1. Introduction and Who We Are

GRC Index ("we", "us", "our") is committed to protecting the privacy and personal data of everyone who interacts with our platform. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The data controller responsible for your personal data is GRC Index, registered at 63–66 Hatton Garden, London, EC1N 8LE, United Kingdom. Our ICO registration number is {{ICO REGISTRATION NUMBER}}. If you have any questions about this policy or how we handle your data, please contact us at info@grci.net.

2. What Personal Data We Collect

We collect personal data in the following categories, depending on how you interact with our platform:

Data Category | Examples | How Collected
Identity Data | Full name, job title, organisation name | Registration forms, contact enquiries, assessment submissions
Contact Data | Email address, telephone number, postal address | Account creation, contact forms, booking enquiries
Assessment Data | GRC questionnaire responses, uploaded evidence documents, GRC Index Scores | Completion of GRC maturity assessment on our platform
Transaction Data | Invoice details, payment history (payment card data processed by payment processor — not stored by us) | Purchase of training courses or assessment services
Technical Data | IP address, browser type and version, operating system, device identifiers, session duration, pages visited | Automatically collected via cookies and analytics tools
Communications Data | Emails and messages sent to us, records of calls and enquiries | Direct communication with our team
Marketing Preferences | Consent choices, communication preferences, unsubscribe records | Account settings, opt-in/opt-out actions

3. Lawful Bases for Processing (UK GDPR Article 6)

Under UK GDPR, we must identify a lawful basis for each purpose for which we process your personal data. The lawful bases we rely on are:

Processing Purpose | Lawful Basis | Detail
Providing GRC assessment and benchmarking services | Contract (Art. 6(1)(b)) | Processing is necessary to perform the assessment contract you have entered into with us
Delivering GRC training courses | Contract (Art. 6(1)(b)) | Processing is necessary to deliver the training course you have purchased
Processing payments for services | Contract (Art. 6(1)(b)) | Processing is necessary to complete the transaction and issue invoices
Sending marketing communications (newsletters, course updates) | Consent (Art. 6(1)(a)) | We only send marketing communications where you have opted in — you can withdraw consent at any time
Improving our platform and services | Legitimate Interests (Art. 6(1)(f)) | We have a legitimate interest in improving our platform; this does not override your rights
Analysing website usage via analytics tools | Legitimate Interests (Art. 6(1)(f)) / Consent | Analytics used to improve user experience; consent obtained for non-essential cookies per PECR
Complying with legal obligations (e.g. financial records, VAT) | Legal Obligation (Art. 6(1)(c)) | Required by UK law including HMRC rules, Companies Act 2006
Responding to your enquiries and support requests | Legitimate Interests (Art. 6(1)(f)) | Necessary to respond to your communications with us

4. How We Share Your Information

We do not sell or rent your personal data to third parties. We may share your data with the following categories of recipients where strictly necessary:

  • IT and Hosting Providers — our platform is hosted on secure cloud infrastructure. Our hosting provider processes data as a data processor under a Data Processing Agreement.
  • Payment Processors — card payments are processed by our payment processor. We do not store payment card data. Payment processing is subject to the processor's own PCI-DSS compliance and privacy policy.
  • Analytics Providers — we use analytics tools (such as Google Analytics) to understand how our platform is used. Data is pseudonymised or anonymised where possible.
  • Email and Communications Platforms — we use third-party email service providers to send transactional and marketing communications where you have consented.
  • Legal and Regulatory Authorities — we may disclose personal data to the police, courts, regulators (including the ICO), or other government authorities where required by law or where we believe in good faith that disclosure is necessary to prevent harm or comply with a legal obligation.
  • Professional Advisers — our legal, accounting, and insurance advisers may process personal data where necessary to provide their services, bound by professional confidentiality obligations.

All third parties processing data on our behalf are required to enter into a Data Processing Agreement and to implement appropriate technical and organisational security measures.

5. International Data Transfers

GRC Index is based in the United Kingdom. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V. These include:

  • Transfers to countries with UK adequacy regulations in force (e.g. EU/EEA member states, under the UK-EU adequacy decision)
  • Transfers to organisations that have provided appropriate safeguards through UK Standard Contractual Clauses (UK SCCs) or binding corporate rules
  • Transfers where derogations under UK GDPR Article 49 apply (e.g. explicit consent, performance of a contract)

Our principal hosting and analytics providers may process data in the United States and EU/EEA. We have verified that UK-compliant transfer mechanisms are in place for these services. Please contact info@grci.net for details of the specific safeguards applicable to any transfer.

