This Privacy Policy ("Policy") describes how Green Carbon Credit ("GCC", "we", "our", or "us") collects, uses, stores, and protects personal information when you access or use our platform, website, and associated services (collectively, the "Platform"). This Policy is to be read together with our Terms & Conditions. By using the Platform, you consent to the practices described in this Policy. If you do not agree, please discontinue use of the Platform.
Green Carbon Credit (GCC) is the operator of this Platform. We are the data controller responsible for determining the purposes and means of processing personal data collected through this Platform.
Green Carbon Credit (GCC)
For all privacy-related enquiries, please contact our Grievance Officer through the official Contact page on the Platform. We are committed to acknowledging all written privacy-related requests within 7 business days.
This Policy applies to all users of the Platform, including visitors, registered account holders, buyers, sellers, and anyone interacting with GCC's digital services.
We collect information in the following categories, limited to what is necessary for the operation of the Platform and delivery of our services.
| Category | Examples | When Collected |
|---|---|---|
| Identity Data | Full name, date of birth, government-issued ID (for KYC where applicable) | At registration or KYC verification |
| Contact Data | Email address, mobile number | At registration |
| Financial Data | UPI ID, bank account details (for refunds only), transaction history | At point of purchase or refund |
| Account Data | Username, vault holdings, retirement history, staking records, tier status | Continuously during platform use |
| Technical Data | IP address, browser type, device type, operating system, session data | Automatically, on each visit |
| Usage Data | Pages visited, features accessed, time on platform, click patterns | Automatically, on each visit |
| Communications Data | Support tickets, emails, chat messages sent to GCC | When you contact us |
What we do NOT collect: We do not collect sensitive personal data such as biometric data, caste, religion, political opinions, or health information unless explicitly required by law and with your separate, informed consent. We do not store full payment card numbers. All financial transactions are processed through secure third-party payment gateways.
We use the personal data we collect only for specific, legitimate purposes. We will never use your data in a way that is incompatible with the purpose for which it was originally collected.
| Purpose | Data Used |
|---|---|
| Account creation & authentication | Identity Data, Contact Data |
| Processing voucher purchases & issuing invoices | Identity Data, Financial Data, Account Data |
| Facilitating P2P marketplace transactions | Account Data, Financial Data |
| Issuing Final Sequestration Certificates on retirement | Identity Data, Account Data |
| Customer support & grievance resolution | Identity Data, Contact Data, Communications Data |
| Platform security, fraud prevention & abuse detection | Technical Data, Usage Data |
| Compliance with legal and tax obligations | Identity Data, Financial Data, Account Data |
| Improving platform features & user experience | Usage Data, Technical Data (anonymised) |
| Sending transactional notifications (purchase confirmations, etc.) | Contact Data |
| Sending marketing communications (with consent) | Contact Data |
Marketing communications are sent only where you have opted in to receive them. You may withdraw this consent at any time by clicking "Unsubscribe" in any marketing email or by updating your notification preferences in your account settings.
We process your personal data under one or more of the following legal bases in accordance with applicable Indian data protection principles:
- Contractual Necessity: Processing required to deliver the services you have requested — such as issuing vouchers, processing payments, and generating certificates.
- Legal Obligation: Processing required to comply with applicable Indian law, including GST reporting, anti-money laundering obligations, and court orders.
- Legitimate Interests: Processing for fraud prevention, platform security, and improving our services, where these interests do not override your fundamental rights.
- Consent: For marketing communications and any non-essential data collection, where we have obtained your express, informed consent. You may withdraw this consent at any time.
We do not sell, rent, or trade your personal data to any third party for commercial or marketing purposes. Ever.
We may share your data with third parties only in the following limited and controlled circumstances:
We engage trusted third-party service providers who assist us in operating the Platform — including payment gateway processors, cloud hosting providers, email delivery services, and analytics tools. These parties are contractually bound to process your data only for the purpose of delivering their service to GCC, and are prohibited from using it for any other purpose.
We may disclose your information to government authorities, regulators, law enforcement agencies, or courts where we are required to do so by applicable Indian law, a lawful court order, or to protect the rights, property, and safety of GCC, its users, or the public.
