Privacy Policy
Effective Date: June 2026
Gemba Concepts Private Limited ("Gemba", "Gemba Connect", "Company", "we", "our", or "us") recognises the importance of privacy, confidentiality, information security, and responsible data governance. This Privacy Policy describes the manner in which the Company collects, receives, accesses, stores, organises, uses, processes, analyses, transfers, discloses, retains, protects, and otherwise handles information in connection with the Gemba Connect platform and related services.
This Privacy Policy applies to all websites, applications, dashboards, software platforms, implementation services, consulting engagements, analytics services, operational excellence services, support services, communications, and other offerings made available by the Company from time to time (collectively, the "Services").
The Company is committed to processing information in a lawful, fair, transparent, secure, and accountable manner and seeks to maintain privacy practices consistent with applicable legal requirements, contractual obligations, and generally accepted industry standards.
This Privacy Policy is intended to support compliance with, among other applicable laws: (a) the Digital Personal Data Protection Act, 2023 and any rules, regulations, or guidelines issued thereunder; (b) the Information Technology Act, 2000 and applicable rules; (c) contractual commitments undertaken by the Company with customers, suppliers, partners, and service providers; and (d) internationally recognised privacy and information security principles applicable to business-to-business technology platforms.
By accessing, using, registering for, subscribing to, or otherwise interacting with the Services, Users acknowledge that they have read, understood, and accepted the terms of this Privacy Policy.
1. Introduction
Gemba Concepts Private Limited ("Gemba", "Gemba Connect", "Company", "we", "our", or "us") recognises the importance of privacy, confidentiality, information security, and responsible data governance. This Privacy Policy describes the manner in which the Company collects, receives, accesses, stores, organises, uses, processes, analyses, transfers, discloses, retains, protects, and otherwise handles information in connection with the Gemba Connect platform and related services.
This Privacy Policy applies to all websites, applications, dashboards, software platforms, implementation services, consulting engagements, analytics services, operational excellence services, support services, communications, and other offerings made available by the Company from time to time (collectively, the "Services").
The Company is committed to processing information in a lawful, fair, transparent, secure, and accountable manner and seeks to maintain privacy practices consistent with applicable legal requirements, contractual obligations, and generally accepted industry standards.
This Privacy Policy is intended to support compliance with, among other applicable laws:
- (a) the Digital Personal Data Protection Act, 2023 and any rules, regulations, or guidelines issued thereunder;
- (b) the Information Technology Act, 2000 and applicable rules;
- (c) contractual commitments undertaken by the Company with customers, suppliers, partners, and service providers; and
- (d) internationally recognised privacy and information security principles applicable to business-to-business technology platforms.
By accessing, using, registering for, subscribing to, or otherwise interacting with the Services, Users acknowledge that they have read, understood, and accepted the terms of this Privacy Policy.
2. Scope of This Privacy Policy
This Privacy Policy applies to information collected or processed by the Company in connection with the provision of the Services.
Without limitation, this Privacy Policy applies to:
- (a) individuals who access or use the Platform;
- (b) employees, representatives, contractors, consultants, suppliers, and authorised personnel of customers who use the Platform;
- (c) prospective customers who engage with the Company for demonstrations, evaluations, consultations, pilot programmes, proposals, or commercial discussions;
- (d) visitors to websites operated by the Company;
- (e) individuals who communicate with the Company through electronic communications, support channels, training sessions, surveys, webinars, events, or business interactions; and
- (f) information uploaded to, stored within, integrated with, transmitted through, or generated by the Platform on behalf of customers.
This Privacy Policy does not apply to third-party websites, services, applications, or platforms that are not owned or controlled by the Company, even where such services may be accessible through links, integrations, or references contained within the Platform.
3. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings assigned below:
- "Personal Data" means any information relating to an identified or identifiable natural person and shall include any information classified as personal data under applicable law.
- "Data Principal" shall have the meaning assigned under the Digital Personal Data Protection Act, 2023.
- "Processing" means any operation or set of operations performed upon information, whether by automated means or otherwise, including collection, recording, organisation, storage, retrieval, consultation, use, disclosure, transmission, dissemination, analysis, modification, combination, restriction, deletion, destruction, or any similar activity.
