Privacy Policy

Effective Date: 27/1/2026

Preamble

Grief & Beyond (“we”, “us”, “our”, or the “Data Fiduciary”) is a grief-support practice based in Chennai, Tamil Nadu, India, founded by V. Sai Kripa (called Kripa). We are committed to protecting your privacy and ensuring that your personal data is handled in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”).

This Privacy Notice explains how we collect, use, store, and protect your personal data when you access our website, book sessions, or use our services. By accessing our services or providing your personal data, you acknowledge that you have read and understood this Privacy Notice.

This Notice is available in English and may be made available in other languages specified in the Eighth Schedule to the Constitution of India upon request.

1. Definitions

For the purposes of this Privacy Notice:

“Data Principal” means you, the individual whose personal data is being processed;
“Data Fiduciary” means Grief & Beyond, the entity that determines the purpose and means of processing your personal data;
“Personal Data” means any data about an individual who is identifiable by or in relation to such data;
“Processing” means any operation performed on personal data, including collection, storage, use, disclosure, or erasure;
“Data Processor” means any person who processes personal data on behalf of the Data Fiduciary.

2. Personal Data we Collect

2.1 Categories of Personal Data

We collect and process the following categories of personal data:

Category	Types of Data	Purpose
Identity Data	Full name, date of birth, gender	Service delivery, communication
Contact Data	Email address, phone number, postal address	Communication, session scheduling
Session Data	Booking details, session notes, attendance records	Service provision, record-keeping
Sensitive Personal Data	Grief-related information, emotional experiences, loss details voluntarily shared	Personalized support services
Technical Data	IP address, browser type, device information, usage data	Website functionality, analytics
Payment Data	Transaction records (we do not store full payment card details)	Payment processing

2.2 Sensitive Personal Data – Special Note

Given the nature of our services, you may share sensitive information relating to your emotional state, grief experiences, loss of loved ones, and personal circumstances. We treat such information with the highest degree of confidentiality and care. This data is:

Accessed only by Kripa (Founder) and authorized personnel directly involved in your care;
Stored with enhanced security measures;
Never shared with third parties except where legally mandated;
Subject to your explicit consent for processing.

3. Lawful Basis and Purpose of Processing

3.1 Consent-Based Processing (Section 6, DPDP Act)

We process your personal data based on your explicit consent for the following purposes:

To provide grief yoga therapy, life coaching, and other support services;
To schedule and manage your sessions;
To communicate with you regarding your services;
To send you newsletters, updates, or promotional materials (with separate consent);
To improve our services based on your feedback.

3.2 Legitimate Uses (Section 7, DPDP Act)

We may process your personal data without separate consent for the following legitimate uses under Section 7 of the DPDP Act:

Where you have voluntarily provided your data for a specified purpose (e.g., booking enquiry);
Compliance with any law or court order;
Response to medical or safety emergencies;
For employment-related purposes (for our staff).

4. Consent Mechanism

4.1 How We Obtain Consent

Your consent is obtained through clear affirmative action:

By clicking “I Agree” or “Submit” on our website forms;
By signing a consent form before your first session;
By verbally confirming consent (which will be documented).

4.2 Characteristics of Valid Consent

As required under Section 6 of the DPDP Act, your consent is:

Free: You are not compelled to provide consent;
Specific: Limited to the purposes stated in this Notice;
Informed: Given after reading this Privacy Notice;
Unconditional: Not bundled with unrelated terms;
Unambiguous: Clear indication through affirmative action.

4.3 Withdrawal of Consent

You have the right to withdraw your consent at any time. Withdrawal of consent is as easy as giving consent. To withdraw:

Email us at: privacy@griefandbeyond.com;
Use the “Manage Preferences” link in any email communication;
Contact our Grievance Officer (details in Section 12).

We will process your withdrawal request within seven (7) days. Withdrawal does not affect the lawfulness of processing conducted before withdrawal. Upon withdrawal, we will cease processing your personal data, except where retention is required by law.

5. Your Rights as a Data Principal

Under the DPDP Act, 2023, you have the following rights:

5.1 Right to Access (Section 11(1))

You have the right to obtain:

A summary of your personal data being processed and the processing activities;
The identities of all Data Fiduciaries and Data Processors with whom your data has been shared;
Any other information as may be prescribed by the DPDP Rules.

5.2 Right to Correction (Section 11(2))

You have the right to request correction of inaccurate or misleading personal data, and completion of incomplete data.

5.3 Right to Erasure (Section 11(3))

You have the right to request erasure of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations.

5.4 Right to Grievance Redressal (Section 13)

You have the right to have your grievances addressed by us, and if unresolved, to escalate to the Data Protection Board of India.

5.5 Right to Nominate (Section 14)

You have the right to nominate any other individual who shall, in the event of your death or incapacity, exercise your rights under the DPDP Act.

5.6 How to Exercise Your Rights

To exercise any of these rights:

Submit a written request to our Grievance Officer (details in Section 12);
We will acknowledge your request within 48 hours;
We will respond to your request within fifteen (15) days;
If we cannot fulfill your request, we will provide written reasons.

6. Children’s Data

6.1 Age Restriction

Our services are intended for individuals aged 18 years and above. We do not knowingly collect personal data from children (individuals below 18 years of age) without verifiable parental or guardian consent.

6.2 Verification

We implement age verification mechanisms on our website. By using our services, you represent that you are at least 18 years of age.

