Privacy Policy/GDPR/ CCPA


Black Gambit Marketing and Technologies LLP, a limited liability partnership, registered in the Mumbai, Maharashtra, INDIA and its subsidiaries and affiliates (collectively “BGambit”, “we”, “us”, or “our”) leverages years of experience to create more actionable insights for sales and marketing decision-makers with the help of digital marketing and b2b marketing.

Black Gambit Marketing and Technologies LLP, core activity is to provide support to its customers in marketing B2B products by generating effective leads from the target markets.

Black Gambit’s policy is to respect your privacy with respect to any information we may collect through registration forms, resource libraries, advertising units, widgets, web sites and web pages, whether accessed via computer, mobile or tablet device, or other technology (collectively, the “Service”), collection and licensing of data through third parties we work with, and how such information may be used and/or shared with others, how we safeguard it, and your choices in this regard (collectively, the “Policy”).

This privacy policy applies when you use our services. By the use of the Website, you expressly consent to our use and disclosure of your personal information and other information in accordance with this Policy. This Policy is incorporated into and subject to the Terms of Use (“Terms”).


As used in this Policy, personal data refers to information that directly identifies you and may be linked to you. This includes, but is not limited to, your first and surname name, as well as contact information like your physical address, email address, IP address, and phone number. Personal Data also includes information about your professional or employment status, as well as information about your interactions with our Site or email marketing.

  1. We collect, receive, and store your personal information and other information that you provide to us from time to time when you use our website.
  2. You can normally browse the Website without disclosing any personal information about yourself or informing us who you are. You are no longer anonymous to us once you have provided us with your personal information. Furthermore, you may contribute information when engaging in a marketing campaign, survey, or product feedback, comparisons, ideas, or comments, or other similar activities on the Website. We try to make it explicit which fields are mandatory, and which are optional. You can always choose not to share information by not using a specific element or feature of the Website.
  3. We may automatically track certain information about you depending on your conduct on our website, either directly or through third parties we engage. We utilize this data to conduct internal research into the demographics, interests, and behavior of our users. On an aggregated basis, this data is collated and examined.
  4. On specific parts of the Website, we additionally utilize data gathering devices such as “cookies” to help assess our web page flow, monitor promotional effectiveness, and encourage trust and safety. “Cookies” are little files stored on your hard drive that can be retrieved later to get information. We provide some services that are only available with the usage of a “cookie.” We also use cookies to make it easier for you to input your password during a session. If your browser allows it, you can always refuse our cookies; nevertheless, you may be unable to use certain areas or services of the Website, and you may be needed to re-enter your password more frequently throughout a session.

For more details about how we use these technologies, please see  Cookie Policy

  1. Time period till which your data will be stored: We usually solely retain your data for the time necessary to comprehend our legitimate business functions and to befits the law.
  2. We shall collect the information you supply to us and are authorized to use it in line with the Terms if you choose to post messages on our message boards, surveys, product review/comparison questionnaires, marketing related materials, chat rooms or other communication sections, or provide feedback.
  3. When you create an account with us, we collect personally identifiable information (email address, name, phone number, and so on). While you can explore some parts of our website without registering, certain activities do. Your contact information is used to deliver you materials that may be of interest to you.
  4. We ask you to fill out a brief form that requests information such as your name, company, title, e-mail address, and telephone number, as well as your areas of interest and, of course, the content of any message to us if you request a whitepaper or other specific content, subscribe to our newsletters, or complete the web form on the Contact Us page. Similarly, if you want to leave a comment on any blog or community page we host, you’ll need to check in – though you can do so using your Facebook, Twitter, or LinkedIn account. Of course, we collect information from you when you respond to an online or a telemarketing survey.