- "Platform" means the Gemba Connect software platform, applications, dashboards, interfaces, APIs, infrastructure, databases, and associated technology systems.
- "Services" means all software, consulting, implementation, support, analytics, operational excellence, workflow management, reporting, training, and related services provided by the Company.
- "Customer Data" means all information, records, documents, content, files, operational data, workflow information, business information, and other data submitted to, uploaded into, stored within, processed through, or generated by the Platform on behalf of a customer.
- "Aggregated Data" means information derived from Customer Data or Platform usage data that has been aggregated with other information and no longer identifies an individual or customer.
- "De-Identified Data" means information that has been anonymised, pseudonymised, or otherwise processed in a manner such that it cannot reasonably be used to identify an individual or customer.
4. Notice to Users
The Company hereby provides notice that it may collect, use, process, store, analyse, transfer, disclose, and retain information for the purposes described in this Privacy Policy.
The Company shall process information only where such processing is reasonably necessary for the provision of Services, compliance with legal obligations, protection of legitimate business interests, fulfilment of contractual obligations, enhancement of platform functionality, maintenance of information security, or other lawful purposes described in this Privacy Policy.
Where applicable law requires consent for the processing of Personal Data, the Company shall seek such consent through appropriate mechanisms prior to processing the relevant information.
Users are not legally required to provide information requested by the Company. However, where Users elect not to provide information necessary for the provision of Services, the Company may be unable to create user accounts, provide access to Platform functionality, respond to support requests, perform contractual obligations, or otherwise provide certain Services.
The Company may periodically update this Privacy Policy to reflect changes in business operations, legal requirements, technological developments, security practices, or service offerings. Updated versions shall become effective upon publication unless otherwise stated.
5. Categories of Information Collected
The Company may collect information directly from Users, indirectly through customer organisations, automatically through the Platform, or through authorised integrations and third-party service providers.
The categories of information collected may include the following:
5.1 Identity and Contact Information
The Company may collect information such as names, business email addresses, telephone numbers, employer information, department details, job titles, professional credentials, and other information reasonably required for account administration and service delivery.
5.2 Account Information
The Company may collect information necessary to create, manage, authenticate, and secure user accounts, including usernames, account identifiers, authentication credentials, permissions, user preferences, and login history.
5.3 Communications Information
The Company may collect information contained in correspondence, support requests, implementation discussions, training sessions, surveys, customer meetings, webinars, feedback submissions, and other communications.
5.4 Technical Information
The Company may automatically collect information relating to devices, browsers, operating systems, network connections, IP addresses, timestamps, diagnostic logs, error reports, access logs, and other technical information necessary for operation and security of the Platform.
5.5 Usage Information
The Company may collect information relating to Platform usage, including features accessed, workflows utilised, reports generated, dashboards viewed, user activity patterns, session duration, interaction metrics, and performance indicators.
5.6 Operational and Business Information
In the course of providing the Services, the Company may process operational, manufacturing, workflow, production, quality, reporting, compliance, inventory, audit, supply chain, analytics, and other business information uploaded by or on behalf of customers.
The Company does not intentionally collect biometric information, medical information, health information, geolocation tracking information, CCTV recordings, or workforce surveillance information as part of its standard Services.
6. Sources of Information
The Company may collect information from a variety of lawful sources including Users, customers, authorised customer representatives, integrated systems, third-party applications, implementation activities, support interactions, training sessions, surveys, website usage, cookies, analytics tools, and authorised service providers.
Where information is provided by a customer organisation relating to its employees, representatives, contractors, or authorised users, the Company may rely upon the customer to ensure that appropriate notices, permissions, and authorisations have been obtained.
7. Purposes of Processing
The Company processes information for legitimate and lawful business purposes.
Such purposes may include:
- (a) providing, operating, administering, supporting, maintaining, and improving the Platform and Services;
- (b) onboarding customers and configuring deployments;
- (c) enabling workflow management, operational visibility, reporting, analytics, and collaboration;
- (d) generating dashboards, reports, benchmarks, metrics, and operational insights;
- (e) authenticating users and managing access controls;
- (f) providing technical support and responding to enquiries;
- (g) monitoring service performance and improving user experience;
- (h) detecting, investigating, preventing, and responding to fraud, misuse, security incidents, or unauthorised activities;
- (i) complying with legal, regulatory, contractual, audit, accounting, taxation, and reporting requirements;
- (j) enforcing contractual rights and protecting the Company's legitimate interests;
- (k) conducting research, product development, innovation, and service enhancement activities; and
- (l) communicating with customers, prospective customers, and authorised users regarding the Services.
