Last Updated: December 30, 2025
Introduction
Vector CXO ("we," "our," or "us") is committed to protecting your privacy and complying with applicable data protection laws worldwide. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or engage our services, regardless of your location.
This Privacy Policy applies globally and is designed to comply with:
India: Information Technology Act, 2000 and Digital Personal Data Protection Act, 2023
European Union/EEA: General Data Protection Regulation (GDPR)
United Kingdom: UK GDPR and Data Protection Act 2018
United States: Various state privacy laws including CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Australia: Privacy Act 1988
Other jurisdictions: Local data protection laws as applicable.
If you are subject to specific industry regulations (HIPAA, GLBA, PCI-DSS, etc.), additional terms will be specified in your Business Associate Agreement or service agreement.
Table of Contents
1. Definitions
2. Information We Collect
3. How We Use Your Information
4. Legal Basis for Processing
5. How We Share Your Information
6. International Data Transfers
7. Data Security
8. Data Retention
9. Your Privacy Rights (by Jurisdiction)
10. Cookies and Tracking Technologies
11. Third-Party Services
12. Children's Privacy
13. Regulated Industries and Special Protections
14. Changes to This Policy
15. Contact Us and Complaints
1. Definitions
Personal Data/Personal Information: Any information relating to an identified or identifiable individual.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Controller/Business: The entity that determines the purposes and means of processing personal data (Vector CXO in most cases).
Processor/Service Provider: An entity that processes personal data on behalf of the controller.
Data Subject/Consumer: The individual to whom personal data relates (you).
Sensitive Personal Data/Sensitive Personal Information: Personal data revealing racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, genetic data, sexual orientation, trade union membership, and similar categories defined by applicable law.
2. Information We Collect
2.1 Information You Provide Directly
We collect information you voluntarily provide when you:
Request a consultation or contact us
Subscribe to our newsletter
Fill out forms on our website
Engage our services
Communicate with us via email, phone, or other channels
Categories of information collected:
Contact Information:
Name
Email address
Phone number
Company name
Job title
Business address
Business Information:
Annual revenue range
Company size
Industry sector
Business workflows and processes
Pain points and automation needs
Engagement Information:
Service requirements
Project specifications
Communication preferences
Feedback and survey responses
Financial Information:
Billing address
Payment method details (processed by third-party payment processors)
Purchase history
Invoicing information
Technical Support Information:
System configurations
Error logs
Troubleshooting data
2.2 Information Collected Automatically
When you visit our website, we automatically collect:
Device Information:
IP address
Browser type and version
Operating system
Device identifiers
Screen resolution
Usage Information:
Pages visited
Time spent on pages
Links clicked
Referring/exit pages
Date and time of visits
Search queries
Interaction with website elements
Location Information:
General geographic location based on IP address
Precise location (only with your explicit consent)
Collection Methods:
Cookies
Web beacons
Pixel tags
Log files
Analytics tools
Similar tracking technologies
2.3 Information from Third Parties
We may receive information about you from:
Business partners who refer you to us
Data enrichment services that provide business contact information
Social media platforms if you interact with us there
Public databases and business registries
Analytics providers that help us understand website usage
2.4 Sensitive Personal Data
We generally do not collect sensitive personal data. However, in specific circumstances:
Health Information: If you are a healthcare client and we process Protected Health Information (PHI), we will enter into a Business Associate Agreement under HIPAA
Financial Account Information: If processing payment card data, we comply with PCI-DSS standards
Biometric Data: We do not intentionally collect biometric data
Other Sensitive Data: If your business workflows require processing sensitive data, we will implement additional safeguards and obtain explicit consent where required.
