Privacy and Data Protection Policy
This Privacy and Data Protection Policy ("Policy") sets out the manner in which Growdiesel Ventures Limited ("Growdiesel", "Company", "we", "us", or "our") collects, processes, stores, shares, and otherwise handles personal data in connection with its Services.
This Policy has been prepared in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and other applicable laws of India. Insofar as Growdiesel processes personal data of individuals located in the European Economic Area or the United Kingdom, the General Data Protection Regulation (EU) 2016/679 ("GDPR") is also applicable to such processing.
Please read this Policy carefully before using any of our Services. By accessing or using our Services, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, you should discontinue use of our Services and may contact us to exercise your data rights as described herein.
For the purposes of the DPDP Act 2023, Growdiesel Ventures Limited is the "Data Fiduciary" responsible for determining the purposes and means of processing of personal data collected through its Services.
Registered Name: Growdiesel Ventures Limited
Website: https://www.growdiesel.in
Grievance Officer: Shrey Saxena
Grievance Contact Email: shrey@growdieselmail.com
Subject Line for Data Requests: "Data Rights Request [Your Name]"
Response Commitment: Acknowledgement within 72 hours; substantive response within 30 days of receipt of a complete request.
The Grievance Officer is designated pursuant to Rule 5(9) of the SPDI Rules and shall address complaints or concerns relating to the processing of personal data in a time-bound and effective manner.
This Policy applies to personal data processed by Growdiesel in connection with the following services (collectively, the "Services"):
| Service | Description | Persons Covered |
|---|---|---|
| Website and Digital Properties | The websites operated at growdiesel.in and growdiesel.com, including enquiry forms, newsletters, and digital marketing communications | All website visitors, enquirers, and newsletter subscribers |
| Course and Training Platform | The online course and training programme for renewable energy and biogas business development, accessible at growdiesel.in/course | Enrolled students, course purchasers, and platform users |
| B2B Consulting and Partnerships | Consulting engagements, technology licensing, and commercial partnerships with private corporates, PSUs, and other entities | Corporate clients, institutional partners, and commercial counterparts |
| Government and Institutional Projects | Projects executed in collaboration with or for central and state government bodies, municipal corporations, and statutory authorities | Government officials, nodal officers, and project liaisons |
Personal data collected or processed in connection with government projects is additionally governed by the terms of the applicable MoU, contract, or government directive, as the case may be. In the event of any conflict between this Policy and such instruments, the terms of the applicable contract or directive shall prevail to the extent of such conflict.
When you visit our website or submit an enquiry form, we may collect your name, email address, phone number, and the content of your communication. Our servers and analytics tools also automatically record technical data including your IP address, browser type, operating system, referring URL, pages visited, and session duration. This technical data is collected through cookies and similar technologies as described in Section 8 of this Policy.
Upon enrolment in any of our training programmes, we collect your full name, email address, mobile number, and billing address. Payment transactions on the course platform are processed exclusively through third-party payment gateways that are compliant with applicable payment security standards. Growdiesel does not receive, store, or process raw payment card details or UPI credentials. We additionally collect and maintain records of your course enrolment, learning progress, assessment results, and certificates of completion. Login credentials are stored in an encrypted, hashed form and are never stored in plain text.
In the course of consulting engagements, we collect professional contact details of authorised representatives, including name, designation, organisational affiliation, official email address, and telephone number. We also process business correspondence, project scoping documentation, non-disclosure agreements, commercial contracts, and such operational or technical data as may be necessary for the execution of the engagement.
In connection with government projects, we collect the name, official designation, and contact details of nodal officers and other authorised government personnel. Project documentation, inspection records, and official correspondence are processed in accordance with the terms of the applicable project agreement and applicable government regulations.
