Privacy Policy

1. Introduction

• Great Manager Research and Consultancy Private Limited (GMI), operating as Great Manager Institute®, is committed to upholding the highest standards of privacy, confidentiality, and responsible data governance. Trust is foundational to our relationships with managers, organizations, employees, and community members who participate in our programs.
• This Privacy Policy describes how GMI collects, processes, stores, uses, shares, transfers, and protects Personal Data across our assessments, manager excellence programs, recognition initiatives, research studies, organizational reports, and digital platforms.
• This Policy aligns with India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025, which were officially notified on 14 November 2025 and fully operationalize the DPDP framework.
• GMI acts as a Data Fiduciary when determining the purpose and means of processing Personal Data. When processing information on behalf of a Client Organization, we act as a Data Processor and follow lawful, written instructions.
• This Policy applies to all individuals whose Personal Data GMI processes, including assessed managers, feedback providers, nominees, Client Organization representatives, platform users, event attendees, and website visitors.
• By interacting with GMI platforms or participating in our programs, you acknowledge that you have read and understood this Privacy Policy.

2. Key Definitions

• Personal Data means any data about an identifiable natural person, including data voluntarily provided, collected automatically, or supplied by a Client Organization.
• Data Principal refers to the individual to whom the Personal Data relates.
• Data Fiduciary means any entity determining the purpose and means of processing Personal Data. GMI acts as a Data Fiduciary when collecting data directly from Participants.
• Data Processor refers to any entity processing Personal Data on behalf of a Data Fiduciary. GMI plays this role when performing assessments on behalf of Client Organizations.
• Processing includes any operation performed on Personal Data, such as collection, storage, use, analysis, sharing, transfer, retention, or deletion.
• Consent means a clear, specific, unambiguous, informed, voluntary agreement for processing.
• Data Breach refers to unauthorized or accidental disclosure, acquisition, alteration, destruction, or loss of access to Personal Data.
• Anonymization means irreversibly transforming Personal Data so that no individual can be identified using reasonable means.
• Client Organization refers to an enterprise or institution that nominates participants or enables multi-rater assessments and recognitions for its workforce.
• Significant Data Fiduciary (SDF) refers to organizations designated by the Central Government that must meet additional compliance obligations, including audits, DPIAs, and stricter oversight measures.

3. Categories of Individuals Covered

• Participants / Managers — individuals assessed for leadership and managerial effectiveness through GMI programs.
• Feedback Providers — reportees, peers, supervisors, or stakeholders who offer multi-rater feedback.
• Client Representatives — HR leaders, L&D specialists, program coordinators, and other authorized contacts.
• Digital Platform Users — visitors or registered users on GMI’s portals, dashboards, websites, or email channels.
• Nominees and Recognition Applicants — individuals nominated (self or others) for awards or certification programs.
• Event Attendees and Subscribers — individuals attending webinars, downloading resources, or subscribing to updates.
• Any person communicating with GMI systems — including individuals seeking demos, support, or services.

4. Personal Data We Collect

• Identity and Professional Information — including name, email address, designation, department, organization name, employee ID, reporting structure, and related attributes.
• Assessment, Survey, and Feedback Data — including ratings, comments, qualitative feedback, behavioral insights, benchmarks, and participation status.
• Client-Provided Data — including rosters, emails, job details, demographic metadata, and structured participant information.
• Technical and Usage Data — including IP addresses, browser details, device information, logs, cookies, and session identifiers.
• Communication and Engagement Data — including email interactions, event participation, support interactions, and subscription preferences.
• Optional / Voluntary Data — including nomination statements, recognition submissions, or optional profile information.
• Data Minimization — GMI collects only the minimum necessary Personal Data required for each purpose.

5. Lawful Basis for Processing

• Consent — explicit, informed, purpose-specific consent is the primary basis for processing.
• Certain Legitimate Uses — permitted under the DPDP Act, such as voluntary submission, employment-related processing, or compliance with legal functions.
• Contractual Necessity — processing necessary to fulfil GMI’s contractual obligations with Client Organizations.
• Legal Compliance — GMI may process or disclose Personal Data to comply with applicable laws, cyber-incident requirements, DPB directions, or court orders.
• Withdrawal of Consent — Data Principals may withdraw consent at any time.
• Purpose Limitation and Minimization — data is processed only for disclosed purposes and retained only for the duration necessary.

