Privacy Policy

How BXIM Consultancy Private Limited collects, uses, stores, and protects your personal information.

Effective date: 22 May 2025
Last updated: 22 May 2025
Version: 1.0

1. Introduction

BXIM Consultancy Private Limited ("BXIM", "we", "us", or "our"), a company incorporated under the Companies Act, 2013, with CIN U72900DL2023PTC409614 and GSTIN 07AALCB3545M1ZB, registered at JP Gupta, 74, Krishna Nagar, Anarkali Colony South, New Delhi — 110051, India, is committed to safeguarding the privacy of every individual who visits our website or engages with our services.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and the rights you have regarding your data. This policy applies to our website at bxim.in and all services provided by BXIM Consultancy.

By using our website or contacting us, you acknowledge that you have read, understood, and agreed to this Privacy Policy. If you do not agree, please discontinue using our website or services.

2. Applicable Laws

This policy is governed by and construed in accordance with:

  • The Information Technology Act, 2000 (as amended)
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • The Digital Personal Data Protection Act, 2023 (DPDP Act)
  • Any other applicable Indian laws relating to privacy and data protection

3. Information We Collect

3.1 Information You Provide Directly

We collect personal information when you:

  • Submit a contact form or enquiry form on our website
  • Book a consultation through Calendly or our booking form
  • Send us an email at info@bxim.in
  • Contact us via WhatsApp or telephone
  • Engage us for a paid cybersecurity consulting service

The categories of personal data collected include:

  • Identity data: Full name, job title, designation
  • Contact data: Email address, phone number, WhatsApp number
  • Business data: Company name, industry, company size, website URL
  • Engagement data: Service requirements, security concerns, preferred consultation date and time
  • Communication data: Content of emails, messages, and meeting notes
  • Financial data: Invoice and payment details (processed via third-party payment processors; we do not store card or bank account numbers)

3.2 Information Collected Automatically

When you visit our website, we may automatically collect:

  • Technical data: IP address, browser type, browser version, device type, operating system
  • Usage data: Pages visited, time spent on pages, referring URLs, links clicked
  • Cookie data: As described in Section 9 of this policy

3.3 Sensitive Personal Data or Information (SPDI)

As a cybersecurity consultancy, the nature of our work may involve access to client systems and documentation that could contain sensitive information. Any such access is strictly scoped to the agreed engagement, subject to a separate written authorization and Non-Disclosure Agreement (NDA), and handled according to the confidentiality obligations in our engagement contracts. We do not collect SPDI through our website forms.

4. How We Use Your Information

We use collected personal data for the following lawful purposes:

  • Service delivery: To respond to enquiries, deliver contracted security consulting services, and fulfil engagement obligations
  • Consultation scheduling: To book, confirm, and manage consultation appointments
  • Communications: To send service-related communications, updates, and reports
  • Legal compliance: To maintain records required under Indian law, including the Companies Act and GST regulations
  • Security and fraud prevention: To protect our website, systems, and users from unauthorized access
  • Website improvement: To understand how visitors use our website and improve content and user experience
  • Marketing (with consent): To send service updates or cybersecurity insights where you have given explicit consent; you may withdraw consent at any time

We process your personal data only where we have a lawful basis to do so: performance of a contract, compliance with a legal obligation, legitimate interests, or your explicit consent.

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do not sell, rent, trade, or transfer your personal information to any third party for commercial, marketing, or advertising purposes under any circumstances.

5.2 Third-Party Service Providers

We share personal data only with trusted third-party service providers who assist us in operating our website and delivering services, strictly on a need-to-know basis and under data processing terms:

  • Calendly Inc.: For scheduling consultations. Calendly's own Privacy Policy applies to data processed through their platform.
  • Google (Workspace): For email (Gmail), maps, and productivity tools. Google's Privacy Policy governs data processed through their services.
  • WhatsApp Business (Meta): For client communications where initiated by the client. Meta's Privacy Policy applies.
  • Payment processors: For invoicing and payment collection. Payment processors operate under their own PCI-DSS compliance obligations.
  • Cloud hosting / CDN providers: For website hosting and performance. Data is stored on secure, reputable infrastructure.