3. How We Use Your Information
We process your information for the following purposes:
3.1 Service Delivery and Contract Performance
Respond to inquiries and provide requested information
Deliver consulting and automation services
Conduct workflow analysis and audits
Design, build, and implement AI automation solutions
Provide ongoing maintenance and support
Communicate about service delivery and project updates
Process payments and maintain financial records
Fulfill contractual obligations
3.2 Business Operations
Improve our services and website
Develop new services and features
Conduct internal analytics and research
Train our team
Manage customer relationships
Maintain business records
3.3 Marketing and Communications (with consent where required)
Send newsletters and informational content
Provide updates about our services
Conduct market research
Send promotional materials (you can opt-out anytime)
3.4 Legal Compliance and Safety
Comply with legal obligations
Respond to legal processes (court orders, subpoenas)
Protect our rights and property
Detect, prevent, and address fraud and security issues
Enforce our terms and policies
Protect the safety of individuals
3.5 With Your Consent
Any other purpose for which you provide specific consent
Processing sensitive personal data (where consent is the legal basis)
4. Legal Basis for Processing
The legal basis for processing your information depends on your location and the specific context:
4.1 For EEA/UK Residents (GDPR)
We process your personal data based on:
Consent: You have given clear, affirmative consent for specific purposes (e.g., newsletter subscription, marketing communications)
Contract Performance: Processing is necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract
Legal Obligation: Processing is required to comply with legal requirements (e.g., tax laws, court orders, regulatory requirements)
Legitimate Interests: Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms.
Our legitimate interests include:
Operating and improving our business
Providing customer support
Conducting business analytics
Protecting against fraud and security threats
Direct marketing (where permitted)
Vital Interests: Processing is necessary to protect your life or that of another person (rare circumstances)
Public Interest: Processing is necessary for tasks carried out in the public interest (typically not applicable to our services)
4.2 For US Residents (State Privacy Laws)
We process personal information:
With your consent or at your direction
To provide services you requested
For purposes compatible with the context in which you provided the information
As permitted by applicable state law
4.3 For Indian Residents (DPDP Act 2023)
We process personal data:
With your explicit consent for specified purposes
For legitimate purposes as defined under Indian law
To comply with legal obligations
4.4 For Other Jurisdictions
We process data in accordance with applicable local laws and regulations.
5. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
5.1 Service Providers and Processors
We share information with third-party service providers who assist us in:
Technology Services:
Website hosting and infrastructure (e.g., AWS, Google Cloud, Microsoft Azure)
Email service providers (e.g., for newsletters and transactional emails)
Customer relationship management (CRM) systems
Project management and collaboration tools
Analytics providers (e.g., Google Analytics)
Payment processors (e.g., Stripe, Razorpay)
Cloud storage providers
Security and fraud prevention services
Professional Services:
Legal advisors
Accountants and auditors
Business consultants
Insurance providers
Contractual Requirements:
All service providers are contractually required to:
Use your information only for specified purposes
Implement appropriate security measures
Comply with applicable data protection laws
Not use your information for their own purposes
Return or delete your information upon termination (where required)
Where required by law (particularly GDPR), we enter into Data Processing Agreements (DPAs) with processors.
5.2 Business Transfers
If Vector CXO is involved in a merger, acquisition, asset sale, reorganization, or bankruptcy proceeding, your information may be transferred as part of that transaction.
We will:
Provide notice before your information is transferred
Notify you if the new entity's privacy practices differ materially
Ensure the new entity honors commitments we made in this Privacy Policy
5.3 Legal Requirements and Protection of Rights
We may disclose your information when required or permitted by law:
Legal Compliance:
In response to court orders, subpoenas, or legal processes
To comply with regulatory requirements
To respond to government or law enforcement requests
To comply with tax, accounting, or audit requirements
Protection of Rights:
To protect our rights, property, or safety
To protect the rights, property, or safety of our clients or others
To detect, prevent, or address fraud, security, or technical issues
To enforce our Terms of Service or other agreements
In connection with claims, disputes, or litigation
Emergency Situations:
To prevent imminent harm to individuals or public safety
5.4 With Your Consent
We may share your information with third parties when you explicitly consent or direct us to do so.
5.5 Aggregated and De-identified Information
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. This information is not subject to this Privacy Policy.
5.6 Information We Do Not Share
We will never:
Sell your personal information to third parties
Share your information with third parties for their direct marketing purposes (without your consent)
Share sensitive personal data without appropriate safeguards and legal basis
6. International Data Transfers
Vector CXO is based in Mumbai, India. Your information may be transferred to, stored in, and processed in India and other countries where we or our service providers operate.
These countries may have data protection laws different from those in your country of residence. When we transfer data internationally, we implement appropriate safeguards.
6.1 Transfers from EEA/UK
For transfers of personal data from the EEA or UK to countries not deemed adequate by the European Commission or UK authorities, we use:
Standard Contractual Clauses (SCCs): We enter into EU Standard Contractual Clauses (also known as Model Clauses) approved by the European Commission, or UK International Data Transfer Agreements/Addendum approved by the UK Information Commissioner's Office.
