GCC ERA — Privacy Policy
Effective date: 23 May 2026
Last updated: 23 May 2026
1. Data Controller Identity
GCC ERA PRIVATE LIMITED ("GCC ERA", "we", "us") is the Data Controller and Data Fiduciary for personal data processed through gccera.com and gccera.com/products under:
- Information Technology Act, 2000 (and IT Rules 2021)
- Digital Personal Data Protection Act, 2023 ("DPDP Act")
- Indian Contract Act, 1872
Legal identifiers (Companies Act 2013 §12):
- CIN: U62011AS2025PTC028987
- PAN: AAMCG3895Q
- GSTIN: 18AAMCG3895Q1ZH
- Date of incorporation: 19 September 2025
- Registered office: 11, Niribili Path, R G Baruah Road, Guwahati, Zoo Road, GMC, Kamrup — 781024, Assam, India
2. Categories of Data Collected
A. Personal Data
- Name
- Phone (optional)
- Location (city)
B. Professional & Sensitive Data
- CVs / résumés (full content)
- Salary slips, CTC, compensation details
- Employment hierarchy, career history, employer details
C. Voice & Audio Data
- Voice recordings (microphone audio) from mock interview sessions
- Auto-generated transcripts of those recordings
- Session metadata: timestamp, duration, persona chosen, CV+JD context, scoring rubric output
D. Payment Metadata
- Razorpay transaction IDs, amount, tax breakdown
- GST details (where provided)
- We do not store card numbers, CVV, UPI PINs, or netbanking credentials — Razorpay handles those
E. Technical Data
- IP address
- Browser type, OS, screen size
- Cookies and similar identifiers (see Section 3)
- Usage analytics (pages visited, features used, AI prompt counts)
3. Use of Cookies & Tracking Technologies
GCC ERA uses cookies and similar tracking technologies to operate, secure, analyse, and improve the Platform. Cookies are small text files stored on a user's device.
Categories used
a. Strictly necessary cookies — required for authentication, security, and fraud prevention. Disabling these prevents the Platform from working.
b. Performance and analytics cookies — help us understand usage patterns. Third-party providers: Google Analytics.
c. Functional cookies — remember preferences and improve personalization.
d. Advertising & marketing cookies (future use) — may be used in future for relevant content, marketing measurement, and remarketing.
Third-party cookies
Some cookies are placed by third-party service providers (e.g., Razorpay, Google OAuth). GCC ERA does not control these; they are governed by the respective third party's policies.
Control & consent
You may manage or disable cookies through your browser settings. We also display a consent banner on first visit to /products/ — your choice is stored in your browser's local storage.
By continuing to use the Platform after the consent banner, you consent to cookies as described.
4. Purpose & Legal Basis
| Purpose | Data used | Legal basis (DPDP) |
|---|---|---|
| Platform functionality (account, AI features) | Personal, Professional, Voice | Consent |
| Process payments and issue invoices | Payment metadata, GST | Contract performance |
| Run mock interview AI (record + transcribe + score) | Voice, Professional | Consent (re-confirmed at each session start) |
| Send transactional emails (sign-in code, invoice, deletion confirm) | | Contract performance |
| Aggregated, anonymised product analytics | Technical | Legitimate interest with opt-out |
| Compliance with Indian tax + corporate law | Payment metadata | Legal obligation |
We do not sell personal data. We do not use your CV or interview content to train AI models without your explicit opt-in.
5. Data Sharing & Third-Party Processors
Each processor below is contractually bound to handle your data only on our instructions.
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | USA / EU (AWS) |
| OpenAI L.L.C. | AI CV generation, scoring | USA |
| Anthropic PBC | AI coaching responses (Claude API) | USA |
| ElevenLabs Inc. | Voice synthesis + transcription for mock interviews | USA |
| Google LLC | OAuth sign-in, Google Analytics (if you consent) | USA / EU |
| LinkedIn Corporation | OAuth sign-in | USA |
| Microsoft Corporation | OAuth sign-in | USA / EU |
| Razorpay Software Pvt. Ltd. | Payment processing | India |
| Zoho Corporation Pvt. Ltd. | Transactional + invoice email delivery | India |
In future we may also share with:
- Employers — only with your explicit case-by-case consent
- Government / legal authorities — when legally compelled
6. Data Retention
| Data type | Retention period |
|---|---|
| Account profile, CV content, AI generations | While your account is active, plus 36 months after last login |
| Voice audio (mock interview recordings) | 12 months from session date, then auto-deleted |
| Mock interview transcripts | 24 months |
| Session metadata (scores, dates) | 36 months or until account deletion |
| Payment records (tax-law mandate) | 8 years from transaction (Income Tax Act, GST law) |
| Usage analytics | 26 months (Google Analytics default) |
| Server access logs | 90 days |
| Account in deletion grace period | 30 days from request, then permanent deletion |
| Data export request audit logs | 24 months |
| Backups containing deleted data | Purged within 90 days |
When you delete your account, all categories above are purged on the stated timeline, except payment records (legally retained).