6.3 Parental Consent

If we become aware that a child wishes to use our services (for example, a minor who has experienced loss), we will:

Obtain verifiable consent from the parent or lawful guardian before processing;
Not engage in tracking, behavioral monitoring, or targeted advertising directed at the child;
Ensure processing does not cause any detrimental effect to the child’s well-being.

6.4 Inadvertent Collection

If we become aware that we have collected personal data from a child without verified parental consent, we will delete such information within seven (7) days of becoming aware of the same.

7. Data Retention and Erasure

7.1 Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Type of Data	Retention Period
Contact and Identity Data	Duration of service relationship + 3 years
Session Records and Notes	5 years from last session (professional standards)
Payment Records	8 years (Income Tax Act / Companies Act requirements)
Marketing Consent Records	Until consent is withdrawn + 1 year
Website Analytics Data	26 months (anonymized thereafter)

7.2 Erasure

Upon expiry of the retention period, or upon your valid erasure request, we will:

Erase your personal data from our active systems;
Direct our Data Processors to erase your data;
Retain only such data as required by applicable law.

8. Data Security

8.1 Security Safeguards

We implement reasonable security safeguards to protect your personal data from unauthorized access, disclosure, alteration, or destruction, including:

Encryption: Data encrypted at rest and in transit using industry-standard protocols (TLS/SSL);
Access Controls: Role-based access with strong authentication mechanisms;
Secure Hosting: Data stored on secure, access-controlled servers;
Regular Audits: Periodic security assessments and vulnerability testing;
Staff Training: Regular training on data protection best practices.

8.2 Limitation

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

9. Data Breach Notification

In the event of a personal data breach that is likely to cause harm to you:

9.1 Notification to Data Protection Board

We will notify the Data Protection Board of India in the prescribed manner and within the prescribed timeframe as specified in the DPDP Rules.

9.2 Notification to You

We will notify you through your registered email address within seventy-two (72) hours of becoming aware of such breach, providing:

Description of the nature of the breach;
Categories and approximate volume of personal data affected;
Likely consequences of the breach;
Measures taken or proposed to address the breach;
Contact details of our Grievance Officer for further information.

10. Third-party Data Processors

10.1 Categories of Processors

We engage the following categories of third-party service providers who may process your personal data on our behalf:

Service Provider	Purpose	Data Shared
Calendly / Booking Platform	Session scheduling	Name, email, phone, booking details
Email Service Provider	Communication	Name, email address
Google Analytics	Website analytics	Anonymized usage data, IP address
Payment Gateway	Payment processing	Transaction details (not card numbers)
Cloud Hosting Provider	Data storage	All data as per this Notice

10.2 Processor Obligations

All our Data Processors are bound by written contracts that require them to:

Process data only as per our documented instructions;
Implement appropriate security safeguards;
Assist us in responding to Data Principal requests;
Delete or return data upon termination of services.

We remain responsible for the actions of our Data Processors in relation to your personal data.

11. Cross-border Data Transfers

Some of our third-party service providers may process your data outside India. We will:

Ensure appropriate contractual safeguards are in place;
Not transfer data to any country that the Central Government of India may notify as restricted under Section 16 of the DPDP Act;
Remain responsible for such transferred data as required under the DPDP Act.

12. Grievance Redressal

12.1 Grievance Officer

For any questions, concerns, or complaints regarding this Privacy Notice or our data practices, please contact:

Grievance Officer: V. Sai Kripa

Designation: Therapist

Email: grievance@griefandbeyond.com

Phone: +91 91765 47433

Address: A12, Kottur Villa Apartments, 5 Lock Street, Kottur Gardens, Kotturpuram, Chennai – 600085, Tamil Nadu, India.

12.2 Response Timeline

Acknowledgment: Within 48 hours of receipt of complaint;
Resolution: Within 15 days of receipt of complaint;
Written Response: If we cannot resolve your complaint, we will provide written reasons.

12.3 Escalation to Data Protection Board

If you are not satisfied with our resolution, you have the right to file a complaint with the Data Protection Board of India. Details regarding the Board’s complaint portal will be updated on our website once operational.

13. Cookies and Tracking Technologies

13.1 Types of Cookies

Our website uses the following types of cookies:

Essential Cookies: Necessary for website functionality;
Analytics Cookies: To understand how visitors use our website (with consent);
Preference Cookies: To remember your preferences.

13.2 Cookie Consent

On your first visit, we will present a cookie consent banner allowing you to accept or reject non-essential cookies. You may also manage cookie preferences through your browser settings.

14. Updates to this Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

Material changes will be:

Posted on our website with the updated effective date;
Notified to you via email where we have your contact details;
Subject to fresh consent where required by law.

We encourage you to review this Notice periodically.

15. Governing Law

This Privacy Notice shall be governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, and the rules made thereunder.

Any disputes arising under this Notice shall be subject to the exclusive jurisdiction of the courts in Chennai, Tamil Nadu, India, without prejudice to your right to approach the Data Protection Board of India.

16. Contact Us

If you have any questions about this Privacy Notice or wish to exercise your rights, please contact us:

Grief & Beyond

Proprietor: V. Sai Kripa

Address: A12, Kottur Villa Apartments, 5 Lock Street, Kottur Gardens, Kotturpuram, Chennai – 600085, Tamil Nadu, India.

Email: kripa@griefandbeyond.com

Phone: +91 91765 47433

Website: www.griefandbeyond.com