Adequacy Decisions: We transfer data to countries recognized as providing adequate protection (e.g., Canada, Japan, South Korea).
Binding Corporate Rules: If applicable in the future as we expand.
Derogations: In specific situations, we may rely on derogations such as:
Your explicit consent to the transfer
Transfer necessary for contract performance
Transfer necessary for legal claims
Transfer necessary to protect vital interests
Supplementary Measures: We conduct Transfer Impact Assessments (TIAs) and implement additional technical, organizational, and contractual measures where necessary to ensure adequate protection.
6.2 Transfers from India
For transfers of personal data from India, we comply with requirements under:
Digital Personal Data Protection Act, 2023
Information Technology Act, 2000 and rules thereunder
Any cross-border data transfer restrictions imposed by Indian authorities
6.3 Transfers from Other Jurisdictions
We comply with applicable cross-border data transfer requirements, including:
Canada (PIPEDA): Ensuring comparable protection through contracts
Australia (Privacy Act): Taking reasonable steps to ensure overseas recipients comply
US State Laws: Complying with any specific cross-border requirements
6.4 Accessing Transfer Documentation
Upon request, we will provide information about:
Countries where your data is processed
Safeguards in place for international transfers
Copies of relevant SCCs or other transfer mechanisms (with redactions for confidentiality)
7. Data Security
We implement comprehensive technical, physical, and organizational security measures to protect your personal information.
7.1 Technical Safeguards
Encryption:
Data in transit: TLS 1.2 or higher
Data at rest: AES-256 or equivalent encryption
Email communications: Encrypted where sensitive information is involved
Access Controls:
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Principle of least privilege
Regular access reviews
Network Security:
Firewalls and intrusion detection/prevention systems
Network segmentation
Virtual Private Networks (VPNs) for remote access
Regular vulnerability scanning and penetration testing
Application Security:
Secure coding practices
Regular security updates and patching
Input validation and sanitization
Protection against common vulnerabilities (OWASP Top 10)
Monitoring and Logging:
Security information and event management (SIEM)
Continuous monitoring of systems
Audit logs of data access and modifications
Anomaly detection
7.2 Physical Safeguards
Secure facilities with restricted access
Environmental controls (fire suppression, climate control)
Video surveillance where applicable
Visitor management protocols
Secure disposal of physical media containing data
7.3 Organizational Safeguards
Policies and Procedures:
Comprehensive information security policies
Incident response and breach notification procedures
Business continuity and disaster recovery plans
Regular policy reviews and updates
Personnel:
Background checks for employees with data access
Confidentiality agreements
Regular security awareness training
Clear roles and responsibilities
Separation of duties for critical functions
Vendor Management:
Due diligence assessments of service providers
Contractual security requirements
Regular vendor security reviews
Right to audit provisions
7.4 Industry-Specific Security (When Applicable)
HIPAA (Healthcare):
Administrative, physical, and technical safeguards per HIPAA Security Rule
Business Associate Agreements
Encryption of ePHI
Audit controls and integrity controls
PCI-DSS (Payment Cards):
Compliance with Payment Card Industry Data Security Standards
Secure payment processing through certified providers
No storage of sensitive authentication data
Regular security assessments
SOC 2:
Controls addressing security, availability, processing integrity, confidentiality, and privacy
Annual SOC 2 Type II audits (upon client request for enterprise clients)
7.5 Limitations
Despite our efforts, no security measures are 100% effective. We cannot guarantee absolute security of your information. In the event of a data breach, we will follow the notification procedures outlined in Section 7.6.
7.6 Data Breach Notification
In the event of a personal data breach:
Our Response:
Contain and assess the breach
Investigate the cause and scope
Take remedial actions to prevent recurrence
Document the breach
Notification to Authorities:
GDPR: Notify supervisory authority within 72 hours if the breach poses a risk
HIPAA: Notify HHS as required
India: Notify Data Protection Board as required under DPDP Act
US State Laws: Notify as required by applicable state breach notification laws
Notification to You:
Notify affected individuals without undue delay if the breach poses a high risk to rights and freedoms
Provide information about:
Nature of the breach
Categories and approximate number of individuals affected
Likely consequences
Measures taken or proposed to mitigate harm
Contact information for further inquiries
8. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this Privacy Policy or as required by law.
