Privacy Policy

1. Introduction and Scope

This Privacy Policy ("Policy") sets out how BonV Technology Private Limited ("BonV", "Company", "we", "our", or "us"), a company incorporated under the Companies Act, 2013, having its registered office at HD-094, WeWork Latitude, 9th Floor, RMZ Latitude Commercial, Bellary Road, Hebbal, Bangalore, Karnataka, India - 560024, collects, uses, stores, processes, discloses, and protects the personal data of individuals ("Users", "you", or "your") who access or use our website at www.bonvaero.com, mobile applications, APIs, or other digital interfaces (collectively, "Platform"), our products, services, or otherwise interact with us.

BonV is committed to protecting the privacy and personal data of its Users in compliance with the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules"), the Digital Personal Data Protection Act, 2023 ("DPDPA"), and the rules and regulations framed thereunder ("DPDP Rules"), as applicable and in force from time to time. This Policy is made available in English and BonV shall endeavour to make it available in Kannada for users located in Karnataka, in accordance with the requirements of the DPDPA and applicable CCPA Guidelines 2021.

By accessing or using our Platform or Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any provision of this Policy, please refrain from using our Platform or Services.

2. Definitions

"Data Fiduciary" means BonV Technology Private Limited, which alone or in conjunction with other persons determines the purpose and means of processing of personal data, as defined under Section 2(i) of the DPDPA.

"Data Principal" means the individual to whom the personal data relates, and in the case of a child (below 18 years of age), includes the parent or lawful guardian, as defined under Section 2(j) of the DPDPA.

"Data Processor" means any person who processes personal data on behalf of a Data Fiduciary, as defined under Section 2(k) of the DPDPA.

"Personal Data Breach" means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data, as defined under Section 2(n) of the DPDPA.

"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDPA.

"Processing" means any operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction.

"Sensitive Personal Data or Information" ("SPDI") as defined under the IT Rules, includes passwords; financial information such as bank account, credit card, or debit card details; physical, physiological, and mental health condition; sexual orientation; medical records and history; and biometric information. To the extent the DPDPA 2023 prescribes a different or broader category of sensitive data in rules framed thereunder, such categories shall also be treated as SPDI under this Policy.

3. Information We Collect

3.1 Information You Provide Directly

When you interact with our Platform, submit enquiry forms, request product demonstrations, subscribe to updates, apply for employment, or otherwise contact us, we may collect the following categories of personal data, each collected only to the extent necessary for the specific purpose for which it is sought (see Clause 4 for purpose linkage):

• Identity information: full name, designation, organisation name
• Contact information: email address, telephone number, postal address
• Enquiry details: drone model of interest, nature of support required, use-case description, project specifications
• Professional information: company name, role, industry, and business requirements
• Employment-related information: resume, qualifications, and work history (if applying for positions)
• Age verification information: where required to verify that a user is 18 years of age or older, or to obtain verifiable parental consent for users below 18, in accordance with Section 9 of the DPDPA and applicable DPDP Rules

3.2 Information Collected Automatically

When you access our Platform, we automatically collect certain technical and usage information through cookies, server logs, and similar technologies, subject to your cookie consent preferences as described in Clause 7. IP addresses and device identifiers collected automatically may constitute personal data under the DPDPA. Analytics and preference cookies are placed only with your prior consent, including:

• Device information: IP address, device type, operating system, browser type and version
• Usage information: pages visited, time spent on pages, click-through paths, referring URLs, and exit pages
• Approximate location data: derived from IP address (not precise geolocation)
• Server and access logs: records of access to the Platform, including IP addresses, timestamps, and request details. Such logs are retained for a minimum of one hundred and eighty (180) days as required under the CERT-In Directions issued under Section 70B of the IT Act, 2000

3.3 Sensitive Personal Data or Information (SPDI)

BonV does not intentionally collect Sensitive Personal Data or Information as defined under the IT Rules through its Platform. In the event that SPDI is collected in the course of business engagements (such as financial information for contractual payments or biometric data for facility access at our premises), such collection shall be subject to explicit prior consent, processed only for the specified purpose, and handled in strict compliance with Sections 5, 6, 7, and 8 of the DPDP Act.