2. How We Use Personal Data

  1. To accomplish or meet the purpose for which you gave the Personal Data. To contact you regarding your purchase or use of our Products and Services, to react to your enquiries or requests for information, and for other marketing and client service purposes.
  2. To personalize your experiences while visiting our website and to help connect you with others who may have Products or Services in which you’ve expressed an interest through the development of your profile, to offer content customization, personalized help and instructions, and to otherwise personalize your experiences while visiting our Website, and to help connect you with others who may have Products or Services in which you’ve expressed an interest.
  3. For the aim of marketing. For example, we may use your Personal Data, such as your email address or phone number, to send you material, surveys, news, and newsletters, or to contact you in other ways about our Products and Services or other information that we believe may be of interest to you. We may also utilize automatically obtained Personal Data to see if and how you responded to email messages we’ve given you.
  4. To provide our customers with access to a database of accurate business data records, including Business Contact Information, that allows them to promote their goods and services through direct marketing to the right people (i.e., decision makers, influencers, champions) in other businesses, as well as to promote your business so that it can be found when other businesses search for it.
  5. Unless there are other lawful basis for processing your Personal Data, we will get your prior consent if we want to use your Personal Data for purposes other than those specified (please see below at Section 4).


We may communicate your Personal Data both within the BGambit and with third parties outside of the BGambit, as described below.

  1. Personal and other information may be shared with our other corporate organizations and affiliates. Unless you expressly opt-out, these businesses and affiliates may market to you as a result of such sharing.
  2. Personal information and other information given by you may be shared with other parties. Information may be disclosed and shared with business partners (over whose privacy policies we have no control and are not responsible/liable) with whom we offer our products and services, as well as third-party vendors who provide services or functions on our behalf. We may also reveal and share aggregated and non-personally identifiable information created with your data with our business partners, clients, and the general public. Furthermore, we may authorize third-party vendors to collect and analyze information on our behalf, including as needed to run elements of our Website; however, such third-party vendors will be required to use the information only for the purposes and in the manner approved by these Terms.
  3. The above said disclosures may be required for us to provide you with our products and services, to comply with our legal obligations, to enforce the Terms, to facilitate our marketing and advertising activities, or to prevent, detect, mitigate, and investigate fraudulent or illegal activities related to the above said disclosures. Without your specific approval, we do not distribute your personal information to other parties for marketing or advertising reasons.
  4. If required by law or in the best interest opinion that such disclosure is reasonably necessary to response to subpoenas, summons, court orders, or other legal processes, we may disclose personal information and other information submitted by you. In the best interest belief that such disclosure is reasonably necessary to: enforce our Terms or the Policy; respond to claims that an advertisement, posting, or other content violates the rights of a third party; or protect the rights, property, or personal safety of our users or the general public, we may disclose personal information or other information to law enforcement offices, third party rights owners, or others.
  5. Unless there are alternative legal bases for processing your Personal Data, we will get your prior consent if we want to share your Personal Data for purposes other than those indicated (please see Section 4, below).

4. Personal Data Processing on Legal Considerations

  1. We comply with all applicable data privacy laws and regulations when processing Personal Data. The Guidelines are applicable if you are based in the European Union or Switzerland.
  2. The UK GDPR applies if you are located in the United Kingdom. There are six legal bases for processing personal data under GDPR:
    1. Consent- For particular purposes, the processing is based on proven, freely provided, informed, and revocable consent.
  1. Contractual performance – The processing is required to fulfill the terms of a contract.
  1. Legal requirement- Compliance with the law necessitates the processing.
  1. Essential Interests – The processing is required to safeguard human lives.
  1. Task for the Public – The processing is required to complete a task that is in the public interest.
  1. Legitimate Interests – The processing is required for our legitimate interests, which do not outweigh the persons’ data protection interests, rights, and freedoms.
  1. When we process Personal Data, the three lawful basis that are most applicable are Consent, Contractual performance, and Legitimate Interests:
  1. Individuals freely consent to our processing of their Personal Data after being fully informed, and Consent is the most acceptable legal basis in general (e.g., specific purposes, right to easily withdraw at any time).
  1. When our Products and Services are purchased and utilized, and we need to handle Personal Data to meet our responsibilities under written agreements, Contractual performance is the most acceptable legal basis.
  1. Generally, Legitimate Interests is the most appropriate lawful bases when:
  1. Due to the nature of our business and the size of our databases, contacting each individual to gain his or her consent is impossible.
  2. We are unlikely to infringe on the basic rights and freedoms of the individuals whose data we handle and make available to our Customers and Partners as a result of the processing we perform because:
  3. We only process Business contact Information obtained from the public domain (e.g., work e-mail addresses) under our Business-to-Business (B2B) and Business-to-Customer(B2C) model.
  4. We provide Business contact Information to assist our customers in marketing their products and services to other businesses (i.e., B2B, B2C)
  5. It is in the best interests of the professionals whose Business contact Information we process for us to keep accurate information so that businesses can better reach the most relevant business contacts, thereby promoting the legitimate interests of the individual and our customers; and it is in the best interests of the professionals whose Business contact Information we process for us to keep accurate information so that businesses can better reach the most relevant business contacts.
  6. You can always opt-out and restrict all further processing of your Personal Data by sending us an Email to .

