MaestroGRC ("we", "us", "our") is an enterprise compliance orchestration platform operated by GRCfy Technologies Private Ltd ("the Company"). The platform enables audit firms and their client organisations to manage audits, controls, findings, and evidence in a structured, role-based environment.
This Privacy Policy applies to all users of the MaestroGRC web application, including audit administrators, auditors, compliance reviewers, and client-side users. It describes how we collect, process, store, and protect personal information in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the Digital Personal Data Protection Act 2023 (DPDP Act), and other relevant regulations.
For questions about this policy or to exercise your rights, contact our Data Protection Officer at privacy@maestrogrc.in.
When an administrator creates a user account on your behalf, or when you register directly, we collect:
We collect information about your organisation to provision and manage your account:
As part of the service, users upload and generate compliance data including audit control assessments, findings, remediation notes, and evidence files (documents, spreadsheets, images). This content belongs to your organisation and is processed by us solely to operate the platform.
We automatically collect technical data to operate and secure the platform:
If your organisation configures SSO (SAML 2.0, OIDC, or LDAP), we receive identity attributes from your Identity Provider (e.g., name, email, group memberships) solely to authenticate you and provision your account. We do not retain IdP tokens beyond the session.
| Purpose | Data Used |
|---|---|
| Account authentication and access control | Name, email, hashed password, roles, SSO attributes |
| Delivering the compliance management service | Audit content, findings, evidence, control data |
| Subscription and billing management | Organisation details, subscription plan, credit usage |
| Platform security, fraud prevention, and audit logging | IP address, user-agent, session data, activity logs |
| Sending transactional notifications | Email, name — for audit assignments, evidence flags, renewal reminders |
| Compliance with legal obligations (including DPDP Act, GDPR) | Identity data, activity logs, deletion records |
| Improving the platform (aggregated, anonymised analytics only) | Anonymised usage patterns — no individual tracking |
We do not use personal data for advertising, sell it to third parties, or use it to train AI models.
Where GDPR or similar laws apply, we rely on the following legal bases:
We do not sell personal data. We share data only in the following circumstances:
Audit content and user information is visible to authorised members of your audit firm or client organisation in accordance with the role-based access controls you configure.
We engage a limited number of sub-processors to operate the platform (cloud hosting, transactional email, monitoring). All sub-processors are bound by data processing agreements and may only process data on our documented instructions.
We may disclose data if required to do so by law, court order, or to protect the rights, property, or safety of the Company, our users, or the public.
We implement industry-standard technical and organisational measures to protect your data:
While we take extensive precautions, no system can guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for promptly notifying us of any suspected unauthorised access at security@maestrogrc.in.
We retain personal data for as long as your organisation's account is active and for a defined period thereafter:
Platform administrators can initiate permanent deletion ("force delete") of records via the Recovery Vault. All such actions are logged immutably with a mandatory reason.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction | Update inaccurate or incomplete personal data via your profile settings or by contacting us. |
| Erasure | Request deletion of your personal data where there is no overriding legal obligation to retain it. |
| Portability | Receive a structured, machine-readable export of data you have provided to us. |
| Restriction | Request that we limit how we use your data in certain circumstances. |
| Objection | Object to processing based on legitimate interests. |
| Withdraw consent | Where processing is based on consent, withdraw it at any time without affecting prior processing. |
To exercise any of these rights, contact privacy@maestrogrc.in. We will respond within 30 days. Note that some rights may be limited where we are required by law to retain data or where the request conflicts with the rights of other users.
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority.
MaestroGRC uses strictly necessary cookies only:
- `maestrogrc_session` — maintains your authenticated session. Expires when you close your browser or log out.
- `XSRF-TOKEN` — protects against cross-site request forgery. Session-scoped.

We do not use analytics cookies, tracking pixels, or third-party advertising cookies. No cookie consent banner is required for strictly necessary cookies under most jurisdictions, but we disclose their use here for full transparency.
MaestroGRC is a professional B2B compliance platform intended solely for use by organisations and their authorised employees and contractors. We do not knowingly collect personal data from individuals under the age of 18. All accounts must be created and managed by adults acting in a professional capacity on behalf of their organisation.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
Your continued use of the platform after the effective date of a revised policy constitutes your acceptance of the changes.
For all privacy-related enquiries, please contact: