BD-BOT Privacy Policy Supplement

Effective Date: May 24, 2026

This supplement describes how Holomua Technologies LLC ("Holomua," "we," "our," or "us") collects, uses, and protects information specifically through the BD-BOT application (bd-bot.holomuatech.com). It supplements, and should be read together with, the Holomua Technologies Privacy Policy (the "Umbrella Policy"). Capitalized terms not defined here have the meaning given in the Umbrella Policy. Where this supplement conflicts with the Umbrella Policy with respect to BD-BOT, this supplement controls. Your use of BD-BOT is also governed by the BD-BOT Terms of Service.

1. About BD-BOT

BD-BOT is a business-development assistant that helps users discover U.S. federal contracting opportunities, organize source documents stored in third-party cloud storage, and produce capture and proposal artifacts with AI assistance. BD-BOT is operated by Holomua Technologies LLC.

2. Information We Collect

Account and authentication data. When you sign in with Google or Microsoft, we receive your name, email address, profile picture (if any), and a unique account identifier from the identity provider. We also receive OAuth access tokens and, where you grant offline access, refresh tokens. Tokens are stored encrypted at rest and used solely to call the third-party APIs you have authorized.

Connected-service content (Google Drive / Microsoft OneDrive). With your authorization, BD-BOT reads files and folders you select from your Google Drive or Microsoft OneDrive account in order to ingest source material for opportunity analysis, drafting, and search. BD-BOT may also create or modify files in those services when you explicitly request it (e.g., saving a generated document back to your Drive).

Content you upload or generate in the app. Documents you upload directly, chat and workflow inputs, prompts, search queries, document tags, and AI-generated outputs.

Opportunity data. Searches and selections you make against the HigherGov opportunity database (e.g., NAICS codes, search filters, opportunity IDs).

Usage and diagnostic data. Standard server logs (timestamp, request path, status, IP address, user agent) and application logs used to monitor reliability and security. These do not include the contents of your documents.

3. How We Use Information

We use the information described above to:

Authenticate you and maintain your session.
Read, index, and search the documents you have authorized BD-BOT to access.
Send relevant document content to large language model ("LLM") providers in order to summarize, classify, extract data from, draft against, and chat about your material at your request.
Match opportunities from HigherGov against your resume and configured search criteria.
Persist your projects, collections, workflows, chat history, and generated documents so you can return to them.
Operate, secure, debug, and improve the service, including investigating abuse.

We do not use BD-BOT user data for advertising, ad targeting, or building advertising profiles. We do not sell or rent your data.

4. Limited Use of Google User Data

BD-BOT's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We use Google user data only to provide and improve user-facing features of BD-BOT that are prominent in the app's UI.
We do not transfer Google user data to third parties except (a) to subprocessors strictly necessary to provide the service (see §6), (b) for security purposes (such as investigating abuse), (c) to comply with applicable law, or (d) as part of a merger, acquisition, or sale of assets with notice to users.
We do not use Google user data for serving advertisements.
We do not allow humans to read Google user data unless (i) we have your affirmative agreement for specific items, (ii) it is necessary for security purposes such as investigating abuse, (iii) to comply with applicable law, or (iv) the data is aggregated and used for internal operations consistent with the Limited Use policy.
We do not use Google user data to develop, improve, or train generalized or non-personalized artificial intelligence or machine-learning models. Content sent to third-party LLM providers is sent only to perform the user-requested task and is subject to those providers' no-training commitments (see §6).

5. Limited Use of Microsoft Graph Data

BD-BOT's handling of Microsoft Graph data follows equivalent principles: data accessed under User.Read and Files.ReadWrite.All is used only to deliver user-facing BD-BOT features you invoke, is not sold, is not used to serve advertising, and is not used to train generalized AI/ML models.

6. Service Providers and Subprocessors

BD-BOT relies on the following subprocessors to deliver the service. Each is contractually bound to confidentiality and data-protection obligations.

Subprocessor	Purpose	Data category
Google Cloud Platform (Cloud Run, Secret Manager, Cloud Logging)	Application hosting, secret storage, log storage	All application data in transit and at rest
Supabase (PostgreSQL)	Primary database, session store, vector embeddings	Account data, app content, document metadata, embeddings
Google (Drive API + Identity)	User sign-in and connected file access	User profile; files you select
Microsoft (Graph API + Identity)	User sign-in and connected file access	User profile; files you select
OpenAI	LLM inference for user-invoked AI features	Prompts and document excerpts you submit
Anthropic	LLM inference for user-invoked AI features	Prompts and document excerpts you submit
Google (Gemini API)	LLM inference for user-invoked AI features	Prompts and document excerpts you submit
xAI (Grok API)	LLM inference for user-invoked AI features	Prompts and document excerpts you submit
HigherGov	Federal opportunity data retrieval	Your search queries; no document content

OpenAI, Anthropic, Google (Gemini), and xAI operate under terms that prohibit using BD-BOT customer data — including any Google or Microsoft user data — to train their generalized AI/ML models. We do not transfer Google user data to any subprocessor not listed above without updating this supplement. BD-BOT also supports user-configured integrations (for example, a user-supplied Mattermost workspace). Such integrations are operated by you or your organization and are not Holomua subprocessors.

7. Data Retention and Deletion

Data	Retention
OAuth access and refresh tokens	Held until you sign out, revoke access at myaccount.google.com or account.microsoft.com, or delete your BD-BOT account. Access tokens additionally rotate per the identity provider's lifetime.
Cached document content, projects, collections, chat history, generated documents	Retained for the life of your BD-BOT account. Deleted within 30 days of an account-deletion request to inquiries@holomuatech.com.
Server and application logs	Retained for up to 30 days (Google Cloud Logging default), then automatically purged.
Database backups	Daily automated backups retained for 7 days on a rolling basis (Supabase Pro).

To delete your data, you may (a) revoke BD-BOT's access at your Google or Microsoft account's third-party-apps page, which terminates further access, and/or (b) email inquiries@holomuatech.com from the address associated with your BD-BOT account to request full account deletion. We will confirm deletion within 30 days, subject to legal retention obligations.

8. Your Choices and Rights

You may at any time:

Disconnect BD-BOT from your Google account: https://myaccount.google.com/permissions
Disconnect BD-BOT from your Microsoft account: https://account.microsoft.com/privacy/app-access
Request access, correction, or deletion of your BD-BOT data by emailing inquiries@holomuatech.com.

Depending on your jurisdiction, you may have additional rights described in the Umbrella Policy.

9. Security

BD-BOT runs on Google Cloud Run with secrets managed in Google Secret Manager. OAuth tokens are encrypted at rest. Transport is TLS-only. Access to production systems is restricted to authorized Holomua personnel. No system is perfectly secure; we encourage you to report suspected vulnerabilities to inquiries@holomuatech.com.

10. Children

BD-BOT is intended for business users and is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect personal information from children.

11. Changes to This Supplement

We may update this supplement from time to time. Material changes will be posted on this page with a revised effective date. Where required by law or by Google's or Microsoft's policies, we will provide additional notice.

12. Contact

Questions about BD-BOT privacy:

Holomua Technologies LLC
Email: inquiries@holomuatech.com
Phone: +1 (808) 594-9943