Data Protection Policy
How GMAV Capital handles, secures, and governs sensitive client and business data.
1. Scope & Purpose
This Data Protection Policy ("Policy") describes how GMAV Capital collects, stores, processes, protects, and governs personal data and sensitive business information obtained through its advisory services and website operations.
This Policy applies to:
- All employees, partners, consultants, and contractors of GMAV Capital
- All personal data and sensitive personal data processed in the course of business operations
- All third-party service providers who process data on GMAV Capital's behalf
- Data collected through the Website at gmav.io and through client engagement processes
This Policy complements our Privacy Policy, which explains data practices to clients and website visitors. This Policy governs internal data handling standards and obligations.
2. Regulatory Framework
GMAV Capital's data protection practices are governed by the following legal instruments:
2.1 Indian Law
- Information Technology Act, 2000 (IT Act): Governs electronic records, digital signatures, cybersecurity offences, and corporate liability for data protection failures.
- IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules): Defines "sensitive personal data", prescribes security standards, and mandates consent and disclosure obligations.
- Digital Personal Data Protection Act, 2023 (DPDP Act): India's comprehensive data protection legislation. Provisions are being operationalised. GMAV Capital is committed to compliance with all notified provisions.
2.2 International Standards (Where Applicable)
- General Data Protection Regulation (GDPR): Applies to personal data of individuals in the EU/EEA that GMAV Capital processes (GDPR applies by reference to where the data subject is, not their nationality or residency). We apply GDPR-compliant standards for EU/EEA data subjects.
- UK GDPR: Applies to personal data of individuals in the UK.
GMAV Capital voluntarily adopts international best practices from ISO/IEC 27001 (information security management) and the NIST Cybersecurity Framework as guiding references, even where not legally mandated.
3. Data Categories
GMAV Capital processes the following categories of data in the course of its operations:
| Category | Examples | Classification |
|---|---|---|
| Client Contact Data | Name, email, phone, designation, company | Personal Data |
| Financial Information | Revenue figures, valuation, cap table, funding history | Sensitive Business Data |
| Business Documents | Pitch decks, financial models, term sheets, legal agreements | Confidential / Privileged |
| Investor Data | Investor profiles, ticket sizes, investment preferences | Personal Data / Confidential |
| Communication Records | Emails, meeting notes, call summaries | Confidential |
| Website Usage Data | IP address, pages visited, browser type | Personal Data (Pseudonymous) |
| Employee / Contractor Data | HR records, payroll, performance data | Personal Data / Sensitive |
We do not collect or process government identification numbers (Aadhaar, PAN, passport), biometric data, health or medical data, or financial account credentials as part of our advisory services.
4. Data Handling Principles
GMAV Capital processes all data in accordance with the following principles:
- Lawfulness, Fairness, and Transparency: Data is collected and processed only on a lawful basis, with clear notice to data subjects.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes.
- Data Minimisation: We collect only the data that is necessary for the stated purpose. We do not seek information beyond what is required for the engagement.
- Accuracy: We take reasonable steps to ensure that data held is accurate and, where necessary, kept up to date. Clients are encouraged to notify us of any changes.
- Storage Limitation: Data is retained only for as long as necessary for the purpose for which it was collected. See Section 11 for retention schedules.
- Integrity and Confidentiality: Data is processed with appropriate security measures to protect against unauthorised or unlawful processing, accidental loss, destruction, or damage.
- Accountability: GMAV Capital takes responsibility for compliance with these principles and maintains records sufficient to demonstrate compliance.
5. Lawful Basis for Processing
GMAV Capital processes personal data on the following lawful bases:
- Consent: Where you have given explicit consent, including for marketing communications, newsletter subscriptions, or the sharing of your information with investors.
- Contractual Necessity: Where processing is necessary to perform the advisory engagement agreement with you.
- Legitimate Interests: Where processing is necessary for our legitimate business interests, such as maintaining business records, preventing fraud, and improving our services, provided these interests are not overridden by your rights.
- Legal Obligation: Where processing is required to comply with a legal or regulatory obligation under Indian law.
6. Access Controls
6.1 Need-to-Know Basis
Access to client data and sensitive business information is strictly limited to personnel who require it to perform their role. We operate a need-to-know access model. Client financial information, cap tables, and legal documents are accessible only to the engagement team handling that client.
6.2 Role-Based Access
Our internal systems implement role-based access controls (RBAC). Access permissions are reviewed periodically and revoked promptly when an employee or contractor ends their engagement with GMAV Capital.
6.3 Confidentiality Obligations
All employees, partners, and contractors are bound by confidentiality obligations via employment or service agreements. These obligations apply to client data, investor data, and all business information accessed during the course of their work.
7. Technical Safeguards
GMAV Capital implements the following technical measures to protect data:
7.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Sensitive files stored in cloud systems are encrypted at rest
- Email communications containing sensitive data are sent via encrypted channels
7.2 Access Management
- Multi-factor authentication (MFA) is required for access to all systems storing client data
- Strong password policies are enforced across all organisational accounts
- Session management controls limit access duration and location
7.3 Infrastructure
- Cloud storage with reputable providers that hold ISO/IEC 27001 certification and current SOC 2 attestation reports (SOC 2 is an auditor's attestation report, not a certification, and should be reviewed for the services actually used)
- Regular security patching and software updates across all systems
- Firewalls and intrusion detection measures on network infrastructure
7.4 Backups and Recovery
- Regular automated backups of critical data with encrypted storage
- Documented data recovery procedures tested periodically
8. Third-Party Processors
We engage third-party service providers who process data on our behalf, including cloud storage, email services, CRM software, and analytics tools. Before engaging any third-party processor, we:
- Conduct due diligence on their data security practices
- Execute data processing agreements (DPAs) where required by law
- Limit data shared to the minimum necessary for the service
- Ensure the processor does not use client data for its own purposes
We do not permit third-party processors to sell or share client data with other parties. We maintain an internal register of third-party processors and review it annually.
