Back to BD-BOT

BD-BOT Privacy Policy Supplement

Effective Date: July 2, 2026

This supplement describes how Holomua Technologies LLC ("Holomua," "we," "our," or "us") collects, uses, and protects information specifically through the BD-BOT application (bd-bot.holomuatech.com). It supplements, and should be read together with, the Holomua Technologies Privacy Policy (the "Umbrella Policy"). Capitalized terms not defined here have the meaning given in the Umbrella Policy. Where this supplement conflicts with the Umbrella Policy with respect to BD-BOT, this supplement controls. Your use of BD-BOT is also governed by the BD-BOT Terms of Service.


1. About BD-BOT

BD-BOT is a business-development assistant that helps users discover U.S. federal contracting opportunities, organize source documents stored in third-party cloud storage, and produce capture and proposal artifacts with AI assistance. BD-BOT is operated by Holomua Technologies LLC.

2. Information We Collect

Account and authentication data. When you sign in with Google or Microsoft, we receive your name, email address, profile picture (if any), and a unique account identifier from the identity provider. We also receive OAuth access tokens and, where you grant offline access, refresh tokens. Tokens are held only inside your active server-side session (stored in PostgreSQL with encryption at rest) and are used solely to call the third-party APIs you have authorized. They are discarded when your session ends.

Connected-service content (Google Drive / Microsoft OneDrive) — optional. Connecting Google Drive or Microsoft OneDrive is optional. If you choose to connect, BD-BOT reads files and folders you select in order to ingest source material for opportunity analysis, drafting, and search, and may create or modify files in the folder you designate when you explicitly request it (e.g., saving a generated document back to your Drive). Microsoft users are not prompted for OneDrive access at sign-in; you can opt in later from Settings if you want cloud-synced storage. Without a cloud connection, opportunity documents you download are delivered as a browser download (available for two hours) and ingested directly into your project's collection — all AI features work identically either way.

Content you upload or generate in the app. Documents you upload directly, chat and workflow inputs, prompts, search queries, document tags, and AI-generated outputs.

Opportunity data. Searches and selections you make against the HigherGov opportunity database (e.g., NAICS codes, search filters, opportunity IDs).

Usage and diagnostic data. Standard server logs (timestamp, request path, status, IP address, user agent) and application logs used to monitor reliability and security. These do not include the contents of your documents.

3. How We Use Information

We use the information described above to:

  • Authenticate you and maintain your session.
  • Read, index, and search the documents you have authorized BD-BOT to access.
  • Send relevant document content to large language model ("LLM") providers in order to summarize, classify, extract data from, draft against, and chat about your material at your request.
  • Match opportunities from HigherGov against your resume and configured search criteria.
  • Persist your projects, collections, workflows, chat history, and generated documents so you can return to them.
  • Operate, secure, debug, and improve the service, including investigating abuse.

We do not use BD-BOT user data for advertising, ad targeting, or building advertising profiles. We do not sell or rent your data.

4. Limited Use of Google User Data

BD-BOT requests only the non-sensitive https://www.googleapis.com/auth/drive.file scope from Google — the per-file access scope, not full Drive access. In practice this means:

  • You choose what BD-BOT can see. You explicitly select the files and folders BD-BOT can read by picking them through the Google Picker — Google's official, sandboxed file selection interface. Nothing else in your Drive is visible to BD-BOT.
  • No discovery, no browsing. BD-BOT cannot enumerate, list, or read any file or folder you did not explicitly pick. It has no ability to browse your Drive or open files by guessing names or IDs.
  • App-created files stay yours. Files BD-BOT creates in your Drive (for example, downloaded opportunity documents or generated reports) live in your Drive under your ownership. You can move, share, rename, or delete them at any time, the same as any other file you own.
  • Revocable at any time. You can revoke BD-BOT's Drive access from your Google Account permissions at any time. BD-BOT mirrors that revocation immediately via the RISC security event stream described below.

