Guntur Global Media

Privacy Policy

This Privacy Policy explains how Guntur Global Media, the owner and operator of the cDoc brand ("cDoc", "we", "us", or "our"), collects, uses, discloses, and protects personal data when you access or use our SaaS automation platform and related services (the "Service").

cDoc operates through the domain https://gunturglobalmedia.com and includes product variants such as HAX (HubSpot–Asana–Xero Automation) and HMX (HubSpot–Monday.com–Xero Automation).

By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

1

Who We Are

Legal Entity

Guntur Global Media

Brand / Product

cDoc

Our Global Operations

Our team operates as a distributed, remote-first organization, serving clients in Australia, the United Kingdom, Europe, North America, and internationally. We focus on delivering clear, structured, and scalable automation systems that help organizations transition from fragmented, manual workflows into transparent, automated, and growth-ready operations.

Data Protection Officer: Our data protection team can be contacted at privacy@gunturglobalmedia.com.

2

Information We Collect

We collect only the data necessary to provide and operate the Service, adhering to the principle of data minimization.

2.1 Information You Provide Directly

Identity Data
  • Full name
  • Email address
  • Company/organization name
  • Job title
Account & Billing Data
  • Account credentials
  • Payment information (processed by payment providers)
  • Subscription details
  • Communication preferences

2.2 Information From Connected Integrations

When you connect third-party platforms (such as HubSpot, Asana, Monday.com, Xero, QuickBooks, Pipedrive, or Slack), we may process automation-related data including:

CRM Data
  • Deal and pipeline metadata
  • Contact information
  • Deal stage transitions
Project Data
  • Project names & descriptions
  • Task statuses and assignments
  • Milestone completion data
Financial Data
  • Invoice identifiers and numbers
  • Payment status and amounts
  • Transaction dates

Important: We only access data explicitly authorized through OAuth or API permissions granted by you. We never access sensitive financial data like bank account numbers, credit card details, or full accounting records.

2.3 Automatically Collected Information

Technical & Usage Data

  • IP address and approximate location
  • Browser type, version, and device information
  • Log files and system usage patterns

Operational Data

  • Automation execution logs (for monitoring and debugging)
  • Security and access logs
  • Performance metrics and error reports

3

How We Use Your Information

Service Operation

Provide, operate, and maintain the Service and execute automated workflows between connected platforms.

Authentication & Security

Authenticate users, secure accounts, and prevent unauthorized access or fraudulent activities.

Billing & Payments

Process subscriptions, payments, and invoicing through authorized payment providers.

Performance Monitoring

Monitor system performance, reliability, and integrity to ensure optimal service delivery.

Customer Support

Provide technical support, troubleshoot issues, and respond to customer inquiries.

Legal Compliance

Comply with legal, regulatory, tax, and accounting obligations in relevant jurisdictions.

Additional Legitimate Business Purposes

  • Improving and optimizing our Service and user experience
  • Developing new features and functionality
  • Conducting research and analysis for product development
  • Communicating important service updates and announcements

5

Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

We may share your information only in the following circumstances:

Service Providers & Infrastructure Partners

We engage trusted third-party providers to perform functions on our behalf, such as:

Hosting & Cloud Infrastructure

AWS, Google Cloud, etc.

Payment Processing

Lemon Squeezy, Stripe, etc.

Monitoring & Analytics

Logging, error tracking services

All such partners:

  • Are contractually bound to confidentiality and security obligations
  • Process data only for specified purposes
  • Implement appropriate technical and organizational safeguards

Connected Third-Party Platforms

When you connect platforms like HubSpot, Asana, or Xero, data is shared between these systems as necessary to perform the automation functions you have configured. Each platform operates under its own privacy policy and terms of service.

Legal Requirements & Protection

We may disclose information if required by law, regulation, legal process, or governmental request; to enforce our terms and policies; to protect the security or integrity of our Service; or to protect the rights, property, or safety of cDoc, our users, or the public.

Business Transfers

In connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control.

6

International Data Transfers

Global Operations

As a globally operated SaaS platform with a distributed team, your personal data may be transferred to, stored, and processed in countries outside your country of residence, including the United States, European Union, United Kingdom, Australia, and other jurisdictions where our service providers operate.

Adequate Safeguards

We take reasonable measures to ensure that international data transfers comply with applicable data protection laws through:

  • EU Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Addendum
  • Adequacy decisions where applicable
  • Binding corporate rules for intra-group transfers

Regional Compliance

GDPR (EU/UK)

Transfers governed by SCCs, UK Addendum, and adequacy mechanisms

CCPA (California)

Service provider contracts with appropriate restrictions

Other Jurisdictions

Compliance with local data protection regulations

By using our Service, you acknowledge that your personal data may be transferred to countries with different data protection laws than your country of residence. We implement appropriate safeguards to protect your data regardless of where it is processed.

