Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") sets out how BonV Technology Private Limited ("BonV", "Company", "we", "our", or "us"), a company incorporated under the Companies Act, 2013, having its registered office at 1st Floor, Library Building, CV Raman College, Khorda, Odisha, India, collects, uses, stores, processes, discloses, and protects the personal data of individuals ("Users", "you", or "your") who access or use our website at www.bonvaero.com ("Website"), our products, services, or otherwise interact with us.

BonV is committed to protecting the privacy and personal data of its Users in compliance with the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules"), the Digital Personal Data Protection Act, 2023 ("DPDPA"), and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"), as applicable and in force from time to time.

By accessing or using our Website or Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any provision of this Policy, please refrain from using our Website or Services.

2. Definitions

"Data Fiduciary" means BonV Technology Private Limited, which alone or in conjunction with other persons determines the purpose and means of processing of personal data, as defined under Section 2(i) of the DPDPA.

"Data Principal" means the individual to whom the personal data relates, and in the case of a child (below 18 years of age), includes the parent or lawful guardian, as defined under Section 2(j) of the DPDPA.

"Data Processor" means any person who processes personal data on behalf of a Data Fiduciary, as defined under Section 2(k) of the DPDPA.

"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDPA.

"Processing" means any operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction.

"Sensitive Personal Data or Information" ("SPDI") as defined under Rule 3 of the IT Rules, includes passwords; financial information such as bank account, credit card, or debit card details; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information.

3. Information We Collect

3.1 Information You Provide Directly

When you interact with our Website, submit enquiry forms, request product demonstrations, subscribe to updates, apply for employment, or otherwise contact us, we may collect the following categories of personal data:

• Identity information: full name, designation, organisation name
• Contact information: email address, telephone number, postal address
• Enquiry details: drone model of interest, nature of support required, use-case description, project specifications
• Professional information: company name, role, industry, and business requirements
• Employment-related information: resume, qualifications, and work history (if applying for positions)

3.2 Information Collected Automatically

When you access our Website, we automatically collect certain technical and usage information through cookies, server logs, and similar technologies, including:

• Device information: IP address, device type, operating system, browser type and version
• Usage information: pages visited, time spent on pages, click-through paths, referring URLs, and exit pages
• Approximate location data: derived from IP address (not precise geolocation)

3.3 Sensitive Personal Data or Information (SPDI)

BonV does not intentionally collect Sensitive Personal Data or Information as defined under Rule 3 of the IT Rules through its Website. In the event that SPDI is collected in the course of business engagements (such as financial information for contractual payments or biometric data for facility access at our premises), such collection shall be subject to explicit prior consent, processed only for the specified purpose, and handled in strict compliance with Rules 5, 6, 7, and 8 of the IT Rules.

4. Purpose of Collection and Use

We process your personal data only for lawful, specified, and clearly defined purposes, including:

• To respond to your enquiries, requests for product information, demonstrations, or support
• To process and fulfil orders, contracts, or service requests
• To personalise your experience on our Website and deliver relevant content
• To improve Website functionality, content, security, and user experience
• To send product updates, newsletters, or marketing communications, only where you have opted in to receive such communications
• To comply with applicable legal and regulatory obligations, including under the IT Act, DPDPA, and defence sector regulations
• To detect, prevent, and investigate fraudulent activity, security incidents, or violations of our Terms of Use
• To enforce our legal rights and resolve disputes

We shall not process your personal data for any purpose beyond what is stated in this Policy or for which separate consent has been obtained.

5. Consent Framework

5.1 Obtaining Consent

Where processing is based on consent, BonV shall obtain your free, specific, informed, unconditional, and unambiguous consent prior to collecting and processing your personal data. Consent shall be sought through a clear affirmative action, with categories of personal data linked to the specified purposes of processing, as required under Section 6 of the DPDPA and the DPDP Rules, 2025.

5.2 Withdrawal of Consent

You have the right to withdraw your consent at any time by contacting us at [email protected] or through the consent withdrawal mechanism on our Website. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Upon withdrawal, BonV shall cease processing your personal data for the relevant purpose within a reasonable period and, unless retention is required by law or legitimate business interest, shall erase or anonymise such data in accordance with Clause 10.