5. Children’s Privacy

Children under the age of 16 are not entitled to use our website.

We do not gather information from children deliberately. If we discover that we have collected personal information from a child under the age of 16 on the Website, we will promptly erase the information. Please contact us at if you suspect we have any information from a child under the age of 16.

6. How We Protect Your Personal Information:

BGambit is concerned about data security and only grants access to systems containing sensitive information to those who need to know.

In web-based promotions, BGambit may occasionally collaborate with other companies. BGambit, on the other hand, assumes no responsibility for any personal information provided to third-party suppliers or any website linked to this site. BGambit also advises any visitor to the website who is an employee of a company to follow the company’s privacy and security policies. The website team at BGambit knows that unwanted email (Spam) receipt, transmission, dissemination, or propagation is a big concern. When emailing any and all information out from BGambit, we shall adhere to all anti-Spam legal rules. If you’re using one of the most popular browsers and don’t want to accept cookies from our website, you can delete and/or disable cookie acceptance in your browser’s settings. If you disable your browser in this way, your experience with and other websites you frequent on a regular basis may be affected.

7. Contact Information:

If you have any questions or comments about this notice, the ways in which Bgambit collects and uses your information described above and in the Privacy Policy, please do not hesitate to contact us at:


Email address:

Registered office address: 401, Marathon Emybro, Lake road, Bhandup West, Mumbai – 400078.



This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS supplements the information contained in the Privacy Policy of Black Gambit Marketing and Technologies LLP, a limited liability Partnership and its subsidiaries (collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). To comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws, we have enacted this notice. When used in this notice, any terminology defined under the CCPA have the same meaning.

1. Information Collect by BGambit

We gather information that directly or indirectly identifies, refers to, describes, references, or might reasonably be related to a specific consumer, business contact, or device (“personal information”). We collect the following personal data from consumers and business information in particular:

Category Examples Collected
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, business name, device id, or other similar identifiers. YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code 1798.80(e)). A name, postal address, telephone number, employment name. Some personal information included in this category may overlap with other categories. YES
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). NO
D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. NO
E. Biometric information. Genetic, physiological, behavioural, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. NO
F. Internet or other similar network activity. Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. YES
G. Geolocation data. Physical location or movements. NO
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. NO
I. Professional or employment-related information. Current or past job history or performance evaluations. YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. NO
K. Inferences drawn from other personal information. Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes. YES
Personal information does not include:
  1. Publicly available information from government records.
  2. De-identified or aggregated consumer information.
  3. Information excluded from the CCPA’s scope, like:
    1. health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    2. personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

The categories of personal information indicated above are obtained from the following sources:

  1. From our clients or their agents that have approached us directly. For instance, information relevant to the services for which our clients hire us are provided to us.
  2. From our clients or their agents, in an indirect way. For instance, during the process of delivering services to our clients, we acquire information on them.
  3. Our website’s activity, both directly and indirectly ( For example, information collected automatically via submissions, our online portal, landing pages, or website usage.
  4. Third parties who engage with us in the course of providing services.

We may use, sell, or disclose the personal information we collect for one or more of the following purposes:

  • To accomplish or meet the purpose for which you provided the information. If you have provided your name and contact information to seek information about our services, for example, we will use that information to respond to your enquiry.
  • In order to fulfill your requests for white paper downloads, please fill out the form below.
  • To assist you and respond to your requests, including investigating and addressing your concerns, as well as monitoring and improving our replies.
  • To customize your website experience and deliver content, products, and services that are relevant to your interests, including targeted offers and advertising via our Website, third-party sites, and email or text message (with your consent, where required by law).
  • As described to you at the time of collection of your personal information or as otherwise provided in the CCPA.