5.3 Legal Disclosure

We may disclose your personal information if required to do so by law, court order, or governmental authority, including under the Information Technology Act, 2000, or in good faith belief that such disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our assets, personal data held by us may be transferred to the successor entity, provided they agree to handle it in accordance with this Privacy Policy.

6. Data Retention

We retain personal data for as long as necessary for the purposes for which it was collected:

  • Enquiry and contact data: Up to 12 months after the enquiry, unless it converts to an engagement
  • Client engagement data: 7 years from the end of the engagement, as required for financial record-keeping under Indian law
  • Communication records: Up to 3 years from the date of last communication
  • Website analytics data: Typically retained in aggregated or anonymized form; individual session data for up to 14 months

When data is no longer required, it is securely deleted or anonymized.

7. Your Rights

Under applicable Indian data protection laws, and to the extent the Digital Personal Data Protection Act, 2023 applies, you have the following rights:

  • Right to access: You may request a copy of the personal data we hold about you
  • Right to correction: You may request correction of inaccurate or incomplete personal data
  • Right to erasure: You may request deletion of your personal data, subject to our legal retention obligations
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal
  • Right to nominate: Under the DPDP Act, you may nominate another individual to exercise your rights in the event of incapacity or death
  • Right to grievance redressal: You may raise a complaint with us and, if unresolved, with the Data Protection Board of India once constituted

To exercise any of these rights, please contact our Data Controller at info@bxim.in. We will respond within 30 days of receiving a verifiable request.

8. Data Security

As a cybersecurity consultancy, we hold data security to the highest standard. We implement and maintain appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption of data in transit (TLS/HTTPS on all website connections)
  • Access controls limiting personal data access to authorized personnel only
  • Regular review of security practices and vendor security posture
  • Secure handling of all engagement-related documentation under NDA
  • No storage of payment card data on our systems

While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of data transmitted to us electronically.

9. Cookies Policy

9.1 What Are Cookies

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently and to provide analytical information.

9.2 Cookies We Use

  • Strictly necessary cookies: Essential for the website to function and cannot be disabled. These include session and security cookies.
  • Analytics cookies: Help us understand how visitors interact with our website (e.g., pages visited, time on site). Data is aggregated and anonymized where possible.
  • Third-party cookies: Calendly and Google Maps embeds may set cookies when you interact with those features.

9.3 Managing Cookies

You may disable cookies through your browser settings. Disabling strictly necessary cookies may affect website functionality. Third-party cookies can be managed through the relevant third-party privacy settings.

10. Children's Privacy

Our website and services are intended for business professionals and organizations. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will promptly delete it. If you believe a minor's data has been provided to us, please contact us immediately at info@bxim.in.

11. International Data Transfers

Our primary operations and data storage are located in India. Where third-party service providers (such as Calendly or Google Workspace) process data outside India, we ensure they maintain appropriate security standards and comply with applicable data protection laws. By using our website and services, you consent to such transfers where necessary for the delivery of the service.

12. Links to Third-Party Websites

Our website may contain links to third-party websites. This Privacy Policy does not apply to those external websites. We encourage you to review the privacy policies of any third-party sites you visit. BXIM is not responsible for the privacy practices or content of third-party websites.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational changes. The updated policy will be posted on this page with a revised "Last Updated" date. For material changes, we will notify active clients by email. Continued use of our website or services after the effective date of changes constitutes your acceptance of the updated policy.

14. Grievance Officer

As required under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer to address any concerns regarding this Privacy Policy or the handling of your personal data:

Name: Grievance Officer — BXIM Consultancy

Organization: BXIM Consultancy Private Limited

Address: JP Gupta, 74, Krishna Nagar, Anarkali Colony South, New Delhi, East Delhi, Delhi – 110051

Email: info@bxim.in

Phone: +91 8588080901

Response time: Within 30 days of receipt of complaint