Last updated: August 11, 2025

This Privacy Policy explains how [Biased Media Group / BMG] (“BMG”, “we”, “us”, “our”) collects, uses, discloses, and protects personal information when you visit [https://your-domain] (the “Site”), interact with our content and marketing, or engage our product marketing consulting services (the “Services”).

We serve clients globally. This Policy is designed to meet requirements of the EU/EEA GDPR, UK GDPR, California Consumer Privacy Laws (CPRA), Brazil’s LGPD, and India’s Digital Personal Data Protection Act, 2023 (DPDP Act). If local law grants you stronger rights or protections, we will honor those.

Roles we play

• Controller: for data about Site visitors, prospects, vendors, and our own operations/marketing.
  
  
• Processor/Service Provider: for data we process only on a client’s documented instructions during consulting engagements (e.g., reviewing anonymized customer research). In these cases, a Data Processing Addendum (DPA) governs.
  
  

1) Information We Collect

We collect information in three ways: (a) you provide it; (b) we collect it automatically; (c) we obtain it from third parties.

A. Information you provide

• Identity & Contact: name, job title, company, email, phone, country, timezone.
  
  
• Professional context: team size, GTM stack, product details you choose to share in discovery forms or calls.
  
  
• Communications: emails, messages, call notes, meeting recordings (if we ask and you consent to recording).
  
  
• Contract & Billing: billing contact, address, tax ID, purchase orders, invoices, payment confirmations (payments are typically processed by third-party providers; we don’t store full card details).
  
  

B. Information collected automatically

• Device & Usage: IP address, device identifiers, browser type, operating system, pages viewed, links clicked, timestamps, referrers.
  
  
• Cookies & similar tech: session cookies, preference cookies, analytics cookies.
  [If you use advertising/retargeting pixels, add: “advertising cookies and pixels (e.g., LinkedIn Insight Tag) for measurement and audience insights.”]
  
  

C. Information from third parties

• Prospect data & enrichment: business contact data from B2B tools (e.g., LinkedIn, public websites, conference lists) where permitted by law.
  
  
• Vendors: analytics providers, payment processors, cloud platforms.
  
  
• Clients (Processor role): limited personal information clients share with us under a DPA (we encourage pseudonymization/minimization).
  
  

Sensitive data: We do not intentionally collect sensitive personal data (e.g., health, biometric, financial account numbers) via the Site. If a project requires exposure to any sensitive data, we will process it only on instructions under a signed DPA, applying strict safeguards.

Children: Our Site and Services are not directed to children. We do not knowingly collect data from persons under 16 (or lower age as defined by local law).

2) Purposes & Legal Bases for Processing

We use information to:

1. Provide and operate the Site/Services (legal basis: contract performance; legitimate interests).
   
   
2. Respond to inquiries and schedule consultations (contract performance; legitimate interests).
   
   
3. Client delivery and account management (contract performance; processor role under DPA).
   
   
4. Improve, secure, and debug the Site (legitimate interests).
   
   
5. Analytics and business insights (legitimate interests; where required, consent).
   
   
6. Marketing communications—updates, newsletters, case studies (consent where required; otherwise legitimate interests; you can opt out anytime).
   
   
7. Compliance and enforcement—fraud prevention, legal obligations, defending legal claims (legal obligation; legitimate interests).
   
   

Where GDPR/UK GDPR applies, our legal bases are consent, contract performance, legitimate interests, and legal obligation. For LGPD, we rely on consent, contract, legitimate interest, and compliance with legal/regulatory obligations. Under India’s DPDP Act, we process based on consent or for lawful purposes reasonably expected by you.

3) Cookies & Similar Technologies

We use cookies and similar technologies to make the Site work, remember preferences, and measure performance.

• Strictly necessary (cannot be disabled).
  
  
• Functional (preferences).
  
  
• Analytics (traffic and usage).
  
  
• [Optional] Advertising (retargeting/measurement).
  
  

You can manage cookies via our Cookie Banner and browser settings. Where required (e.g., in the EEA/UK), we request consent for non-essential cookies.
[If you use an analytics vendor, add a short list here.]

4) How We Share Information

We share personal information with:

• Service providers / processors: hosting (cloud), email and CRM platforms, analytics, video-conferencing/recording, document collaboration, billing and accounting. These providers are bound by confidentiality and processing agreements.
  
  
• Professional advisors: legal, tax, accounting, and audit.
  
  
• Business transfers: in a merger, acquisition, financing, or sale of assets, your data may transfer as part of the transaction, subject to this Policy.
  
  
• Legal & safety: to comply with law, enforce agreements, or protect rights, safety, and property.
  
  

No selling of personal information. We do not sell personal information.
[If you enable advertising cookies later, update this section and your “Do Not Sell/Share” controls accordingly.]

5) International Transfers

We operate globally. Your data may be stored and processed in countries different from your own. Where required, we use appropriate safeguards such as:

• EU Standard Contractual Clauses (SCCs) and/or UK IDTA for EEA/UK transfers,
  
  
• Contractual clauses under LGPD,
  
  
• Contractual and technical safeguards for India DPDP Act compliance.
  
  

We also implement technical (encryption in transit and at rest where supported) and organizational measures to protect data during transfer.

6) Data Security

We use administrative, technical, and physical safeguards designed to protect personal information, including access controls, least-privilege practices, audit logging on core systems, and encrypted transport (TLS). No system is 100% secure; if we detect a breach impacting your data, we will notify you and regulators where legally required.

7) Data Retention

We retain personal information only as long as necessary for the purposes described or as required by law and contracts. Typical periods:

• Inquiry/lead records: 24 months from last activity (unless you opt out earlier).
  