BGambit may sell your Personal Information to third parties with your permission. You can opt out of the selling of your Personal Data at any time by sending an email to A request to opt-out must be implemented within 15 days of receipt under the CCPA.

2. Sharing Personal Information

For business purposes, we may share your personal information with a third party. When we release personal information for a business reason, we engage into a contract with the receiver that specifies the purpose and requires the recipient to keep the information confidential and not use it for any purpose other than the contract’s performance.

In the last twelve (12) months, we have disclosed the following categories of personal information for a business purpose:

Category A: Identifiers.

Category B: California Customer Records personal information categories.

Category F: Internet or other similar network activity.

Category I: Professional or employment-related information.

We disclose your personal information for a business purpose to the following categories of third parties:

  1. Data Providers.

3. Your Rights and Choices

Consumers (Californians) have specific rights under the CCPA when it comes to their personal information. This section discusses how to use your CCPA rights and how to exercise them.

 Access to Specific Information and Data Portability Rights.

You have the right to ask us to provide you with information on how we collected and used your personal information in the last 12 months. We will inform you of the following whenever we receive and validate your verifiable consumer request:

  1. The kind of personal information about you that we gathered.
  2. The several types of sources for the personal data we gathered about you.
  3. The objective of collecting or selling that personal information is for our company or commercial purposes.
  4. The many types of third parties with whom we exchange personal data.
  5. The exact pieces of personal information about you that we gathered (also called a data portability request).
  6. If we sold or disclosed your personal information for a particular business, two separate lists will be disclosed:
    1. sales, identifying the personal information categories purchased by each category of recipient; and
    2. disclosures for a particular business, identifying the personal information categories obtained by each category of recipient.
Deletion Request Rights

Subject to certain exceptions, you have the right to request that we delete any of your personal information that we have collected and stored about you. Unless an exception applies, once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records.

We may deny your deletion request if we or our service providers require the information to:

  1. Complete the transaction for which we obtained your personal information, supply a good or service that you requested, take reasonable actions in the context of our ongoing business relationship with you, or otherwise fulfill our contract with you.
  2. Detect security breaches, guard against malicious, misleading, fraudulent, or unlawful conduct, and prosecute those who are responsible.
  3. Exercise your right to free speech, protect the right of another consumer to exercise their right to free speech, or exercise another legal right.
  4. Observe the California Electronic Communications Privacy Act (California Penal Code Sections 1546 et seq.).
  5. If you previously provided informed consent, engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information would likely render the research impossible or seriously impair the research’s achievement.
  6. Allow only internal uses based on your relationship with us that are reasonably consistent with customer expectations.
  7. Comply with a legal requirement.
  8. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights

Please submit a genuine consumer request to us by visiting Do Not Sell My Data to exercise the above-mentioned access, data portability, and deletion rights.

Only you or someone you empower to act on your behalf who is registered with the California Secretary of State may make a verifiable consumer request connected to your personal information. On behalf of your underage child, you may also make a verifiable consumer request.

Contacting us by email , a genuine consumer request connected to your personal information can also be made by you or someone legally authorized to act on your behalf. On behalf of your underage child, you may also make a verifiable consumer request.

Within a 12-month period, you may only make two genuine consumer requests for access or data portability.

The verifiable consumer request must include enough information to allow us to reasonably verify that you are the person whose personal information we obtained or an authorized representative.

Response Timing and Format

We guarantee that we will react to a verified consumer request within 45 days of receiving it. If we need extra time (up to 90 days), we will notify you in writing of the reason and the extension term. We will send you our written response via postal mail or email, depending on your preference. Any disclosures we make will only cover the 12-month period prior to the receipt of a verifiable consumer request. If applicable, we will explain why we are unable to comply with a request in our response. We shall choose a format to send your personal information in for data portability requests that is easily usable and allows you to transfer the information from one entity to another without difficulty.

