PRIVACY POLICY
Last Updated: 20 February 2026
Version: 2.0
Entity: VD AR CONSULTANCY (ABN: 83 127 178 751) trading as Bhoomirang
1. Introduction and Global Commitment
VD AR CONSULTANCY ("Bhoomirang", "we", "us", or "our") is a specialized strategic growth partner providing services to startups globally. While our headquarters are in Victoria, Australia, we acknowledge that our clients and users operate in diverse legal environments. This Privacy Policy is structured to meet the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), while also adhering to international best practices for data protection and cross-border information flows.
We are committed to protecting your privacy and handling your personal information with transparency, integrity, and in compliance with Australian law. This policy explains what information we collect, how we use it, who we share it with, and your rights regarding your personal information.
2. Information We Collect and Hold
To execute our "Service-for-Equity" partnerships and due diligence protocols, we collect information that falls into the following categories:
2.1 Application Data
- Company Information: Company name, business registration details, industry, and stage of development
- Founder Information: Founder names, professional email addresses, phone numbers with country codes
- Partnership Details: Preferred partnership model (fee-for-service, hybrid, or equity swap)
- Business Information: Pitch content, pitch deck PDF files, financial forecasts, capitalization tables (cap tables), tax records, strategic product roadmaps, source code snippets, and Minimum Viable Product (MVP) technical specifications
2.2 Email Verification Data
- Verification Codes: Time-limited 8-digit codes with 10-minute automatic expiry
- Verification Attempts: Counter of verification attempts and lockout status
- Verification Methods: API-based email verification scores and detailed validation results
- Verification Timestamps: Date and time of code generation, verification attempts, and successful verification
2.3 Gripe to Gold Research Access Data
- Access Information: Email addresses provided for research document access
- Access Tracking: Access count, timestamps, and engagement patterns
- Verification Status: Email verification status and verification methods used
2.4 Meeting Request Data
- Contact Information: Name, email address, phone number with country code
- Meeting Details: Preferred meeting date and time, meeting description and purpose
- Scheduling Information: Calendly integration data and meeting confirmations
2.5 Security and Fraud Prevention Data
- Privacy-Preserving Security Data: IP address cryptographic hashes (SHA-256, not raw IP addresses), user agent strings, browser specifications
- Security Audit Logs: Authentication events, form submissions, email verifications, access control events, suspicious activity detection
- Rate Limiting Data: Request counters, rate limit violations, temporary restriction periods
- CSRF Protection: Anti-forgery tokens with 1-hour rotation for form security
- Verification Lockout Tracking: Failed verification attempt counters, lockout timestamps, automated lockout enforcement
2.6 Behavioral Metadata
- Interaction Data: Page views, form interactions, document access patterns
- Security Events: Suspicious activity detection, input validation failures, authentication anomalies
- Device Information: Device identifiers, operating system, screen resolution for interface optimization
2.7 Privacy-Preserving Security Measures
We apply technical safeguards designed to protect your privacy while maintaining platform security:
- IP Address Protection: Raw IP addresses are not stored; only anonymised representations are retained for security purposes
- Verification Code Expiry: Email verification codes expire automatically and are not retained beyond their intended use
- Abuse Prevention: Automated controls are in place to detect and limit misuse of our systems
3. Collection Methods and Third-Party Services
We collect information through the following channels:
3.1 Direct Collection
- Application Portal: Direct submission through our partnership application form
- Gripe to Gold Access Form: Email submission for research document access
- Contact and Meeting Request Forms: Meeting scheduling and inquiry submissions
- Email Verification System: Multi-layered verification through API validation and code verification
3.2 Automated Collection
- Security Monitoring: Automated fraud detection and suspicious activity monitoring
- Rate Limiting: Database-backed request tracking to prevent abuse
- Audit Logging: Automated logging of all security-relevant events
- Cookies and Local Storage: Session management and user preferences (detailed in Section 9)
3.3 Third-Party Services
We use the following third-party services that may collect or process your information:
- Calendly (USA): Meeting scheduling platform with embedded iframe integration for managing meeting requests
- Resend (USA): Email delivery service for verification codes, application confirmations, and transactional communications
- Secure Cloud Infrastructure (USA): Database hosting and serverless computing platforms for data storage and application logic execution
- Google Sheets: Embedded display of research documents in view-only mode
Important: While we do not name specific infrastructure providers, you acknowledge that your data is stored and processed using secure cloud database infrastructure and serverless computing platforms located in the United States.
3.4 Third-Party Verification
We may collect or verify information through regulatory bodies (e.g., ASIC, ATO), credit reporting agencies, or subscription-based due diligence databases during the partnership assessment process.
