Privacy Policy

Effective date: 6 June 2026 · Last updated: 6 June 2026 · Governing law: India

This Privacy Policy explains how Green Curve ("we", "us", "our") collects, uses, and protects personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000. By using our website or services, you consent to the practices described here.

1. Who We Are

Green Curve is an ESG analytics platform that provides informational tools and research on Indian listed companies' publicly filed BRSR disclosures. We are not a SEBI-registered Research Analyst, ESG Rating Provider, or Credit Rating Agency. Our contact for privacy matters is available via LinkedIn.

2. Data We Collect and Why

2.1 Website Visitors (All Pages)

When you browse our website, Google Analytics 4 (GA4) collects anonymised usage data including pages visited, time on page, and device/browser type. This data is processed by Google LLC (US-based) and is subject to Google's Privacy Policy. We use this data solely to understand how our tools are used and to improve the service.

Legal basis: Your explicit consent via the cookie consent banner. If you decline, GA4 is not activated.

2.2 Newsletter Subscribers

If you subscribe to our newsletter, we collect your email address. It is stored in Google Workspace (Google LLC, US) and used only to send you ESG research updates. You can unsubscribe at any time via the link in any email we send you.

Legal basis: Your explicit consent at the point of subscription.

Retention: Until you unsubscribe, after which your email is deleted within 30 days.

2.3 Supplier ESG Questionnaire Respondents

If you complete a supplier ESG questionnaire via our Value-Chain tool (supplier-form.html), we collect:

Company name and Corporate Identification Number (CIN)
Industry sector and employee headcount
Environmental data: energy use, GHG emissions (Scope 1 & 2), water withdrawal, waste generated
Social data: workplace injury rates, fatality count, LTIFR, child/forced labour declarations
Governance data: anti-corruption policy status, whistleblower mechanism, regulatory violations
Product data: EPR obligations, lifecycle assessment, packaging details
Contact email (if provided voluntarily)

This data is collected under SEBI BRSR Core value-chain disclosure requirements (FY2026-27 mandate). Your responses are shared only with the specific company that invited you (the "principal entity") and are used by them for their BRSR filing. Green Curve does not use supplier response data for its own commercial analytics or share it with any other party.

Legal basis: Your explicit informed consent, given via the consent screen presented before you begin the form.

Retention: Supplier responses are retained for 3 years (aligned to BRSR audit periods), after which they are permanently deleted from our systems.

2.4 Company ESG Analytics Data (Public BRSR Filings)

Our ESG Quotient tool processes publicly available BRSR disclosures filed by Indian listed companies with SEBI, BSE, and NSE. This data is entirely in the public domain. We do not collect or process any personal data in relation to this analytics function.

3. Third-Party Processors

Processor	Purpose	Country	Data Shared
Google LLC (GA4)	Website usage analytics	United States	Anonymised usage data (if consent given)
Google LLC (Workspace / Apps Script)	Newsletter email storage	United States	Email address (if subscribed)
Green Curve API Backend	Supplier form data storage & scoring	United Kingdom (EU-equivalent protection)	Supplier ESG questionnaire responses

All third-party processors are contractually bound to process data only for the stated purpose and to maintain appropriate security standards.

4. International Data Transfers

Some of your data may be transferred to and stored on servers located outside India — specifically in the United States (Google) and the United Kingdom (API backend). These countries maintain data protection frameworks recognised under international standards. By using our services and consenting to this policy, you expressly consent to these transfers in accordance with Section 16 of the DPDP Act, 2023.

5. Your Rights Under DPDP Act 2023

As a Data Principal under the DPDP Act, 2023, you have the following rights:

Right to access: Request a summary of personal data we hold about you.
Right to correction: Request correction of inaccurate personal data.
Right to erasure: Request deletion of your personal data, subject to legal retention obligations.
Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
Right to grievance redressal: File a complaint with us, and if unresolved, with the Data Protection Board of India.
Right to nominate: Nominate another person to exercise rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, contact us via LinkedIn. We will respond within 30 days.

6. Cookies

We use one first-party cookie/localStorage key (gc_cookie_consent) to store your analytics consent preference. If you accept analytics cookies, Google Analytics sets its own cookies (_ga, _ga_*) to distinguish users. You can clear these at any time via your browser settings.

We do not use advertising cookies, retargeting pixels, or third-party tracking beyond GA4.

7. Data Security

We implement reasonable technical and organisational measures to protect data against unauthorised access, alteration, disclosure, or destruction. Supplier form data is transmitted over HTTPS and stored with access controls. However, no internet transmission is 100% secure, and we cannot guarantee absolute security.

In the event of a data breach that is likely to affect your rights, we will notify you and the Data Protection Board of India as required under DPDP Act, 2023.

8. Children's Privacy

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has submitted personal data to us, please contact us immediately for deletion.

9. Links to Third-Party Sites

Our website contains links to external sites (e.g., MCA portal, BSE/NSE, LinkedIn). We are not responsible for the privacy practices of those sites and recommend you review their policies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of our services after an update constitutes acceptance of the revised policy. For material changes, we will notify newsletter subscribers by email.

11. Grievance Redressal

If you have any complaints or concerns about how we handle your personal data, please contact our Grievance Officer:

Name: Neha Kumari
Contact: LinkedIn
Response time: Within 30 days of receipt

If your grievance is not resolved within 30 days, you may approach the Data Protection Board of India once constituted under the DPDP Act, 2023.

12. Governing Law

This Privacy Policy is governed by the laws of India. Any disputes shall be subject to the exclusive jurisdiction of courts located in India.