MSA-Aligned Legal Policy

Privacy Policy for GCredit™

This Privacy Policy is drafted as an MSA-grade legal publication governing the privacy, confidentiality, security, liability, and data-handling framework of GCredit™. The platform is designed on a zero-personal-data architecture intended to support anonymised organisational wellness monitoring.

Effective Date

1 January 2026

Issued By

My Brand

Exclusive Jurisdiction

Chennai, Tamil Nadu, India

§

2. Definitions

  • “Anonymous Data” means information that does not relate to an identified or identifiable natural person and cannot reasonably be attributed back to a specific individual.
  • “Aggregated Data” means data grouped and presented at organisational, departmental, cohort, functional, or other collective level without identifying any individual employee, participant, or respondent.
  • “Personal Data” / “Personally Identifiable Information (PII)” means any information relating to an identified or identifiable natural person, including direct and indirect identifiers.
  • “Client” means the subscribing organisation, institution, employer, enterprise, or authorised commercial customer using the Services.
  • “Authorised Representative” means the client-side person or function authorised to receive organisational outputs or administer access.

§

3. Zero Personal Data Collection and Processing Architecture

GCredit™ is designed on a strict zero-personal-data collection model. The Services are intended not to collect, store, map, preserve, publish, transfer, or intentionally process personal identifiers such as name, email address, designation, contact number, employee ID, personal profile information, or other direct identity markers.

The Platform is further intended not to maintain identity-linked user histories for individual monitoring, individual report regeneration, or longitudinal personal profiling. Because no personal identity mapping is intended to exist within the ordinary operating model of the Tool, individual reports generally cannot be reissued, recreated, recovered, or traced back to a specific participant after completion.

Any transient technical signals necessarily exchanged for secure service delivery, routing, basic session stability, fraud prevention, or cybersecurity protection shall not be treated by the Company as a basis for identity mapping, profiling, commercial exploitation, or disclosure, except where retention or use becomes strictly necessary for legal compliance, system defence, abuse prevention, or evidentiary preservation.

§

4. Anonymous, Aggregated, and Non-Diagnostic Processing Model

The Platform is structured for anonymous organisational wellness monitoring and related managerial insight generation. Reports made available through the Services are intended to be limited to aggregated, non-individualised, anonymised, and non-clinical outputs. No employee-level report is intended to be shared with management, line managers, human resources teams, subscribing entities, third-party agencies, or external recipients.

The Services are not intended to diagnose mental, medical, psychiatric, behavioural, or clinical conditions and shall not be construed as a diagnostic, therapeutic, or medical advice platform. Any outputs generated by the Platform are indicative organisational wellness signals and not a substitute for licensed clinical evaluation, occupational medical review, crisis intervention, or statutory HR enquiry.

§

5. Confidentiality, Restricted Disclosure, and Publication Controls

All aggregated client-level outputs, organisational wellness summaries, internal dashboards, benchmark indicators, CALM Index outputs, narrative interpretations, or other organisationally attributable results shall be treated as confidential information of the relevant client, subject always to the Company’s intellectual property rights in the Platform, scoring framework, logic, templates, methodologies, and presentation systems.

The Company shall not publish, externally disclose, commercially showcase, publicly circulate, or knowingly share an organisation’s wellness status, internal indicators, or report contents without explicit written permission from an authorised representative of the relevant client, except where disclosure is required by applicable law, court order, governmental process, or lawful investigative demand.

The Company shall not use assessment data for marketing, testimonials, promotional claims, case studies, endorsements, or publicity material unless such usage has been expressly approved in writing by the relevant client. Silence, participation, subscription, payment, or operational use shall not be deemed consent for promotional disclosure.

§

6. No Third-Party Transfer and Restricted External Access

The Company does not intentionally transfer individual participant information to third parties because the ordinary service model is designed not to collect or preserve individual participant identity data in the first place. The Company further does not intentionally provide individual assessment information to subscribing organisations, external consultants, advertisers, data brokers, recruitment intermediaries, or unrelated service providers.