5.3 Legitimate Uses Without Consent

In accordance with Section 7 of the DPDPA, BonV may process personal data without consent for certain legitimate uses, including:

• Performance of any function under any law
• Compliance with any order or judgment of a court or tribunal
• Response to a medical emergency
• Measures for safety during a disaster or public order situation
• Employment-related purposes

6. Disclosure and Transfer of Personal Data

6.1 Disclosure Practices

BonV does not sell, rent, trade, or lease your personal data to any third party for marketing purposes. We may disclose your personal data to the following categories of recipients, subject to appropriate contractual safeguards:

• Affiliates and group companies: for internal business purposes, subject to confidentiality obligations equivalent to this Policy
• Service providers and data processors: including hosting providers, analytics services, payment processors, and IT support vendors, solely to the extent necessary for them to perform services on our behalf and subject to data processing agreements
• Government and regulatory authorities: where disclosure is required by law, regulation, court order, or governmental request, including under the IT Act, DPDPA, or defence sector regulations
• Professional advisors: including lawyers, auditors, and insurers, for legitimate business purposes
• Business transfers: in connection with a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the successor entity, subject to equivalent privacy protections

6.2 Handling of Sensitive Personal Data

Any disclosure of SPDI shall be made only with the prior consent of the Data Principal, unless such disclosure is required by law or is necessary for the performance of a lawful contract, in accordance with Rule 6 of the IT Rules. SPDI shall not be published or made available in the public domain.

6.3 Cross-Border Transfer

Your personal data may be transferred to, stored, or processed outside India in connection with the use of third-party services (such as cloud hosting or analytics platforms). Such transfers shall be made only to countries or territories not restricted by the Central Government under Section 16 of the DPDPA, and subject to contractual safeguards ensuring an equivalent level of data protection. BonV shall ensure that any Data Processor located outside India provides the same level of data protection as required under this Policy and applicable Indian law.

7. Cookies and Tracking Technologies

Our Website uses cookies and similar tracking technologies to enhance your browsing experience and to gather analytical data. When you first visit our Website, you will be presented with a cookie consent banner offering you the choice to accept or reject non-essential cookies.

7.1 Types of Cookies

• Strictly necessary cookies: essential for Website functionality — these do not require consent
• Analytics cookies: used to understand how visitors interact with our Website (e.g., Google Analytics) — these are placed only with your consent
• Preference cookies: store your settings such as language or region preferences

7.2 Google Analytics

We use Google Analytics to collect anonymised visitor data, including traffic sources, popular content, and device information. Google Analytics may set cookies on your device and process data in accordance with Google's privacy policy. You may opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on or by adjusting your cookie preferences.

7.3 Managing Cookies

You may manage, disable, or delete cookies at any time through your browser settings. Please note that disabling certain cookies may impair the functionality of our Website.

8. Data Security

8.1 Security Measures

BonV implements reasonable security practices and procedures commensurate with the nature of the information being protected and the sensitivity of our business operations. In accordance with Rule 8 of the IT Rules and the security requirements under the DPDPA, our security measures include but are not limited to:

• Encryption: use of HTTPS/TLS encryption for all data in transit; encryption at rest for stored personal data
• Access controls: role-based access controls limiting data access to authorised personnel only; multi-factor authentication for administrative systems
• Access logging and monitoring: regular monitoring of access logs to detect unauthorised access or anomalies
• Data backups: regular backups to ensure continuity of processing in the event of data loss or breach
• Network security: firewalls, intrusion detection/prevention systems, and regular vulnerability assessments
• Employee training: periodic security awareness training for all personnel handling personal data
• Vendor security: contractual data protection obligations imposed on all third-party service providers and data processors

8.2 Information Security Standards

BonV's information security programme is designed to implement reasonable security practices and procedures as contemplated under Rule 8 of the IT Rules and the DPDPA. BonV shall periodically review and update its security practices, and may engage independent auditors as appropriate based on the nature and scale of its operations and the sensitivity of the personal data being processed.

8.3 Limitations

While BonV employs commercially reasonable security measures, no method of transmission over the internet or method of electronic storage is completely secure. BonV cannot guarantee absolute security of your personal data. In the event of a security breach, BonV shall follow the incident response procedures set out in Clause 9 below.