The Company shall not process Personal Data for purposes that are materially incompatible with those described in this Privacy Policy unless otherwise authorised by law or consent.
8. Legal Basis for Processing
The Company may process information on one or more lawful grounds depending upon the nature of the information, the applicable legal requirements, and the context of processing.
Such grounds may include:
- (a) the consent of the individual concerned;
- (b) performance of contractual obligations;
- (c) compliance with legal obligations;
- (d) protection of legitimate business interests, including information security, fraud prevention, service improvement, operational efficiency, customer support, and risk management; and
- (e) establishment, exercise, protection, or defence of legal claims and rights.
Where consent constitutes the legal basis for processing, Users may withdraw consent in accordance with Section 9 of this Privacy Policy.
9. Consent and Withdrawal of Consent
Where processing of Personal Data is based upon consent, the Company shall endeavour to obtain valid consent through appropriate mechanisms before undertaking such processing.
Users may withdraw consent at any time by contacting the Company or the designated Grievance Officer using the contact details specified in this Privacy Policy.
Withdrawal of consent shall not affect the lawfulness of processing undertaken before such withdrawal and shall not affect processing required for compliance with legal obligations, exercise of legal rights, performance of contractual obligations, protection of security interests, or other processing authorised by applicable law.
Where consent is withdrawn, certain Platform features, functionalities, or Services may become unavailable, restricted, or incapable of being provided.
10. Data Principal Rights
Subject to applicable law, individuals whose Personal Data is processed by the Company may be entitled to exercise certain rights in relation to their Personal Data.
Such rights may include the right to seek access to information regarding processing activities, request correction of inaccurate information, request completion of incomplete information, request deletion of information in appropriate circumstances, withdraw consent, seek grievance redressal, nominate another person to exercise rights where permitted by law, and exercise any other rights available under applicable data protection legislation.
The Company shall establish reasonable mechanisms to receive, review, and respond to such requests in accordance with applicable legal requirements. The Company reserves the right to verify the identity and authority of any person submitting a request prior to taking action in response thereto.
Nothing in this Privacy Policy shall require the Company to comply with a request where an applicable legal exemption, contractual obligation, security requirement, or lawful business necessity permits or requires the Company to retain or continue processing the relevant information.
11. Customer Data Ownership
The Company acknowledges and agrees that, as between the Company and the applicable customer, the customer shall retain all right, title, and interest, including all intellectual property rights, in and to Customer Data submitted to, uploaded into, stored within, transmitted through, integrated with, or otherwise processed by the Platform.
Nothing contained in this Privacy Policy, any customer agreement, or any use of the Services shall be construed as transferring ownership of Customer Data to the Company. The Company's access to and use of Customer Data shall be limited to the rights expressly granted under this Privacy Policy, applicable contractual arrangements, and applicable law.
The customer hereby grants the Company a limited, non-exclusive, worldwide, royalty-free licence to host, store, access, reproduce, transmit, analyse, process, display, modify, and otherwise utilise Customer Data solely to the extent reasonably necessary for the provision, operation, maintenance, support, enhancement, security, compliance, and administration of the Services.
The Company shall not sell Customer Data to third parties. Furthermore, the Company shall not disclose Customer Data to third parties except as authorised by the customer, required for the provision of Services, required by law, necessary for the protection of legal rights, or otherwise permitted under this Privacy Policy.
For the avoidance of doubt, Customer Data may include manufacturing information, production information, workflow information, process information, operational data, supply chain information, quality records, audit information, compliance records, business intelligence information, reports, documents, communications, and any other information processed through the Platform on behalf of a customer.
12. Company Intellectual Property, Derived Analytics and Platform Insights
Notwithstanding the customer's ownership of Customer Data, the Company shall retain all right, title, and interest in and to the Platform, software, databases, interfaces, source code, object code, APIs, documentation, workflows, templates, methodologies, models, algorithms, analytical frameworks, dashboards, reports, visualisations, operational excellence methodologies, benchmarking methodologies, scoring systems, business processes, know-how, trade secrets, and all improvements, modifications, enhancements, updates, derivative works, and related intellectual property rights.