BD-BOT's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We use Google user data only to provide and improve user-facing features of BD-BOT that are prominent in the app's UI.
  • We do not transfer Google user data to third parties except (a) to subprocessors strictly necessary to provide the service (see §6), (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) as part of a merger, acquisition, or sale of assets with notice to users.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read Google user data unless (i) we have your affirmative agreement for specific items, (ii) it is necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) the data is aggregated and used for internal operations consistent with the Limited Use policy.
  • We do not use Google user data to develop, improve, or train generalized or non-personalized artificial intelligence or machine-learning models. Content sent to third-party LLM providers is sent only to perform the user-requested task and is subject to those providers' no-training commitments (see §6).

In addition to the data BD-BOT receives when you sign in or grant Drive access, BD-BOT subscribes to Google's Risk and Incidents Sharing and Coordination (RISC) security event stream. RISC lets Google notify BD-BOT when something about your Google account changes in a way that should affect your BD-BOT session — for example, if you sign out of Google everywhere, revoke BD-BOT's Drive access from your Google account settings, or Google itself disables your account in response to a security incident. We participate so that BD-BOT can mirror those state changes immediately rather than continuing to operate on credentials Google has already invalidated.

The five RISC events BD-BOT subscribes to, and what we do for each:

  • Sessions revoked — when you sign out of Google everywhere or your Google sessions are otherwise terminated, BD-BOT destroys your active BD-BOT sessions. You'll see the login screen the next time you visit.
  • Tokens revoked — when you revoke BD-BOT's Google Drive access (or Google revokes it on your behalf after a security event), BD-BOT discards the cached Drive tokens. Your BD-BOT session remains; the next Drive operation prompts you to re-consent.
  • Account disabled — if Google disables your Google account, BD-BOT schedules your BD-BOT account for deletion immediately (28-day recoverable grace window; same lifecycle as a user-initiated deletion request — see §7).
  • Account enabled — if Google re-enables a previously disabled account, BD-BOT logs the event so the operator can restore your BD-BOT account during the 28-day window described above.
  • Verification — Google's setup handshake; logged with no other effect.

The signals BD-BOT receives via RISC are used only for the protective actions described above. They are not used for any other purpose; they are not retained beyond the operational record required to prevent replay of the same event; and they are subject to the same Limited Use commitments as any other Google user data described in this section.

5. Limited Use of Microsoft Graph Data

BD-BOT's handling of Microsoft Graph data follows equivalent principles to the Google handling described in §4: data accessed via Microsoft Graph is used only to deliver user-facing BD-BOT features you invoke, is not sold, is not used to serve advertising, and is not used to train generalized AI/ML models.

BD-BOT requests the following Microsoft Graph delegated permissions from your Microsoft account or your organization's Microsoft 365 tenant. Each is justified by a specific user-facing capability of BD-BOT; we do not request permissions we do not actively use.

PermissionWhy BD-BOT needs it
openid, profile, emailStandard OpenID Connect sign-in. Identifies you to BD-BOT and provides your basic profile (display name, email) so we can associate your activity with your account.
User.ReadReads your display name, email, and profile picture from Microsoft Graph. We use these to populate the BD-BOT user menu and personalize the interface. No other user-directory data (org chart, manager, colleagues) is accessed.
Files.ReadWrite.All
(Conditional — only when a user opts in to OneDrive integration)
Not requested at sign-in. BD-BOT's initial Microsoft sign-in requests only identity scopes (User.Read, offline_access). This broader scope is requested only when a user explicitly opts in via the Settings > Connect OneDrive flow — the request happens through Microsoft's incremental consent screen, per-user, and can be revoked without signing out. Users who never opt in never grant it, and BD-BOT never touches their OneDrive or SharePoint content.

When granted, the scope reads the opportunity documents and reference materials the user designates for BD-BOT to process, and writes opportunity downloads and AI-generated reports back into a folder the user picks. The broad .All qualifier is what enables BD-BOT to support Shared Drives (Microsoft Teams SharePoint sites) that enterprise customers rely on for shared opportunity workspaces — narrower scopes would force BD-BOT to operate only out of personal OneDrive. Even with the scope granted, BD-BOT only touches files in folders the user explicitly designates or files the user explicitly selects; we do not enumerate or read other content in the user's OneDrive or their organization's SharePoint sites.
offline_accessIssues a refresh token so background jobs (opportunity downloads, document ingestion, report generation) can continue running on your behalf while you are not actively signed in. Without it, you would need to re-authenticate every hour. Refresh tokens are stored server-side and never sent to the browser.