6. Cookies and Tracking Technologies (PECR)

We use cookies and similar technologies on our website in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR). A cookie is a small file placed on your device that helps us provide a better experience.

Cookie Type | Purpose | Legal Basis | Examples
Strictly Necessary | Essential for the website and platform to function — cannot be disabled | Necessary (no consent required) | Session cookies, authentication cookies, security tokens
Performance / Analytics | Measure how visitors use our site to improve the user experience | Consent (PECR) | Google Analytics (_ga, _gid), Hotjar
Functional | Remember your preferences and settings | Consent (PECR) | Language preferences, cookie consent preferences
Marketing | Track visits across websites to display relevant advertising (only if applicable) | Consent (PECR) | LinkedIn Insight Tag, Google Ads conversion tracking

You can manage your cookie preferences at any time via our cookie consent banner. You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our platform.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. Our standard retention periods are:

Data Category | Retention Period | Rationale
Assessment data (GRC questionnaire responses, evidence, scores) | 5 years from last assessment | To enable reassessment benchmarking and track GRC maturity improvement over time
Training records and course completion certificates | 5 years from course completion | CPD certification records; recommended by CPD Certification Service
Contract and transaction records (invoices, payment records) | 7 years from transaction date | UK HMRC requirement — Taxes Management Act 1970
Marketing consent records | 3 years from last interaction or withdrawal of consent | ICO guidance on consent record-keeping; PECR compliance
Website analytics data (pseudonymised) | 26 months (Google Analytics default) | Industry standard for year-over-year analytics comparison
Correspondence and enquiries | 2 years from last communication | Limitation Act 1980 — simple contract claims within 6 years; 2 years is proportionate for enquiries
Account data (registered users) | Duration of account + 1 year from deletion request | Contractual performance; fraud prevention during transition period

8. Your Data Subject Rights (UK GDPR Articles 15–22)

Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at info@grci.net. We will respond within one calendar month (which may be extended by a further two months in complex cases — we will notify you if this is the case).

Right | What It Means
Right of Access (Art. 15) | You have the right to request a copy of the personal data we hold about you and information about how we process it. We will provide this in a portable, commonly used format (Subject Access Request — SAR).
Right to Rectification (Art. 16) | You have the right to request that we correct inaccurate or incomplete personal data we hold about you. We will action this without undue delay.
Right to Erasure (Art. 17) | You have the right to request that we delete your personal data where there is no legitimate reason for us to continue processing it. Note: this right does not apply where we are required to retain data by law.
Right to Restriction (Art. 18) | You have the right to request that we restrict processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have contested.
Right to Data Portability (Art. 20) | Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21) | You have the right to object to processing of your personal data where we rely on legitimate interests as the lawful basis. You also have an absolute right to object to processing for direct marketing purposes.
Rights re: Automated Decision-Making (Art. 22) | You have the right not to be subject to a decision based solely on automated processing that produces significant legal effects. Our GRC Index Score involves human expert review and is not solely automated.
Right to Withdraw Consent (Art. 7) | Where processing is based on your consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

9. Security of Your Personal Data

GRC Index implements appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:

  • Encryption of personal data in transit using TLS 1.2 or higher
  • Encryption of personal data at rest on our hosting infrastructure
  • Access controls and role-based permissions limiting staff access to personal data on a need-to-know basis
  • Regular security assessments and penetration testing of our platform
  • Staff training on data protection and information security
  • Incident response procedures for identifying, reporting, and managing personal data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.

10. Third-Party Links

Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy notice of every website you visit.

11. Children's Privacy

Our services are intended for use by professionals and organisations. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@grci.net and we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make significant changes, we will notify registered users by email and update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of our platform following the posting of changes constitutes your acknowledgement of those changes.

13. Contact Us and the Right to Complain

If you have any questions about this Privacy Policy, wish to exercise a data subject right, or have a concern about how we handle your personal data, please contact us:

Contact Method | Details
Email | info@grci.net — Subject line: "Data Protection Enquiry"
Post | Data Protection, GRC Index, 63–66 Hatton Garden, London, EC1N 8LE, UK

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.