Privacy Policy, Security & Data Governance

Governing Jurisdiction: State of Colorado, United States

Effective April 5, 2026 · Last updated April 5, 2026

1. Introduction

Gridleaf provides energy analytics and infrastructure intelligence platforms designed for regulated environments including utilities, policymakers, and enterprise stakeholders. This policy outlines our strict approach to privacy, security, and responsible handling of sensitive infrastructure data.

2. Regulatory & Compliance Alignment

Gridleaf aligns with the GDPR, CCPA/CPRA, and India's DPDP Act, and follows best practices informed by the NIST Cybersecurity Framework and ISO 27001.

3. Lawful Basis for Processing

Processing is based on consent, contractual necessity, legitimate interests (security and improvement), and legal obligations.

4. Data Classification Framework

We classify data into: (a) Public Data, (b) Customer Confidential Data, and (c) Critical Infrastructure Data. Each class is handled with increasing levels of protection, monitoring, and access restriction.

5. Data We Collect

We collect only the minimum data necessary: contact information, credentials, technical metadata, limited analytics, and enterprise-provided datasets.

6. Utility-Grade Data Safeguards

Customer data is isolated per tenant. No commingling across utilities or enterprises. Data is never resold or used for competitive intelligence.

7. AI & Model Usage Policy

Customer data is not used to train generalized AI/ML models without explicit consent. All outputs are advisory and require human validation.

8. API Usage & Responsibilities

API usage is logged for security and rate limiting. Customers must secure API keys and ensure lawful usage.

9. Collaboration Integrations (Slack, Email)

Integrations process only required data. No persistent monitoring or storage of communication content.

10. Cookies & Tracking

Only essential cookies are used. Optional analytics cookies improve performance. No advertising tracking.

11. Audit Logging & Transparency

All system access is logged. Audit logs are retained for a defined period and may be made available to enterprise customers upon request.

12. Data Retention & Deletion

Data is retained only as necessary. Deletion requests are processed within 30 days, subject to verification and legal obligations.

13. Incident Response & Breach Notification

We maintain incident response procedures. Material breaches are reported within 72 hours where required by applicable law.

14. Subprocessors & Infrastructure

We may use trusted subprocessors (e.g., hosting, email delivery). All subprocessors are contractually bound to strict data protection obligations.

15. Data Sharing

We do not sell data. Data is shared only with processors, or with legal authorities when required.

16. User Rights

Users may access, correct, delete, or restrict their data under applicable regulations.

17. Security Measures

Security measures include encryption (in transit and at rest), role-based access control, monitoring, and periodic security reviews.

18. International Transfers

Data transfers follow safeguards such as standard contractual clauses.

19. Children’s Privacy

Our services are not intended for individuals under 18.

20. Regulatory Positioning

Gridleaf is designed for regulated energy environments and supports compliance-oriented workflows. It functions as a decision-support system and not as an autonomous control system.

21. Updates

This policy may be updated periodically.