Where infrastructure vendors, hosting providers, cybersecurity tools, communication systems, or technical processors are used for secure delivery of the Services, any such access shall be limited to what is technically necessary for service operation, security, backup integrity, or lawful compliance, subject to reasonable confidentiality and security controls. Such operational dependence shall not be interpreted as a sale, publication, or commercial transfer of personal assessment information.

§

7. Client Obligations and Prohibited Conduct

The Client shall not attempt, encourage, facilitate, or permit any reverse identification, inferential identity matching, triangulation, singling out, micro-group analysis, covert surveillance, retaliatory decision-making, or other act intended to attribute aggregated outputs to a natural person or small identifiable subgroup.

The Client further agrees not to treat the Platform as an employee surveillance tool, disciplinary evidence system, or substitute for lawful HR process, grievance investigation, or statutory compliance enquiry. The Client remains solely responsible for its employment decisions, labour practices, managerial conduct, workplace interventions, and legal compliance obligations.

§

8. Security Safeguards and Data Integrity Measures

Even where the Platform operates on an anonymised architecture, the Company may implement commercially reasonable technical and organisational safeguards intended to preserve confidentiality, system integrity, access control, transmission security, anti-abuse resilience, and protection against unauthorised reconstruction or compromise.

Such measures may include access restrictions, role-based permissioning, transport layer security, controlled system administration, activity logging for security purposes, vulnerability management practices, secure hosting architecture, and incident response handling as reasonably appropriate to the nature of the Services.

§

9. Standards, Framework, and Regulatory Alignment Reference

This Policy is drafted with reference to widely recognised privacy, information security, and workplace psychosocial risk frameworks. Clause references below are included for governance alignment and policy framing; they do not constitute a representation that the Company or Platform is formally certified under every referenced standard unless expressly stated in a separate signed representation.

  • Regulation (EU) 2016/679 (GDPR): Article 5(1)(c) (data minimisation), Article 5(1)(e) (storage limitation), Article 25 (data protection by design and by default), and Recital 26 (anonymous information not relating to an identified or identifiable natural person).
  • ISO/IEC 27001:2022: Annex A Control 5.14 (information transfer), Annex A Control 5.33 (protection of records / retention-oriented governance context), Annex A Control 5.34 (privacy and protection of PII), and related information security governance controls.
  • ISO/IEC 27701:2019: PIMS guidance for PII controllers and processors, including Clause 7.2.1 (purpose specification and processing conditions context), Clause 7.4.1 / 7.4.4 (PII minimisation guidance context), and privacy-by-design oriented control objectives.
  • ISO/IEC 20889:2018: privacy enhancing data de-identification techniques relevant to anonymisation and de-identification framing.
  • ISO 45003:2021: psychological health and safety at work, providing guidance for the management of psychosocial risks within an occupational health and safety system context.
  • India – Digital Personal Data Protection Act, 2023: referred to for privacy governance context, while noting that the ordinary architectural model of the Platform is intended not to involve personal data processing as a core operating requirement.
  • India – Information Technology Act, 2000 and applicable subordinate rules: referred to for cybersecurity, intermediary, electronic record, and legal compliance context, where relevant.

Where the Services are used in jurisdictions imposing stricter privacy, labour, sectoral, or employee-consultation obligations, the Client remains responsible for securing all consents, notices, works-council approvals, internal policy authorisations, or other lawful bases required for deployment within its organisation.

§

10. No Warranty; Informational and Organisational Use Only

Except as may be expressly stated in a separately executed written agreement signed by an authorised signatory of the Company, the Services and all associated policies, reports, scores, dashboards, summaries, or outputs are provided on an “as is”, “as available”, and “with all faults” basis. The Company disclaims, to the maximum extent permitted by law, all implied warranties, representations, and conditions including merchantability, fitness for a particular purpose, uninterrupted availability, non-infringement, predictive certainty, clinical validity, employment suitability, or guaranteed business outcome.

The Company does not warrant that use of the Platform will prevent attrition, burnout, employee complaints, labour disputes, psychosocial incidents, legal claims, or productivity loss.

§

11. Indemnity

The Client shall defend, indemnify, and hold harmless the Company, its affiliates, promoters, directors, officers, employees, consultants, licensors, and authorised representatives from and against all losses, liabilities, damages, penalties, costs, and expenses (including reasonable legal fees) arising out of or relating to: (a) misuse of the Services; (b) any attempt to identify individuals from aggregated outputs; (c) employment, disciplinary, performance, termination, or retaliatory action taken by the Client based wholly or partly on Platform outputs; (d) breach by the Client of this Policy, applicable law, or third-party rights; or (e) false, unlawful, coercive, or non-compliant deployment of the Services within the Client environment.

§

12. Limitation of Liability

To the maximum extent permitted under applicable law, the Company shall not be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages, nor for loss of profit, revenue, goodwill, reputation, anticipated savings, business opportunity, employee relations, or data reconstruction claims, whether in contract, tort, negligence, strict liability, statute, or otherwise, even if advised of the possibility of such damages.

Subject to non-excludable liability under applicable law, the aggregate cumulative liability of the Company arising out of or in connection with the Services, this Policy, or related use of the Platform shall not exceed the total fees actually paid by the Client to the Company for the relevant Services during the three (3) months immediately preceding the event giving rise to the claim. If the Services were provided without fee during such period, the Company’s aggregate liability shall be limited to INR 10,000.

Nothing in this clause shall exclude liability that cannot lawfully be excluded under applicable law; however, all exclusions and limitations shall be interpreted to the broadest extent legally enforceable.

§

13. Legal Disclosure, Compliance Exceptions, and Preservation Rights

Nothing in this Policy shall prevent the Company from preserving, using, or disclosing information to the extent reasonably necessary to comply with applicable law, court order, subpoena, governmental request, law-enforcement process, regulatory direction, fraud prevention needs, abuse investigation, security incident handling, insurance reporting, or the establishment, exercise, or defence of legal claims.

Where legally permitted and reasonably practicable, the Company may notify the affected Client before producing organisationally attributable information in response to compulsory legal process.

§

14. Governing Law, Venue, and Exclusive Jurisdiction

This Policy, and any dispute, claim, controversy, or proceeding arising out of or relating to this Policy, the Services, or use of the Platform, shall be governed by and construed in accordance with the laws of India, without regard to conflict-of-law principles.

The courts having territorial jurisdiction at Chennai, Tamil Nadu, India shall have exclusive jurisdiction over all disputes arising from or in connection with this Policy, the Services, or any related commercial relationship, subject always to the Company’s right to seek interim, injunctive, equitable, or protective relief before any court of competent jurisdiction where such relief is necessary to protect confidential information, intellectual property, systems, or legal rights.

§

15. Amendments, Versioning, and Continued Use

The Company may amend, revise, restate, or update this Policy from time to time to reflect operational, legal, regulatory, commercial, technical, or security changes. Any revised version may be published on the applicable webpage or otherwise communicated through reasonable business channels. Continued access to or use of the Services after the effective date of a revised version shall constitute acceptance of the revised Policy, to the extent permitted by applicable law and any governing written agreement.

§

16. Contact and Notice

For legal notices, privacy-related requests, governance clarifications, or authorised policy correspondence relating to this Policy, please contact:

My Brand
Email: support@gcreditwellness.com
Website: https://greensignature.org

Any legal notice intended to create, modify, waive, or dispute rights under this Policy should be made in writing by an authorised representative and sent through a verifiable communication channel.

Closing Legal Assurance

Privacy-first by structure, not by promise.

GCredit™ is intended to support meaningful organisational insight without compromising individual identity, personal confidentiality, or employee dignity. The architecture, as published in this policy, is designed to favour anonymisation, aggregation, restricted disclosure, and responsible enterprise use.
