Privacy Policy

Last updated date: 23 January, 2026

VNMT Solutions (“VNMT”, “Company”, “we”, “us”, or “our”) is a global technology consulting and services organization providing implementation, advisory, managed services, and support to clients across multiple jurisdictions. In the course of our global operations, we collect, receive, access, store, and process personal data and client-controlled data belonging to website visitors, prospective clients, client representatives, employees, end users, vendors, and other stakeholders.

Company recognizes that personal data and client data are entrusted to us with a high expectation of confidentiality, integrity, availability, and lawful handling. This Policy explains how we manage personal data and client data throughout its lifecycle and demonstrates the company’s commitment to compliance with applicable global data protection laws, contractual obligations, and internal governance standards.

Scope and Applicability

This Policy applies to all personal data and client data processed by us irrespective of the country in which the data subject resides or the Company’s entity involved.

It covers data processed through:

Pre-sales, contractual, and business communications

Client engagements, including implementation, consulting, support, and managed services

Authorized access to client systems, applications, and environments

Internal corporate activities such as recruitment, employment, vendor management, and compliance

This Policy applies whether data is:

Received from clients or third parties

Generated through system usage

Processed electronically or manually

Regulatory and Legal Compliance

We process personal data in compliance with applicable data protection and privacy laws across the jurisdictions in which it operates or provides services.

Key Regulations Include:

- General Data Protection Regulation (GDPR – EU) 2016/679 – Governs the collection, processing, storage, and protection of personal data of individuals located in the European Union and European Economic Area and sets strict requirements for data controllers and processors.

- UK General Data Protection Regulation (UK GDPR) – Applies to the processing of personal data of individuals in the United Kingdom and mirrors GDPR principles following the UK’s exit from the EU.

- Digital Personal Data Protection Act, 2023 (DPDP Act) – Regulates the processing of digital personal data in India and establishes obligations for organizations regarding consent, data security, and data subject rights.

- California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA) – Provides privacy rights to residents of California, including rights to access, delete, and limit the use of personal information collected by businesses.

- Personal Data Protection Act (PDPA) – Regulates the collection, use, and disclosure of personal data in Singapore and requires organizations to implement reasonable security safeguards.

- Other applicable local and national data protection laws – Includes additional country-specific privacy and data protection regulations that may apply based on Company’s operations, client locations, or data processing activities.

Where multiple laws apply to a particular processing activity, Company applies the most stringent applicable standard to ensure consistent protection

Data Protection Principles

We process personal data in accordance with internationally recognized data protection principles, including those set out under GDPR Article 5. These principles define the standards and obligations that govern how personal data is handled throughout its lifecycle, regardless of the specific business activity involved

Processed lawfully, fairly, and transparently, with individuals informed about how their data is used

Collected only for specific, explicit, and legitimate purposes

Limited to what is necessary and relevant for those purposes

Maintained accurately and updated where required

Retained only for the period justified by purpose, law, or contract

Protected through appropriate technical and organizational safeguards

Subject to accountability, documentation, and auditability

These principles are embedded into the Company’s internal policies and operational controls.

VNMT Internal Policies & Governance Framework

This Privacy Policy is supported by VNMT’s internal governance framework, which consists of multiple internal policies, standards, and procedures designed to ensure the lawful, secure, and responsible handling of personal data and client data across the organization. These internal controls collectively govern how data is collected, accessed, used, stored, protected, shared, retained, and disposed of, and are aligned with applicable data protection laws, contractual obligations, and industry best practices. Together, they are intended to safeguard the rights and interests of individuals and clients whose data is processed by VNMT.

Governance & Accountability

We maintain defined ownership for privacy and information security matters, conduct periodic internal reviews, and provide mandatory training to personnel handling personal or client data. Compliance with internal policies is monitored, and violations may result in disciplinary or contractual action.

VNMT’s Role: Data Controller and Data Processor

Our role depends on the nature of the engagement.

♦ VNMT as Data Controller

Company acts as a Data Controller where it determines the purpose and means of processing, including:

Website inquiries and contact forms
Marketing and business communications
Vendor and partner management
Recruitment and employment-related activities
Internal corporate and compliance functions

♦ VNMT as Data Processor

Company acts as a Data Processor when it processes personal data strictly on behalf of a client and in accordance with written agreements or documented instructions. Typical examples include:

System implementation and configuration
Application support and managed services
Data migration, testing, and troubleshooting
Temporary or controlled access to client systems

In such cases:

The client remains the Data Controller
We do not determine data retention periods
We do not use client data for independent purposes

Types of Information We Collect

The company collects and processes different categories of information depending on the relationship and service involved.

♦ Website & Digital Interaction Data

Collected when individuals visit Company websites or submit forms:

Name, business email, phone number
Client/ Individual Company’s name and job title
Inquiry or message content
IP address, browser type, device information
Usage data, cookies, and analytics information

♦ Business & Client Relationship Data

Collected during business and contractual interactions:

Contact details of client and partner representatives
Communication records and meeting notes
Contractual and commercial information

♦ Client Data Processed Under Agreements

Processed strictly on behalf of clients:

Employee or customer personal data
Transactional and operational records
System configuration data, logs, and reports
Files and documents stored in client systems

Access to such data is purpose-limited, time-bound, logged, and monitored.