We do not charge a fee to process or respond to your verifiable consumer request.

4. Non-Discrimination

We will not treat you unfairly if you exercise any of your CCPA rights. We will not: Unless permitted by the CCPA,

  1. Refuse to provide you with goods or services.
  2. You may be charged different prices or rates for goods or services, including through the provision of discounts or other benefits or the imposition of penalties.
  3. Provide you with goods or services of varying levels of quality.
  4. Suggest that you receive a different price or rate for goods or services, or that the level or quality of goods or services be different.

5. Changes to Our Privacy Notice

We retain the right to make changes to this privacy notice at any time, so please be sure to check back periodically. We will send you an email or post a notice on the homepage of our website ( -policy) if we make any changes to this privacy notice.  

6. Contact Information

Please do not hesitate to contact us if you have any questions or concerns concerning this notice, our California Privacy Statement, the methods in which we collect and use your personal information, your choices and rights regarding such use, or if you desire to exercise your rights under California law.

Registered office address: 401, Marathon Emybro, Lake Road, Bhandup, Mumbai – 40078.


Black Gambit – Code of Conduct (GDPR)


This Document is the current operational version of the GDPR Compliance policy effective from 1st  Dec 2021 and applies to activities of Black Gambit that consists of the following entities.

  1. Black Gambit Marketing and Technologies LLP – 401, Marathon Emybro, Lake Road, Bhandup West, Mumbai – 400078.
  2. Black Gambit Marketing and Technologies LLP – 710, Global Business Hub, Kharadi, Pune, MH, India – 411046.


Bgambit’s main activity is to assist its customers in marketing B2B products and services by creating high-quality leads from their target markets. Lead generation is accomplished by intelligent market research that collects relevant data in order to discover trustworthy corporate purchasing intent through various channels, including business partners who use relevant technology in Web/digital marketing, email marketing, and telemarketing. Black Gambit acts as an interface in these activities, adding value to the B2Bmarketing chain. Customers provide campaign information, which is fine-tuned and translated into campaign materials for distribution to a potential market sector.

The campaign materials are placed in appropriate media and distributed to end target consumers through in-house publication and the usage of unique corporate intent marketing techniques developed by Black Gambit’s R&D team.

Before being passed on to clients, the leads generated by the channels are intelligently analyzed to increase their quality and converted into actionable marketing goals.

This GDPR Compliance Code, adopted by Black Gambit Marketing and Technologies LLP, declares that Black Gambit is committed to the concept of “Privacy as a fundamental right of a citizen of a democratic society” around the world and will implement all Privacy principles mandated by GDPR where applicable in best interests.

Black Gambit, on the other hand, discloses that it is in its legitimate interest to carry on a legitimate business operation as a B2B market Mediator around the world, and that it is Black Gambit’s democratic right to do so without breaching on the rights of the individual natural persons whose privacy is intended to be protected under GDPR.

Black Gambit also discloses that its business model necessarily involves the collection of only data from business entities that are exempt from GDPR, as well as Business Contact data, which is not personal data per se but may contain personally identifiable information in part but does not include personal data of children or personal data classified as “Special categories” under GDPR.

Black Gambit is a “B2B marketing Agency” that generates marketing leads and provides services to clients in a variety of nations. Black Gambit collects data from corporate employees in the category of Business Contact Data, which includes information such as the employee’s name, e-mail address, and phone number. A percentage of B2B marketing leads is created in EU countries and the United Kingdom.

How we make ourselves GDPR complaint

Black Gambit has adopted a policy to treat GDPR Sensitive Data (GSD) flowing through Black Gambit’s resources as “Sensitive Data,” tagging the incoming data with a suitable tag to classify it as GSD where applicable, in order to enable application of as rigorous standards a norm as possible to the processing of Data that is exposed to GDPR Compliance Risk. The design of the support structure takes into account the privacy protection of data subjects and the security of information linked to privacy protection in relation to GSD tagged data.

But since data is processed in specific locations and the technical infrastructure for processing GSD is also located in specific locations, an enterprise wide GDPR awareness has been established and will continue to be followed so that the principles of this GDPR Code of Conduct propagates throughout the organization.

