
  • “Aggregated Data” means data grouped into organisational or cohort-level summaries without revealing individual identity.
  • “Client” means the subscribing organisation, institution, employer, or authorised customer using the Services.

§

3. Zero Retention and Zero Reuse Architecture

GCredit™ is intended to operate on a strict zero-retention and zero-reuse model for individual-level assessment input. The Platform is not designed to store, preserve, archive, reuse, publish, sell, license, transfer, or repurpose data entered by any individual participant for future individual tracking, longitudinal identity mapping, behavioural profiling, or subsequent reissuance of personal reports.

Except for transient in-session processing required to render the assessment or immediate output, individual-level input is intended not to be retained in persistent storage for later recovery. What is not retained cannot later be regenerated, reissued, or reused for personal tracking or identity-linked monitoring.

§

4. Session-Based Processing and Browser-Bound Deletion

The Platform is intended to process assessment input in-session only. In the ordinary service model, once the browser is closed or the session is terminated, the personal session data is intended to be deleted or otherwise cease to remain available for further processing, retrieval, regeneration, or operational use.

Accordingly, users and clients acknowledge that personal assessment reports may not be capable of regeneration after browser closure because the Platform does not intend to preserve identity-linked input for future access. This architectural constraint is deliberate and forms part of the Platform’s privacy-first data design.

§

5. Limited Use of Anonymous and Aggregated Organisational Outputs

Where the Platform generates dashboards, trend summaries, wellness indicators, CALM Index outputs, or other organisational-level reports, such outputs are intended to be anonymised and aggregated. They are made available solely for lawful organisational insight, internal leadership understanding, and non-clinical workplace improvement purposes.

No individual employee report is intended to be sent to management, individual leaders, third-party agencies, or unrelated recipients. The Client shall not attempt to use aggregated outputs to infer individual identity, isolate a natural person, or conduct covert disciplinary or retaliatory action.

§

6. Standards, Regulatory References, and Governance Alignment

This Policy is drafted with reference to widely recognised privacy, security, and data-governance frameworks. These references are included for governance alignment and policy design and do not, by themselves, constitute a warranty of formal certification unless separately and expressly represented in writing by the Company.

  • Regulation (EU) 2016/679 (GDPR): Article 5(1)(b), Article 5(1)(c), Article 5(1)(e), Article 25, and Recital 26.
  • ISO/IEC 27001:2022: Annex A Control 5.14, Annex A Control 5.33, Annex A Control 5.34, and related access, logging, and security governance controls.
  • ISO/IEC 27701:2019: Clause 7.2.1, Clause 7.4.1, Clause 7.4.4, and related privacy information management principles.
  • ISO/IEC 20889:2018: guidance relevant to de-identification, anonymisation, and privacy-enhancing treatment of data.
  • ISO 45003:2021: workplace psychological health and safety guidance, relevant to the responsible and non-clinical use of organisational wellness signals.
  • Information Technology Act, 2000 (India) and the Digital Personal Data Protection Act, 2023 (India), to the extent applicable in the relevant deployment context.

§

7. Indemnity

The Client shall indemnify, defend, and hold harmless the Company, its directors, officers, employees, affiliates, licensors, and service providers from and against all claims, losses, liabilities, costs, damages, penalties, expenses, and reasonable legal fees arising out of or relating to: (a) misuse of the Services; (b) any attempt to identify an individual from anonymised or aggregated outputs; (c) unlawful capture, recording, or preservation of assessment data by the Client or its representatives outside the intended Platform architecture; (d) breach of this Policy, applicable law, or third-party rights; or (e) employment or organisational decisions made by the Client based wholly or partly on Platform outputs.

§

8. Limitation of Liability

To the maximum extent permitted under applicable law, the Company shall not be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages, nor for loss of profit, goodwill, reputation, anticipated savings, employee relations, business opportunity, or claims arising from an inability to regenerate individual reports after browser closure or session expiry.

Subject to non-excludable liability under applicable law, the aggregate cumulative liability of the Company arising out of or relating to this Policy, the Services, or related use of the Platform shall not exceed the total fees actually paid by the Client to the Company for the relevant Services during the three (3) months immediately preceding the event giving rise to the claim. If no fee was paid during such period, aggregate liability shall be limited to INR 10,000.

Nothing in this clause shall exclude liability that cannot lawfully be excluded under applicable law; all limitations and exclusions shall otherwise be interpreted to the maximum extent legally enforceable.

§

9. Governing Law, Venue, and Exclusive Jurisdiction

This Policy, and any dispute, claim, controversy, or proceeding arising out of or relating to this Policy, the Services, or use of the Platform, shall be governed by and construed in accordance with the laws of India, without regard to conflict-of-law principles.

The courts having territorial jurisdiction at Chennai, Tamil Nadu, India shall have exclusive jurisdiction over all disputes arising from or in connection with this Policy, the Services, or any related commercial relationship, subject always to the Company’s right to seek interim, injunctive, equitable, or protective relief before any court of competent jurisdiction where such relief is necessary to protect confidential information, systems, intellectual property, or legal rights.

§

10. Contact and Notice

For legal notices, governance clarifications, authorised policy correspondence, or data-handling enquiries relating to this Policy, please contact:

GreenSignature Services Private Limited
Email: support@gcreditwellness.com
Website: https://greensignature.org

Any legal notice intended to create, modify, waive, or dispute rights under this Policy should be made in writing by an authorised representative and sent through a verifiable communication channel.

Closing Data Assurance

What is not retained cannot later be exposed.

GCredit™ is designed to minimise persistent data exposure by limiting individual-level processing to the active session context, avoiding storage and reuse wherever the ordinary service model permits, and restricting outputs to anonymised organisational insight rather than individual surveillance.