4. Purpose of Collection and Use

We process your personal data only for lawful, specified, and clearly defined purposes, including:

• To respond to your enquiries, requests for product information, demonstrations, or support
• To process and fulfil orders, contracts, or service requests
• To personalise your experience on our Platform and deliver relevant content
• To improve Platform functionality, content, security, and user experience
• To send product updates, newsletters, or marketing communications, only where you have opted in to receive such communications
• To comply with applicable legal and regulatory obligations, including under the IT Act, DPDPA, and defence sector regulations
• To detect, prevent, and investigate fraudulent activity, security incidents, or violations of our Terms of Use
• To enforce our legal rights and resolve disputes

We shall not process your personal data for any purpose beyond what is stated in this Policy or for which separate consent has been obtained.

5. Consent Framework

5.1 Obtaining Consent

Where processing is based on consent, BonV shall obtain your free, specific, informed, unconditional, and unambiguous consent prior to collecting and processing your personal data. Consent shall be sought through a clear affirmative action, with categories of personal data linked to the specified purposes of processing, as required under Section 6 of the DPDPA and the DPDP Rules, 2025. Each consent notice issued by BonV shall, in accordance with Section 5 of the DPDPA, contain: (a) a description of the personal data sought to be collected and the specific purpose of processing; (b) the manner in which you may exercise your rights under the DPDPA, including withdrawal of consent; and (c) the manner in which you may make a complaint to the Data Protection Board of India. Consent to this Privacy Policy does not itself constitute consent to any specific processing activity — separate, specific consent shall be sought for each purpose where consent is the legal basis.

5.2 Withdrawal of Consent

You have the right to withdraw your consent at any time by using the consent preference centre accessible from the Platform footer or by contacting our Grievance Officer at [email protected]. The mechanism for withdrawing consent shall be as easy to use as the mechanism by which consent was given, in accordance with Section 6(7) of the DPDPA. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Upon withdrawal, BonV shall cease processing your personal data for the relevant purpose within thirty (30) days of receipt of withdrawal and, unless retention is required by law or legitimate business interest, shall erase or anonymise such data in accordance with Clause 10.

5.3 Legitimate Uses Without Consent

In accordance with Section 7 of the DPDPA, BonV may process personal data without consent for certain legitimate uses, including:

• Performance of any function under any law
• Compliance with any order or judgment of a court or tribunal
• Response to a medical emergency
• Measures for safety during a disaster or public order situation
• Employment-related purposes

6. Disclosure and Transfer of Personal Data

6.1 Disclosure Practices

BonV does not sell, rent, trade, or lease your personal data to any third party for marketing purposes. We may disclose your personal data to the following categories of recipients, subject to appropriate contractual safeguards:

• Affiliates and group companies: for internal business purposes, subject to confidentiality obligations equivalent to this Policy
• Service providers and data processors: including hosting providers, analytics services, payment processors, and IT support vendors, solely to the extent necessary for them to perform services on our behalf and subject to data processing agreements
• Government and regulatory authorities: where disclosure is required by law, regulation, court order, or governmental request, including under the IT Act, DPDPA, or defence sector regulations
• Professional advisors: including lawyers, auditors, and insurers, for legitimate business purposes
• Business transfers: in connection with a merger, acquisition, restructuring, or sale of assets, your personal data may be transferred to the successor entity, subject to equivalent privacy protections

6.2 Handling of Sensitive Personal Data

Any disclosure of SPDI shall be made only with the prior consent of the Data Principal, unless such disclosure is required by law or is necessary for the performance of a lawful contract, in accordance with the IT Rules. SPDI shall not be published or made available in the public domain.

6.3 Cross-Border Transfer

Your personal data may be transferred to, stored, or processed outside India in connection with the use of third-party services (such as cloud hosting or analytics platforms). Such transfers shall be made only to countries or territories notified by the Central Government of India as permissible destinations for cross-border transfer of personal data under Section 16 of the DPDPA, once such notification is issued. Pending such notification, BonV shall implement appropriate safeguards including standard contractual clauses, data transfer agreements, or other mechanisms recognised under applicable Indian law to ensure an equivalent level of data protection. BonV shall monitor and update its cross-border transfer practices upon issuance of Government notifications under Section 16 of the DPDPA. BonV shall ensure that any Data Processor located outside India provides the same level of data protection as required under this Policy and applicable Indian law.

7. Cookies and Tracking Technologies

Our Platform uses cookies and similar tracking technologies to enhance your browsing experience and to gather analytical data. When you first visit our Platform, you will be presented with a cookie consent banner with non-essential cookies set to 'off' by default (privacy-by-default). You must affirmatively opt in to each category of non-essential cookies before they are placed on your device. Your preferences are recorded and respected across sessions.

7.1 Types of Cookies

• Strictly necessary cookies: essential for Platform functionality — these do not require consent
• Analytics cookies: used to understand how visitors interact with our Platform (e.g., Google Analytics) — these are placed only with your consent
• Preference cookies: store your settings such as language or region preferences

7.2 Google Analytics

We use Google Analytics to collect pseudonymised or aggregated visitor data, including traffic sources, popular content, and device information. Google Analytics may set cookies on your device and process data in accordance with Google's privacy policy. Processing by Google Analytics may involve transfer of data outside India — BonV has implemented the Google Ads Data Processing Terms and applicable standard contractual clauses to address cross-border transfer obligations under Section 16 of the DPDPA. You may opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on or by adjusting your cookie preferences.

7.3 Managing Cookies

You may manage, disable, or delete cookies at any time through your browser settings or through the cookie preference centre accessible from the Platform footer. Please note that disabling certain cookies may impair the functionality of our Platform.

8. Data Security

8.1 Security Measures

BonV implements reasonable security practices and procedures commensurate with the nature of the information being protected and the sensitivity of our business operations. In accordance with the IT Rules and the security requirements under the DPDPA, our security measures include but are not limited to:

• Encryption: use of HTTPS/TLS encryption for all data in transit; encryption at rest for stored personal data
• Access controls: role-based access controls limiting data access to authorised personnel only; multi-factor authentication for administrative systems
• Access logging and monitoring: regular monitoring of access logs to detect unauthorised access or anomalies
• Data backups: regular backups to ensure continuity of processing in the event of data loss or breach
• Network security: firewalls, intrusion detection/prevention systems, and regular vulnerability assessments
• Employee training: periodic security awareness training for all personnel handling personal data
• Vendor security: contractual data protection obligations imposed on all third-party service providers and data processors

8.2 Information Security Standards

BonV's information security programme is designed to implement reasonable security practices and procedures as contemplated under the IT Rules and the DPDPA. BonV's security practices are aligned with ISO/IEC 27001 (Information Security Management Systems) or an equivalent standard. BonV shall periodically review and update its security practices.

8.3 Limitations

While BonV employs commercially reasonable security measures, no method of transmission over the internet or method of electronic storage is completely secure. BonV cannot guarantee absolute security of your personal data. In the event of a security breach, BonV shall follow the incident response procedures set out in Clause 9 below.

9. Data Breach Notification

In the event of a personal data breach that compromises the confidentiality, integrity, or availability of personal data under BonV's control, BonV shall:

• Report the cybersecurity incident to the Indian Computer Emergency Response Team (CERT-In) within six (6) hours of becoming aware of the incident, in accordance with the CERT-In Directions issued under Section 70B of the Information Technology Act, 2000, providing details of the nature of the incident, systems affected, and initial impact assessment
• Notify the Data Protection Board of India in the manner and within the timeframe prescribed under Section 8(6) of the DPDPA and the DPDP Rules, providing details including the nature and extent of the Personal Data Breach, the timing and circumstances of its occurrence, the categories and approximate number of Data Principals affected, the potential consequences, and the mitigating measures taken or proposed
• Notify affected Data Principals without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach (or such timeframe as prescribed under the DPDP Rules), providing sufficient information to enable them to take protective measures, including the nature of the data affected and steps they can take to protect themselves
• Investigate the breach, take immediate remedial action, and implement measures to prevent recurrence
• Maintain records of all data breaches, including the facts, effects, and remedial action taken, for a minimum period of one (1) year as required under the DPDP Rules, 2025. In addition, BonV shall maintain logs of all system and network activities for a minimum of one hundred and eighty (180) days in accordance with CERT-In Directions 2022, irrespective of whether a breach has occurred