8.1 Retention Periods by Category
Website Visitors and Newsletter Subscribers:
Newsletter subscribers: Until you unsubscribe, plus 30 days
Website analytics: 26 months (Google Analytics default), then anonymized
Contact form inquiries: 2 years from last contact, then deleted
Cookie data: As specified in cookie settings (typically 13 months maximum)
Prospective Clients:
Initial consultation records: 2 years from consultation date
Proposal and pre-contract communications: 2 years from last contact or until contract signed
If no contract: Deleted after 2 years
Active Clients:
Contract and engagement documents: Duration of engagement plus 7 years (for legal/tax purposes)
Project deliverables and documentation: Duration of engagement plus 3 years
Communication records: Duration of engagement plus 3 years
Financial records: As required by Indian tax law (minimum 7 years) or applicable jurisdiction
Support tickets and technical data: Duration of engagement plus 2 years
Former Clients:
Essential contract and financial records: 7 years from end of engagement
Project documentation: 3 years from end of engagement, then deleted unless renewal likely
General communications: 1 year from end of engagement, then deleted
Marketing communications: Until opt-out, plus 30 days
Legal Holds:
Data subject to litigation, investigation, or regulatory inquiry: Retained until matter is resolved
8.2 Industry-Specific Retention
HIPAA (Healthcare):
Protected Health Information: 6 years from creation or last use, or as required by state law (whichever is longer)
Financial Services (GLBA):
Customer information: As required by applicable financial regulations
8.3 Deletion and Anonymization
At the end of retention periods, we will:
Delete: Securely and permanently delete personal data using secure deletion methods
Anonymize: Remove identifying elements so data cannot be linked back to individuals
Archive: For limited data required for legal compliance, archive in secure, access-restricted systems
8.4 Your Right to Request Deletion
You may request deletion of your personal data before the end of standard retention periods.
We will comply unless:
Legal obligations require us to retain the data
The data is necessary for legal claims or defense
Other legitimate legal grounds exist for continued processing
9. Your Privacy Rights (by Jurisdiction)
Your rights depend on your location and applicable laws. We honor the strongest rights regardless of location when technically feasible.
9.1 Rights for EEA/UK Residents (GDPR/UK GDPR)
You have the following rights:
1. Right to Access (Article 15)
Confirm whether we process your personal data
Obtain a copy of your personal data
Receive information about how we process your data
2. Right to Rectification (Article 16)
Correct inaccurate personal data
Complete incomplete personal data
3. Right to Erasure/"Right to be Forgotten" (Article 17)
Request deletion of your personal data when:
No longer necessary for the purposes collected
You withdraw consent (where consent was the legal basis)
You object and there are no overriding legitimate grounds
Processed unlawfully
Required for legal compliance
4. Right to Restriction of Processing (Article 18)
Restrict processing when:
Accuracy is contested
Processing is unlawful but you don't want deletion
We no longer need the data but you need it for legal claims
You've objected pending verification of legitimate grounds
5. Right to Data Portability (Article 20)
Receive your data in structured, commonly used, machine-readable format
Transmit data to another controller (where technically feasible)
6. Right to Object (Article 21)
Object to processing based on legitimate interests
Object to direct marketing (absolute right)
Object to processing for scientific/historical research or statistics
7. Rights Related to Automated Decision-Making (Article 22)
Not be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects
We generally do not engage in such automated decision-making
8. Right to Withdraw Consent
Withdraw consent at any time (where consent is the legal basis)
Withdrawal does not affect lawfulness of processing before withdrawal
9. Right to Lodge a Complaint
File a complaint with your national supervisory authority
For UK: Information Commissioner's Office (ICO)
For EEA: Your national data protection authority
Response Time: Within 1 month (extendable by 2 months for complex requests)
Free of Charge: First request is free; we may charge a reasonable fee for manifestly unfounded or excessive requests
9.2 Rights for California Residents (CCPA/CPRA)
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), you have:
1. Right to Know/Access
Categories of personal information collected
Categories of sources
Business or commercial purposes for collection
Categories of third parties with whom we share information
Specific pieces of personal information we hold about you
2. Right to Delete
Request deletion of personal information (subject to exceptions)
3. Right to Correct
Request correction of inaccurate personal information
4. Right to Opt-Out of Sale/Sharing
We do not sell personal information
