GRC Index ("we", "us", "our") is committed to protecting the privacy and personal data of everyone who interacts with our platform. This Privacy Policy explains how we collect, use, store, and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The data controller responsible for your personal data is GRC Index, registered at 63–66 Hatton Garden, London, EC1N 8LE, United Kingdom. Our ICO registration number is {{ICO REGISTRATION NUMBER}}. If you have any questions about this policy or how we handle your data, please contact us at info@grci.net.
We collect personal data in the following categories, depending on how you interact with our platform:
Examples
How Collected
Under UK GDPR, we must identify a lawful basis for each purpose for which we process your personal data. The lawful bases we rely on are:
Lawful Basis
Detail
We do not sell or rent your personal data to third parties. We may share your data with the following categories of recipients where strictly necessary:
All third parties processing data on our behalf are required to enter into a Data Processing Agreement and to implement appropriate technical and organisational security measures.
GRC Index is based in the United Kingdom. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place as required by UK GDPR Chapter V. These include:
Our principal hosting and analytics providers may process data in the United States and EU/EEA. We have verified that UK-compliant transfer mechanisms are in place for these services. Please contact info@grci.net for details of the specific safeguards applicable to any transfer.
We use cookies and similar technologies on our website in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR). A cookie is a small file placed on your device that helps us provide a better experience.
Purpose
Legal Basis
Examples
You can manage your cookie preferences at any time via our cookie consent banner. You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our platform.
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by applicable law. Our standard retention periods are:
Retention Period
Rationale
Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us at info@grci.net. We will respond within one calendar month (which may be extended by a further two months in complex cases — we will notify you if this is the case).
What It Means
GRC Index implements appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, and notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms.
Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy notice of every website you visit.
Our services are intended for use by professionals and organisations. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at info@grci.net and we will delete it promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. When we make significant changes, we will notify registered users by email and update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of our platform following the posting of changes constitutes your acknowledgement of those changes.
If you have any questions about this Privacy Policy, wish to exercise a data subject right, or have a concern about how we handle your personal data, please contact us:
Details
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
© 2025 GRC Index. All rights reserved.