Privacy Policy
Version: 2025-01
Effective Date: January 1, 2025
Last Updated: February 24, 2026
1. Scope
This Privacy Policy explains how GRSCIA, powered and managed by CISOSHARE INSPECTION AUDIT SERVICES - L.L.C - S.P.C ("GRSCIA", "we", "our", or "us"), collects and processes Personal Data when you use the GRSCIA platform.
This is a privacy notice. Contractual, operational, and service-delivery terms are defined in other legal documents (see Section 15).
2. Roles and Responsibilities
- Customer organizations are typically the Controller for data they submit to the platform.
- GRSCIA typically acts as Processor for Customer data under the DPA.
- For limited account, security, and billing operations, GRSCIA may act as an independent Controller as required by law.
Detailed Controller/Processor obligations are in the Data Processing Agreement (DPA).
3. Data We Collect
3.1 Data You Provide
- Account and identity data: name, work email, phone, role, organization details.
- Onboarding and business verification data: trade license details, legal entity details, selected workspace settings.
- Compliance workspace data: documents, records, workflow actions, audit-related metadata.
- Billing and subscription data: billing contacts, plan selections, invoice metadata.
3.2 Data We Collect Automatically
- Device and connection metadata: IP address, browser, operating system, basic device identifiers.
- Service usage data: pages accessed, feature usage, timestamps, session-level technical events.
- Security and reliability telemetry: error logs, integrity checks, abuse-prevention signals.
3.3 Data from Third Parties
- Identity providers (for example UAE Pass) when enabled.
- Payment processors and billing infrastructure.
- Customer-authorized integrations.
4. Sources of Personal Data
We receive Personal Data from:
- You and your organization administrators.
- Your authorized users and invited participants.
- Connected providers and integrations you enable.
- Automated system events generated during platform use.
5. Purposes and Legal Bases
| Purpose | Typical Legal Basis |
|---|---|
| Provide and operate the platform | Contract performance |
| Account security, fraud prevention, abuse detection | Legitimate interests / legal obligation |
| Onboarding, identity verification, access management | Contract performance / legal obligation |
| Billing, invoicing, payment operations | Contract performance / legal obligation |
| Regulatory and audit obligations | Legal obligation |
| Product quality, service reliability, incident prevention | Legitimate interests |
| Optional cookies and optional marketing communications | Consent |
Where consent is required, you may withdraw it at any time for future processing.
6. Sharing and Disclosure
We do not sell Personal Data.
We may disclose Personal Data only to:
- Approved sub-processors and service providers that support platform delivery.
- Payment, communications, and infrastructure providers under contract.
- Competent authorities when legally required.
- Other parties where you direct us to share data.
Public sub-processor disclosures are maintained in the Sub-Processor Register. Contractual sub-processor terms remain in DPA Annex C.
7. Data Residency and International Transfers
7.1 Residency Scope
GRSCIA enforces strict UAE residency for:
- Platform database (control plane)
- Tenant database (workspace data)
7.2 Approved Operational Exceptions
Certain non-database processing may involve approved operational exceptions required to deliver the service, including:
- MCP service integrations
- Billing and payment processing
These exceptions are governed by contractual safeguards and documented in the DPA and Sub-Processor Register.
7.3 Transfer Safeguards
When cross-border processing is involved for approved scenarios, GRSCIA applies contractual and organizational safeguards required by applicable law and contract.
8. Retention and Deletion
We retain Personal Data only for as long as needed for service delivery, legal/regulatory obligations, and legitimate business records.
Retention periods, deletion obligations, and post-termination handling are governed contractually in the DPA and SLA.
9. Security and Incident Handling
GRSCIA applies technical and organizational security controls appropriate to risk, including access controls, encryption in transit and at rest, logging, and monitoring.
Operational security commitments and incident-response timelines are governed by the SLA and DPA.
10. Your Rights
Subject to applicable law, you may request:
- Access to your Personal Data.
- Rectification of inaccurate data.
- Erasure where legally applicable.
- Restriction of, or objection to, certain processing.
- Data portability where applicable.
- Withdrawal of consent where processing is consent-based.
- Complaint escalation to a competent authority.
To submit a request, contact us using the details in Section 14.
11. Cookies and Similar Technologies
We use strictly necessary cookies for core service operation and optional categories for analytics, functionality, and marketing where applicable.
Full details are in our Cookie Policy.
12. Children
The platform is designed for organizational/business use and is not directed to children.
13. Changes to This Policy
We may update this Privacy Policy periodically. The latest version and update date are shown at the top of this document. Material updates are communicated through appropriate channels.
14. Contact and Complaints
For privacy requests or complaints:
- Privacy Team: privacy@grscia.ae
- Data Protection Officer: dpo@grscia.ae
- General Legal/Compliance: compliance@grscia.ae
Mailing address:
GRSCIA, powered and managed by CISOSHARE INSPECTION AUDIT SERVICES - L.L.C - S.P.C
Abu Dhabi, United Arab Emirates
15. Related Documents
This Privacy Policy should be read together with:
| Document | Purpose | Reference |
|---|---|---|
| Data Processing Agreement (DPA) | Controller/Processor terms, sub-processors, transfers, deletion obligations | View |
| Service Level Agreement (SLA) | Operational service levels, backup/DR, incident response timelines | View |
| Terms of Use | Platform use terms and general contractual conditions | View |
| Cookie Policy | Cookie categories, consent controls, preference management | View |
| Sub-Processor Register | Public list of active sub-processors and transfer basis | View |
The Master Service Agreement (MSA) remains a private contractual document and is provided through private commercial/onboarding channels.
Acknowledgment
By using the platform, you acknowledge that you have read and understood this Privacy Policy.