4. Data Retention Periods
We retain your information only as long as necessary to fulfill the purposes for which it was collected, or as required by Australian law. Our specific retention periods are:
| Data Type | Retention Period |
|---|---|
| Email verification codes | 10 minutes (automatic deletion) |
| Meeting requests | 2 years from last contact |
| Partnership applications (unsuccessful) | 2 years for business intelligence |
| Partnership applications (successful) | 7 years for financial and tax compliance |
| Security audit logs | 7 years for compliance and incident investigation |
| Suspicious activity logs | 7 years for security monitoring |
4.1 Automated Deletion Mechanisms
We have implemented automated systems to ensure data is deleted according to our retention schedule:
- Scheduled Cleanup Processes: Automated daily processes delete expired verification codes and other time-limited records according to our retention schedule
- Data Retention Tracking: Database-level tracking of retention policies with automated notification system for upcoming deletion events
- Legal Hold Capability: Ability to suspend automated deletion in cases of regulatory investigations or legal disputes
- Soft Deletion: Initial soft deletion (marking as deleted) before permanent removal to allow for recovery in case of errors
5. Use of Information and Legal Basis
Your information is processed for these specific objectives:
- Due Diligence and Vetting: Evaluating the commercial potential and founder-fit for our partnership models, including verification of identity and business legitimacy
- Service Deployment: Utilizing our time-capital for Marketing, Market Research, MVP Development, and Operations Setup for successful partnership applicants
- Relationship Management: Direct communication regarding your partnership application, meeting requests, or research document access
- Email Verification: Confirming identity, preventing fraudulent submissions, and ensuring communications reach legitimate recipients
- Security and Fraud Prevention: Protecting our platform and users from abuse, automated attacks, fraudulent applications, and security threats
- Lead Tracking and Engagement: Monitoring access to our Gripe to Gold research to understand engagement patterns and follow up with interested parties
- Marketing and Research Distribution: Distributing industry reports and partnership opportunities (with consent as detailed in Section 7)
- Legal Compliance: Meeting our obligations under Australian tax law, corporate law, and privacy law
6. Disclosure and Cross-Border Data Transfers
As a global firm with infrastructure in the United States, we may disclose your information to:
- External Subject Matter Experts: Legal advisors, tax consultants, and technical auditors involved in structuring equity transactions and conducting due diligence
- International Service Providers: Third-party platforms and services including Calendly (USA) for meeting scheduling, Resend (USA) for email delivery and verification, and secure cloud infrastructure providers (USA) for database hosting and serverless computing
- Regulatory Authorities: Where required by the Corporations Act 2001 (Cth), Taxation Administration Act 1953 (Cth), or international equivalents
- Law Enforcement: Where required by law or necessary to prevent fraud, protect our rights, or ensure platform security
6.1 APP 8 Cross-Border Disclosure Compliance
Important Notice: Cross-Border Data Transfers
Data Transferred to United States: Your personal information is transferred to and processed in the United States through our cloud infrastructure providers, email service provider (Resend), and meeting scheduling platform (Calendly).
Privacy Law Differences: While we take reasonable steps to ensure our service providers comply with data protection obligations, the privacy laws of the United States differ from the Australian Privacy Principles. US service providers may be subject to different disclosure requirements under US law.
Your Rights Remain: You retain all rights under the Privacy Act 1988 (Cth) and Australian Privacy Principles regardless of where your data is processed.
Contractual Safeguards: We require our service providers to implement reasonable data protection measures through contractual agreements, including restrictions on unauthorized use or disclosure.
Foreign Laws May Apply: Overseas recipients may be compelled to disclose your personal information under the laws of their jurisdiction, including US national security laws.
Your Consent: By submitting information to us, you acknowledge and consent to this cross-border transfer and processing.
7. Consent Management and Spam Act Compliance
7.1 How We Obtain Consent
We obtain your consent for data collection and communications through:
- Form Submission: Submitting an application, requesting research access, or scheduling a meeting constitutes consent to collect and process the information you provide
- Email Verification: Successful verification of your email address confirms your identity and validates your consent
- Checkbox Acknowledgment: Where required, explicit checkbox acknowledgment of our Privacy Policy and Terms of Service
- Express Consent for Communications: Submission constitutes express consent under the Spam Act 2003 (Cth) for commercial electronic messages
7.2 Types of Communications
We send two categories of emails:
- Transactional Emails (Cannot Unsubscribe): Application confirmations, email verification codes, meeting reminders, partnership status updates. These are essential for providing the services you requested.
- Marketing Emails (Can Unsubscribe): Research releases, partnership opportunity announcements, industry insights, thought leadership content. All marketing emails include a functional unsubscribe link in the footer.
7.3 Withdrawing Consent
You can withdraw your consent at any time:
- Marketing Unsubscribe: Click the unsubscribe link in any marketing email. We process unsubscribe requests within 5 business days.