  
• Contract/billing records: 7 years (or longer if law requires).
  
  
• Analytics data: 14–26 months (vendor default, where configurable).
  
  
• Client project data (processor role): per DPA—we return or delete upon request or project end.
  
  

8) Your Privacy Rights

Your rights vary by region. We will honor requests according to applicable law and verify your identity before acting.

EEA/UK (GDPR/UK GDPR)

• Access your data; rectify inaccuracies; erase; restrict processing; object to processing (including direct marketing); data portability; withdraw consent at any time (does not affect prior processing); and lodge a complaint with your local supervisory authority.
  
  

California (CPRA) & certain US state laws

• Know/access categories and specific pieces of personal information;
  
  
• Delete personal information;
  
  
• Correct inaccuracies;
  
  
• Opt out of “sale” or “sharing” (cross-context behavioral advertising);
  
  
• Limit use/disclosure of sensitive personal information (if applicable);
  
  
• No retaliation for exercising rights;
  
  
• Appeal a denied request (also available under several US state laws).
  
  
• Authorized agents: You may designate an authorized agent; we may require proof of authorization and your identity.
  
  

Our current stance: We do not sell or share personal information for cross-context behavioral advertising. If this changes, we will update this Policy and provide opt-out mechanisms (including recognizing Global Privacy Control (GPC) signals where required).

Brazil (LGPD)

• Confirm existence, access, correct, anonymize/block/delete unnecessary or excessive data, portability, information about sharing, withdraw consent, and review automated decisions where applicable.
  
  

India (DPDP Act)

• Seek access, correction, erasure, grievance redressal, withdraw consent, and report a personal data breach where applicable.
  
  

How to exercise your rights:
Email [privacy@your-domain] or use [link to web form] with your request, your region, and a method to verify your identity. We will respond within the timeline required by your law (e.g., 30–45 days).

9) Marketing Preferences

You can opt out of marketing emails at any time by clicking Unsubscribe or emailing [privacy@your-domain]. We may still send non-marketing messages (e.g., administrative, billing, contractual).

10) Processor Activities (Client Projects)

When clients engage BMG, we may process limited personal information on their behalf under a DPA:

• Process only on documented instructions,
  
  
• Maintain confidentiality,
  
  
• Implement appropriate security,
  
  
• Assist with data subject requests,
  
  
• Assist with DPIAs as reasonably required,
  
  
• Delete or return personal information at the end of the engagement,
  
  
• Maintain records of processing and facilitate audits where agreed,
  
  
• Use sub-processors (e.g., cloud and collaboration tools) only with appropriate flow-down obligations and notice.
  
  

Sub-processors: We maintain a current list upon request and will provide advance notice of material changes where contractually required.

11) Third-Party Links & Tools

Our Site may link to third-party sites or embed tools (e.g., scheduling widgets, video hosting). These third parties operate under their own privacy policies. Review those policies; we aren’t responsible for their practices.

12) Automated Decision-Making / Profiling

We do not engage in automated decision-making that produces legal or similarly significant effects about you via the Site or our marketing.

13) Do Not Track & Global Privacy Control

Some browsers offer Do Not Track. There is no common industry standard. Where laws require (e.g., California), we will treat a valid GPC signal as an opt-out of sale/share.

14) Changes to This Policy

We may update this Policy from time to time. The “Last updated” date shows the latest revision. If changes materially affect your rights, we will provide prominent notice (e.g., banner, email, or in-product notice if applicable).

15) Contact Us

Controller: [Biased Media Group / BMG]
Registered address: [Company Address]
Email: [privacy@your-domain]
Data Protection Officer / Grievance Officer (if appointed): [Name, contact email, phone]
EU/UK Representative (if appointed): [Name, contact]
India Grievance Officer (DPDP Act): [Name, contact]

For unresolved concerns in the EEA/UK, you may contact your local supervisory authority. In Brazil, the ANPD. In India, the Data Protection Board (once operational). In California, the Attorney General/CPPA.

16) California “Notice at Collection”

We are required to disclose, at or before collection, the categories of personal information we collect, the purposes, and retention periods. We collect the following categories for the purposes and retention noted below (see Sections 1–2 & 7 for details):

Category (CPRA)	Examples	Purpose(s)	Retention (typical)
Identifiers	Name, email, IP, device IDs	Site operation, communications, security, analytics, marketing (with consent where required)	24 months for leads; logs per security/ops needs
Customer records	Billing contact, business address	Contract/billing, compliance	7 years (or by law)
Commercial info	Services purchased, engagement history	Account management, analytics	Contract term + 24 months
Internet activity	Pages viewed, clicks, referrers	Site performance, analytics	14–26 months (analytics defaults)
Geolocation (coarse)	IP-derived city/country	Localization, analytics, security	14–26 months
Professional info	Role, company, industry	B2B marketing/sales, qualification	24 months
Inferences	Interest in services (high-level)	Segmentation (with consent where required)	24 months

• 
  Sensitive personal information: Not sought via the Site; if incidentally received, we minimize and restrict use.
  
  
• Sale/Share: We do not sell or share personal information for cross-context behavioral advertising.
  
  
• Your rights: See Section 8 and our rights request methods above.
  
  

17) Region-Specific Disclosures

• EEA/UK: Controller is [BMG legal entity]. Legal bases listed in Section 2. You may lodge complaints with your supervisory authority (e.g., ICO in the UK).
  
  
• Brazil: We act as controlador (Site/marketing) and operador (client DPA). Contact: [privacy@your-domain].
  
  
• India: Grievance Officer: [Name], [email/phone]. We process personal data in accordance with the DPDP Act and applicable rules; consent withdrawals honored via [web form/email].