Growdiesel processes personal data only where there exists a lawful basis for doing so under applicable law. The following table sets out the purposes for which we process personal data and the corresponding legal basis:
| Purpose of Processing | Applicable Service | Legal Basis (DPDP Act 2023) |
|---|---|---|
| Responding to enquiries and providing requested information | Website, B2B | Consent of the Data Principal |
| Processing course enrolments, facilitating payments, and issuing completion certificates | Course Platform | Performance of a contract to which the Data Principal is a party |
| Delivery of consulting and technology services pursuant to a commercial engagement | B2B, Government Projects | Performance of a contract; legitimate uses under Section 7 |
| Sending transactional communications including payment receipts, project updates, and service notifications | All Services | Performance of a contract; legitimate uses |
| Sending marketing and promotional communications, including newsletters and case studies | Website, Course Platform | Consent of the Data Principal (opt-in basis only) |
| Compliance with GST invoicing and statutory financial reporting obligations | All paying customers | Compliance with a legal obligation under applicable Indian law |
| Prevention of fraud, maintenance of cybersecurity, and protection of our systems and users | All Services | Legitimate uses under Section 7 of the DPDP Act |
| Internal analytics, platform improvement, and business development | Website, Course Platform | Legitimate uses under Section 7 of the DPDP Act |
| Fulfilment of reporting obligations under government project agreements and applicable statutes | Government Projects | Compliance with legal obligations; functions of the State under Section 7(b) |
Where processing is based on your consent, you retain the right to withdraw such consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
Personal data is retained only for so long as is necessary to fulfil the purpose for which it was collected, or as required by applicable law. The following retention schedule governs our data retention practices:
| Category of Personal Data | Retention Period | Applicable Legal or Contractual Basis |
|---|---|---|
| Website enquiry and lead data | 12 months from date of last interaction | Legitimate business interest |
| Course enrolment and learning records | 5 years from date of course completion | Contractual obligation; certification records |
| Payment records and GST invoices | 7 years from the end of the relevant financial year | Section 36 of the CGST Act, 2017; Section 44AA of the Income Tax Act, 1961 |
| B2B consulting agreements and commercial correspondence | 7 years from the conclusion of the engagement | Limitation Act, 1963; contractual risk management |
| Government project documentation and official correspondence | As stipulated in the applicable contract or statute; minimum 7 years where not specified | Applicable government regulations and project-specific instruments |
| Marketing subscriber data | Until unsubscription, plus 6 months for suppression list management | Consent; legitimate interest in preventing re-contact |
| Server and security logs | 6 months on a rolling basis | IT Act 2000 and legitimate security interest |
Upon expiry of the applicable retention period, personal data shall be securely deleted or anonymised in a manner that makes re-identification of the individual not reasonably practicable. Where deletion is temporarily impracticable due to storage architecture constraints, the data shall be isolated from further processing until deletion is carried out.
Growdiesel does not sell, rent, or otherwise commercially exploit personal data. Disclosure of personal data to third parties is limited to the following circumstances:
We engage third-party vendors who process personal data on our behalf and under our instructions as "Data Processors" for the purposes of this Policy. Such vendors include payment gateway operators, email and communication service providers, cloud hosting and storage providers, website analytics platforms, and video content delivery platforms for course hosting. All third-party processors are required to maintain data security standards consistent with applicable law and are bound by contractual data processing obligations.
We may disclose personal data where required to do so under applicable law, pursuant to a court order, or in response to a lawful request from a government authority or regulatory body, including the Enforcement Directorate, Securities and Exchange Board of India, Ministry of New and Renewable Energy, or any other competent authority.
In the event of a merger, acquisition, corporate restructuring, or sale of all or a part of Growdiesel's business undertaking, personal data held by us may be transferred to the successor entity as part of such transaction. We will endeavour to notify affected users prior to such transfer, subject to any obligations of confidentiality applicable to the transaction.
For jointly executed government or institutional projects, professional contact and project-related data may be shared with co-implementing agencies, state government departments, or central ministries, to the extent required under the project agreement or applicable MoU. Such sharing shall be governed by the terms of the relevant instrument.
Where personal data is required to be transferred outside the territory of India, Growdiesel shall ensure that such transfer is in compliance with Section 16 of the DPDP Act 2023 and any rules or notifications issued by the Central Government with respect to cross-border data flows. Transfers to third-party processors located outside India are subject to contractual data transfer safeguards consistent with applicable law.
Our website uses cookies and similar tracking technologies to support the operation of the site and to collect usage information. The following categories of cookies may be deployed:
| Category | Function | Consent Required |
|---|---|---|
| Strictly Necessary Cookies | Required for core site functionality including session management, user authentication, and security. Cannot be disabled without affecting service delivery. | Not required (necessary for service) |
| Analytics Cookies | Used to collect aggregated information about traffic, user navigation patterns, and platform performance. Typically implemented via Google Analytics or equivalent tools. | Required |
| Marketing and Retargeting Cookies | Used to measure the effectiveness of advertising campaigns and to enable remarketing via platforms such as Google Ads and Meta Ads. These cookies may track your browsing across other websites. | Required |
| Preference Cookies | Store user preferences such as language or display settings to improve your browsing experience. | Not required |
You may manage or disable non-essential cookies through your browser settings at any time. Disabling such cookies will not affect your access to the core features of our Services. You may also opt out of Google Analytics measurement using the browser add-on available at tools.google.com/dlpage/gaoptout and adjust your Meta advertising preferences at facebook.com/ads/preferences.
Our website does not currently respond to browser-level Do-Not-Track signals, as no uniform technical standard for such signals has been established. Should a binding standard be adopted, this Policy will be updated accordingly.