The Platform may generate reports, dashboards, visualisations, benchmarks, performance indicators, predictive outputs, recommendations, insights, observations, analyses, metrics, and other outputs based upon Customer Data and Platform usage.
Subject always to the customer's ownership of the underlying Customer Data, the Company shall own all intellectual property rights in the methodologies, algorithms, calculations, benchmarking frameworks, scoring systems, analytical models, visualisation techniques, and operational frameworks utilised to generate such outputs.
The customer acknowledges that the Company has developed substantial proprietary technology, methodologies, operational excellence frameworks, implementation approaches, and analytical capabilities through significant investment of resources, expertise, and intellectual effort. Nothing contained in this Privacy Policy shall grant the customer any ownership interest in such proprietary assets.
The outputs generated through the Platform are intended to support operational visibility, decision-making, and business improvement. Such outputs shall not constitute legal advice, financial advice, engineering certification, regulatory certification, professional advice, or guarantees of performance.
13. Aggregated Data, De-Identified Data and Artificial Intelligence
The Company may create, derive, compile, analyse, process, retain, disclose, publish, commercialise, license, distribute, and otherwise utilise Aggregated Data and De-Identified Data for lawful business purposes.
Such purposes may include product improvement, service optimisation, benchmarking, industry analysis, market research, trend identification, statistical reporting, forecasting, machine learning development, artificial intelligence development, algorithm training, product innovation, research initiatives, academic collaborations, operational analytics, and development of new products and services.
Prior to utilising information for such purposes, the Company shall implement commercially reasonable measures designed to remove, anonymise, aggregate, mask, pseudonymise, or otherwise de-identify information so that it cannot reasonably be used to identify an individual, customer, supplier, facility, employee, contractor, or proprietary business process.
The Company shall not knowingly attempt to re-identify information that has been de-identified for legitimate business purposes.
Nothing in this Privacy Policy shall restrict the Company's ability to use information that has been anonymised to a standard that no longer constitutes Personal Data under applicable law.
The customer acknowledges that the creation and use of Aggregated Data and De-Identified Data is an essential component of modern SaaS services and may contribute to the continuous improvement of the Platform and related technologies.
14. Controller–Processor Relationship
Where the Company processes Personal Data on behalf of a customer through the Platform or Services, the parties acknowledge that the customer shall generally act as the Data Fiduciary, Data Controller, or equivalent decision-making authority responsible for determining the purposes and means of processing such Personal Data.
In such circumstances, the Company shall generally act as a processor, service provider, or similar processing entity acting on behalf of and pursuant to the instructions of the customer.
The Company shall process such information only for the purposes of providing the Services, fulfilling contractual obligations, maintaining the security and integrity of the Platform, complying with applicable law, protecting legal rights, or otherwise as instructed by the customer.
The Company shall implement and maintain reasonable technical, organisational, and administrative safeguards designed to protect information processed on behalf of customers.
Where legally required, the Company shall reasonably cooperate with customers in responding to requests from individuals seeking to exercise rights under applicable privacy and data protection laws.
Nothing contained in this Privacy Policy shall require the Company to process information in a manner that would violate applicable law, compromise security, infringe the rights of third parties, or create unreasonable technical burdens.
15. Data Sharing and Disclosure
The Company may disclose information only where reasonably necessary for the operation of the Services, compliance with legal obligations, protection of legal rights, maintenance of security, or other legitimate business purposes.
Information may be disclosed to:
- (a) cloud hosting providers;
- (b) infrastructure providers;
- (c) data centre operators;
- (d) cybersecurity service providers;
- (e) communication and collaboration service providers;
- (f) analytics providers;
- (g) customer support providers;
- (h) implementation partners;
- (i) auditors, accountants, legal advisors, consultants, and professional advisers;
- (j) affiliated entities within the Company's corporate group; and
- (k) governmental, judicial, regulatory, law enforcement, or statutory authorities where disclosure is required by applicable law or lawful process.