9. Data Breach Notification

In the event of a personal data breach that compromises the confidentiality, integrity, or availability of personal data under BonV's control, BonV shall:

• Notify the Data Protection Board of India within seventy-two (72) hours of becoming aware of the breach, or within such other timeframe as may be prescribed under the DPDPA and DPDP Rules, providing details including the nature and extent of the breach, the timing and circumstances of its occurrence, the potential consequences, and the mitigating measures taken or proposed
• Notify the affected Data Principals without undue delay, providing sufficient information to enable them to take protective measures
• Investigate the breach, take immediate remedial action, and implement measures to prevent recurrence
• Maintain records of all data breaches, including the facts, effects, and remedial action taken, for a minimum period of one (1) year as required under the DPDP Rules, 2025

10. Data Retention and Deletion

BonV retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The indicative retention periods are as follows:

• Enquiry and contact data: generally not exceeding three (3) years from the date of the last interaction, unless an ongoing business relationship necessitates longer retention
• Contractual and transactional data: for the duration of the contractual relationship and for such additional period as required under applicable commercial and tax laws
• Website analytics data: retained in anonymised or aggregated form; identifiable data generally not exceeding twelve (12) months
• Employment application data: generally not exceeding twelve (12) months from the date of application, unless the candidate consents to longer retention for future opportunities

Upon expiry of the applicable retention period, or upon a valid request for erasure by the Data Principal, personal data shall be securely deleted or irreversibly anonymised. Deletion shall be carried out using industry-standard methods appropriate to the storage medium.

11. Rights of Data Principals

In accordance with the DPDPA and the IT Rules, you have the following rights in relation to your personal data:

• Right of access: obtain confirmation of whether BonV is processing your personal data and access a summary of such data and the processing activities undertaken
• Right to correction and erasure: request correction of inaccurate or misleading data, completion of incomplete data, updating of out-of-date data, and erasure of data no longer necessary for the purpose for which it was collected
• Right to withdraw consent: withdraw your consent at any time, as set out in Clause 5.2
• Right to grievance redressal: have your grievances addressed by our designated Grievance Officer, and if unsatisfied, file a complaint with the Data Protection Board of India
• Right to nominate: nominate an individual to exercise your rights in the event of your death or incapacity, as provided under Section 14 of the DPDPA

To exercise any of the above rights, please contact our Grievance Officer using the details provided in Clause 14. BonV shall respond to all requests within ninety (90) days of receipt, as mandated under the DPDP Rules, 2025.

12. Children's Data

BonV's Website and Services are not directed at individuals below the age of eighteen (18) years. BonV does not knowingly collect or process personal data of children without verifiable consent from a parent or lawful guardian. In the event that we become aware that personal data of a child has been collected without appropriate parental consent, we shall take immediate steps to delete such data.

Verifiable parental consent shall be obtained through mechanisms specified under the DPDP Rules, 2025, including verification through existing account information, government-issued identification, or tokens issued by authorised entities. If you are a parent or guardian and believe that your child has provided personal data to BonV without your consent, please contact us at [email protected].

13. Third-Party Services and Links

Our Website may contain links to third-party websites, platforms, or services that are not operated or controlled by BonV. This Policy does not apply to such third-party services. BonV is not responsible for the privacy practices, content, or data handling of any third-party website or service. We encourage you to review the privacy policies of any third-party services before providing your personal data.

14. Grievance Officer

In accordance with Rule 5(9) of the IT Rules and the requirements of the DPDPA, BonV has designated the following Grievance Officer to address your concerns regarding data privacy and this Policy:

• Name: Roshan Senapati
• Designation: Head, Marketing
• Email: [email protected]
• Address: BonV Technology Private Limited, 1st Floor, Library Building, CV Raman College, Khorda, Odisha, India

The Grievance Officer shall acknowledge your complaint within a reasonable time and endeavour to resolve it within thirty (30) days of receipt, as required under applicable law. If you are not satisfied with the resolution, you may escalate your complaint to the Data Protection Board of India in accordance with the procedures prescribed under the DPDPA.

15. Changes to This Policy

BonV reserves the right to update or modify this Policy at any time. Any material changes will be communicated by posting the updated Policy on our Website with a revised "Last Updated" date. Where material changes affect the processing of your personal data, BonV shall provide reasonable prior notice and, where required by law, obtain your renewed consent. Your continued use of the Website or Services following the posting of changes constitutes your acceptance of the revised Policy.

16. Compliance with Indian Data Protection Regulations

BonV complies with the applicable requirements under the following legislation:

• The Information Technology Act, 2000
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• The Digital Personal Data Protection Act, 2023
• The Digital Personal Data Protection Rules, 2025, to the extent in force from time to time during the phased implementation period

BonV shall continue to monitor and adapt its privacy practices to remain compliant with the evolving regulatory framework.

17. Governing Law

This Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts at Bhubaneswar, India, without prejudice to the jurisdiction of the Data Protection Board of India under the DPDPA.

18. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or BonV's data handling practices, please contact us at:

Email: [email protected]

Address: BonV Technology Private Limited, 1st Floor, Library Building, CV Raman College, Khorda, Odisha, India