- Full Withdrawal: Contact us at connect@bhoomirang.com or via our contact form to request complete deletion of your information (subject to legal retention obligations)
- Consequences: Withdrawing consent may prevent us from processing your partnership application or providing requested services
7.4 Spam Act 2003 Compliance
We comply fully with the Spam Act 2003 (Cth). All commercial electronic messages include accurate sender identification and functional unsubscribe mechanisms, and are sent only to those who have provided express or inferred consent through their interaction with our platform.
8. Security Measures and Data Protection
Bhoomirang recognizes that startup pitch data constitutes high-value trade secrets. We implement comprehensive security measures:
8.1 Technical Security Measures
- Email Verification: Multi-step identity verification to prevent fraudulent submissions
- Abuse Prevention: Automated controls to protect against unauthorized access and misuse
- Privacy-Preserving Logging: Security events are logged without storing raw personal identifiers
- Encryption: Industry-standard TLS/SSL encryption for data in transit and encryption at rest for sensitive data
8.2 Organizational Security Measures
- Strict Access Control: Need-to-know access protocols restricted to personnel assigned to your specific project
- Confidentiality Agreements: All team members and contractors sign confidentiality agreements before accessing client data
- Security Training: Regular security awareness training for all personnel handling personal information
- Incident Response Plan: Documented procedures for detecting, responding to, and recovering from security incidents
8.3 Notifiable Data Breaches (NDB Scheme)
We maintain a comprehensive Data Breach Response Plan in compliance with the NDB scheme under the Privacy Act 1988 (Cth):
- Breach Detection: Automated security monitoring and manual review processes to detect potential breaches
- Assessment Protocol: Documented procedures for determining if a breach meets the OAIC notification threshold (likely to result in serious harm)
- 30-Day Notification: If a notifiable breach occurs, we will notify the Office of the Australian Information Commissioner within 30 days
- Individual Notification: Direct notification to affected individuals via email when a breach is likely to cause serious harm
- Remediation Steps: Clear communication of steps taken to remediate the breach and support offered to affected individuals
- Post-Incident Review: Comprehensive review and enhancement of security measures following any incident
9. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to maintain functionality and optimize user experience:
9.1 Types of Cookies We Use
- Essential Cookies: Session management, security tokens (CSRF), authentication, and access control. These are necessary for the platform to function.
- Functional Cookies: User preferences, returning user recognition for Gripe to Gold access, interface customization
- No Advertising Cookies: We do not use advertising cookies, third-party tracking cookies, or behavioral advertising technologies
9.2 Local Storage Usage
We use browser local storage for:
- Gripe to Gold Access: Session tokens with 7-day expiry to remember access status
- User Preferences: Interface settings and preferences for returning users
9.3 Managing Cookies
You can manage cookies through your browser settings:
- Browser Settings: Most browsers allow you to refuse or delete cookies. Consult your browser's help documentation.
- Impact of Disabling: Disabling cookies may affect functionality of the application portal, email verification, and Gripe to Gold access management
- No Cross-Site Tracking: We do not track users across other websites or engage in behavioral advertising
10. Your Rights Under Australian Privacy Principles
Under the Australian Privacy Principles, you have the following rights regarding your personal information:
10.1 Right to Know (APP 5)
You have the right to know what personal information is being collected at the point of collection. We display privacy collection notices on all forms that explain:
- Why we collect your information
- How we will use it
- Who we share it with
- How long we retain it
- Cross-border disclosure details
10.2 Right to Access (APP 12)
You can request access to the personal information we hold about you. We will provide access within 30 days unless:
- Providing access would pose a serious threat to life, health, or safety
- Providing access would have an unreasonable impact on the privacy of others
- The request is frivolous or vexatious
- The information relates to existing or anticipated legal proceedings
- Providing access would be unlawful
If we refuse access, we will provide a written explanation and inform you of available complaint mechanisms.
10.3 Right to Correction (APP 13)
You can request correction of inaccurate, outdated, incomplete, irrelevant, or misleading information. If we correct your information, we will take reasonable steps to notify any third parties to whom we have disclosed the information.
10.4 Right to Deletion
You can request deletion of your personal information, subject to:
- Legal retention obligations (e.g., 7-year retention for financial records)
- Ongoing partnership agreements or legal proceedings
- Legitimate business interests in maintaining historical records
10.5 Right to Data Portability
You can request a copy of your personal information in a machine-readable format (typically CSV or JSON).
10.6 Right to Complain
You can lodge a complaint if you believe we have breached your privacy rights. See Section 11 for our complaints process.
10.7 How to Exercise Your Rights
To exercise any of these rights:
- Submit a request via our website contact form or email connect@bhoomirang.com
- We will acknowledge your request within 5 business days
- We may require identity verification to prevent unauthorized access
- We will provide a substantive response within 30 days of verification
- If we refuse your request, we will explain why and inform you of complaint avenues
Fees: We do not charge fees for standard access requests unless the request is manifestly unfounded or excessive.