The Company shall endeavour to ensure that third parties receiving information are subject to appropriate contractual, confidentiality, security, or legal obligations proportionate to the nature of the information disclosed.
The Company does not sell Personal Data to third parties for advertising or commercial exploitation purposes.
16. Sub-Processors
The Company may engage Sub-Processors to support the delivery, operation, maintenance, security, enhancement, and administration of the Services.
Such Sub-Processors may include cloud service providers, hosting providers, infrastructure providers, analytics providers, communication service providers, authentication providers, monitoring providers, security service providers, backup service providers, and other specialised technology vendors.
Before engaging a Sub-Processor, the Company shall undertake reasonable due diligence appropriate to the nature of the services being provided and the sensitivity of the information involved.
The Company shall endeavour to impose contractual obligations upon Sub-Processors requiring them to maintain confidentiality, implement appropriate security measures, process information only for authorised purposes, and comply with applicable legal requirements.
The Company may replace, add, or remove Sub-Processors from time to time in the ordinary course of business, provided that appropriate safeguards continue to be maintained.
17. International Data Transfers
The Company operates in a global technology environment and may utilise service providers, infrastructure providers, cloud hosting providers, support providers, and other business partners located in multiple jurisdictions.
Accordingly, information processed by the Company may be stored, transferred, accessed, processed, or maintained in jurisdictions outside the country in which the information was originally collected.
Where cross-border transfers occur, the Company shall endeavour to implement reasonable safeguards designed to protect information against unauthorised access, misuse, alteration, disclosure, or loss.
Such safeguards may include contractual protections, access controls, encryption measures, information security policies, vendor management processes, technical security controls, and other measures appropriate to the nature of the information involved.
The Company shall conduct international transfers in a manner intended to comply with applicable legal requirements, including restrictions imposed by the Digital Personal Data Protection Act, 2023, where applicable.
The Company does not represent that all jurisdictions provide identical levels of legal protection. However, the Company shall endeavour to maintain reasonable standards of protection regardless of the location in which information is processed.
18. Information Security Programme
The Company recognises that the confidentiality, integrity, availability, and resilience of information systems are fundamental to the trust placed in the Services by customers, users, and business partners. Accordingly, the Company maintains and continuously develops an information security programme designed to protect information against unauthorised access, acquisition, disclosure, misuse, alteration, destruction, corruption, loss, or other security incidents.
The Company's information security programme may include administrative, technical, physical, and organisational safeguards appropriate to the nature, volume, sensitivity, and business importance of the information processed through the Platform.
Such safeguards may include, without limitation, access control mechanisms, authentication controls, role-based permissions, password policies, multi-factor authentication where appropriate, network security controls, encryption technologies, logging and monitoring systems, backup procedures, vulnerability management programmes, incident response procedures, vendor management processes, and employee awareness initiatives.
Access to information shall be restricted to authorised personnel who require such access for legitimate business purposes and who are subject to confidentiality obligations and internal security requirements.
The Company periodically reviews and updates its security practices to address evolving threats, technological developments, business requirements, and legal obligations. However, notwithstanding the safeguards implemented by the Company, no system, network, platform, or transmission method can be guaranteed to be completely secure.
Accordingly, while the Company endeavours to protect information using commercially reasonable and industry-accepted measures, the Company does not warrant or guarantee absolute security.
19. Confidentiality of Client Data
The Company recognises that Customer Data and Client Data may contain commercially sensitive, proprietary, confidential, operational, strategic, technical, or business-critical information belonging to customers.
The Company shall maintain the confidentiality of such information and shall not access, use, disclose, distribute, publish, transfer, commercialise, or otherwise exploit such information except to the extent reasonably necessary for the provision of Services, compliance with legal obligations, protection of legal rights, maintenance of security, fulfilment of contractual obligations, or as otherwise authorised by the customer.
The Company shall require employees, contractors, consultants, temporary personnel, and authorised representatives who may have access to Customer Data to be subject to appropriate confidentiality obligations.
Where third-party service providers or Sub-Processors are engaged, the Company shall endeavour to ensure that such parties are subject to confidentiality obligations substantially similar to those imposed upon the Company with respect to the protection of Customer Data.