The Company has implemented a comprehensive information security policy that comprises several sub policies addressing data access, processing, storage, and transmission, among other things, in order to properly implement security for the complete data processing infrastructure.

Commitment to Privacy

Black Gambit acknowledges the significance of “privacy” as a democratic right in modern society. Black Gambit is committed to protecting the privacy of every individual natural people whose personal data is entered into the corporate data repository for processing as a responsible corporate entity. Black Gambit has decided to implement GDPR Compliance standards to protect the privacy of all natural persons who may interact with the Group, even if such interaction is only in their capacity as employees of different business entities pursuing the business objectives of their respective business organizations, due to the presence of Customers in EU/UK and the monitoring of activities of corporate employees residing in EU/UK.

Legitimate Interest

Black Gambit’s main activity is the processing of data linked to the purchase of various products for business usage. Collection, aggregation, analysis, classification, and intent monitoring are all part of the activity spectrum. Black Gambit adds value to the raw data collected from the business environment and changes it into value-added business decision-making information during this process. The Raw Data gathered is identified as data that belongs to the data subject and to whom the Data Subject’s GDPR rights apply. Black Gambit’s exclusive data processing skills, on which Black Gambit has a specific amount of Intellectual Property Right claim, are responsible for the value addition to the data that occurs during the process.

If any data has been pseudonymized, the value added pseudonymized data will be recognized data that Black Gambit has a genuine interest in using for future research. Even in the value-added state, non-pseudonymized data is subject to Data Subject rights such as Access, Rectification, Restriction, Portability, and Erasure. If any pseudonymized data exists, it will not be considered GDPR sensitive.

Black Gambit has a legitimate business interest in the gathering and processing of business-related data such as firmographics, demographics, and business contact data of decision-making officials in business entities, as defined by Article 6(1)(f) of the EU GDPR laws.

Furthermore, Black Gambit’s business involves operations both within and outside of the EU, exposing it to various countries’ statutory obligations related to data processing as well as other laws applicable to business in general and IT-related activities in particular, as outlined in Article 6(1)(c) of the EU GDPR regulations.

Black Gambit has also developed business procedures for legitimate processing that incorporate the principles of the EU GDPR as articulated in Article 6, such as getting informed explicit consent when required and adhering to contractual responsibilities with data subjects, if applicable.

Black Gambit’s privacy and data protection policies are thus structured with specific Privacy and Information Security controls that address the issue of identifying GDPR sensitive data at the point of origin and entry into the Black Gambit system, as well as tagging it throughout its processing life cycle.

2. Data Classification

Black Gambit does not market to specific natural beings and so does not collect personally identifiable information that falls under the GDPR’s regulatory regulations. However, if the business unit or employee is known to be situated in the EU/UK, any potentially identifiable personal data, such as an employee’s e-mail address and phone number, is designated as “GDPR Sensitive.” As a result, the full Business contact data set connected with a physical location address in the EU/UK is labeled as GDPR Sensitive Data (GSD) and marked for processing within the company. The physical location of the connected business organization would be regarded significant in the absence of the data subject’s physical location information.

Audit of Data

Stored data sets will be examined to locate any GSD and verify the compliance requirements related with it, such as whether the data has to be archived, erased, or otherwise appropriately protected, from effective date as mentioned above and then at monthly intervals or as otherwise specified. Any GSD data set without a valid “Consent” or “Legitimate Interest Note” will be suggested for deletion.

Such material will be forensically erased after confirmation.

Data Storage Policy for GSD

GSD shall be stored in systems which are accessed only by designated persons on a strict “Need To Know Basis”. Every GSD set must be labeled with the name of the Data Controller who obtained it and is accountable for the data collection under a consent or contract. Any restrictions that are linked with the data set must be tagged with the data set as well.

Individual data sets must be able to be located and processed for the fulfillment of any Data Subject’s rights, such as requests for data rectification, data portability, data erasure, or data access, at any point during its life cycle.

Data Access Policy for GSD

GSD must be accessible in accordance with the Access Control policy, which ensures that each GSD data set has particular access parameters defining who can access the data and how they can access it.