9. Cross-Border Data Transfers
Some of our third-party service providers operate servers outside India. Where personal data is transferred outside India, we take appropriate measures to ensure adequate protection, including:
- Selecting processors in jurisdictions with adequate data protection laws
- Using standard contractual clauses or other approved transfer mechanisms where required
- Informing clients of cross-border transfers where applicable
For EU/UK data subjects, we apply GDPR-compliant transfer mechanisms for any transfer of personal data outside the EEA/UK.
10. Data Breach Response
10.1 Detection and Containment
We maintain internal procedures for detecting, reporting, and responding to suspected or confirmed data breaches. All personnel are required to report any suspected data breach to the designated Data Protection contact immediately upon discovery.
10.2 Assessment
Upon receiving a breach report, we will assess the nature, scope, and likely consequences of the breach within 24 hours of discovery.
10.3 Notification
Where a breach is likely to result in a risk to the rights and freedoms of affected individuals, we will notify:
- Affected clients and data subjects without undue delay, and within 72 hours of discovery where feasible
- The relevant authority where applicable law requires it, within the timeline that law prescribes: the Indian Computer Emergency Response Team (CERT-In) under the IT Act, whose directions of 28 April 2022 require specified cyber incidents to be reported within six hours of noticing them; the Data Protection Board of India once the relevant DPDP Act provisions are in force; and the competent supervisory authority under GDPR/UK GDPR (within 72 hours of becoming aware of the breach) for EU/UK data subjects
Notifications will include the nature of the breach, categories and approximate number of data subjects affected, contact details for queries, likely consequences, and measures taken or proposed to address the breach.
10.4 Post-Breach Review
Following resolution of any breach, we will conduct a root cause analysis and implement measures to prevent recurrence.
11. Retention & Deletion Schedule
| Data Type | Retention Period | Basis |
|---|---|---|
| Active engagement records | Duration of engagement + 3 years | Contract; legitimate interests |
| Financial and accounting records | 7 years from financial year-end, or longer where a statute requires it (Section 128 of the Companies Act 2013 requires books of account to be kept for at least 8 financial years) | Companies Act 2013; Income Tax Act |
| Contractual agreements | 10 years from termination | Limitation Act 1963 (limitation period for contract claims) |
| Website enquiry data (no engagement) | 12 months from enquiry | Legitimate interests |
| Marketing preferences / newsletter | Until opt-out or deletion request | Consent |
| Website analytics data | 26 months (this is the former Universal Analytics default; Google Analytics 4 retains event-level data for 2 months by default and 14 months at most) | Legitimate interests |
| Employee and contractor records | Duration of engagement + 5 years | Legal obligation; legitimate interests |
At the end of each retention period, data is securely deleted, destroyed, or anonymised. For electronic files on systems we control, secure deletion means overwriting or cryptographic erasure using industry-standard methods; for cloud-hosted data, where overwriting individual files gives no assurance, deletion is performed through the provider's documented deletion process. Physical documents are cross-cut shredded.
12. Data Subject Rights
GMAV Capital respects the rights of individuals whose data we process. You may exercise the following rights by contacting our Data Protection contact:
- Right to Access: Request a copy of personal data we hold about you.
- Right to Rectification: Request correction of inaccurate data.
- Right to Erasure: Request deletion of data where no longer necessary or where consent is withdrawn, subject to retention obligations.
- Right to Restriction: Request that we restrict processing in certain circumstances.
- Right to Data Portability: Receive data in a structured, machine-readable format where technically feasible.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Withdraw consent for consent-based processing at any time, without affecting the lawfulness of prior processing.
We will respond to all valid requests within 30 days. We may request verification of identity before processing requests. We reserve the right to refuse requests that are manifestly unfounded, excessive, or that conflict with our legal retention obligations.
13. Staff Training and Awareness
All employees and contractors with access to personal or sensitive business data receive:
- Onboarding training on this Policy, confidentiality obligations, and data handling procedures
- Annual refresher training on data protection obligations and emerging threats
- Specific guidance on recognising and responding to phishing, social engineering, and other security threats
Compliance with this Policy is a condition of continued employment or engagement. Breaches of this Policy may result in disciplinary action, up to and including termination.
14. Policy Review
This Data Protection Policy is reviewed annually and updated as necessary to reflect changes in applicable law, regulatory guidance, our business operations, or best practice. Material changes are communicated to relevant personnel and, where applicable, to clients.
Responsibility for maintaining and implementing this Policy rests with the designated Data Protection contact at GMAV Capital.
15. Contact
For data protection queries, to exercise your rights, or to report a suspected data breach, contact:
GMAV Capital
Data Protection Contact
SCO 179-180, Second Floor, Sector 8C
Madhya Marg, Chandigarh, India, 160009
Email: info@gmav.io