The confidentiality obligations set forth in this Privacy Policy shall not apply to information that:
- (a) is or becomes publicly available through no wrongful act or omission of the Company;
- (b) was lawfully known to the Company without confidentiality restrictions prior to disclosure;
- (c) is independently developed by the Company without use of Customer Data; or
- (d) is required to be disclosed pursuant to applicable law, court order, regulatory directive, or lawful governmental request.
20. Data Retention
The Company shall retain information only for as long as reasonably necessary to fulfil the purposes described in this Privacy Policy, comply with contractual obligations, maintain operational records, resolve disputes, protect legal rights, satisfy regulatory requirements, and support legitimate business operations.
Retention periods may vary depending upon the nature of the information, the contractual relationship with the customer, applicable legal requirements, operational needs, and security considerations.
The Company may retain information for extended periods where necessary to:
- (a) comply with legal, regulatory, tax, accounting, audit, or reporting obligations;
- (b) investigate security incidents or fraudulent activities;
- (c) establish, exercise, or defend legal claims;
- (d) preserve evidence relevant to actual or anticipated disputes;
- (e) maintain business continuity and disaster recovery capabilities; or
- (f) satisfy lawful instructions received from competent authorities.
Where Customer Data is processed on behalf of a customer, retention periods may also be governed by contractual arrangements, customer instructions, or applicable legal requirements binding upon the customer.
The Company reserves the right to retain Aggregated Data and De-Identified Data indefinitely, provided that such information no longer identifies an individual, customer, facility, supplier, or proprietary business process.
21. Secure Deletion and Disposal of Information
Upon expiry of applicable retention periods, termination of services, receipt of valid deletion requests, or satisfaction of applicable legal obligations, the Company may delete, anonymise, archive, destroy, or otherwise dispose of information in accordance with internal policies and applicable law.
Deletion may not occur immediately and may require reasonable time to propagate across active systems, backup systems, disaster recovery environments, archives, logs, and operational repositories.
The Company may retain certain information notwithstanding a deletion request where retention is required or permitted by applicable law, contractual obligations, security requirements, fraud prevention requirements, dispute resolution needs, business continuity obligations, or protection of legal rights.
Where technically feasible and commercially reasonable, the Company shall endeavour to implement secure disposal methods designed to reduce the risk of unauthorised access or recovery of deleted information.
Nothing in this Privacy Policy shall require the Company to delete information where retention is necessary to comply with legal obligations or protect legitimate business interests.
22. Incident Response and Personal Data Breach Management
The Company maintains procedures designed to identify, investigate, assess, contain, mitigate, document, and remediate actual or suspected security incidents affecting information processed through the Platform.
Upon becoming aware of a security incident, the Company shall undertake reasonable efforts to determine the nature, scope, impact, and potential consequences of the incident and implement measures intended to minimise harm and restore the security of affected systems.
Where required by applicable law, contractual obligations, or regulatory requirements, the Company may notify affected customers, individuals, regulatory authorities, or other relevant stakeholders regarding a security incident or Personal Data breach.
Any notification provided by the Company shall be made within such timeframes as may be reasonable under the circumstances and consistent with applicable legal requirements.
The Company reserves the right to delay notification where immediate disclosure may impede law enforcement investigations, compromise remediation efforts, increase security risks, or otherwise conflict with applicable legal obligations.
Nothing in this Privacy Policy shall be interpreted as an admission of fault, liability, negligence, or wrongdoing by the Company in connection with any security incident.
23. Cookies and Tracking Technologies
The Company may utilise cookies, web beacons, tracking technologies, pixels, software development kits, analytics tools, and similar technologies to support the operation, security, functionality, and improvement of the Platform and related services.
Such technologies may be used for purposes including authentication, session management, user preferences, platform functionality, analytics, performance monitoring, security monitoring, fraud prevention, troubleshooting, service enhancement, and user experience optimisation.
Cookies used by the Company may include essential cookies, functional cookies, analytics cookies, performance cookies, and security-related cookies.
Users may configure browser settings to block, restrict, delete, or otherwise manage cookies. However, certain Platform features may not function properly if cookies or related technologies are disabled.
The Company may utilise third-party analytics providers to assist in understanding usage patterns, platform performance, feature utilisation, and service effectiveness. Such providers may collect information in accordance with their own privacy practices and contractual arrangements with the Company.
