Last updated: January 2026
Privacy Policy
At GRCTrack, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our compliance management platform and related services.
1. Information We Collect
1.1 Information You Provide
We collect information you provide directly to us, including:
- Account Information: Name, email address, company name, job title, and password when you create an account.
- Profile Information: Professional credentials, certifications (such as QSA numbers), and contact preferences.
- Compliance Data: Assessment information, evidence files, policies, and other compliance-related documentation you upload to the platform.
- Communications: Information you provide when contacting our support team or participating in surveys.
- Payment Information: Billing details processed through our secure payment providers.
1.2 Information Collected Automatically
When you use our platform, we automatically collect:
- Usage Data: Pages visited, features used, time spent on the platform, and interaction patterns.
- Device Information: Browser type, operating system, device identifiers, and IP address.
- Log Data: Access times, error logs, and referring URLs.
2. How We Use Your Information
We use the collected information to:
- Provide, maintain, and improve our compliance management services
- Process transactions and send related information
- Send technical notices, security alerts, and support messages
- Respond to your comments, questions, and support requests
- Develop new features and services based on user needs
- Monitor and analyse usage patterns to improve user experience
- Detect, prevent, and address technical issues and security threats
- Comply with legal obligations and enforce our terms of service
3. Information Sharing
We do not sell your personal information. We may share information in the following circumstances:
- With Your Consent: When you explicitly authorise sharing with third parties.
- Service Providers: With vendors who assist in providing our services (hosting, payment processing, analytics), bound by confidentiality agreements.
- Business Transfers: In connection with mergers, acquisitions, or asset sales, with appropriate confidentiality protections.
- Legal Requirements: When required by law or to protect rights, safety, or property.
- Aggregated Data: De-identified, aggregated information that cannot identify individuals.
4. Data Security
We implement industry-standard security measures to protect your information, including:
- End-to-end encryption for data in transit and at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms
- Continuous monitoring for security threats
- SOC 2 Type II certified infrastructure
- Regular backups and disaster recovery procedures
5. Data Retention
We retain your information for as long as your account is active or as needed to provide services. Upon account termination, we retain data for a reasonable period to comply with legal obligations, resolve disputes, and enforce agreements. You may request deletion of your data subject to legal retention requirements.
6. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal requirements)
- Portability: Receive your data in a structured, machine-readable format
- Objection: Object to certain processing activities
- Restriction: Request limited processing of your data
To exercise these rights, please contact us at privacy@grctrack.com.
7. International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by relevant data protection authorities, to protect your information during such transfers.
8. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete such information promptly.
9. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of our services after changes become effective constitutes acceptance of the revised policy.
10. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact:
GRCTrack Data Protection
Email: privacy@grctrack.com
Address: GRCTrack Ltd, London, United Kingdom