If your organization's Microsoft 365 tenant uses admin-consent for third-party applications, your tenant administrator can review and grant tenant-wide consent for BD-BOT using these same permissions. Contact your administrator if you see a "needs admin approval" message when signing in.

6. Service Providers and Subprocessors

BD-BOT relies on the following subprocessors to deliver the service. Each is contractually bound to confidentiality and data-protection obligations.

SubprocessorPurposeData category
Google Cloud Platform (Cloud Run, Secret Manager, Cloud Logging)Application hosting, secret storage, log storageAll application data in transit and at rest
Supabase (PostgreSQL)Primary database, session store, vector embeddingsAccount data, app content, document metadata, embeddings
Google (Drive API + Identity)User sign-in and connected file accessUser profile; files you select
Microsoft (Graph API + Identity)User sign-in and connected file accessUser profile; files you select
OpenAILLM inference for user-invoked AI featuresPrompts and document excerpts you submit
AnthropicLLM inference for user-invoked AI featuresPrompts and document excerpts you submit
Google (Gemini API)LLM inference for user-invoked AI featuresPrompts and document excerpts you submit
xAI (Grok API)LLM inference for user-invoked AI featuresPrompts and document excerpts you submit
HigherGovFederal opportunity data retrievalYour search queries; no document content

OpenAI, Anthropic, Google (Gemini), and xAI operate under terms that prohibit using BD-BOT customer data — including any Google or Microsoft user data — to train their generalized AI/ML models. We do not transfer Google user data to any subprocessor not listed above without updating this supplement. BD-BOT also supports user-configured integrations (for example, a user-supplied Mattermost workspace). Such integrations are operated by you or your organization and are not Holomua subprocessors.

7. Data Retention and Deletion

DataRetention
OAuth access and refresh tokensHeld until you sign out, revoke access at myaccount.google.com or account.microsoft.com, or delete your BD-BOT account. Access tokens additionally rotate per the identity provider's lifetime.
Cached document content, projects, collections, chat history, generated documentsRetained for the life of your BD-BOT account. On an account-deletion request to inquiries@holomuatech.com, your account is suspended and OAuth tokens revoked immediately; account content is held in a recoverable state for 28 days and then permanently deleted. Full deletion completes within 30 days of the request.
Server and application logsRetained for up to 30 days (Google Cloud Logging default), then automatically purged.
Database backupsDaily automated backups retained for 7 days on a rolling basis (Supabase Pro).

To delete your data, you may (a) revoke BD-BOT's access at your Google or Microsoft account's third-party-apps page, which terminates further access, and/or (b) email inquiries@holomuatech.com from the address associated with your BD-BOT account to request account deletion. On a verified deletion request, we immediately suspend your account, revoke connected OAuth tokens, and place your content in a recoverable state. If you do not retract the request within 28 days, your account and content are permanently deleted. Full deletion completes within 30 days of the request, subject to legal retention obligations. To retract a request during the recovery window, reply to the same email thread within 28 days.

8. Your Choices and Rights

You may at any time:

Depending on your jurisdiction, you may have additional rights described in the Umbrella Policy.

9. Security

BD-BOT runs on Google Cloud Run with secrets managed in Google Secret Manager. OAuth tokens live only inside active server-side sessions, which are stored in PostgreSQL with encryption at rest. Transport is TLS-only. Server and application logs are retained for 30 days and then automatically purged. Access to production systems is restricted to authorized Holomua personnel. No system is perfectly secure; we encourage you to report suspected vulnerabilities to inquiries@holomuatech.com.

10. Children

BD-BOT is intended for business users and is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children.

11. Changes to This Supplement

We may update this supplement from time to time. Material changes will be posted on this page with a revised effective date. Where required by law or by Google's or Microsoft's policies, we will provide additional notice.

12. Contact

Questions about BD-BOT privacy:

Holomua Technologies LLC
Email: inquiries@holomuatech.com
Phone: +1 (808) 594-9943