Where required by applicable law, the Company shall seek appropriate consent prior to deploying non-essential tracking technologies.
24. Automated Analytics, Reporting and Decision Support
The Platform may utilise analytics engines, algorithms, machine learning tools, statistical models, operational frameworks, benchmarking methodologies, predictive techniques, and automated processing capabilities to generate reports, recommendations, dashboards, insights, forecasts, observations, metrics, performance indicators, and decision-support outputs.
Such outputs are intended to assist customers in understanding operational performance, identifying opportunities for improvement, monitoring business processes, and enhancing decision-making capabilities.
The Company does not represent or warrant that automated outputs generated through the Platform are complete, error-free, suitable for any particular purpose, or capable of replacing professional judgement.
Customers remain solely responsible for evaluating, validating, interpreting, and acting upon information generated by the Platform.
The Company shall not be responsible for business decisions, operational decisions, manufacturing decisions, financial decisions, compliance decisions, or strategic decisions made by customers based upon information generated through the Platform.
To the extent that artificial intelligence, machine learning, predictive analytics, or automated processing tools are utilised by the Platform, such tools shall be intended to support human decision-making rather than replace it.
Nothing in this Privacy Policy shall be construed as guaranteeing specific operational, financial, compliance, manufacturing, quality, productivity, or business outcomes.
25. Children's Data
The Services offered by the Company are intended exclusively for business, commercial, industrial, and professional use and are not directed toward children.
The Company does not knowingly solicit, collect, process, store, or maintain Personal Data relating to children except where such processing is specifically authorised by applicable law and appropriate legal requirements have been satisfied.
Customers and Users are responsible for ensuring that they do not upload, submit, transmit, or otherwise make available through the Platform any Personal Data relating to children unless such processing is expressly authorised by law and appropriate notices, consents, and permissions have been obtained.
If the Company becomes aware that information relating to a child has been collected, processed, or stored in a manner inconsistent with applicable law or this Privacy Policy, the Company reserves the right to take appropriate corrective action, including restricting access to such information, deleting such information, suspending affected accounts, or taking other remedial measures deemed necessary.
Any parent, guardian, customer, or authorised representative who believes that information relating to a child may have been improperly submitted to the Platform is encouraged to contact the Company promptly using the contact information provided in this Privacy Policy.
26. Grievance Redressal Mechanism
The Company is committed to addressing concerns relating to privacy, data protection, information security, and the processing of Personal Data in a fair, transparent, and timely manner.
Any User, Data Principal, customer representative, or authorised individual who wishes to raise a concern, complaint, request, objection, or grievance relating to the collection, use, processing, disclosure, retention, transfer, correction, deletion, or protection of information may contact the Company's designated Grievance Officer.
The Company shall establish and maintain reasonable procedures to receive, review, investigate, and respond to grievances relating to the processing of Personal Data.
Upon receipt of a grievance, the Company may request additional information reasonably necessary to verify the identity, authority, or relationship of the requesting individual and to facilitate investigation of the matter.
The Company shall endeavour to acknowledge and respond to grievances within reasonable timelines and in accordance with applicable legal requirements.
Nothing in this Privacy Policy shall restrict the rights of any individual to seek remedies, raise complaints, or pursue rights available under applicable law.
Grievance Officer
The Company reserves the right to update Grievance Officer details from time to time and publish revised details through the Platform or other appropriate channels.
Name: Abhishek Kumar
Designation: Director
Email: abhishek@gembaconcepts.com
Postal Address: No.10 L, 10 M, 4th N Block Rajajinagar, Near Shanti Enterprises, Rajajinagar, Bengaluru Urban, Bengaluru, Karnataka - 560010
Telephone: 9886911182
27. Regulatory Compliance and Privacy Governance
The Company is committed to maintaining privacy and information governance practices designed to support compliance with applicable laws, regulations, contractual commitments, and recognised industry standards.
Without limiting the foregoing, the Company intends that its privacy programme, information security practices, operational controls, and data governance procedures support compliance with:
- (a) the Digital Personal Data Protection Act, 2023;
- (b) the Information Technology Act, 2000 and applicable rules thereunder;
- (c) contractual commitments undertaken with customers, suppliers, business partners, and service providers;
- (d) applicable judicial, regulatory, governmental, and statutory requirements; and
- (e) recognised industry practices relating to privacy, cybersecurity, information governance, and risk management.
