Privacy Policy

1. About Us — Data Fiduciary

Company Name: thegr8labs
Website: https://www.thegr8labs.com
Contact Email: info@thegr8labs.com
Country of Incorporation: India

For the purposes of the Information Technology Act, 2000, the SPDI Rules, 2011, and the Digital Personal Data Protection Act, 2023, thegr8labs acts as the Data Fiduciary — the entity that determines the purpose and means of processing your personal data.

2. Grievance Officer (Mandatory under IT Act, 2000 and DPDP Act, 2023)

In accordance with Section 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the details of our designated Grievance Officer are as follows:

If you have any complaints or grievances with respect to our website or concerning the processing of your personal data, you may contact our Grievance Officer using the details above.

3. What Personal Data We Collect

We collect the following categories of personal data from you:

3.1 Data You Provide Directly

• Contact Information: Your name, email address, phone number, company name, and job title when you fill in our contact or inquiry forms.
• Communication Data: The content of messages and emails you send us, including project requirements and business inquiries.
• Account Data: If you create an account on any of our platforms or products, your username, password (stored in encrypted form), and profile information.

3.2 Data We Collect Automatically

• Technical Data: IP address, browser type and version, operating system, device identifiers, time zone setting, and browser plug-in types and versions.
• Usage Data: Pages visited, links clicked, time spent on pages, referral URLs, and interaction data with our website.
• Cookie Data: As described in our Cookie Policy.

3.3 Sensitive Personal Data or Information (SPDI)

Under the SPDI Rules, 2011, “sensitive personal data or information” includes passwords, financial information, health data, biometric data, and more. thegr8labs does not ordinarily collect SPDI through its website. If a specific engagement requires it (e.g., for a project build), we will obtain your explicit written consent and this Policy will be updated accordingly.

4. Purpose of Collection and Use of Your Data

We collect and process your personal data only for specific, lawful purposes. Under the DPDP Act, 2023, we rely on consent and legitimate use as our lawful bases. Specifically, we use your data to:

• Respond to your inquiries, project requests, and consultation bookings
• Provide, operate, and maintain our services and products
• Send you service-related communications, updates, and confirmations
• Send you marketing communications where you have consented to receiving them
• Analyse website usage to improve our website, content, and offerings
• Detect, prevent, and address technical issues, fraud, and security threats
• Comply with applicable legal obligations under Indian law
• Enforce our Terms of Service and protect our legal rights

5. Legal Basis for Processing (DPDP Act, 2023)

Under the Digital Personal Data Protection Act, 2023, we process your personal data on the following bases:

• Consent: You have given clear, free, specific, informed, and unambiguous consent for us to process your personal data for the stated purpose.
• Legitimate Use: Processing is necessary for the performance of a contract you are party to, or for taking steps at your request prior to entering a contract.
• Legal Obligation: Processing is necessary to comply with a legal obligation under Indian law.
• Vital Interests: Processing is necessary to protect the vital interests of you or another natural person.

6. Disclosure and Sharing of Your Personal Data

We do not sell, trade, or rent your personal data to third parties. We may share your data in the following limited circumstances:

• Service Providers: Trusted third-party service providers who assist us in operating our website and conducting our business (e.g., cloud hosting providers, email service providers, analytics platforms). These parties are contractually obligated to keep your information confidential and use it only for the services they provide to us.
• Legal Requirements: If required by Indian law, court order, governmental authority, or law enforcement request.
• Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website.
• Protection of Rights: To protect and defend the rights, property, or safety of thegr8labs, our clients, or the public.

6.1 Cross-Border Data Transfers

Some of our service providers are located outside India. When we transfer your personal data internationally, we ensure it is protected by appropriate safeguards, including contractual clauses or adequacy decisions as permitted under the DPDP Act, 2023 and rules notified thereunder. Countries to which your data may be transferred include but are not limited to: the United States, the United Kingdom, the European Union, and Singapore.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements under Indian law.

• Contact/Inquiry Data: Retained for 3 years from the date of last contact, unless a contractual relationship exists.
• Client Project Data: Retained for 7 years after project completion for contractual and accounting compliance under Indian law.
• Marketing Data: Retained until you withdraw consent or unsubscribe.
• Website Analytics Data: Retained in anonymised/aggregated form indefinitely; identifiable data retained for 13 months.

8. Your Rights as a Data Principal (DPDP Act, 2023)

Under the Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to Access: The right to obtain a summary of personal data held by us and the processing activities undertaken with respect to your data.
• Right to Correction: The right to correct inaccurate or misleading personal data and to update your personal data.
• Right to Erasure: The right to erase your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw consent.
• Right to Grievance Redressal: The right to have your grievances addressed by our Grievance Officer and, if unresolved, to escalate to the Data Protection Board of India.
• Right to Nominate: The right to nominate another individual who shall, in the event of your death or incapacity, exercise your rights.
• Right to Withdraw Consent: The right to withdraw your consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, contact us at info@thegr8labs.com with the subject line “Data Rights Request”. We will respond within 15 business days.

9. Security of Your Personal Data

We implement and maintain reasonable security practices and procedures as required under Section 43A of the Information Technology Act, 2000 and the SPDI Rules, 2011. Our security measures include:

• Encryption of data in transit using TLS/SSL protocols
• Encryption of sensitive data at rest using AES-256
• Access controls and role-based permissions limiting access to personal data
• Regular security assessments and vulnerability testing
• Employee training on data protection and security
• Incident response procedures for data breach notification

In the event of a data breach that is likely to cause harm to you, we will notify you and the appropriate authorities as required by applicable law.

10. Cookies

Our website uses cookies and similar tracking technologies. For detailed information about the cookies we use and how you can control them, please read our Cookie Policy.

11. Children's Privacy

Our website and services are not directed at children under the age of 18 years. We do not knowingly collect personal data from children. Under the DPDP Act, 2023, processing of data of children requires verifiable parental consent. If you believe we have inadvertently collected data from a child, please contact us immediately at info@thegr8labs.com and we will take immediate steps to delete such data.

12. Third-Party Websites and Services

Our website may contain links to third-party websites. This Privacy Policy does not apply to such websites. We strongly advise you to review the Privacy Policy of every website you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page with an updated “Last Updated” date, and by sending you an email notification if we have your contact details. We encourage you to review this Privacy Policy periodically. Your continued use of our website after the effective date of the updated Policy constitutes your acceptance of the updated terms.

14. Governing Law and Dispute Resolution

This Privacy Policy is governed by the laws of India, including the Information Technology Act, 2000, the SPDI Rules, 2011, the Digital Personal Data Protection Act, 2023, and any other applicable Indian legislation. Any dispute arising out of or relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts in India.

If you have a complaint about our data processing practices that cannot be resolved by our Grievance Officer, you have the right to lodge a complaint with the Data Protection Board of India once it is constituted and operational under the DPDP Act, 2023.

15. Contact Us

For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at: