Effective Date: July 2, 2026
This supplement describes how Holomua Technologies LLC ("Holomua," "we," "our," or "us") collects, uses, and protects information specifically through the BD-BOT application (bd-bot.holomuatech.com). It supplements, and should be read together with, the Holomua Technologies Privacy Policy (the "Umbrella Policy"). Capitalized terms not defined here have the meaning given in the Umbrella Policy. Where this supplement conflicts with the Umbrella Policy with respect to BD-BOT, this supplement controls. Your use of BD-BOT is also governed by the BD-BOT Terms of Service.
BD-BOT is a business-development assistant that helps users discover U.S. federal contracting opportunities, organize source documents stored in third-party cloud storage, and produce capture and proposal artifacts with AI assistance. BD-BOT is operated by Holomua Technologies LLC.
Account and authentication data. When you sign in with Google or Microsoft, we receive your name, email address, profile picture (if any), and a unique account identifier from the identity provider. We also receive OAuth access tokens and, where you grant offline access, refresh tokens. Tokens are held only inside your active server-side session (stored in PostgreSQL with encryption at rest) and are used solely to call the third-party APIs you have authorized. They are discarded when your session ends.
Connected-service content (Google Drive / Microsoft OneDrive) — optional. Connecting Google Drive or Microsoft OneDrive is optional. If you choose to connect, BD-BOT reads files and folders you select in order to ingest source material for opportunity analysis, drafting, and search, and may create or modify files in the folder you designate when you explicitly request it (e.g., saving a generated document back to your Drive). Microsoft users are not prompted for OneDrive access at sign-in; you can opt in later from Settings if you want cloud-synced storage. Without a cloud connection, opportunity documents you download are delivered as a browser download (available for two hours) and ingested directly into your project's collection — all AI features work identically either way.
Content you upload or generate in the app. Documents you upload directly, chat and workflow inputs, prompts, search queries, document tags, and AI-generated outputs.
Opportunity data. Searches and selections you make against the HigherGov opportunity database (e.g., NAICS codes, search filters, opportunity IDs).
Usage and diagnostic data. Standard server logs (timestamp, request path, status, IP address, user agent) and application logs used to monitor reliability and security. These do not include the contents of your documents.
We use the information described above to:
We do not use BD-BOT user data for advertising, ad targeting, or building advertising profiles. We do not sell or rent your data.
BD-BOT requests only the non-sensitive https://www.googleapis.com/auth/drive.file scope from Google — the per-file access scope, not full Drive access. In practice this means:
BD-BOT's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
In addition to the data BD-BOT receives when you sign in or grant Drive access, BD-BOT subscribes to Google's Risk and Incidents Sharing and Coordination (RISC) security event stream. RISC lets Google notify BD-BOT when something about your Google account changes in a way that should affect your BD-BOT session — for example, if you sign out of Google everywhere, revoke BD-BOT's Drive access from your Google account settings, or Google itself disables your account in response to a security incident. We participate so that BD-BOT can mirror those state changes immediately rather than continuing to operate on credentials Google has already invalidated.
The five RISC events BD-BOT subscribes to, and what we do for each:
The signals BD-BOT receives via RISC are used only for the protective actions described above. They are not used for any other purpose; they are not retained beyond the operational record required to prevent replay of the same event; and they are subject to the same Limited Use commitments as any other Google user data described in this section.
BD-BOT's handling of Microsoft Graph data follows equivalent principles to the Google handling described in §4: data accessed via Microsoft Graph is used only to deliver user-facing BD-BOT features you invoke, is not sold, is not used to serve advertising, and is not used to train generalized AI/ML models.
BD-BOT requests the following Microsoft Graph delegated permissions from your Microsoft account or your organization's Microsoft 365 tenant. Each is justified by a specific user-facing capability of BD-BOT; we do not request permissions we do not actively use.
| Permission | Why BD-BOT needs it |
|---|---|
openid, profile, email | Standard OpenID Connect sign-in. Identifies you to BD-BOT and provides your basic profile (display name, email) so we can associate your activity with your account. |
User.Read | Reads your display name, email, and profile picture from Microsoft Graph. We use these to populate the BD-BOT user menu and personalize the interface. No other user-directory data (org chart, manager, colleagues) is accessed. |
Files.ReadWrite.All(Conditional — only when a user opts in to OneDrive integration) | Not requested at sign-in. BD-BOT's initial Microsoft sign-in requests only identity scopes (User.Read, offline_access). This broader scope is requested only when a user explicitly opts in via the Settings > Connect OneDrive flow — the request happens through Microsoft's incremental consent screen, per-user, and can be revoked without signing out. Users who never opt in never grant it, and BD-BOT never touches their OneDrive or SharePoint content.When granted, the scope reads the opportunity documents and reference materials the user designates for BD-BOT to process, and writes opportunity downloads and AI-generated reports back into a folder the user picks. The broad .All qualifier is what enables BD-BOT to support Shared Drives (Microsoft Teams SharePoint sites) that enterprise customers rely on for shared opportunity workspaces — narrower scopes would force BD-BOT to operate only out of personal OneDrive. Even with the scope granted, BD-BOT only touches files in folders the user explicitly designates or files the user explicitly selects; we do not enumerate or read other content in the user's OneDrive or their organization's SharePoint sites. |
offline_access | Issues a refresh token so background jobs (opportunity downloads, document ingestion, report generation) can continue running on your behalf while you are not actively signed in. Without it, you would need to re-authenticate every hour. Refresh tokens are stored server-side and never sent to the browser. |
If your organization's Microsoft 365 tenant uses admin-consent for third-party applications, your tenant administrator can review and grant tenant-wide consent for BD-BOT using these same permissions. Contact your administrator if you see a "needs admin approval" message when signing in.
BD-BOT relies on the following subprocessors to deliver the service. Each is contractually bound to confidentiality and data-protection obligations.
| Subprocessor | Purpose | Data category |
|---|---|---|
| Google Cloud Platform (Cloud Run, Secret Manager, Cloud Logging) | Application hosting, secret storage, log storage | All application data in transit and at rest |
| Supabase (PostgreSQL) | Primary database, session store, vector embeddings | Account data, app content, document metadata, embeddings |
| Google (Drive API + Identity) | User sign-in and connected file access | User profile; files you select |
| Microsoft (Graph API + Identity) | User sign-in and connected file access | User profile; files you select |
| OpenAI | LLM inference for user-invoked AI features | Prompts and document excerpts you submit |
| Anthropic | LLM inference for user-invoked AI features | Prompts and document excerpts you submit |
| Google (Gemini API) | LLM inference for user-invoked AI features | Prompts and document excerpts you submit |
| xAI (Grok API) | LLM inference for user-invoked AI features | Prompts and document excerpts you submit |
| HigherGov | Federal opportunity data retrieval | Your search queries; no document content |
OpenAI, Anthropic, Google (Gemini), and xAI operate under terms that prohibit using BD-BOT customer data — including any Google or Microsoft user data — to train their generalized AI/ML models. We do not transfer Google user data to any subprocessor not listed above without updating this supplement. BD-BOT also supports user-configured integrations (for example, a user-supplied Mattermost workspace). Such integrations are operated by you or your organization and are not Holomua subprocessors.
| Data | Retention |
|---|---|
| OAuth access and refresh tokens | Held until you sign out, revoke access at myaccount.google.com or account.microsoft.com, or delete your BD-BOT account. Access tokens additionally rotate per the identity provider's lifetime. |
| Cached document content, projects, collections, chat history, generated documents | Retained for the life of your BD-BOT account. On an account-deletion request to inquiries@holomuatech.com, your account is suspended and OAuth tokens revoked immediately; account content is held in a recoverable state for 28 days and then permanently deleted. Full deletion completes within 30 days of the request. |
| Server and application logs | Retained for up to 30 days (Google Cloud Logging default), then automatically purged. |
| Database backups | Daily automated backups retained for 7 days on a rolling basis (Supabase Pro). |
To delete your data, you may (a) revoke BD-BOT's access at your Google or Microsoft account's third-party-apps page, which terminates further access, and/or (b) email inquiries@holomuatech.com from the address associated with your BD-BOT account to request account deletion. On a verified deletion request, we immediately suspend your account, revoke connected OAuth tokens, and place your content in a recoverable state. If you do not retract the request within 28 days, your account and content are permanently deleted. Full deletion completes within 30 days of the request, subject to legal retention obligations. To retract a request during the recovery window, reply to the same email thread within 28 days.
You may at any time:
Depending on your jurisdiction, you may have additional rights described in the Umbrella Policy.
BD-BOT runs on Google Cloud Run with secrets managed in Google Secret Manager. OAuth tokens live only inside active server-side sessions, which are stored in PostgreSQL with encryption at rest. Transport is TLS-only. Server and application logs are retained for 30 days and then automatically purged. Access to production systems is restricted to authorized Holomua personnel. No system is perfectly secure; we encourage you to report suspected vulnerabilities to inquiries@holomuatech.com.
BD-BOT is intended for business users and is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children.
We may update this supplement from time to time. Material changes will be posted on this page with a revised effective date. Where required by law or by Google's or Microsoft's policies, we will provide additional notice.
Questions about BD-BOT privacy:
Holomua Technologies LLC
Email: inquiries@holomuatech.com
Phone: +1 (808) 594-9943