GuardKat Privacy Policy

This Policy applies to:

• The GuardKat website, web application, and related services.
• Individuals reporting cases (anonymously or identified), case reviewers, administrators, and organizational stakeholders.
• Visitors who access our informational content (e.g., blogs and videos).

This Policy does not apply to third-party websites or services that we do not control.

• Operate the platform: Capture reports, manage cases, enable secure role-based access, and support custom workflows.
• Facilitate communication: Allow secure chat/messaging between reporters and authorized reviewers.
• Provide analytics: Identify patterns and trends across departments, locations, and organizations primarily in aggregated or anonymized form to help prevent escalation and inform corrective actions (analytics are typically aggregated or anonymized where feasible).
• Ensure safety & integrity: Detect misuse, prevent fraud, protect against unauthorized access, and maintain audit trails.
• Improve the service: Enhance features, performance, accessibility, and multi-language support; develop educational content to guide ethical behavior.
• Comply with legal obligations: Respond to lawful requests and enforce our terms.

We rely on one or more of the following:

• Consent (e.g., when reporters voluntarily submit identified information).
• Legitimate interests (e.g., enabling organizations to investigate and resolve cases ethically and securely).
• Contractual necessity (e.g., providing services to participating organizations).
• Legal compliance (e.g., responding to lawful requests).

We will provide appropriate notice and, where required, obtain consent before collecting or using personal information, and offer choices consistent with applicable data protection laws (including India’s Digital Personal Data Protection Act (DPDP), where applicable).

• Authorized personnel within the participating organization (role-based, least-privilege access).
• Service providers strictly necessary for operations—e.g., Microsoft Azure for hosting and infrastructure—in accordance with contractual confidentiality and security obligations.
• Legal or regulatory authorities when required by law (with careful review).
• Aggregated or anonymized insights (non-identifiable) to help organizations improve safety and culture.

We do not sell personal data.

• Encryption: All data is encrypted at rest and in transit.
• Access controls: Granular role-based permissions ensure only authorized users can view or act on cases.
• Audit & logging: Security and activity logs monitor access and changes.
• Secure development practices: Early-stage controls aligned with industry best practices; we continuously improve our security posture.

As we scale, we plan to align with recognized standards, including GDPR alignment, SOC 2 certification, and ISO 27001 for information security management.

GuardKat is hosted on Microsoft Azure.

Primary storage region: Azure Central India.

Core services (application, database, storage) are provisioned within this region. Any change to storage regions will be communicated to participating organizations.

• Users from the organization will have read-only access for 2 months to review historical case data if the organization does not continue.
• After the read-only period, data will be retained for up to 2 years to allow the organization to return and resume service without losing history.

Upon a verified request from the organization or an individual (as applicable), we will delete or minimize data subject to legal, contractual, and safety obligations.

Retention periods may vary where specific laws or contracts require longer or shorter retention.

• Our default storage region is Azure Central India.
• If data is processed or accessed from outside India—for support, redundancy, or integrations—we will implement safeguards (e.g., encryption, strict access controls, and contractual protections with service providers) consistent with applicable data protection laws.
• We will disclose any material cross-border transfer practices to participating organizations upon request.
• We do not transfer case data outside the primary region unless operationally necessary. In such cases, we will ensure appropriate safeguards are in place.

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete or restrict processing in certain cases.
• Object to processing based on legitimate interests.
• Withdraw consent where consent is the basis for processing.

To exercise rights, contact us at privacy@guardkat.in. We may need to verify your identity and coordinate with the relevant organization (e.g., your employer) for case-related data.

GuardKat is intended for workplace and institutional reporting by adults. If you believe a minor’s personal data has been submitted inappropriately, please contact privacy@guardkat.in so we can address it promptly and safely.

• Maintain session security and authentication.
• Improve performance and reliability.
• Provide basic usage analytics.

You can adjust browser settings to limit cookies, but some features may not function properly.

Our platform and blog may link to external sites or embed third-party content (e.g., videos). We are not responsible for their privacy practices. Please review their policies before interacting.

• We will investigate, mitigate risks, and restore service integrity.
• Notify impacted organizations and, where required, individuals and authorities consistent with applicable laws.

privacy@guardkat.in

support@guardkat.in

We may update this Privacy Policy to reflect changes in our practices or legal requirements. If changes are material, we will provide a clear notice. The “Last updated” date at the top will always show the latest version.