6. Purpose of Processing

• Program Delivery and Assessment Administration

  GMI processes Personal Data to design, coordinate, and deliver its core programs, including the People Manager Effectiveness Survey, leadership assessments, recognition programs, and organizational analytics. This includes administering surveys, sending notifications, tracking completion, analyzing responses, generating scorecards, and producing organizational reports.

• Analytics, Insight Generation, and Benchmarking

  GMI processes Personal Data to generate analytics, behavioral insights, benchmarking comparisons, and research-driven findings. These insights improve program validity, highlight leadership trends, support organizational learning, and refine scoring methodologies.

• Recognition and Certification Programs

  GMI processes Personal Data to evaluate recognition eligibility, validate nominations, publish recognition results (only with explicit consent), and maintain certification records. No individual ratings, comments, or confidential feedback are ever disclosed.

• Client Relationship Management and Support

  GMI processes Personal Data to coordinate with Client Organizations, manage program execution, provide updates, respond to enquiries, and ensure complete delivery of assessments and organizational insights.

• Communication, Engagement, and Updates

  GMI uses Personal Data to send program-related notifications, research insights, invitations, learning content, and event information. Marketing communications are sent only to permitted contacts, and opt out options are provided at all times.

• Platform Functionality, Safety, and Improvement

  Technical usage data supports platform stability, fraud prevention, diagnostics, performance optimization, authentication, and UI/UX improvement to ensure smooth user experience.

• Legal, Regulatory, and DPDP Compliance

  GMI may process or disclose Personal Data to comply with legal requirements, regulatory requests, and directions from the Data Protection Board of India (DPB). The DPDP Rules 2025, officially notified on 14 November 2025, fully operationalize the DPDP Act and establish compliance procedures for organizations.

• Responding to Data Principal Rights

  Processing may be required to fulfil access, correction, deletion, and nomination requests from Data Principals. Under the DPDP Rules 2025, all such requests must be resolved within 90 days.

7. Automated Processing and Scoring

• Use of Automated Scoring Models

  GMI uses structured scoring models, algorithms, and analytics frameworks to interpret multi rater inputs, produce leadership scores, and generate benchmarking insights. Automation enables consistency, reduces subjective bias, and improves scale.

• Purpose of Automated Analytics

  Automated analytics support efficient processing of large datasets, help identify behavioral patterns, and enable robust recognition evaluations.

• Human Oversight and Review

  GMI does not use solely automated decision-making for any outcome that materially affects a Data Principal. Human experts verify scoring outputs, review recognition eligibility, and validate final decisions.

• Rights Related to Automation

  Data Principals may request explanations of the factors influencing their results, seek human review of automated outcomes, or challenge scoring interpretations as appropriate.

8. Public Recognition and Disclosure

• Information Published with Explicit Consent

  GMI may publicly disclose limited Personal Data—such as name, designation, organization name, organization logo, and award title—with explicit opt in consent. This may appear on websites, reports, press releases, and recognition publications.

• Information Never Disclosed

  Under no circumstances does GMI publish individual survey responses, qualitative feedback comments, raw ratings, or any identifiable multi rater insights.

• Consent for Public Listing

  Public disclosure requires distinct, explicit consent separate from assessment participation consent.

• Organization-Level Recognition

  GMI may publish names of organizations receiving recognition or participating in industry-level benchmarking initiatives, in accordance with contractual terms.

• Feedback Confidentiality

  Feedback provider identities are never disclosed. All feedback appears only in aggregated and anonymized formats.

• Marketing and Case Study Use

  Recognition results may be used in marketing materials or success stories only with specific consent. No confidential or sensitive information is included.

9. Aggregated and Anonymized Research

• Purpose of Anonymized and Aggregated Use

  GMI transforms Personal Data into anonymized or aggregated datasets to support research publications, industry benchmarking, longitudinal studies, and leadership insights.

