
SustainableX Comprehensive Privacy Policy

Effective Date: 11th October 2024

Table of Contents

  1. Introduction
  2. Definitions
  3. Data We Collect
  4. How We Use Your Data
  5. Data Processing and LLM Technology
  6. Data Sharing and Third-Party Services
  7. International Data Transfers
  8. Data Retention and Security
  9. Your Rights and Choices
  10. Children's Privacy
  11. Specific Provisions for Different Jurisdictions
  12. Changes to This Privacy Policy
  13. Contact Us

1. Introduction

SustainableX, a brand of Bhavi Ventures Private Limited ("we", "us", "our", or "Company"), is committed to protecting your privacy and ensuring the security of your personal and business data. This Comprehensive Privacy Policy explains in detail how we collect, use, process, share, and protect your data when you use our ESG report writing platform and related services (collectively, the "Services").

Our Services include, but are not limited to, generating ESG reports, annual reports, audit reports, SEC filings, and other related documents based on user-provided context files and third-party data API connections. We utilize advanced technologies, including Large Language Models (LLMs), to process and analyze data to generate these reports.

This policy applies to all users of our Services, including but not limited to website visitors, registered users, clients, and business partners. By using our Services, you agree to the collection, use, and processing of information in accordance with this policy.

We understand that the nature of our Services involves handling sensitive business information, and we take this responsibility very seriously. This policy is designed to address potential concerns regarding data privacy, especially in relation to the use of LLMs and international data transfers.

2. Definitions

To ensure clarity throughout this policy, we define the following terms:

- Personal Data: Any information relating to an identified or identifiable natural person.

- Business Data: Any information relating to a business entity, including but not limited to financial data, operational data, and strategic information.

- User: Any individual or entity using our Services.

- Large Language Model (LLM): Advanced AI models used to process and generate human-like text based on input data.

- Data Controller: The entity that determines the purposes and means of processing personal data.

- Data Processor: The entity that processes personal data on behalf of the data controller.

- GDPR: The General Data Protection Regulation, a regulation in EU law on data protection and privacy.

- CCPA: The California Consumer Privacy Act, a state statute intended to enhance privacy rights and consumer protection for residents of California.

3. Data We Collect

We collect and process various types of data to provide and improve our Services:

User-Provided Data:
- Account Information: Name, email address, job title, company name, and other details provided during account creation or update.
- Context Files: Documents, spreadsheets, presentations, and other files uploaded by users for report generation.
- Custom Report Parameters: User-defined settings and preferences for report generation.

Automatically Collected Data:
- Usage Data: Information on how you interact with our Services, including features used, time spent, and actions taken.
- Device and Connection Data: IP address, browser type, operating system, and other technical identifiers.
- Log Data: Server logs, error reports, and performance data.

Third-Party Data:
- API-Connected Data: Information retrieved from third-party APIs as authorized by the user.
- Public Data: Publicly available information relevant to report generation.

Derived Data:
- Generated Reports: The output produced by our Services based on user inputs and other data sources.
- Analytics: Aggregated and anonymized data used for service improvement and research.

4. How We Use Your Data

We use your data for the following purposes:

Service Provision and Improvement:
- To generate reports and documents as requested by users.
- To personalize and improve our Services based on user preferences and usage patterns.
- To develop new features and enhance existing functionalities.

Communication and Support:
- To respond to user inquiries and provide customer support.
- To send service-related notifications and updates.

Research and Development:
- To train and improve our AI models and algorithms.
- To conduct research to advance ESG reporting and related fields.

Legal and Compliance:
- To comply with legal obligations and regulatory requirements.
- To detect and prevent fraudulent or illegal activities.

Business Operations:
- For internal business purposes such as auditing, data analysis, and research.

5. Data Processing and LLM Technology

Our Services utilize advanced LLM technology to process and analyze data for report generation. This section provides detailed information about how we use LLMs and the implications for your data:

LLM Processing:
- User-provided context files and API-connected data are processed by LLMs to generate reports.
- LLMs analyze the input data to extract relevant information, identify patterns, and generate human-readable content.

Data Transformation:
- Before processing by LLMs, we transform your data to optimize it for AI analysis while preserving its essential meaning.
- This transformation may include techniques such as tokenization, embedding, and vectorization.

LLM Providers:
- We currently use LLM services provided by OpenAI and other providers based in the United States.
- These providers act as our data processors and are contractually bound to protect your data and use it solely for the purpose of providing their services to us.

Data Anonymization and Encryption:
- Where possible, we anonymize or pseudonymize data before it is processed by LLMs.
- All data transfers to and from LLM providers are encrypted using industry-standard protocols.

LLM Output:
- The reports generated by LLMs are based on the input data but do not reproduce it verbatim.
- Generated reports are provided to you as a draft and should be reviewed for accuracy and completeness before use.

Continuous Improvement:
- We may use anonymized and aggregated data to improve our LLM algorithms and report generation processes.
- This improvement process does not involve sharing your specific data or reports with third parties.

6. Data Sharing and Third-Party Services

We may share your data with third parties in the following circumstances:

Service Providers:
- We engage third-party service providers to perform various business functions. These providers have access to your data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

LLM Providers:
- As mentioned in Section 5, we use LLM services provided by companies like OpenAI. These providers process your data solely for the purpose of generating reports as part of our Services.

API Connections:
- When you choose to connect third-party APIs to our Services, data may be shared with these third-party services as necessary to provide the requested functionality.

Legal Requirements:
- We may disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

Business Transfers:
- If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction.

With Your Consent:
- We may share your data with third parties when we have obtained your prior consent to do so.

7. International Data Transfers

Given the global nature of our Services and the use of US-based LLM providers, your data may be transferred to and processed in countries other than your country of residence. This section outlines our approach to international data transfers:

Data Transfer Mechanisms:
- For transfers from the EU, EEA, and UK to countries not deemed to provide an adequate level of data protection, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission.

U.S. Data Processing:
- As our LLM providers are based in the U.S., your data may be processed on servers located in the United States. We ensure that such transfers comply with applicable data protection laws.

India Data Localization:
- For users in India, we comply with any applicable data localization requirements. Certain data may be stored and processed on servers located in India.

Safeguards:
- Regardless of the country where your data is processed, we apply the same high standards of data protection as described in this policy.
- We have implemented technical and organizational measures to protect your data during international transfers and processing.

8. Data Retention and Security

Data Retention:
- We retain your data for as long as necessary to provide our Services and comply with our legal obligations.
- You can request deletion of your account and associated data at any time, subject to any legal requirements to retain certain data.

Security Measures:
- We implement and maintain appropriate technical and organizational security measures to protect your data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- These measures include encryption, access controls, regular security assessments, and employee training.

Data Breach Notification:
- In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authorities as required by applicable law.

9. Your Rights and Choices

Depending on your location, you may have certain rights regarding your data. These may include:

- Right to access and obtain a copy of your data
- Right to rectify inaccurate data
- Right to erasure (or "right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
- Right to withdraw consent

To exercise these rights, please contact us using the information provided in the "Contact Us" section.

10. Children's Privacy

Our Services are not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to remove that information from our servers.

11. Specific Provisions for Different Jurisdictions

European Union (EU) and European Economic Area (EEA): For users in the EU and EEA, we comply with the General Data Protection Regulation (GDPR). In addition to the rights outlined in Section 9, you have the right to:
- Lodge a complaint with a supervisory authority
- Object to processing for direct marketing purposes

We process your data on the following legal bases:
- Consent
- Performance of a contract
- Compliance with legal obligations
- Legitimate interests

United Kingdom (UK): For users in the UK, we comply with the UK GDPR and the Data Protection Act 2018. Your rights and our obligations are substantially similar to those outlined for EU/EEA users.

United States of America (USA): For users in the USA, we comply with applicable federal and state privacy laws, including the California Consumer Privacy Act (CCPA) for California residents. Under the CCPA, you have the right to:
- Know what personal information is being collected about you
- Know whether your personal information is sold or disclosed and to whom
- Say no to the sale of personal information
- Access your personal information
- Request deletion of your personal information
- Not be discriminated against for exercising your privacy rights

India: For users in India, we comply with applicable data protection laws, including the Information Technology Act, 2000 and its associated rules. We are committed to protecting your data and respecting your privacy rights as outlined in this policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Bhavi Ventures Private Limited
603, Inizio, Cardinal Gracious Road, Chakala, Andheri East, Mumbai-400099, Maharashtra, INDIA.

Email: info@sustainablex.in
Phone: +919967049877

CIN: U74120MH2015PTC265553
GSTIN: 27AAGCB7638C1ZP

For EU/EEA Users: You may also contact our EU representative at: info@sustainablex.in

For UK Users: You may also contact our UK representative at: info@sustainablex.in


© 2025 SustainableX. All rights reserved.