Under the DPDP Act 2023 and other applicable laws, you, as a "Data Principal", have the following rights in respect of your personal data:
| Right | Description |
|---|---|
| Right to Access Information | You have the right to obtain a summary of the personal data processed by us and the processing activities carried out in respect of such data, pursuant to Section 11 of the DPDP Act 2023. |
| Right to Correction and Erasure | You have the right to request correction of inaccurate or incomplete personal data and, in certain circumstances, erasure of your personal data, pursuant to Section 12 of the DPDP Act 2023. Erasure requests are subject to applicable statutory retention obligations. |
| Right to Grievance Redressal | You have the right to have your grievances addressed by our Grievance Officer in a timely and effective manner, pursuant to Section 13 of the DPDP Act 2023. |
| Right to Nominate | You have the right to nominate another individual to exercise your rights under the DPDP Act 2023 in the event of your death or incapacity, pursuant to Section 14 of the DPDP Act 2023. |
| Right to Withdraw Consent | Where processing is based on your consent, you have the right to withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of any processing undertaken prior to withdrawal. |
| Right to Data Portability | Where applicable law so provides, you may request that your personal data be provided to you in a structured and commonly used format. |
To exercise any of the above rights, please submit a written request by email to shrey@growdieselmail.com with the subject line "Data Rights Request [Your Name]". We will acknowledge receipt within 72 hours and provide a substantive response within 30 days of receiving a complete request. Where a request requires additional information or clarification, we will communicate this to you within the same period.
If you are dissatisfied with our response, you may escalate your grievance to the Data Protection Board of India, once it is constituted pursuant to the DPDP Act 2023. Users located in the European Economic Area or the United Kingdom may additionally lodge a complaint with their local data protection supervisory authority.
Growdiesel implements technical and organisational security measures that are reasonable and appropriate in relation to the nature, scope, and context of the personal data processed, pursuant to Section 8(4) of the DPDP Act 2023 and Rule 8 of the SPDI Rules 2011. These measures include:
Encrypted data transmission using TLS/HTTPS across all web properties and data interfaces; hashing and salting of user passwords and authentication credentials on the course platform; role-based access controls and least-privilege principles governing internal access to personal data; third-party payment processing through PCI-DSS compliant payment gateways, with no storage of raw card or UPI credentials by Growdiesel; and regular review of security practices and access controls.
Our course platform may offer the option to register or log in using credentials from a third-party social media or identity provider, including Google, Facebook, or LinkedIn. Where you elect to use this facility, we receive certain profile information from the relevant provider as authorised by you, which may include your name, email address, and profile photograph.
Information received through such third-party authentication is used solely for the purpose of creating and maintaining your account on our platform and shall not be used for any purpose beyond those described in this Policy. Growdiesel has no control over the data practices of third-party providers and is not responsible for how such providers collect, use, or share your personal data. You are encouraged to review the privacy policies of any third-party provider whose authentication service you use.
Our Services are not directed at or intended for use by individuals below the age of 18 years. Growdiesel does not knowingly collect or process personal data from minors. Where we become aware that personal data has been submitted by or in respect of a minor without appropriate verifiable parental consent, we will take steps to delete such data without undue delay.
If you believe that a minor's personal data has been submitted to us in error, please contact our Grievance Officer at shrey@growdieselmail.com with the relevant details, and we will investigate and act accordingly.
Growdiesel reserves the right to amend or update this Policy from time to time, including to reflect changes in applicable law, regulatory guidance, or our business practices. The date of the most recent revision is indicated at the top of this document.
Where any amendment constitutes a material change to our data processing practices, we will notify registered course platform users by email and will display a prominent notice on our website. Your continued use of our Services following the effective date of any revised Policy shall constitute your acceptance of the revised terms, to the extent permitted by applicable law.
Growdiesel has designated a Grievance Officer pursuant to the SPDI Rules 2011 and the DPDP Act 2023 to address complaints and concerns relating to the processing of personal data. All requests, complaints, or notices in connection with this Policy should be directed as follows:
Grievance Officer: Shrey Saxena
Organisation: Growdiesel Ventures Limited
Email: shrey@growdieselmail.com
Subject Line: "Privacy Grievance [Your Name]" or "Data Rights Request [Your Name]"
Acknowledgement Timeline: Within 72 hours of receipt
Resolution Timeline: Within 30 days of receipt of a complete grievance or request
If your grievance is not resolved to your satisfaction within the timelines indicated above, you may escalate the matter to the Data Protection Board of India, which is the designated adjudicatory body under the DPDP Act 2023. EEA and UK-based individuals may additionally pursue remedies before their applicable supervisory authority.