• Types of Insights Generated

  Insights may cover leadership patterns, behavioral trends, segment-based comparisons, and cross industry observations.

• Safeguards and Anonymization

  Anonymization removes direct and indirect identifiers. Aggregation thresholds ensure that no dataset reflects individual-level data.

• No Individual-Level Disclosure

  Research publications never include identifiable feedback, individual ratings, or personally attributable insights.

• Retention of Anonymized Data

  Anonymized datasets may be retained indefinitely because they cannot identify any Data Principal.

10. Data Sharing and Disclosure

• Authorized Service Providers

  GMI shares Personal Data only with contracted service providers for cloud hosting, analytics, communication, IT security, and operational support. All providers are bound by confidentiality and DPDP-compliant safeguards.

• Client Organization Sharing

  GMI shares aggregated outputs, program insights, and participation information with Client Organizations regarding their workforce. No raw feedback or individually attributable data is shared.

• Legal and Regulatory Disclosures

  GMI may disclose Personal Data to comply with lawful government requests, regulatory inquiries, cyber incident reporting mandates, and DPB directions under the DPDP Rules 2025.

• Corporate Restructuring

  In a merger, acquisition, or reorganization, Personal Data may be transferred to the successor entity under equivalent privacy obligations.

• No Sale of Personal Data

  GMI never sells Personal Data under any circumstances.

11. International Data Transfers

• Cross-Border Storage and Processing

  GMI may store or process Personal Data outside India through trusted cloud infrastructure providers to support program scalability and platform reliability.

• DPDP Compliance for Transfers

  All cross-border personal data transfers comply with the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025, which were officially notified on 14 November 2025 and fully operationalized India’s digital data protection framework.

• Contractual and Organizational SafeguardsWhere applicable, GMI enters into data protection agreements with service providers to ensure confidentiality, data minimization, and equivalent privacy protections.

• Government-Notified Restrictions

  If the Central Government restricts transfers to certain jurisdictions, GMI will comply with such restrictions and update its operational practices accordingly.

• Control and Visibility

  GMI maintains full control over the purpose, retention, and deletion of Personal Data, regardless of where it is processed.

12. Data Retention

• Purpose-Linked Retention

  GMI retains Personal Data only as long as required to fulfil the purposes for which it was collected. Retention schedules apply to each category of data.

• Typical Retention Durations

  Assessment and feedback data may be retained for 12–24 months; reports for up to 24 months; technical logs for at least 180 days. Anonymized datasets may be retained indefinitely.

• Compliance with DPDP Rules 2025

  Retention and deletion practices align with operational requirements established under the DPDP Rules 2025, which provide practical guidance for implementing the DPDP Act.

• Secure Deletion

  Upon the end of the retention period or upon valid erasure request, GMI securely deletes or irreversibly anonymizes Personal Data as appropriate.

• Requests Affecting Retention

  Data Principals may request deletion of their Personal Data unless legal or contractual obligations require further retention.

13. Data Security

• Technical Safeguards

  GMI implements encryption, secure authentication, network monitoring, and cloud-security best practices to protect Personal Data.

• Organizational Safeguards

  GMI enforces confidentiality obligations, conducts staff training, applies need to know access controls, and performs periodic assessments of internal privacy practices.

• Incident Response

  GMI maintains an incident response process to detect, escalate, contain, and remediate security incidents.

• Breach Notifications Under DPDP Rules

  Under the DPDP Rules 2025, GMI must notify affected individuals without undue delay and report breaches to the Data Protection Board of India (DPB), providing clear incident details and assistance measures.

• Continuous Improvement

  GMI regularly reviews and enhances its security safeguards in light of emerging risks and evolving regulatory standards.

14. Rights of Data Principals

• Right to Access

  Data Principals may request confirmation of processing and obtain a summary of their Personal Data processed by GMI.

• Right to Correction

  Individuals may request correction or updating of inaccurate or incomplete Personal Data.