7

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Active Accounts

We retain personal data for the duration of your active account plus a reasonable period afterward to allow for account recovery or to address any outstanding issues.

Retention Period: Account duration + 90 days

Billing & Financial Records

We retain billing and transaction information as required by tax, accounting, and commercial laws, typically for 7 years from the transaction date.

Retention Period: 7 years minimum

Data Deletion & Anonymization

Upon Account Termination

When you terminate your account, we will:

  • Delete or anonymize your personal data within 90 days
  • Revoke all integration tokens and API connections
  • Retain only data required for legal obligations

Data Backup Retention

Data may persist in encrypted backups for up to 12 months before being permanently deleted. Backup data is not accessible for normal operations and is used only for disaster recovery purposes.

Legal Exceptions

We may retain certain information longer when required by law, regulation, legal process, or governmental request; to enforce our agreements; to resolve disputes; to maintain security; or to prevent fraud and abuse.

8

Data Security

We implement comprehensive technical and organizational security measures designed to protect your personal data from unauthorized access, disclosure, alteration, and destruction.

Encryption

  • HTTPS/TLS for data in transit
  • AES-256 encryption for data at rest
  • Encrypted database fields
  • Secure OAuth token storage

Access Controls

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication
  • Regular access reviews

Monitoring & Logging

  • 24/7 security monitoring
  • Intrusion detection systems
  • Automated anomaly detection
  • Comprehensive audit logs

Infrastructure Security

  • Enterprise-grade hosting
  • Regular security patches
  • DDoS protection
  • Network segmentation

Organizational Security

  • Employee security training
  • Confidentiality agreements
  • Security incident response plan
  • Regular security assessments

Compliance & Standards

  • SOC 2 Type II compliance
  • ISO 27001 alignment
  • GDPR security requirements
  • Vendor security assessments

Security Limitations

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to maintain and improve our security practices.

Security Incident Response

In the event of a data breach or security incident that affects your personal data, we will:

  • Notify affected users and relevant authorities as required by law
  • Take immediate steps to contain and remediate the incident
  • Conduct a thorough investigation to prevent recurrence
  • Provide guidance to affected users on protective measures

9

Your Data Protection Rights

Depending on your location and applicable data protection laws (such as GDPR, CCPA, etc.), you may have certain rights regarding your personal data. We will respond to all legitimate requests within the timeframes required by law.

Right to Access

Request confirmation of whether we process your personal data and receive a copy of that data.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data under certain circumstances ("right to be forgotten").

Right to Restrict Processing

Request temporary restriction of processing while accuracy or legal basis is verified.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

Right to Data Portability

Receive your data in a structured, commonly used format and transmit it to another controller.

How to Exercise Your Rights

To exercise any of your data protection rights, you may:

  • Email Request

    Submit a request to privacy@gunturglobalmedia.com with sufficient details to verify your identity.

  • Account Settings

    Access and update certain information directly through your account settings in the cDoc dashboard.

  • Integration Controls

    Revoke integration permissions directly in the connected platforms (HubSpot, Asana, etc.).

Identity Verification

For security purposes, we may need to verify your identity before processing certain requests. We may ask for additional information to confirm you are the account owner or an authorized representative. We will respond to all legitimate requests within one month, though complex requests may require additional time.

Right to Lodge a Complaint

If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with your local data protection authority. For EU/UK residents, this includes your national Data Protection Authority. For California residents, you may contact the California Attorney General.

CCPA-Specific Rights (California Residents)

Under the California Consumer Privacy Act (CCPA), California residents have additional rights:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising CCPA rights

To exercise CCPA rights, email privacy@gunturglobalmedia.com with "CCPA Request" in the subject line.

10

Third-Party Services and Integrations

cDoc integrates with various third-party platforms to provide automation functionality. When you connect these services, data flows between systems according to the permissions you grant.

Integrated Platforms

HubSpot

CRM Platform

Asana

Project Management

Monday.com

Work OS

Xero

Accounting

Third-Party Privacy Policies

Each third-party service operates under its own privacy policy and terms of service. We encourage you to review the privacy policies of platforms you connect to cDoc:

Your Control Over Integrations

You have full control over third-party integrations:

  • You choose which platforms to connect and can disconnect them at any time
  • You control the specific permissions granted to cDoc through OAuth
  • You can audit and revoke permissions directly in the connected platforms

Limitation of Responsibility

We are not responsible for the data handling practices of third-party platforms. Data transmitted to or from these platforms is subject to their respective privacy policies and security measures. We recommend reviewing their data protection practices before connecting any sensitive data sources.

11

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to provide, secure, and improve our Service. Our approach to cookies is minimal and privacy-respecting.

Essential Cookies

These cookies are necessary for the Service to function and cannot be switched off:

  • Authentication: Maintain your logged-in session
  • Security: Protect against cross-site request forgery
  • Functionality: Remember preferences and settings

Analytics Cookies

We use minimal analytics to understand how our Service is used:

  • Performance: Monitor Service performance and errors
  • Usage: Understand feature adoption and user flows
  • Debugging: Identify and fix technical issues

What We Don't Do

No Advertising Cookies

We do not use cookies for targeted advertising or behavioral profiling

No Data Resale

We do not sell cookie data or allow third-party advertising networks

No Cross-Site Tracking

Our cookies are first-party only and not used across other websites

No Fingerprinting

We do not use browser fingerprinting or similar invasive techniques

Managing Cookies

You can control cookies through your browser settings:

Google Chrome

Settings → Privacy and Security → Cookies

Safari

Preferences → Privacy → Cookies and website data

Firefox

Options → Privacy & Security → Cookies and Site Data

Note: Disabling essential cookies may affect the functionality of the Service and prevent you from logging in or using certain features.

Cookie Consent (GDPR/CCPA)

For users in jurisdictions requiring consent for non-essential cookies (such as the EU and UK under GDPR, and California under CCPA), we provide clear notice and obtain consent before setting analytics cookies. Essential cookies for authentication and security do not require consent.

12

Children's Privacy

Our Service is not intended for individuals under the age of 18 ("minors"). We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately.

Age Verification

By using the Service, you represent that you are at least 18 years old. If we become aware that we have collected personal data from a minor without verification of parental consent, we will take steps to remove that information from our systems.

International Age Requirements

United States

COPPA: Under 13 requires parental consent

European Union

GDPR: Age of consent varies by country (13-16)

United Kingdom

Age appropriate design code applies

We comply with all applicable laws regarding children's privacy, including the Children's Online Privacy Protection Act (COPPA) in the United States and age-appropriate design principles in other jurisdictions.

13

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you through appropriate channels.

Notification of Changes

  • Email notification to account administrators
  • In-app notifications within the cDoc platform
  • Updated version posted on our website with clear revision date

Policy History

We maintain a version history of this Privacy Policy. Previous versions are available upon request.

Current Version

Effective: December 27, 2025

Your Continued Use

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you should discontinue using the Service and contact us to close your account.

Review Period

For material changes that expand our use of personal data or reduce your rights, we will provide at least 30 days' notice before the changes take effect, giving you time to review the changes and decide whether to continue using the Service.

14

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below.

Company Information

Legal Entity: Guntur Global Media

Brand: cDoc

Data Protection Officer: privacy@gunturglobalmedia.com

Website: gunturglobalmedia.com

Response Time: We aim to respond to all privacy inquiries within 30 days

15

Compliance Framework

As a global SaaS provider, we are committed to complying with data protection laws and regulations worldwide. Our privacy practices align with internationally recognized standards and frameworks.

GDPR (EU/UK)

Compliant with General Data Protection Regulation requirements including data subject rights, lawful bases, and international transfer mechanisms.

CCPA/CPRA (California)

Compliant with California Consumer Privacy Act and California Privacy Rights Act, including consumer rights and opt-out mechanisms.

Global Standards

Our practices align with ISO 27001, SOC 2, PIPEDA (Canada), APPs (Australia), and other international data protection standards.

Data Processing Agreements (DPAs)

We offer Data Processing Agreements for customers who require them under GDPR or other regulations. Our DPA includes:

  • Standard Contractual Clauses for international transfers
  • Technical and organizational security measures
  • Subprocessor transparency and notification
  • Data breach notification procedures
  • Assistance with data subject requests
  • Data return and deletion obligations

To request a DPA, contact privacy@gunturglobalmedia.com.

Privacy by Design & Default

We implement privacy by design and default principles throughout our product development lifecycle. This includes data minimization, purpose limitation, storage limitation, and security by design. Our engineering and product teams receive regular privacy training to ensure these principles are embedded in all aspects of the Service.

Ongoing Compliance Monitoring

We regularly monitor and update our privacy practices to ensure ongoing compliance with evolving regulations:

Regulatory Monitoring

Tracking changes in data protection laws worldwide

Privacy Impact Assessments

Conducting DPIAs for new features and processes

Third-Party Audits

Regular security and privacy assessments