The Company may maintain policies, procedures, standards, guidelines, training programmes, awareness initiatives, governance structures, risk management processes, and internal controls designed to support compliance with its legal and contractual obligations.
Nothing contained in this Privacy Policy shall be interpreted as a representation or warranty that the Company is immune from cybersecurity threats, privacy incidents, regulatory changes, or legal risks. Rather, the Company seeks to implement reasonable and proportionate measures designed to manage such risks in a commercially responsible manner.
28. Audit, Review, Monitoring and Compliance Activities
In order to support information security, operational resilience, regulatory compliance, risk management, and service improvement, the Company may conduct or facilitate internal reviews, assessments, monitoring activities, testing exercises, audits, vulnerability assessments, security reviews, compliance reviews, and other governance activities.
Such activities may include the review of access logs, authentication records, user activity information, system performance metrics, operational records, security alerts, and other information reasonably necessary for maintaining the integrity, security, and effectiveness of the Platform.
The Company may also engage independent auditors, consultants, assessors, legal advisors, security professionals, and other qualified third parties to assist with governance, compliance, risk management, security assurance, or operational improvement activities.
Any information disclosed during such activities shall be subject to confidentiality obligations, professional duties, contractual restrictions, or other safeguards deemed appropriate by the Company.
Nothing in this Privacy Policy shall require the Company to disclose proprietary security information, confidential audit findings, vulnerability information, trade secrets, or information that may compromise the security of the Platform or the interests of customers.
29. Changes to This Privacy Policy
The Company reserves the right to amend, modify, supplement, replace, update, revise, or otherwise change this Privacy Policy at any time in its sole discretion.
Changes may be made to reflect developments in law, regulatory requirements, technology, information security practices, business operations, service offerings, contractual obligations, customer requirements, industry standards, or other relevant considerations.
Where material changes are made, the Company may provide notice through the Platform, electronic communications, customer portals, websites, account notifications, or other reasonable means of communication.
The most current version of this Privacy Policy shall supersede all previous versions and shall become effective from the date specified therein.
Continued access to or use of the Services following publication of an updated Privacy Policy shall constitute acknowledgement of the revised Privacy Policy, to the extent permitted by applicable law.
30. Governing Law and Jurisdiction
This Privacy Policy shall be governed by, interpreted, and construed in accordance with the laws of India, without regard to principles relating to conflicts of laws.
Subject to any mandatory legal requirements to the contrary, the courts located in Bengaluru, Karnataka, India shall have exclusive jurisdiction over any dispute, claim, controversy, proceeding, or matter arising out of or relating to this Privacy Policy, the processing of information by the Company, or the use of the Services.
Nothing contained herein shall prevent the Company from seeking injunctive relief, interim relief, equitable relief, protective orders, or similar remedies before any court, tribunal, or competent authority having jurisdiction where such action is necessary to protect its rights, confidential information, intellectual property, systems, or security interests.
Where a customer agreement, master services agreement, subscription agreement, data processing agreement, or other written contract contains a separate dispute resolution mechanism, jurisdiction provision, or governing law provision, such contractual provision shall prevail to the extent of any inconsistency.
31. Contact Information
Questions, requests, complaints, notices, communications, or enquiries relating to this Privacy Policy, privacy matters, data protection matters, information security matters, or the processing of information by the Company may be directed to:
Gemba Concepts Private Limited
Registered Office: No. 10L, Dr. Rajkumar Road, Rajajinagar, Bengaluru – 560010, Karnataka, India
Email: sales@gembaconcepts.com
Website: https://gembaconcepts.com
Grievance Officer
The Company shall endeavour to review and respond to legitimate communications received through the above channels within reasonable timelines and in accordance with applicable legal obligations.
Name: Abhishek Kumar
Designation: Director
Email: abhishek@gembaconcepts.com
Postal Address: No.10 L, 10 M, 4th N Block Rajajinagar, Near Shanti Enterprises, Rajajinagar, Bengaluru Urban, Bengaluru, Karnataka - 560010
Telephone: 9886911182