Privacy Policy

How we collect, use, and protect your personal information.

Last Updated: April 2026

This Privacy Policy describes how Resilient Sustainance Private Limited ("we," "us," or "our"), operating the website india.rsustain.com, collects, uses, stores, and protects your personal information. This policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), the Digital Personal Data Protection Act, 2023 ("DPDP Act"), and other applicable Indian laws.

Under the DPDP Act, Resilient Sustainance Private Limited acts as the Data Fiduciary — the entity that determines the purpose and means of processing your personal data. Where we engage third parties to process data on our behalf (such as payment processors or analytics providers), those parties act as Data Processors under the DPDP Act.

By accessing or using our website and services, you consent to the practices described in this Privacy Policy. Your continued use of our services constitutes consent under Section 6 of the DPDP Act.

1. Information We Collect

1.1 Information You Provide Directly

We collect information that you voluntarily provide to us, including:

• Contact Information: Name, email address, phone number, company name, designation, and business address when you fill out contact forms, book consultations, or subscribe to our communications.
• Assessment and Tool Data: When you use our BRSR Compass, BRSR XBRL Filing Tool, Pre-Assurance Validator, ESG Compliance Calendar, Policy Templates, Workforce Aggregator, Water & Waste Tracker, GreenCampus Rating, or AA1000 Assurance Platform, we collect your responses, company details, industry sector, and organisational information to generate reports and scorecards.
• Lead Capture Forms: Information submitted through forms on our website for downloading resources, registering for events, or requesting proposals, including name, email, company, and role.
• Payment Information: When you purchase paid services, payment details are collected and processed securely by our payment processor (Razorpay). We do not store your full card number or CVV on our servers.
• Communication Data: Content of emails, messages, and enquiries you send to us.

1.2 Information Collected Automatically

When you visit our website, we automatically collect certain information, including:

• IP address, browser type, operating system, and device information
• Pages visited, time spent on pages, referring URLs, and navigation patterns
• Geographic location (city/country level, derived from IP address)
• Cookies and similar tracking technologies (see Section 3 below)

1.3 Sensitive Personal Data or Information (SPDI)

We do not intentionally collect sensitive personal data or information as defined under the SPDI Rules (such as passwords, financial information beyond what is processed by Razorpay, health data, biometric data, or sexual orientation). If we need to collect SPDI for any service, we will obtain your explicit consent beforehand.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide our BRSR advisory, assurance, ESG consulting, and digital tool services, including generating assessment reports, readiness scorecards, filing outputs, and assurance statements.
• Communication: To respond to your enquiries, send service updates, share relevant regulatory alerts, and provide information about our services.
• Improvement: To analyse usage patterns, improve our website and tools, and develop new services.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.
• Marketing: To send you information about our services, events, publications, and regulatory updates, where you have opted in to receive such communications.
• Analytics: To understand how our website is used, measure the effectiveness of our content, and improve user experience.

3. Automated Decision-Making and Algorithmic Scoring

Several of our online tools use automated algorithmic scoring to generate results. This includes, but is not limited to:

• BRSR Compass: Automated scoring of your organisation's BRSR readiness based on your responses to structured questions.
• Pre-Assurance Validator: Automated evaluation of your assurance readiness across defined criteria.
• GreenCampus Rating: Algorithmic assessment of campus sustainability maturity across multiple pillars.
• AA1000 Assurance Platform: Automated criteria evaluation for Type 1 and Type 2 assurance readiness.

These tools apply deterministic, rule-based scoring algorithms to the data you provide. No artificial intelligence or machine learning models are used to make decisions about you. The scoring logic is based on published frameworks (SEBI BRSR, AA1000AS v3, etc.) and our professional methodology. All automated outputs are indicative and do not constitute professional opinions, audit results, or regulatory certifications.

You have the right to request human review of any automated assessment output. To do so, please contact us at india@rsustain.com.

4. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience and collect analytical data.

4.1 Types of Cookies We Use

• Essential Cookies: Required for the website to function properly, including session management and security.
• Analytics Cookies: Used to understand how visitors interact with our website (via Google Analytics). These cookies collect information in an aggregated form.
• Functional Cookies: Remember your preferences and settings to provide a personalised experience.

4.2 Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website. Most browsers allow you to refuse cookies or alert you when cookies are being sent.

5. Third-Party Services (Data Processors)

We engage the following third-party Data Processors (as defined under the DPDP Act) who process your personal data on our behalf or in connection with our services:

5.1 Razorpay (Data Processor — Payment Processing)

We use Razorpay Software Private Limited as our payment gateway for processing payments in Indian Rupees (INR). When you make a payment, your payment information is collected and processed directly by Razorpay in accordance with their privacy policy and PCI DSS compliance standards. Razorpay acts as a Data Processor under the DPDP Act for payment-related personal data. We do not store your complete payment card details. For more information, please refer to Razorpay's Privacy Policy.

5.2 Google Analytics (Data Processor — Analytics)

We use Google LLC (via Google Analytics) to analyse website traffic and usage patterns. Google Analytics uses cookies to collect information about how visitors use our website. Google acts as a Data Processor for this analytics data. The data generated is transmitted to and stored by Google on servers that may be located outside India (see Section 6 on Cross-Border Transfers). Google's ability to use and share information collected by Google Analytics is governed by the Google Privacy Policy.