11. Complaints Process and Escalation
If you believe we have breached our privacy obligations, we have a structured complaints handling procedure:
7-Step Complaints Process
- Submit Written Complaint: Send a detailed complaint via our website contact form or email connect@bhoomirang.com. Include:
  - Detailed description of the privacy concern or breach
  - Relevant dates, communications, and supporting documentation
  - Preferred resolution or remedy sought
  - Your contact information for response
- Acknowledgment: We will acknowledge receipt within 5 business days and provide a reference number
- Investigation: We will investigate and gather relevant information
- Identity Verification: We may require identity verification to protect privacy during the investigation
- Substantive Response: We will provide a detailed response within 30 days of acknowledgment
- Escalation Information: If you are unsatisfied with our response, we will provide information on how to escalate to the OAIC
- External Complaint to OAIC: You may lodge a complaint with the Office of the Australian Information Commissioner:
  - Website: www.oaic.gov.au
  - Phone: 1300 363 992
- You retain the right to pursue legal remedies in Victorian courts
12. Children's Privacy
Our services are intended exclusively for business professionals and startup founders aged 18 and over:
- Age Restriction: We do not knowingly collect personal information from individuals under 18 years of age
- Partnership Requirements: Partnership agreements require legal capacity to enter into binding contracts
- Discovery and Deletion: If we discover that we have collected information from a minor, we will delete it promptly
- Parental Notification: Parents or guardians who believe we have collected information from a minor should contact us immediately at connect@bhoomirang.com
- Age Verification: We may request proof of age during the due diligence process for partnership applicants
13. Australian Privacy Principles Compliance Summary
This policy demonstrates our compliance with all 13 Australian Privacy Principles:
| APP | Principle | Our Compliance |
|---|---|---|
| APP 1 | Open and transparent management | This comprehensive policy plus public commitment to privacy |
| APP 2 | Anonymity and pseudonymity | Limited applicability - partnership services require identity verification for due diligence and legal compliance |
| APP 3 | Collection of solicited information | We only collect information reasonably necessary for our business functions and services |
| APP 5 | Notification of collection | Privacy collection notices displayed at point of data capture on all forms |
| APP 6 | Use or disclosure | Information only used for stated purposes unless consent obtained or legal requirement exists |
| APP 7 | Direct marketing | Spam Act 2003 compliance, unsubscribe mechanisms, no sale of personal information to third parties |
| APP 8 | Cross-border disclosure | Reasonable steps for recipient compliance, explicit user acknowledgment of USA transfers (Section 6) |
| APP 9 | Government identifiers | We do not adopt government identifiers (e.g., ABN, tax file numbers) as our own identifiers |
| APP 10 | Quality of information | Due diligence and email verification processes ensure accuracy, user obligations to update information |
| APP 11 | Security | Comprehensive technical and organizational measures detailed in Section 8 |
| APP 12 | Access to information | Rights and procedures with 30-day response timeline detailed in Section 10 |
| APP 13 | Correction | Correction procedures with notification cascaded to third parties where feasible |
14. Policy Updates and Version Control
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational needs:
- Version History: We maintain a version history of this policy. Previous versions are available on request.
- Material Changes: We will provide 30 days' advance notice of material changes to registered users via email
- Continued Use: Continued use of our services after the notice period constitutes acceptance of the updated policy
- Website Banner: Significant policy changes will be highlighted via website banner notification
- Regular Review: We encourage you to review this policy periodically for updates
- Last Updated Date: The "Last Updated" date at the top of this policy reflects the most recent revision
15. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of Victoria, Australia, and the Privacy Act 1988 (Cth). By engaging with Bhoomirang, you submit to the exclusive jurisdiction of the courts of Victoria for any disputes arising from this policy.
16. Contact Information
Privacy Officer Contact Details:
- Legal Entity: VD AR CONSULTANCY
- ABN: 83 127 178 751
- Trading Name: Bhoomirang
- Location: Victoria, Australia
- Email: connect@bhoomirang.com
- Contact Methods: Website contact form or email
- Response Timeline: 5 business days for acknowledgment, 30 days for substantive response
17. About Our Business
VD AR CONSULTANCY (trading as Bhoomirang) is a registered Australian business operating globally:
- Registration: Australian-registered business with ABN 83 127 178 751
- Global Operations: Serving startups worldwide through digital platforms and remote collaboration
- Privacy Commitment: Committed to full compliance with Australian Privacy Principles
- Service Model: Service-for-equity partnership model for early-stage and growth-stage startups
- Governing Law: All operations governed by the laws of Victoria, Australia
- Currency: All financial dealings conducted in Australian Dollars (AUD)
© 2026 VD AR CONSULTANCY. All rights reserved.