• Right to Erasure

  Data Principals may request deletion of their Personal Data when purposes are fulfilled or consent is withdrawn, unless legal obligations require retention.

• Right to Nominate

  Individuals may nominate another person to exercise their rights in cases of death or incapacity, as required under the DPDP Act.

• DPDP-Mandated Resolution Timelines

  Under the DPDP Rules 2025, Data Principal rights requests must be resolved within 90 days.

• Right to Grievance Redressal

  Data Principals may submit complaints to GMI’s Grievance Officer and escalate unresolved complaints to the DPB.

• Identity Verification

  GMI may verify identity before fulfilling rights requests to prevent unauthorized access.

15. Withdrawal of Consent

 

• Right to Withdraw Consent

  Data Principals may withdraw consent at any time using the mechanisms provided through GMI communications or platform settings.

• Impact of Withdrawal

  Withdrawal may limit participation in assessments or recognition programs but does not affect processing that occurred before withdrawal.

• Withdrawal Requirements Under DPDP Rules

  The DPDP Rules 2025 require that withdrawal must be as easy as giving consent, ensuring Data Principals have simple and accessible withdrawal options.

• No Penalty for Withdrawal

  GMI does not penalize Data Principals for withdrawing consent, though certain services may become unavailable afterward.

16. Cookies and Tracking Technologies

• Use of Cookies

  GMI uses cookies and similar tracking technologies to support secure access, session stability, user authentication, and personalized platform interactions. Cookies help improve navigation, store preferences, and support consistent user experience across devices.

• Types of Cookies Used

  GMI may use essential cookies for authentication, functional cookies for user settings, analytics cookies for understanding usage patterns, and communication pixels for evaluating email engagement. These technologies enable GMI to improve product performance and communication relevance.

• User Control Over Cookies

  Users may control or disable cookies through browser settings. Some platform features may not function as intended if certain cookies are disabled, but core privacy rights remain accessible.

• Transparency Commitment

  GMI provides notice regarding the use of cookies and ensures that users are informed of tracking practices in alignment with transparency principles under India’s digital data protection framework.

17. Third-Party Links

• External Website Disclaimer

  GMI websites or platforms may contain links to third party websites or services that operate independently of GMI. These sites have their own privacy policies and security practices.

• No Responsibility for External Content

  GMI is not responsible for the content, privacy standards, or data practices of external websites or services. Users are encouraged to review third party policies before providing Personal Data.

• Limited Interactions

  GMI does not automatically transfer Personal Data to third party linked sites unless the user chooses to interact with such links.

18. Grievance Redressal

• Submitting a Grievance

  Data Principals may raise concerns or complaints regarding their Personal Data processing by contacting:Grievance Officer
  Great Manager Research and Consultancy Pvt Ltd
  Email: privacy@greatmanagerinstitute.com

• Resolution Timelines Under DPDP Rules

  Under the DPDP Rules 2025, organizations must resolve Data Principal rights requests and grievances within specified timelines, including a 90 day SLA for rights-related requests.

• Escalation to the Data Protection Board of India (DPB)

  If GMI does not resolve a grievance adequately, Data Principals may escalate the complaint to the DPB, the statutory authority established to enforce India’s digital data protection law. The DPB operates with a digital first approach and oversees compliance.

• Identity Verification for Grievance Requests

  To prevent unauthorized access, GMI may verify the identity of the Data Principal before fulfilling any rights or grievance requests.

19. Updates to this Policy

• Policy Revisions

  GMI may update this Privacy Policy periodically to reflect legal changes, DPDP Rule revisions, operational adjustments, security improvements, or changes in program offerings.

• Notification of Material Changes

  If significant updates affect how Personal Data is used or processed, GMI may notify users via platform announcements, email alerts, or updated website postings.

• Compliance Alignment

  All revisions will continue to align with the DPDP Act 2023 and the DPDP Rules 2025, which were officially notified on 14 November 2025 and operationalize India’s data protection compliance framework.

• Version Control

  The most current version of this Privacy Policy supersedes earlier versions. Past versions may be retained internally for audit and compliance record keeping.