We do not share personal information for cross-context behavioral advertising
No opt-out necessary, but right is available if practices change
5. Right to Limit Use of Sensitive Personal Information
We do not use sensitive personal information beyond permitted purposes
This right is available if practices change
6. Right to Non-Discrimination
We will not discriminate against you for exercising your rights
Response Time: Within 45 days (extendable by 45 days for complex requests)
Verification: We may require verification of your identity before responding
Authorized Agents: You may designate an authorized agent to make requests on your behalf
Metrics: We will provide metrics about requests received annually
9.3 Rights for Other US State Residents
Similar rights apply under other US state privacy laws:
Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA):
Right to access
Right to correct
Right to delete
Right to data portability
Right to opt-out of targeted advertising (
Right to opt-out of sale (we don't sell data)
Right to opt-out of profiling (we don't engage in this)
Response Time: 45 days (extendable by additional 45 days)
Appeals: If we deny your request, you have the right to appeal
9.4 Rights for Indian Residents (DPDP Act 2023)
Under India's Digital Personal Data Protection Act:
1. Right to Access
Summary of personal data being processed
Processing activities undertaken
Identities of Data Fiduciaries and Data Processors
2. Right to Correction
Correct inaccurate or misleading personal data
Complete incomplete personal data
3. Right to Erasure
Erase personal data when:
Consent withdrawn
Personal data no longer necessary
Processing is unlawful
4. Right to Grievance Redressal
File grievance with our Grievance Officer (see Section 15)
5. Right to Nominate
Nominate another individual to exercise rights in case of death or incapacity
Response Time: As specified by regulations (typically within reasonable timeframe)
9.5 Rights for Canadian Residents (PIPEDA)
Under Canada's Personal Information Protection and Electronic Documents Act:
1. Right to Access
Access personal information held about you
Be informed about how it's used and disclosed
2. Right to Correction
Challenge accuracy and completeness
Request corrections
3. Right to Withdraw Consent
Withdraw consent at any time (subject to legal/contractual restrictions)
4. Right to File Complaint
File complaint with Privacy Commissioner of Canada
Response Time: Within 30 days
9.6 Rights for Australian Residents (Privacy Act 1988)
Under Australia's Privacy Act:
1. Right to Access
Request access to personal information
Be informed about how it's handled
2. Right to Correction
Request correction of inaccurate, out-of-date, incomplete, or misleading information
3. Right to Complain
File complaint with Office of the Australian Information Commissioner (OAIC)
Response Time: Within 30 days
9.7 Universal Rights (All Jurisdictions)
Regardless of location, you can always:
Unsubscribe from marketing emails (click "unsubscribe" link)
Update your contact preferences
Request information about our data practices
Contact us with privacy concerns
10. How to Exercise Your Rights
To exercise any of your privacy rights:
Contact Methods:
Email (Preferred): info@vectorcxo.com
Subject Line: "Privacy Rights Request - [Your Name]"
Mail:
Vector CXO
Attention: Privacy/Data Protection Officer
Mumbai, Maharashtra, India
Information to Include:
Your full name
Email address
Phone number (optional)
Description of your request
Jurisdiction (country/state you're located in)
Preferred method of response
Any additional information that helps us verify your identity and locate your data
Verification Process:
To protect your privacy, we must verify your identity before processing requests.
We may:
Request additional identifying information
Ask you to confirm details about your interactions with us
Use third-party verification services (with your consent)
For sensitive requests, require additional verification steps
Authorized Agents:
You may designate an authorized agent to submit requests on your behalf.
We require:
Written authorization signed by you
Proof of the agent's identity
Verification of your identity
Response Timeline:
EEA/UK: Within 1 month (extendable to 3 months for complex requests)
California/US States: Within 45 days (extendable to 90 days for complex requests)
India: Within reasonable timeframe as specified by regulations
Canada/Australia: Within 30 days
Extensions:
If we need more time, we will:
Notify you within the initial response period
Explain the reason for the extension
Provide an estimated completion date
No Fee (Generally):
Your first request is free.
We may charge a reasonable fee for:
Manifestly unfounded or excessive requests
Additional copies beyond the first
Administrative costs for complex requests
Denial of Requests:
If we deny your request (in whole or part), we will:
Explain the reason for denial
Inform you of your right to appeal or complain to supervisory authorities
Provide information about how to exercise those rights
11. Cookies and Tracking Technologies
We use cookies and similar technologies to collect information about your browsing activities.