10. Data Retention and Deletion

BonV retains personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law. The indicative retention periods are as follows:

• Enquiry and contact data: generally not exceeding three (3) years from the date of the last interaction, unless an ongoing business relationship necessitates longer retention
• Contractual and transactional data: for the duration of the contractual relationship and for such additional period as required under applicable commercial and tax laws, including a minimum of five (5) years under the Central Goods and Services Tax Act, 2017 and eight (8) years for certain company records under the Companies Act, 2013
• Website analytics data: retained in irreversibly anonymised or aggregated form; identifiable data generally not exceeding twelve (12) months
• Employment application data: generally not exceeding twelve (12) months from the date of application, unless the candidate consents to longer retention for future opportunities

Upon expiry of the applicable retention period, or upon a valid request for erasure by the Data Principal, personal data shall be securely deleted or irreversibly anonymised. Deletion shall be carried out using methods compliant with recognised data sanitisation standards (such as NIST SP 800-88 or equivalent) appropriate to the storage medium. Notwithstanding the above, BonV shall retain system and access logs for a minimum of one hundred and eighty (180) days as required under CERT-In Directions 2022, which retention period shall override any shorter erasure request for such logs.

11. Rights of Data Principals

In accordance with the DPDPA and the IT Rules, you have the following rights in relation to your personal data:

• Right of access: obtain confirmation of whether BonV is processing your personal data and access a summary of such data and the processing activities undertaken
• Right to correction and erasure: request correction of inaccurate or misleading personal data, completion of incomplete personal data, updating of out-of-date personal data, and erasure of personal data no longer necessary for the purpose for which it was collected
• Right to withdraw consent: withdraw your consent at any time, as set out in Clause 5.2
• Right to grievance redressal: have your grievances addressed by our designated Grievance Officer, and if unsatisfied, file a complaint with the Data Protection Board of India
• Right to nominate: nominate an individual to exercise your rights in the event of your death or incapacity, as provided under Section 14 of the DPDPA

To exercise any of the above rights, please contact our Grievance Officer using the details provided in Clause 14. BonV shall respond to all requests within thirty (30) days of receipt, or within such other period as may be prescribed under the DPDP Rules. BonV may extend this period by a further thirty (30) days where the complexity or volume of requests requires it, in which case BonV shall notify you of the extension and the reasons for it.

12. Children's Data

BonV's Platform and Services are not directed at individuals below the age of eighteen (18) years. BonV does not knowingly collect or process personal data of children without verifiable consent from a parent or lawful guardian. In accordance with Section 9(3) of the DPDPA, BonV shall not undertake tracking or behavioural monitoring of children and shall not target advertising at children. In the event that we become aware that personal data of a child has been collected without appropriate parental consent, we shall take immediate steps to delete such data. If you are a parent or guardian and believe that your child has provided personal data to BonV without your consent, please contact us at [email protected].

Verifiable parental consent shall be obtained through mechanisms specified under the DPDP Rules, 2025, including verification through existing account information, government-issued identification, or tokens issued by authorised entities.

13. Third-Party Services and Links

Our Platform may contain links to third-party websites, platforms, or services that are not operated or controlled by BonV. This Policy does not apply to such third-party services. BonV is not responsible for the privacy practices, content, or data handling of any third-party website or service. We encourage you to review the privacy policies of any third-party services before providing your personal data.

Note: third-party tools embedded within the Platform (such as analytics or CRM services) are Data Processors acting on BonV's instructions and are subject to data processing agreements as described in Clause 6.1. BonV remains responsible for their compliance with this Policy and applicable law.

