Privacy policy.
This policy describes how Banao Pvt Ltd ("Vikaas", "we", "us") collects, uses, stores, and protects information in connection with our B2B lead generation and hiring sourcing service. We've written it in plain language because privacy policies should be readable.
Effective: May 1, 2026 · Banao Pvt Ltd · Bengaluru, Karnataka, India
1. Who we are
Banao Pvt Ltd is the data controller for the Vikaas service. Our registered address is in Bengaluru, Karnataka, India. We provide AI-native B2B lead generation and senior talent sourcing services, operated primarily on LinkedIn. Our service is business-to-business; we do not target individuals acting in a personal, non-commercial capacity.
For GCC-region engagements, services are delivered through Banao's Dubai operations, subject to the same data handling commitments described in this policy.
2. What data we collect and from whom
We interact with three categories of data subjects in the course of delivering our service:
2.1 Customer contacts (the businesses that hire us)
When a company engages Vikaas, we collect and process:
- Business contact details of the engagement owner and other designated contacts (name, work email, LinkedIn profile, phone if provided)
- Company information (company name, website, size, funding stage, industry)
- Service configuration data (ICP definitions, brand voice samples, role specifications, compensation bands)
- Access credentials for CRM, ATS, and LinkedIn accounts operated on the customer's behalf (stored encrypted, access-controlled)
- Payment and billing information (invoiced entity, billing address, bank details for payment processing)
- Communication history (emails, call notes, strategy sync records)
2.2 Prospects and candidates (people reached through our service)
For buyers and candidates reached through outreach pipelines, we process:
- Publicly available LinkedIn profile information (name, current role, company, location, connection count, mutual connections, education, career history)
- Signal data derived from public professional activity (job changes, company announcements, posts, etc.)
- Conversation transcripts of LinkedIn messages exchanged between the customer's account and the prospect or candidate
- Intent classification and notes added by Vikaas operators based on those conversations
2.3 Website visitors (vikaas.ai)
When you visit vikaas.ai, we may collect basic server log data including IP address, browser type, referring URL, and pages visited. We use this only for security monitoring and aggregate analytics. We do not currently run third-party analytics scripts or advertising trackers on the site. If we add any, we will update this policy and seek consent where required.
2.4 What we do NOT collect
- Sensitive personal data of prospects or candidates (health, religion, political views, sexual orientation, financial details) — unless explicitly authorised
- Customer end-customer data (the customer's customers' transaction or product data)
- Employee payroll or salary data beyond what's needed for a specific senior hiring role
- Children's data (see Section 9)
3. How we use the data
We use customer contact and service configuration data to: deliver the contracted service; communicate about the service (weekly reports, strategy syncs, invoices); improve our service operations; and comply with legal obligations.
We use prospect and candidate data to: identify and prioritise outreach targets; conduct outreach on the customer's behalf; track and report on outreach performance; and manage do-not-contact lists.
We use website visitor data to: ensure the security and proper function of vikaas.ai; and understand aggregate traffic patterns (no personal profiling).
We do not use any category of data for: advertising or marketing to third parties; selling data to data brokers; building profiles beyond what's needed for service delivery; or automated decision-making that produces legal or similarly significant effects on individuals without human oversight.
4. How we share data (sub-processors)
We do not sell customer data. We share data only with third-party sub-processors needed to deliver the service, under contractual data protection terms. Our standard sub-processor categories include:
- Cloud infrastructure provider (hosting, encryption, backup)
- AI and machine learning providers (message drafting, signal scoring) — provider names disclosed under NDA
- Email and calendar systems (customer communications)
- Encrypted credential storage systems
- Customer support and project management tools (internal use only; no customer data exposed)
The current authoritative sub-processor list is shared with customers on first engagement and updated with 30 days' advance notice before any new sub-processor that processes customer-confidential data is added. Customers may object to new sub-processors within 15 days; if reasonable accommodation is not possible, they may terminate the affected pipeline without early-termination fees.
We may also share data when required by law, court order, or regulatory authority, in which case we will notify the customer to the extent legally permitted.
5. How long we keep data
During engagement: All customer and pipeline data is retained for the duration of the engagement.
Post-engagement window: Customer-confidential data is retained for 90 days after engagement end to support clean handoff, respond to post-engagement queries, and manage any disputes. After 90 days, it is deleted from production systems.
Encrypted backups: Encrypted backups are retained for 90 days from their creation date, after which they are securely overwritten. Customer data is therefore fully deleted from all backup systems within 180 days of engagement end at the latest.
Exception — legal holds: If data is subject to a legal hold, court order, or active dispute, it may be retained beyond standard timelines until the hold is lifted. The customer will be notified where legally permissible.
Website logs: Server log data is retained for 90 days for security purposes, then deleted.
Early deletion is available on written request at any time. Standard deletion completes within 30 calendar days; emergency deletion (regulatory order or data breach response) within 5 business days.
6. How we protect data
Security measures we maintain for customer data:
- TLS 1.3 encryption in transit for all customer-facing endpoints
- AES-256 encryption at rest for all data stores and backups
- Role-based access control; principle of least privilege; multi-factor authentication mandatory for all operator accounts
- Annual third-party penetration testing
- Continuous automated vulnerability scanning
- Background verification and security training for all personnel with customer data access
- SOC 2 Type II audit engaged (target Q4 2026)
Despite these measures, no security system is impenetrable. In the event of a data breach involving personal data, we will notify affected customers within 24 hours of confirmation and report to relevant regulators within applicable statutory timelines.
7. Your rights under DPDP and other laws
Under India's Digital Personal Data Protection Act, 2023, and other applicable privacy laws, data principals (individuals) have the following rights with respect to their personal data processed by Vikaas:
- Right to access: You may request a copy of the personal data we hold about you.
- Right to correction: You may request that we correct inaccurate personal data.
- Right to erasure: You may request deletion of your personal data, subject to any legal retention obligations.
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to nominate: Under DPDP, you may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
- Right not to be contacted: If you are a prospect or candidate reached through our outreach and you wish not to be contacted again, notify us at privacy@vikaas.ai or reply "unsubscribe" or "remove me" to any LinkedIn message and we will add you to our do-not-contact list within 2 business days.
To exercise any right, contact privacy@vikaas.ai. We will respond within 30 days (or within the applicable statutory period if shorter). We may need to verify your identity before processing a request.
If you are a data subject in the GCC, EU, or UK, additional rights may apply under your local law. We will honour applicable rights and can provide jurisdiction-specific information on request.
8. AI and automated decision-making
AI is used in our service for signal scoring, message drafting, and intent classification. None of these AI functions produce decisions with legal or similarly significant effects on prospects, candidates, or customers without human operator oversight. See our AI usage policy for a detailed disclosure of where AI is and is not used.
9. Children's privacy
Vikaas is a business-to-business service. We do not knowingly collect or process data of individuals under 18 years of age. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe we have collected data from a minor, contact privacy@vikaas.ai.
10. Changes to this policy
We review this privacy policy at least annually. Material changes will be communicated to active customers via email at least 30 days before taking effect. Non-material changes (e.g. clarifications, formatting) may be made without notice. The "last updated" date at the top of this page reflects the most recent revision.
11. How to contact us
Data protection inquiries: privacy@vikaas.ai
Security and trust inquiries: trust@vikaas.ai
General inquiries: hello@vikaas.ai
Postal address: Banao Pvt Ltd, Bengaluru, Karnataka, India
We do not have a formal Data Protection Officer under current Indian law, but our trust team handles all data protection queries and is reachable at the email above.