11.1 What Are Cookies?
Cookies are small text files stored on your device that allow websites to recognize your device and remember information about your visit.
11.2 Types of Cookies We Use
Essential/Strictly Necessary Cookies
Purpose: Enable core website functionality
Examples: Session management, security, load balancing
Legal Basis: Legitimate interest (necessary for service provision)
Can you opt-out? No, these are required for the website to function
Analytics/Performance Cookies
Purpose: Understand how visitors use our website
Examples: Google Analytics, heatmaps, page view tracking
Information Collected: Pages visited, time spent, bounce rate, traffic sources
Legal Basis: Consent (in jurisdictions requiring it) or legitimate interest
Can you opt-out? Yes
Functional Cookies
Purpose: Remember your preferences and choices
Examples: Language preferences, region selection, display preferences
Legal Basis: Consent or legitimate interest
Can you opt-out? Yes, but may affect functionality
Marketing/Advertising Cookies
Purpose: Deliver relevant advertisements and measure campaign effectiveness
We currently: Do not use these cookies
If we implement: Will obtain explicit consent and provide clear opt-out
11.3 Third-Party Cookies
We use services that may set their own cookies:
Google Analytics:
Collects anonymous usage statistics
11.4 Cookie Duration
Session Cookies: Deleted when you close your browser
Persistent Cookies: Remain until expiration date or manual deletion
Analytics cookies: Typically 13-26 months
Functional cookies: Varies by purpose
We limit cookie duration to what's necessary
11.5 Managing Cookies
Browser Settings:
Most browsers allow you to:
View cookies stored on your device
Delete existing cookies
Block some or all cookies
Receive warnings before cookies are stored
Our Cookie Settings:
Note: Blocking cookies may affect website functionality
11.6 Other Tracking Technologies
Web Beacons/Pixel Tags:
Tiny graphics used to track email opens and website actions
Used in: Emails, web pages
Opt-out: Disable images in email client
Log Files:
Automatically recorded by web servers
Include: IP address, browser type, ISP, pages viewed, timestamps
Used for: Security, troubleshooting, analytics
Anonymized after retention period
Device Fingerprinting:
We do not currently use device fingerprinting
If implemented: Will disclose clearly and obtain consent where required
11.7 Do Not Track (DNT) Signals
Currently, there is no industry standard for responding to Do Not Track signals. We do not currently respond to DNT signals but will update this policy if standards emerge.
11.8 Global Privacy Control (GPC)
For jurisdictions requiring it (California, Colorado, Connecticut), we will recognize and honor Global Privacy Control signals as opt-outs from sale/sharing of personal information.
12. Third-Party Services and Links
12.1 Third-Party Services We Use
We use various third-party services that may collect information:
Examples (specify your actual services):
Hosting: [e.g., AWS, Google Cloud]
Email: [e.g., Google Workspace, Microsoft 365]
Newsletter: [e.g., Mailchimp, SendGrid]
Analytics: [e.g., Google Analytics]
CRM: [e.g., HubSpot, Salesforce]
Payment Processing: [e.g., Stripe, Razorpay]
Calendar/Scheduling: [e.g., Calendly]
Communication: [e.g., Slack, Zoom]
Each service has its own privacy policy. We encourage you to review them.
12.2 Third-Party Links
Our website may contain links to third-party websites, including:
Partner websites
Social media platforms
Resource libraries
Blog posts and articles
We are not responsible for:
Privacy practices of third-party websites
Content on external sites
Accuracy of information on linked sites
Recommendation: Review privacy policies of any websites you visit through their links
12.3 Social Media Features
We may include social media features (share buttons, embedded content) that:
May collect your IP address and page visited
May set cookies to enable functionality
Are governed by the privacy policies of the respective platforms
Social Media Platforms We May Link To:
LinkedIn
Twitter/X
Facebook
YouTube
[Others as applicable]
12.4 Embedded Content
We may embed content from third-party platforms:
YouTube videos
LinkedIn posts
Twitter feeds
[Others]
These embeds may collect data about your interactions.
Refer to the platform's privacy policy for details.
