GI
GCC Intelligence
UP & NCR Edition
Back

Privacy Notice

GCC Intelligence — UP & NCR Edition · Effective 7 June 2026 · Issued under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

1. Who we are

This platform is operated by MarshallRidge Consulting Private Limited (“MarshallRidge”, “we”), Unit No. 52, 2nd Floor, C-39A, Gami Industrial Park, MIDC, Thane, Navi Mumbai 400705, India. We act as the data fiduciary for personal data processed on this platform.

2. What personal data we collect

We collect only what the service needs (data minimisation):

  • Account data — username/email, organisation (tenant), role, hashed password, optional MFA enrolment status. Passwords and MFA secrets are never stored in plaintext.
  • Usage & security logs — sign-in events, administrative actions and API usage metadata (timestamps, request identifiers), retained for security and legal compliance.
  • Business contact details you enter — e.g., recipient names/titles typed into proposal documents you generate.

We do not collect sensitive personal data (financial, health, biometric), and we do not use advertising or tracking cookies. The only cookie set is the strictly-necessary, encrypted session cookie.

3. Purposes of processing

  • Providing and securing the platform (authentication, role-based access, fraud/abuse prevention);
  • Generating the documents and analyses you request;
  • Meeting legal obligations (including CERT-In log-retention and incident-reporting directions);
  • Service communications related to your account.

4. Where data lives & cross-border disclosure

All platform data is stored and processed in AWS Asia Pacific (Mumbai), India, encrypted at rest and in transit. One exception: when you use the optional AI assistant features, the text of your query and the deterministic figures needed to answer it are processed by Anthropic (our AI sub-processor, United States) under contractual data-protection terms; Anthropic does not train models on this data. If you do not use AI features, no data leaves India.

5. Retention

  • Account data — for the life of the account, deleted on verified erasure request or account deletion;
  • Security and access logs — 180 days (CERT-In direction), then deleted automatically;
  • Backups — rolling 14-day cycle, after which erased data ages out automatically.

6. Your rights (data principals)

Under the DPDP Act you may request access to, correction of, or erasure of your personal data, withdraw consent, nominate a representative, and raise a grievance. Write to the Grievance Officer below; we acknowledge within 72 hours and resolve within 30 days. If unsatisfied, you may complain to the Data Protection Board of India.

7. Grievance Officer

Grievance Officer — MarshallRidge Consulting Private Limited
Email: contact@marshallridgeconsulting.in (subject: “Privacy Grievance”)
Phone: +91 77188 66506 · Address: Unit No. 52, 2nd Floor, C-39A, Gami Industrial Park, MIDC, Thane, Navi Mumbai 400705, India

8. Security measures

AES-256 encryption at rest (managed keys), TLS 1.2+ in transit, web application firewall, multi-factor authentication, role-based access control, scrypt password hashing, signed sessions, rate limiting, continuous threat monitoring (CloudTrail, GuardDuty, Security Hub, AWS Config) and 180-day tamper-evident security logs — all within India. See the Trust Centre for the full controls map.

9. Breach notification

Personal-data breaches are notified to the Data Protection Board of India and affected users as required by the DPDP Act, and cyber incidents are reported to CERT-In within six hours of noticing, per the CERT-In Directions of 28 April 2022.

10. Changes

Material changes to this notice will be posted here with a new effective date.