14. Grievance Officer

In accordance with Rule 5(9) of the IT Rules and the requirements of the DPDPA, BonV has designated the following Grievance Officer to address your concerns regarding data privacy and this Policy:

• Name: Roshan Senapati
• Designation: Head, Marketing
• Email: [email protected]
• Address: BonV Technology Private Limited, HD-094, WeWork Latitude, 9th Floor, RMZ Latitude Commercial, Bellary Road, Hebbal, Bangalore, Karnataka, India – 560024

The Grievance Officer shall acknowledge your complaint within a reasonable time and endeavour to resolve it within thirty (30) days of receipt, as required under applicable law. If you are not satisfied with the resolution, you may escalate your complaint to the Data Protection Board of India in accordance with the procedures prescribed under the DPDPA.

15. Changes to This Policy

BonV reserves the right to update or modify this Policy at any time. Any material changes will be communicated by posting the updated Policy on our Platform with a revised "Last Updated" date. Where material changes affect the processing of your personal data, BonV shall provide reasonable prior notice and, where required by law, obtain your renewed consent. Your continued use of the Platform or Services following the posting of changes constitutes your acceptance of the revised Policy to the extent that acceptance by continued use is valid under applicable law — certain changes will require your active, affirmative consent regardless of continued use.

16. Compliance with Indian Data Protection Regulations

BonV complies with the applicable requirements under the following legislation:

• The Information Technology Act, 2000
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• The Digital Personal Data Protection Act, 2023
• The Digital Personal Data Protection Rules, 2025

BonV shall continue to monitor and adapt its privacy practices to remain compliant with the evolving regulatory framework. BonV shall periodically assess whether it meets the criteria for designation as a Significant Data Fiduciary under Section 10 of the DPDPA, as prescribed by the Central Government from time to time, and shall implement any additional obligations applicable to Significant Data Fiduciaries upon such designation.

17. Governing Law

This Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising from or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts at Bhubaneswar, India, without prejudice to the jurisdiction of the Data Protection Board of India under the DPDPA.

18. Automated Decision-Making and Profiling

BonV may use artificial intelligence, machine learning algorithms, or other automated means to process your personal data, including for purposes such as routing enquiries, personalising content, detecting fraud, or evaluating suitability for partnerships or employment. Where such automated processing produces decisions that significantly affect you, BonV shall:

• Inform you that the decision was made using automated processing
• Provide, upon your request, a meaningful explanation of the factors considered in the automated decision
• Afford you the right to contest the decision and seek human review by a qualified BonV representative
• Correct any inaccurate personal data that may have influenced the automated decision

BonV shall not use automated processing as the sole basis for decisions that produce significant legal or similarly significant effects without human oversight.

19. Marketing and Promotional Communications

BonV will send marketing emails, SMS messages, or other promotional communications only with your prior, separate, and explicit consent, in accordance with Section 6 of the DPDPA. Consent for marketing communications is distinct from consent for other processing activities. For SMS and voice-based commercial communications, BonV complies with the Telecom Commercial Communications Customer Preference Regulations, 2018 (TRAI TCCCPR 2018). You may register your preferences (including DND status) on the TRAI preference portal.

You may opt out of marketing communications at any time by:

• Clicking the 'unsubscribe' link in any marketing email
• Updating your preferences via the consent preference centre on the Platform
• Registering on the TRAI DND registry for SMS/voice
• Contacting us at [email protected]

Opt-out requests will be processed within ten (10) business days.

20. Data Protection Impact Assessments

BonV conducts Data Protection Impact Assessments (DPIAs) for new or significantly changed processing activities that are likely to result in a high risk to the rights and freedoms of Data Principals, including:

• Systematic profiling of individuals on a large scale
• Processing of sensitive personal data on a large scale
• Automated decision-making with significant effects
• Any processing likely to result in cross-border transfer of sensitive data

Where BonV is designated as a Significant Data Fiduciary under Section 10 of the DPDPA, it shall conduct DPIAs and periodic audits as prescribed by the Central Government and submit reports to the Data Protection Board as required.

21. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or BonV's data handling practices, please contact us at:

Email: [email protected]

Address: HD-094, WeWork Latitude, 9th Floor, RMZ Latitude Commercial, Bellary Road, Hebbal, Bangalore, Karnataka, India – 560024