13. Children's Privacy
13.1 Age Restrictions
Our services are not directed to individuals under 18 years of age (or the age of majority in your jurisdiction).
We do not knowingly collect personal information from children.
13.2 If We Learn of Collection from Children
If we become aware that we have collected information from a child without proper parental consent:
We will delete the information as soon as possible
We will not use the information for any purpose
We will not disclose the information to third parties
13.3 Parental Notice
If you are a parent or guardian and believe we have collected information from your child, please contact us immediately at info@vectorcxo.com with:
Your child's name
Your relationship to the child
Details about the information you believe was collected
We will investigate and take appropriate action.
13.4 Children's Online Privacy Protection Act (COPPA) - US
We comply with COPPA requirements and do not:
Collect personal information from children under 13
Condition participation on disclosure of more information than necessary
Disclose children's information to third parties without parental consent
14. Regulated Industries and Special Protections
14.1 Healthcare - HIPAA Compliance
If you are a healthcare provider or we process Protected Health Information (PHI):
Business Associate Agreement (BAA):
We will enter into a HIPAA-compliant BAA before processing PHI
BAA specifies permitted uses and disclosures
BAA requires implementation of appropriate safeguards
HIPAA Safeguards:
Administrative safeguards (policies, training, incident response)
Physical safeguards (facility access, device security)
Technical safeguards (encryption, access controls, audit logs)
Patient Rights:
Right to access PHI
Right to request amendments
Right to accounting of disclosures
Right to request restrictions
Right to confidential communications
Breach Notification:
Notify you of breaches affecting PHI within 60 days
Notify HHS for breaches affecting 500+ individuals
Notify affected individuals as required
Business Associate Subcontractors:
Obtain satisfactory assurances (BAAs) from subcontractors
Ensure downstream compliance with HIPAA
Minimum Necessary:
Limit PHI use and disclosure to minimum necessary
Implement role-based access controls
De-identification:
May create de-identified data sets compliant with HIPAA standards
De-identified data not subject to HIPAA restrictions
Contact for HIPAA Matters: info@vectorcxo.com (Subject: HIPAA/BAA)
14.2 Financial Services - GLBA and PCI-DSS
Gramm-Leach-Bliley Act (GLBA):
If we process non-public personal information (NPI) of customers of financial institutions:
Comply with Safeguards Rule requirements
Implement appropriate security measures
Provide privacy notices as required
Respect opt-out rights for information sharing
Payment Card Industry Data Security Standard (PCI-DSS):
For payment card data:
Use PCI-DSS certified payment processors (Stripe, Razorpay, etc.)
Do not store sensitive authentication data (CVV, PIN)
Encrypt cardholder data in transit and at rest
Implement strong access controls
Regularly monitor and test security systems
Maintain information security policies
Contact for Financial Compliance: info@vectorcxo.com (Subject: Financial Compliance)
14.3 European Health Data
Processing Health Data under GDPR:
Explicit consent or other lawful basis required (Article 9)
Appropriate safeguards for special category data
Data Protection Impact Assessment (DPIA) conducted
Enhanced security measures
Limited retention periods
14.4 Other Regulated Industries
If your industry has specific requirements (legal, government, education, etc.):
We will discuss compliance requirements during engagement
Additional terms will be specified in service agreements
We will implement industry-appropriate safeguards
15. International Users - Jurisdiction-Specific Information
15.1 European Economic Area (EEA) and United Kingdom
Data Protection Officer (DPO):
Email: info@vectorcxo.com
(Subject: DPO/Data Protection)
EU Representative (if required): [To be appointed if we regularly process data of EU residents]
UK Representative (if required): [To be appointed if we regularly process data of UK residents]
Lawful Basis for Processing: Specified in Section 4.1
Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing activities
Supervisory Authority: You may lodge complaints with your national data protection authority. Find your authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en
International Transfers: See Section 6 for information about transfers outside EEA/UK
15.2 California, United States
Business Information:
Vector CXO does not sell personal information.
Vector CXO does not share personal information for cross-context behavioral advertising.
California Privacy Rights: See Section 9.2
"Shine the Light" Law: Under California Civil Code Section 1798.83, California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
Contact: info@vectorcxo.com (Subject: California Privacy Rights)
Metrics (Annual Report): We will publish an annual report of privacy rights requests metrics.
15.3 Other US States
Virginia, Colorado, Connecticut, Utah: See Section 9.3 for your rights.