5.3 Hosting and Infrastructure

Our website application backend and assessment tools are hosted on a virtual private server (VPS) located in a data centre operated by our hosting provider. Our WordPress front-end is hosted by Hostinger International Ltd. with CDN distribution. Data processed through our tools may transit through or be stored on servers located in Europe or the United States as part of these hosting arrangements.

6. Cross-Border Data Transfers

Certain personal data collected through our website may be transferred to, stored on, or processed on servers located outside India, including:

• Google Analytics data: Processed on Google servers, which may be located in the United States or other jurisdictions.
• Hosting infrastructure: Our VPS and CDN providers may route or store data through servers in Europe or the United States.

Where personal data is transferred outside India, we ensure that such transfers comply with the requirements of the DPDP Act, including ensuring that the receiving jurisdiction provides adequate data protection or that appropriate contractual safeguards are in place. We do not transfer personal data to any country or territory that has been restricted by the Central Government under Section 16(1) of the DPDP Act.

7. Data Security

We implement reasonable security practices and procedures as required under the SPDI Rules and the DPDP Act, including:

• SSL/TLS encryption for all data transmitted between your browser and our servers
• Secure storage of personal data with access controls and authentication measures
• Regular security reviews and updates of our systems and processes
• Limiting access to personal data to authorised personnel on a need-to-know basis
• Using PCI DSS compliant payment processing through Razorpay
• Implementing reasonable security safeguards to protect personal data against breaches, as required under Section 8 of the DPDP Act

While we take reasonable precautions to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in accordance with Section 8(6) of the DPDP Act.

8. Your Rights

Under the Information Technology Act, 2000, the SPDI Rules, and the DPDP Act, 2023, you have the following rights as a Data Principal:

• Right to Access: You may request a summary of your personal data being processed by us and the processing activities undertaken, in accordance with Section 11 of the DPDP Act.
• Right to Correction and Erasure: You may request that we correct inaccurate or misleading personal data, complete incomplete personal data, update your personal data, or erase personal data that is no longer necessary for the purpose for which it was collected, in accordance with Section 12 of the DPDP Act.
• Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, and machine-readable format, to the extent technically feasible.
• Right to Withdraw Consent: You may withdraw your consent for the collection and use of your personal data at any time, in accordance with Section 6(4) of the DPDP Act. To withdraw consent:
  • Send an email to india@rsustain.com with the subject line "Consent Withdrawal Request"
  • Specify whether you wish to withdraw consent for all processing or for specific purposes (e.g., marketing only)
  • We will process your withdrawal request within 7 business days
  • Please note that withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal, and may limit our ability to provide certain services to you
• Right to Grievance Redressal: You may contact our Data Protection Officer (details below) for any complaints or concerns regarding the handling of your personal data.
• Right to Nominate: You may nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity, in accordance with Section 14 of the DPDP Act.
• Right to Opt Out: You may unsubscribe from our marketing communications at any time using the unsubscribe link in our emails or by contacting us directly.

To exercise any of the above rights, please contact us at india@rsustain.com. We will respond to your request within the timeframe prescribed by applicable law.

9. Data Retention

We retain your personal information for as long as reasonably necessary to fulfil the purposes for which it was collected, including:

• Assessment Data: Assessment responses and reports from our tools (BRSR Compass, GreenCampus, Validator, etc.) are retained for the duration of our engagement and for a reasonable period thereafter to provide continuity of service.
• Contact Information: Retained for as long as you maintain a business relationship with us or until you request deletion.
• Payment Records: Retained for the period required under applicable tax and financial regulations (typically 8 years under Indian law).
• Analytics Data: Aggregated and anonymised data may be retained indefinitely for trend analysis and service improvement.

When personal information is no longer required, we will securely delete or anonymise it in accordance with our data retention procedures and Section 8(7) of the DPDP Act.

10. Disclosure of Information

We do not sell, trade, or rent your personal information to third parties. We may disclose your information in the following circumstances:

• Service Providers (Data Processors): To trusted third-party Data Processors who assist us in operating our website and delivering our services, subject to contractual obligations that ensure they process your data only as instructed by us and maintain adequate security safeguards.
• Legal Requirements: When required by law, court order, or government authority, or to protect our rights, property, or safety.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.
• With Consent: In any other circumstance, with your explicit consent.

11. Children's Privacy

Our website and services are not directed at individuals under the age of 18. We do not knowingly collect personal information from children. In accordance with Section 9 of the DPDP Act, processing of personal data of children (below 18 years) requires verifiable consent of a parent or lawful guardian. If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete such information promptly.

12. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.

13. Data Protection Officer

In accordance with the Information Technology Act, 2000, the SPDI Rules, and the DPDP Act, 2023, the details of our Data Protection Officer are as follows:

Data Protection Officer
Resilient Sustainance Private Limited
Email: india@rsustain.com
Website: india.rsustain.com

The Data Protection Officer shall acknowledge your complaint or request within 48 hours and resolve it within 30 days of receipt, in accordance with applicable regulations. If you are not satisfied with the resolution provided, you may file a complaint with the Data Protection Board of India established under the DPDP Act.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Resilient Sustainance Private Limited
Email: india@rsustain.com
Website: india.rsustain.com