♦ Technical & Security Data

Generated by systems:

Access logs and audit trails
Authentication and session records
Security alerts, error logs, and performance metrics

♦ Recruitment & Employment Data

Collected where applicable:

Identification and contact details
Professional qualifications and work history
Background verification (where legally permitted)
Payroll and statutory compliance data

Purpose of Processing

Personal data and client data are processed only where there is a legitimate and defined business purpose. The purposes outlined below describe the specific operational and service-related reasons for which VNMT collects and uses personal data.

Delivering contracted services and fulfilling client instructions
Supporting, maintaining, and enhancing client systems
Managing communications, inquiries, and service requests
Ensuring system security, integrity, and availability
Meeting contractual, legal, audit, and compliance requirements
Improving service quality through controlled and anonymized analysis

Confidentiality and Access Control

Company enforces strict confidentiality and access controls, including:

Confidentiality obligations for all personnel
Role-based and least-privilege access principles
Time-bound access aligned with project scope
Immediate access revocation upon role change or disengagement
Logging, monitoring, and periodic access reviews

Sub-processors and Third Parties

Company may engage third-party service providers or sub-processors solely to support service delivery.

Sub-processors are vetted for security and compliance
Data Processing Agreements are executed where required
Sub-processors are bound by confidentiality and data protection obligations
Company remains accountable for data protection compliance

The company does not sell personal data.

International Data Transfers

Due to Company’s global operations, personal data and client data may be transferred across borders. We ensure appropriate safeguards, including:

Contractual protections (e.g., Standard Contractual Clauses where applicable)
Technical measures such as encryption and access controls
Compliance with applicable cross-border transfer laws

Data Retention and Disposal

Company retains personal data and client data strictly in accordance with its internal data protection and information security policies, applicable legal and regulatory requirements, and the terms agreed under valid, executed contracts. We do not retain personal data or client data beyond what is necessary, lawful, and contractually permitted.

♦ General Retention Principles (Applicable to All Data Collected by VNMT)

All personal data collected or processed by Company-whether relating to website visitors, prospective clients, clients, employees, vendors, partners, or any other stakeholders—is retained only for as long as there is a legitimate and lawful basis to do so.

Data may be retained only to the extent necessary to:

Fulfil the specific purpose for which the data was collected or processed
Perform obligations arising under a valid contract or engagement
Comply with applicable legal, statutory, tax, audit, or regulatory requirements
Resolve disputes, enforce contractual rights, or defend legal claims

Retention periods are not uniform and vary depending on the nature of the data, the purpose of processing, the engagement context, and applicable law. Where no such purpose, obligation, or requirement exists, the Company does not retain the data.

♦ Client Data Retention (Data Processed Under Client Agreements)

Client-controlled data processed by the Company is retained strictly in accordance with the terms of the applicable signed client agreement and documented client instructions.

Company expressly confirms that:

Company does not independently determine retention periods for client-controlled data
Client data is retained only for the duration and purpose agreed under the executed contract
Company does not retain, reuse, archive, or process client data beyond the agreed scope or timeline

Upon completion, expiry, or termination of services, and unless otherwise required by law or expressly agreed in writing, client data is:

Returned to the client, and/or
Securely deleted or irreversibly anonymized in accordance with contractual terms

Where there is no contractual requirement, legal obligation, or explicit written consent permitting further retention, all client data is cleared from Company systems in line with secure disposal procedures.

♦ Secure Disposal and Safeguards

When retention periods expire or data is no longer required:

Data is securely deleted, anonymized, or irreversibly destroyed using industry-accepted methods
Disposal activities are documented and auditable

All personal data and client data handled during disposal, deletion, archiving, or backup processes are protected in accordance with the Company’s internal security and data protection policies. Unauthorized access, retention, disclosure, or use of data is strictly prohibited.

Data Breach Management

In the event of a suspected or confirmed data breach:

Incidents are promptly identified, logged, and assessed
Containment and remediation actions are initiated
Clients are notified without undue delay
Regulatory authorities are informed where legally required
Root cause analysis and preventive actions are implemented

Individual Rights

Depending on applicable law, individuals may have rights including:

Access to personal data
Rectification of inaccurate data
Erasure or restriction of processing
Objection to processing
Data portability

Where the Company acts as a Data Processor, such requests are coordinated with the client (Data Controller).

Links to Third-Party Websites

VNMT’s website, products, or services may contain links to third-party websites or services that are not operated or controlled by VNMT. When you access a third-party website through a link on our website, your interaction and any personal data you provide are governed by that third party’s privacy policies and terms, and not by this Privacy Policy.

VNMT does not control and is not responsible for the content, privacy practices, or data handling activities of third-party websites. We encourage users to review the privacy notices and terms of use of any third-party websites they choose to visit.

Contact Information

If you have any questions, concerns, or inquiries related to data protection, privacy practices, or our services, please feel free to contact us using the details below:

VNMT Solutions
Email: [email protected]