Contact: info@vectorcxo.com (Subject: State Privacy Rights - [Your State])
15.4 India
Data Fiduciary: Vector CXO
Grievance Officer:
Name: [Your Name or Designated Person]
Email: info@vectorcxo.com
Address: Mumbai, Maharashtra, India
Response Time: Within 30 days
Data Protection Board: Once established, you may file complaints with India's Data Protection Board.
Consent Management: We obtain and manage consent in accordance with DPDP Act requirements.
Children's Data: We do not process data of children (under 18) without verifiable parental consent.
15.5 Canada
Privacy Commissioner: Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca
Provincial Privacy Laws: If you're in a province with specific privacy laws (e.g., Quebec, British Columbia, Alberta), additional rights may apply.
15.6 Australia
Privacy Commissioner: Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au
Australian Privacy Principles (APPs): We comply with the Australian Privacy Principles.
Overseas Disclosure: See Section 6 regarding international transfers.
15.7 Other Jurisdictions
If your jurisdiction is not listed:
We comply with applicable local data protection laws
Contact us to discuss specific requirements: info@vectorcxo.com
16. Changes to This Privacy Policy
16.1 How We Update This Policy
We may update this Privacy Policy periodically to reflect:
Changes in our practices
Changes in applicable laws
New services or features
Feedback from users or regulators
16.2 Notice of Material Changes
For material changes, we will:
Update the "Last Updated" date
Post the revised policy on our website
Send email notification to:
Newsletter subscribers
Active clients
Recent inquirers (within past 6 months)
Provide prominent notice on our website for 30 days
Material changes include:
New purposes for processing data
New categories of data collected
Changes to data retention periods
New third-party sharing arrangements
Changes in user rights
Changes in security practices
16.3 Non-Material Changes
For non-material changes (e.g., clarifications, formatting, contact information updates):
Update the "Last Updated" date
Post the revised policy on our website
No additional notification required
16.4 Your Continued Use
Your continued use of our website or services after changes take effect constitutes acceptance of the updated Privacy Policy.
If you do not agree with changes:
Discontinue use of our services
Request deletion of your data
Contact us to discuss concerns
16.5 Archive of Previous Versions
Upon request, we can provide previous versions of this Privacy Policy.
17. Contact Us and Data Protection Inquiries
17.1 General Privacy Questions
Email: info@vectorcxo.com
Subject Line: Privacy Inquiry
Mail:
Vector CXO
Attention: Privacy Officer
Mumbai, Maharashtra, India
17.2 Data Protection Officer (DPO)
For EEA/UK and other GDPR-related matters:
Email: info@vectorcxo.com
Subject Line: DPO - [Your Issue]
17.3 Grievance Officer (India)
For Indian residents under DPDP Act:
Name: [Your Name or Designated Person]
Email: info@vectorcxo.com
Subject Line: Grievance - [Your Issue]
Response Time: Within 30 days
17.4 Exercise Your Rights
Email: info@vectorcxo.com
Subject Line: Privacy Rights Request - [Specific Right]
Include:
Your name and contact information
Description of your request
Jurisdiction (location)
Information to help us verify your identity
17.5 Report a Concern or Complaint
If you believe we have violated your privacy rights or applicable laws:
Internal Complaint:
Contact us using details above
We will investigate and respond within timeframes required by law
We will work to resolve your concern
External Complaint: You may also file complaints with:
EEA/UK: Your national data protection authority
California: California Attorney General
India: Data Protection Board (once established)
Canada: Office of the Privacy Commissioner
Australia: Office of the Australian Information Commissioner
Other jurisdictions: Your local privacy regulator
17.6 Response Timeframes
We aim to respond to all inquiries within:
General questions: 5 business days
Rights requests: As specified in Section 9 (typically 30-45 days)
Complaints: 30 days
Urgent security matters: 24-48 hours
18. Additional Information
18.1 Language
This Privacy Policy is written in English. Translations may be provided for convenience, but in case of conflict, the English version prevails.
18.2 Severability
If any provision is found unenforceable, the remaining provisions remain in full effect.
18.3 No Waiver
Our failure to enforce any provision does not constitute a waiver of that provision.
18.4 Entire Agreement
This Privacy Policy, together with our Terms of Service, constitutes the entire agreement regarding privacy