7. Data Security
We protect your data with:
- HTTPS for all traffic (HSTS enforced; locked-in for 1 year)
- Row-level security on our Supabase database
- Hashed passwords / OAuth tokens — we never see your account password
- Razorpay-tokenised payments — we never touch card numbers
- DOMPurify-sanitised AI output — defends against script injection
- Defensive HTTP headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Voice audio encrypted at rest (Supabase Storage AES-256)
- Quarterly access-log + processor-terms review
Breach notification
In the event of a personal data breach affecting your data, we will notify affected users and the Data Protection Board of India within 72 hours of discovery, as required by DPDP §8.
Account deletion mechanism
When you request deletion via the dashboard, your account is marked for deletion and you are signed out. Data remains intact for a 30-day grace period so you can recover by signing back in and clicking "Cancel deletion". After 30 days, our automated process permanently deletes all personal data (profiles, CVs, reports, transcripts, voice audio, payment metadata except items we are legally required to retain) within 24 hours.
8. Your Rights under the DPDP Act
| Right | How to exercise |
|---|---|
| Access — copy of your data | Dashboard → Helpful Links → More → "Download my data" (delivered within 36 hours as JSON file). Each download is one-time; submit a new request afterward. |
| Correction — fix anything wrong | Edit fields in your profile, or email hello@gccera.com |
| Erasure — delete your account and all data | Dashboard → Helpful Links → More → "Delete my account". 30-day recovery window; permanent deletion thereafter. |
| Portability | Same as Access — your data is exported as machine-readable JSON |
| Withdraw consent — stop new processing | Email hello@gccera.com with subject "Withdraw consent" — we halt within 7 days |
| Nomination (DPDP unique) — assign your data to a person in case of death/incapacity | Email us — we record the nominee in our system |
| Grievance — complain about our handling | Email our Grievance Officer (Section 11). Response within 7 business days (faster than the 30-day DPDP requirement). Unresolved → escalate to Data Protection Board of India. |
We will not refuse, delay, or condition any of these requests on payment.
9. Children's Data
The Platform is intended for working professionals. Users below 18 require verifiable parental or guardian consent before processing any data, per DPDP §9. We do not knowingly collect data from children below 14. If you believe we have collected data from a minor without proper consent, email hello@gccera.com and we will delete it immediately.
10. International Data Transfers
Several of our processors operate outside India:
- Supabase, OpenAI, Anthropic, ElevenLabs — primarily USA
- Google, Microsoft, LinkedIn — global
Transfers to these jurisdictions are protected by standard contractual clauses with each processor. We monitor each processor's data-protection terms and will discontinue any processor that ceases to maintain DPDP-aligned safeguards.
11. Grievance Officer
In accordance with the Information Technology Rules 2021 and DPDP §13:
- Name: Ms. Priya
- Designation: Grievance Officer
- Email: hello@gccera.com
- Postal: 11, Niribili Path, R G Baruah Road, Guwahati 781024, Assam, India
- Response time: Within 7 business days (faster than the 30-day DPDP maximum)
For unresolved concerns, you may escalate to the Data Protection Board of India at the address published on its official website.
12. Voice & Audio Data — Mock Interview Features
Our mock interview features (voice mocks, Premium GCC Grade) record your microphone audio. By starting any voice session, you provide explicit consent under DPDP §6 for:
What is recorded
- Your spoken responses (raw audio)
- Auto-generated transcript of your responses
- Session metadata (timestamp, duration, persona, CV + JD context, scoring output)
What is NOT recorded
- Video or camera feed
- Screen contents
- Audio from before "Start interview" / after "End interview"
- Any other application's audio playing on your device
Why we need it
- Run the interview (the AI needs to hear you to respond)
- Score the session (scoring rubric needs the transcript)
- Deliver your report (your PDF references specific transcript moments)
- Improve scoring AI — only with explicit opt-in via email
Who processes voice data
- GCC ERA (storage on Supabase)
- ElevenLabs (USA) — voice synthesis + transcription
- OpenAI / Anthropic (USA) — scoring rubric on transcript
Retention
- Voice audio: 12 months from session date, then auto-deleted
- Transcript: 24 months (referenced by your scored report)
- Session metadata: 36 months or until account deletion
Withdrawal & deletion
- End any session at any time — partial recording is processed only for the portion you completed
- Delete a specific session via dashboard → past sessions
- Delete all voice data via "Delete my account"
- Opt out of AI training via email to hello@gccera.com — your transcripts are excluded from future model improvements
Security
Voice audio is encrypted at rest (AES-256). Transit is HTTPS only. Access is restricted to the account owner via row-level security. In the event of a breach affecting voice data, we notify affected users + DPB within 72 hours.
13. Policy Updates
We may update this policy. The "Last updated" date at the top reflects the latest revision. Material changes will be emailed to all account holders 30 days before they take effect.
14. Contact
- Email: hello@gccera.com
- Grievance Officer: Priya (see Section 11)
- Postal: GCC ERA Private Limited, 11, Niribili Path, R G Baruah Road, Guwahati 781024, Assam, India
For unresolved concerns, write to the Data Protection Board of India at the address on their official website.
_GCC ERA Private Limited · CIN U62011AS2025PTC028987 · GSTIN 18AAMCG3895Q1ZH · Incorporated 19 September 2025 · Guwahati, Assam, India_