The GSD data set will only be accessible to people who have been designated as part of the GSD work force.

Passwords and other access parameters should be created with as much complexity and uniqueness as possible and should be complemented by encryption and Machine ID tags so that GSD data may only be accessed from specific hardware issued to approved GSD employees.

Where data is stored in the cloud, only GDPR-compliant cloud services should be utilized, together with any extra controls that may be required to ensure that it is protected from unauthorized access while in storage and transit.

GSD specific to a project must be saved in such a way that only employees involved with that project have access to it. Access across projects will be regulated on a “need-to-know” basis.

Data Retention Policy for GSD

GSD should only be kept in the active process environment for as long as it is required for processing. Following that, the data will be securely archived in accordance with the requirements identified under legitimate interest, such as until the project billing cycle is completed. Following that, data will be kept in secure archiving or destroyed according to the Company’s legitimate interest obligations.

3. GSD Data Disclosure Policy

In most cases, the source Data Controller is the only one who may seek GSD disclosure. It is acknowledged that requests received directly from data subjects are vulnerable to phishing attacks, and such requests, if any, should be sent to the Data Controller who gathered the data from the data subject within the terms of a consent or contract between them. After adequately confirming the identity of the Data Controller’s representative who makes the request, the data to be shared shall be transferred only to the Data Controller for transmission to the Data subject.

In extraordinary cases, if data must be supplied directly to a data subject, his authorized representative, or a law enforcement body, proper authentication of the person making the request is required.

Before releasing data, all data disclosure requests must be approved and the request, as well as the assessment documents, will be considered required GDPR compliance documentation.

4. Data Incident Management Policy for GSD

Any observation that has the potential to indicate that the GSD compliance code or any policies or procedures thereunder has been breached, whether or not any data is suspected to have been compromised, is considered a “Incident” under this code. A whistleblower policy can be utilized to ensure that any observer, whether inside or outside the company, reports occurrences as soon as possible. Any incidence of this nature that comes to Black Gambit’s attention must be recorded in a GSD Incident Management Register and reported to the DPO for urgent action.

The DPO is responsible for reviewing the incident report and taking quick action to rectify the event.

The DPO will call a meeting as soon as possible to assess the situation and determine whether it involves any potential data breaches.

DPO may, if necessary, request an immediate techno-legal audit to assess the incident’s risk. DPO will determine the necessity for further action based on the risk assessment, which may include sending a data breach notification to the Data Controller.

A Security Incident is defined as a situation in which GSD is accessible by another employee of the firm rather than a “Breach.” However, such events must be investigated to determine the cause of illegal access, and if the unauthorized access was inadvertent, it may be rectified with appropriate internal disciplinary action in accordance with HR policy.

If data hasn’t been moved or accessed by an outsider, the situation could be considered as an internal data incident rather than a breach.

If the access or data transferred out was encrypted and in a state that was undecipherable by the recipient, the access may be regarded as an internal data accident not amounting to a breach, subject to a sufficient internal investigation into the security of the related decryption key.

5. Data Breach Notification Policy for GSD

A “Data Breach” incident occurs when Black Gambit discovers, after conducting the proper investigation, that access to any specific GSD data set has been hacked and that an external organization has gained access to or sent out a GSD set. Such a data breach occurrence must be immediately reported to the DPO, who will notify the Data Controller associated with the data set as soon as possible. The nature and scope of the breach, the time and data of the breach, the information of the affected data subjects, and the actions done after the breach was discovered are all details that should be included in such a report.

6. Rights Management Policy for GSD Data Subjects

Black Gambit’s data processing system was built with “Privacy and Security by Design” in mind, allowing it to comply with GDPR standards, particularly in regard to the Data Subject’s Rights. Black Gambit has enabled its GSD storage and access systems in such a way that a data set belonging to a specific data subject can be extracted separately and processed in order to meet these rights of the data subject, such as “Access,” “Rectification,” “Erasure,” “Portability,” and the Right to impose “Restrictions.” As a result, the system has been built to meet the strictest GDPR regulations.