In the event of a merger, acquisition, restructuring, or sale of all or a portion of our business assets, your personal data may be transferred as part of that transaction. We will notify affected users via the Platform or registered email prior to any such transfer and will ensure that the receiving entity is bound by privacy obligations no less protective than those described in this Policy.
All third parties with whom we share data are required to implement appropriate technical and organisational measures to protect your personal information.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
| Data Type | Retention Period |
|---|---|
| Account & Identity Data | Duration of account + 5 years after closure |
| Transaction & Financial Records | 8 years (as required for tax and audit compliance) |
| KYC & Verification Documents | As mandated by applicable Indian law |
| Sequestration Certificates | Permanently retained as immutable environmental records |
| Technical & Usage Data | Up to 24 months, or as anonymised aggregates indefinitely |
| Support Communications | 3 years from date of last interaction |
| Marketing Consent Records | Until consent is withdrawn + 12 months |
Upon expiry of the applicable retention period, data will be securely deleted or anonymised in a manner that prevents reconstruction of individual identity.
We implement industry-standard technical and organisational security measures to protect your personal data against unauthorised access, loss, destruction, alteration, or disclosure.
- Encryption: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security). Sensitive data at rest is stored using AES-256 encryption.
- Access Controls: Access to personal data is restricted to authorised GCC personnel on a strict need-to-know basis. All staff with data access undergo privacy training.
- Secure Infrastructure: Our Platform is hosted on reputable, enterprise-grade cloud infrastructure with physical and logical security controls, regular vulnerability assessments, and intrusion detection systems.
- Payment Security: We do not store payment card data. All financial transactions are processed through PCI-DSS compliant payment gateway partners.
- Incident Response: We maintain a documented data breach response procedure. In the event of a breach that affects your rights and freedoms, we will notify you and relevant authorities as required by applicable law.
While we take all reasonable steps to protect your data, no system is completely immune to risk. We encourage you to use a strong, unique password for your GCC account and to enable any two-factor authentication features we may offer. Please notify us immediately at our official contact address if you suspect any unauthorised access to your account.
We use cookies and similar technologies on our Platform to ensure essential functionality, improve your experience, and analyse usage patterns. Cookies are small text files stored on your device.
| Cookie Type | Purpose | Can You Opt Out? |
|---|---|---|
| Essential / Strictly Necessary | Login sessions, security tokens, shopping cart, platform functionality | No — these are required for the Platform to function |
| Functional | Language preferences, display settings, remembered choices | Yes — via browser settings |
| Analytical / Performance | Anonymous usage statistics, page performance, feature usage patterns | Yes — via cookie consent settings |
| Marketing | Tracking for retargeted advertising (only where consent is given) | Yes — consent may be withdrawn at any time |
You may control cookie settings through your browser preferences at any time. Disabling essential cookies may impair certain features of the Platform. We do not use cookies to build advertising profiles for third-party commercial purposes without your explicit consent.
You have the following rights with respect to your personal data held by GCC. To exercise any of these rights, please contact us through the official Grievance / Contact channel listed on the Platform.
We will respond to all verified data rights requests within 30 days of receipt. We may need to verify your identity before processing your request. In some cases, legal obligations may limit our ability to fully comply with erasure or portability requests.
The GCC Platform is intended for use by persons who are 18 years of age or older. We do not knowingly collect, process, or store personal data from individuals under the age of 18.
If we become aware that personal data has been collected from a minor without verifiable parental consent, we will take immediate steps to delete that information from our systems. If you believe that a minor has registered on our Platform, please contact us immediately through our official grievance channel.
We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. All revisions will be published on this page with an updated effective date.
Where changes are material — such as a new category of data being collected, a new purpose for processing, or a new category of third-party recipient — we will notify registered users by email or via a prominent notice on the Platform prior to the changes taking effect.
Your continued use of the Platform after the effective date of any revised Policy constitutes your acceptance of those changes. We encourage you to review this Policy periodically.
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please reach out to our designated Grievance Officer.
Please submit all privacy-related queries and requests through the official Contact / Grievance channel available on the Platform. We are committed to responding to all written privacy requests within 7 business days of acknowledgement.
If you are not satisfied with our response, you have the right to escalate your complaint to the relevant data protection authority or seek legal redress through the competent courts in India.