Privacy Policy

Definitions

• "Personal Data" means any information that relates to an identified or identifiable natural person, including but not limited to name, email address, phone number, IP address, location data, or device identifiers.
• "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
• "Data Controller" means GMAV Technologies, the entity that determines the purposes and means of processing personal data under this Policy.
• "Data Processor" means a third party that processes personal data on behalf of GMAV pursuant to documented instructions and a binding data processing agreement.
• "Sensitive Personal Data" means personal data that warrants heightened protection, including data revealing racial or ethnic origin, health information, biometric data, or financial account details.

Personal Data We Collect

We collect personal data through your direct interactions with us, through automated technical means, and in some cases from third-party sources. The categories of personal data we process include:

• Identity Data: Full name, job title, company name, and professional role provided when you contact us, submit an enquiry, or enter into a service engagement.
• Contact Data: Email address, telephone number, postal address, and country of residence used to communicate with you and deliver our services.
• Technical Data: IP address, browser type and version, operating system, device type, time zone, session duration, and referral URLs collected automatically when you visit our website via cookies and analytics tools.
• Usage Data: Pages viewed, click-through paths, time spent on pages, and other behavioural data collected through website analytics to understand how our site is used and to improve our digital experience.
• Communications Data: Content of emails, contact form submissions, meeting notes, project briefs, and support queries exchanged between you and GMAV.
• Financial Data: Billing name, billing address, and invoice correspondence. Payment card data is processed exclusively by our certified payment processors (e.g., Stripe) and is never transmitted to or stored by GMAV.

We do not intentionally collect Sensitive Personal Data unless strictly required for a specific service and only with your explicit consent or as otherwise permitted by law.

Lawful Basis for Processing

We process personal data only where we have a valid lawful basis to do so. The lawful bases we rely upon are:

• Performance of a Contract: Where processing is necessary to take steps prior to entering into a contract with you or to perform our obligations under an existing contract, such as delivering agreed services or issuing invoices.
• Legitimate Interests: Where we have a compelling legitimate business interest, such as improving our services, securing our systems, responding to prospective client enquiries, and conducting business development activities, provided that such interests do not override your fundamental rights and freedoms.
• Consent: Where you have provided freely given, specific, informed, and unambiguous consent, for example for marketing communications or the use of non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal Obligation: Where processing is required for us to comply with a legal or regulatory obligation, such as tax record-keeping or responding to a lawful regulatory request.

How We Use Your Personal Data

We use personal data for the following specific purposes, each supported by one or more lawful bases described in Section 03:

• Delivering, managing, and improving our professional services and website
• Responding to enquiries, project briefs, and support requests in a timely and effective manner
• Preparing proposals, issuing invoices, processing payments, and managing client accounts
• Sending transactional communications, including project updates, invoices, and service notifications
• Sending marketing and thought-leadership communications to existing clients and opted-in contacts (with a clear opt-out mechanism in every message)
• Analysing website traffic and user behaviour to improve content, navigation, and conversion performance
• Detecting, investigating, and preventing fraud, security incidents, and unauthorised access to our systems
• Maintaining records necessary to satisfy our legal, regulatory, and tax obligations
• Exercising or defending legal claims

We will not use your personal data for purposes that are incompatible with those for which it was originally collected without providing you with prior notice and, where required, obtaining your consent.

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies (including pixels and local storage) to operate the site, understand how it is used, and deliver relevant content. We categorise cookies as follows:

• Strictly Necessary: Required for the website to function correctly, for example, maintaining session state. These cannot be disabled and do not require your consent.
• Analytics and Performance: Collect aggregated, anonymised data on how visitors use our site (e.g., via Google Analytics). Enabled only with your consent and subject to your ability to opt out at any time.
• Functional: Allow the site to remember your preferences and personalise your experience. Enabled only with your consent.
• Marketing and Targeting: Used to deliver interest-based content and measure the effectiveness of campaigns. Enabled only with your explicit consent.

You may manage your cookie preferences via our cookie consent banner at your first visit, or at any time through your browser settings. Please note that disabling certain cookies may limit website functionality. For queries about our cookie practices, contact us at privacy@gmavtech.com.

Data Sharing and Disclosure

GMAV does not sell, rent, or trade your personal data to third parties for their own commercial purposes. We may share personal data with the following categories of recipients, strictly as necessary:

• Data Processors: Trusted third-party vendors engaged to support our operations, including cloud infrastructure providers, payment processors, email delivery platforms, CRM software, and analytics tools. All processors are bound by written data processing agreements obligating them to process data only on our documented instructions and to maintain appropriate security measures.
• Professional Advisers: Lawyers, accountants, auditors, and insurers, subject to duties of confidentiality, where necessary for legal, compliance, or financial purposes.
• Business Transfers: In the event of a merger, acquisition, restructuring, or sale of all or part of our business, personal data may be transferred to the acquiring entity subject to equivalent confidentiality and data protection obligations.
• Regulatory and Law Enforcement Authorities: Where we are under a legal or regulatory obligation to disclose personal data, or where disclosure is necessary to protect the rights, property, or safety of GMAV, our clients, or third parties.

International Data Transfers

As a globally operating technology company serving clients across more than 40 countries, GMAV may transfer personal data to countries outside your jurisdiction, including India, the United States, South Africa, and the United Arab Emirates. Where we transfer personal data from the European Economic Area (EEA) or the United Kingdom to a country that has not been deemed to provide an adequate level of protection, we implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission or UK equivalent
• Adequacy decisions issued by the European Commission or the UK Secretary of State, where applicable
• Binding Corporate Rules or other lawful transfer mechanisms permitted under applicable data protection law

You may request details of the specific transfer mechanisms applicable to your personal data by contacting us at privacy@gmavtech.com.

Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes set out in this Policy, to meet our legal and regulatory obligations, and to resolve disputes or enforce our agreements. Our standard retention periods are:

• Client and contract records: 7 years from the end of the contract or project (required for tax and statutory purposes)
• Marketing and prospecting data: Until you withdraw consent or opt out, subject to a maximum active period of 3 years from last meaningful engagement
• Website analytics data: 26 months from collection (aligned with Google Analytics default retention)
• Support and correspondence records: 3 years from the date of last interaction
• Job application data: 6 months from the date of application if unsuccessful; for the duration of employment and 7 years thereafter if successful

At the end of the applicable retention period, personal data is securely deleted, destroyed, or irreversibly anonymised in accordance with our internal data management procedures.

Data Security

GMAV implements a layered set of technical and organisational security measures designed to protect personal data against accidental or unlawful loss, alteration, unauthorised disclosure, or access. These measures include:

• Encryption of data in transit using TLS 1.2 or higher (HTTPS) across all GMAV-operated web properties
• Encryption of sensitive data at rest on managed infrastructure
• Role-based access controls enforcing the principle of least privilege across all internal systems
• Multi-factor authentication for access to systems holding personal data
• Regular internal security reviews and periodic third-party penetration testing
• Mandatory data protection and information security training for all GMAV personnel
• A documented incident response plan covering detection, containment, assessment, notification, and post-incident review

In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law. Despite our precautions, no data transmission or storage system is entirely secure. If you have reason to believe your interaction with us has been compromised, please notify us immediately at privacy@gmavtech.com.

Your Rights as a Data Subject

Depending on your country of residence and applicable law, you may be entitled to exercise one or more of the following rights in relation to your personal data:

• Right of Access (Art. 15 GDPR): Obtain confirmation of whether we process your personal data and, if so, receive a copy of that data along with information about how it is used.
• Right to Rectification (Art. 16 GDPR): Request correction of any inaccurate or incomplete personal data we hold about you.
• Right to Erasure (Art. 17 GDPR): Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where processing is unlawful, subject to our legal retention obligations.
• Right to Restriction of Processing (Art. 18 GDPR): Request that we temporarily limit the processing of your personal data in certain defined circumstances.
• Right to Data Portability (Art. 20 GDPR): Receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another data controller.
• Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes at any time, with immediate effect for direct marketing.
• Rights in Relation to Automated Decision-Making (Art. 22 GDPR): Not be subject to decisions made solely on the basis of automated processing, including profiling, that produce legal or similarly significant effects on you.
• CCPA Rights (California residents): Right to know what personal information is collected and how it is used, right to delete personal information, right to opt out of any sale of personal information (GMAV does not sell personal information), and right to non-discrimination for exercising your CCPA rights.
• DPDP Act Rights (India): Right to access, correct, and erase personal data; right to grievance redressal; and right of nomination under the Digital Personal Data Protection Act 2023.

To exercise any of the above rights, please submit a written request to privacy@gmavtech.com. We will acknowledge your request promptly and respond within 30 days, or within the shorter period required by applicable law. We may need to verify your identity before processing your request to prevent unauthorised disclosure or deletion.

Marketing Communications

We may send you marketing communications about our services, industry insights, case studies, and events where you have given us consent to do so or where we have a legitimate interest as an existing or recent client or professional contact. Every marketing communication includes a clear and simple mechanism to opt out. You may also withdraw your consent or object to marketing at any time by:

• Clicking the "Unsubscribe" or "Manage Preferences" link in any marketing email
• Emailing us at privacy@gmavtech.com with the subject "Marketing Opt-Out"

Opting out of marketing will not affect any transactional or service communications that are necessary to fulfil an active engagement, such as project updates, invoices, or contractual notices.

Third-Party Links and Integrated Services

Our website may contain hyperlinks to external websites, social media profiles, or third-party content. This Policy applies only to personal data processed by GMAV and does not extend to any third-party websites or platforms. We have no control over, and accept no responsibility for, the privacy practices or content of those external sites. We encourage you to read the privacy policy of any third-party site you visit.

Our website and services integrate tools provided by third parties, including Google Analytics for website analytics, Stripe for payment processing, and email delivery platforms. Each of these providers operates under its own privacy policy and, where required, we have entered into data processing agreements with them. Where these providers process data independently as data controllers, their own privacy notices will apply.

Amendments to this Policy

We review and update this Privacy Policy periodically to reflect changes in our data practices, the services we offer, applicable legal requirements, or guidance from supervisory authorities. The current version is always available on our website with the "Last Updated" date at the top of this page. For changes that materially affect how we use your personal data or your rights in relation to it, we will provide prominent notice on our website and, where appropriate, notify you by email with reasonable advance notice before the changes take effect. Your continued use of our services after any such changes constitutes your acceptance of the updated Policy.

Governing Law and Supervisory Authority

This Privacy Policy is governed by the laws of India without regard to its conflict of law provisions. Any disputes arising from or relating to this Policy shall be subject to the exclusive jurisdiction of the competent courts in Chandigarh, India, except where applicable law confers jurisdiction on another court or authority.

This limitation does not restrict EU or UK data subjects from lodging a complaint with their applicable supervisory authority. EU residents may contact their national data protection authority; UK residents may contact the Information Commissioner's Office (ICO). GMAV will cooperate fully with any supervisory authority in relation to the exercise of their powers.

Contact & Data Protection Officer