When a Data Subject demands the exercise of such rights, the request is checked first, and then, if the data was received from a Data Controller, the Data Controller is asked to confirm the data disclosure, as per the Data disclosure policy.

The request is normally handled while in connection with the data controller, and if it is to be ported, it is returned to the data controller. Black Gambit will take appropriate precautions to prevent a wrongful disclosure.

7. Data Transmission Policy for GSD

Normally, GSD data enters the system via an application interface (API), interface is accessed using a secure password access mechanism reinforced with a suitable second factor authentication. The data is transmitted via encryption and is subject to transmission security management that addresses known vulnerabilities. An adequate malware and secured access management system protects the program, as well as its intrinsic storage and processing elements and API, from unauthorized access and malicious attacks.

When a GSD set is subsequently sent to a customer, the transmission is handled via encrypted communication channels, such as an API or an encrypted e-mail.

8. Marketing use Policy for GSD

When Black Gambit uses GSD for marketing purposes, whether via email, telemarketing, or other means, care is taken to ensure that the relevant consent or contract is in place to allow such communication. Black Gambit additionally requires that its partners, including clients, use the GSD only when permissions are available. No business contact data is processed if a clear consent is not present.

When such data enters the Black Gambit system, it is flagged as a “GSD without sufficient processing consent” and is terminated.

9. Consent Policy for GSD

All information categorized as GSD because the data subject or his or her employer is based in the EU/UK will only be accepted if the data subject has granted specific consent based on the format as required by GDPR. Prior to the GDPR, such consents were typically obtained in accordance with the principles of personal data processing, which included a Privacy Notice. Such a Privacy Notice detailed what data was being collected, why it was being gathered, how long it would be kept, how it would be secured, whether the data was correct, and whether it would be moved outside of the EU for processing. As a default option, some of the consents were based on the “Opt-in” approach. Personal data must only be acquired on the basis of an Explicit Consent under GDPR, where “Opt-Out” is the default choice and consent are only acknowledged if an affirmative action indicating acceptance is taken.

Due to the new rules, all consents obtained prior to the GDPR will be considered invalid, and Black Gambit will discard such data.

10. Legitimate Interest identification Policy for GSD

Black Gambit acknowledges that some data subject rights, such as Data Erasure or Data Rectification, may conflict with Black Gambit’s legitimate interests or with data retention rules that may be relevant for the data due to other legislative duties. Black Gambit would assess the request before taking further action in circumstances where Data Subject Rights were to be imposed.

For using the legitimate interest argument to process the data subject’s request must be communicated to the Data Controller who is accountable for the Data Subject for forwarding to the data subject.

11. People Management Policy for GSD

While in Black Gambit’s ownership, GSD will be treated as a data set that requires unique and special attention in terms of information security. As a result, GSD would be appropriately marked and processed by a properly trained group of personnel on a need-to-know basis. Given the amount of risk involved with GSD, these personnel and the systems in which GSD would be stored, accessed, and processed would be handled securely.

The assignment of individuals to this GSD processing and their removal will be handled using suitable security measures such as enhanced background checks, training, physical access identification, penalty procedures, and so on.

As needed, HR policies for the GSD personnel should be revised.

12. DRP (Disaster Recovery) Policy for GSD

Black Gambit understands the need of having a solid Disaster Recovery and Business Continuity strategy in place for all of its activities, especially GSD processing. Black Gambit will keep a sufficient backup of GSD data and the ability to ensure Business Continuity in the event of a disaster.

13. Network Security Policy

Black Gambit will implement a rigorous information security strategy that includes Firewalls, Intrusion Detection Systems, Malware Prevention Systems, and System Patching, to guarantee that the Company’s IT infrastructure is safe. The network security must be maintained by an authorized Information Security Manager.

14. Audit policy

Black Gambit’s information assets will be audited at least once a year by an internal security audit team to examine the degree of security and compliance with GDPR and other regulatory standards. When a significant change in company profile happens, external audits may be considered based on an evaluation.

15. Contact Information

Until further notice, Miss. Jyoti Kumari, located at the Black Gambit Marketing and Technologies LLP, India office, is the designated Privacy Manager, and she would be available at

Note – This Code is subject to revision from time to time.