VMAi ("we," "us," or "our") operates the VMAi M&A Deal Room platform and related services (the "Services"). We are committed to protecting your personal information and your right to privacy.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Services. It applies to all users globally and complies with:
- Australia: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
- European Union/UK: General Data Protection Regulation (GDPR)
- United States: State privacy laws including CCPA/CPRA (California), VCDPA (Virginia), and other applicable regulations
1. Information We Collect
1.1 Personal Information You Provide
We collect information that you voluntarily provide when using our Services:
- Account Information: Name, email address, password, phone number
- Profile Information: Company name, job title, business address, professional details
- Transaction Information: Deal details, financial data, documents uploaded to the platform
- Communication Data: Messages, support requests, feedback
- Payment Information: Billing address, payment method details (processed by third-party providers)
1.2 Information Collected Automatically
When you access our Services, we automatically collect:
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages viewed, features used, time spent on platform, clickstream data
- Location Data: General geographic location based on IP address
- Cookies and Similar Technologies: Session data, preferences, authentication tokens
1.3 Information from Third Parties
- Social media platforms (if you choose to connect accounts)
- Business partners and referral sources
- Public databases and data enrichment services
- Analytics and marketing service providers
2. How We Use Your Information
We use collected information for the following purposes:
| Purpose |
Legal Basis (GDPR) |
| Provide and maintain the Services |
Performance of contract |
| Process transactions and manage accounts |
Performance of contract |
| Send administrative communications |
Performance of contract / Legitimate interest |
| Respond to inquiries and provide support |
Performance of contract / Legitimate interest |
| Improve and optimize our Services |
Legitimate interest |
| Detect and prevent fraud and abuse |
Legitimate interest / Legal obligation |
| Comply with legal obligations |
Legal obligation |
| Send marketing communications (with consent) |
Consent / Legitimate interest |
| Personalize user experience |
Consent / Legitimate interest |
3. How We Share Your Information
We may share your information in the following circumstances:
3.1 Service Providers
We share information with third-party vendors who perform services on our behalf:
- Cloud hosting providers (data storage and processing)
- Payment processors
- Email and communication service providers
- Analytics and monitoring services
- Customer support platforms
3.2 Business Transfers
If we are involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred to the acquiring entity.
3.3 Legal Requirements
We may disclose information when required by law or in response to:
- Court orders or subpoenas
- Law enforcement requests
- Legal proceedings or government investigations
- Protection of our rights, property, or safety
3.4 With Your Consent
We may share information with third parties when you explicitly consent to such sharing.
Important: We Do Not Sell Your Personal Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4. International Data Transfers
VMAi operates globally. Your information may be transferred to and processed in countries other than your country of residence, including:
- Australia (primary data center location)
- United States (cloud service providers)
- European Union (for EU/UK users)
4.1 Safeguards for International Transfers
When transferring data internationally, we implement appropriate safeguards:
- EU-US Data Privacy Framework: For transfers to the United States
- Standard Contractual Clauses (SCCs): EU Commission-approved contracts
- Adequacy Decisions: Transfers to countries deemed adequate by relevant authorities
- Binding Corporate Rules: Internal data protection policies
5. Your Privacy Rights
Depending on your location, you may have the following rights:
5.1 Rights Under Australian Privacy Act 1988
- Access: Request access to your personal information
- Correction: Request correction of inaccurate information
- Complaints: Lodge a complaint with us or the Office of the Australian Information Commissioner (OAIC)
5.2 Rights Under GDPR (EU/UK)
- Access: Obtain confirmation of processing and a copy of your data
- Rectification: Correct inaccurate or incomplete data
- Erasure ("Right to be Forgotten"): Request deletion of your data
- Restriction: Limit how we process your data
- Data Portability: Receive your data in a structured, machine-readable format
- Object: Object to processing based on legitimate interests or for marketing
- Automated Decision-Making: Not be subject to decisions based solely on automated processing
- Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
5.3 Rights Under US State Laws (CCPA/CPRA, VCDPA, etc.)
- Know: Know what personal information we collect, use, disclose, and sell
- Access: Request access to specific pieces of information
- Delete: Request deletion of your personal information
- Opt-Out: Opt-out of the sale or sharing of personal information
- Correct: Request correction of inaccurate information
- Limit: Limit the use of sensitive personal information
- Non-Discrimination: Not be discriminated against for exercising your rights
How to Exercise Your Rights
To exercise any of these rights, please contact us using the information in the "Contact Us" section below. We will respond to your request within the timeframes required by applicable law:
- GDPR: Within 30 days (extendable to 60 days for complex requests)
- CCPA/CPRA: Within 45 days (extendable to 90 days)
- Australian Privacy Act: Within 30 days
6. Data Retention
We retain your personal information for as long as necessary to:
- Provide the Services and maintain your account
- Comply with legal, tax, and accounting obligations
- Resolve disputes and enforce our agreements
- Maintain business records and analytics
Retention Periods:
| Data Type |
Retention Period |
| Account information |
Duration of account + 7 years (tax/legal requirements) |
| Transaction records |
7 years (financial regulations) |
| Support communications |
3 years |
| Marketing data |
Until consent withdrawn + 1 year |
| Aggregate/anonymized data |
Indefinitely (no longer personal data) |
After the retention period expires, we will securely delete or anonymize your information.
7. Data Security
We implement appropriate technical and organizational measures to protect your information:
7.1 Technical Measures
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access, multi-factor authentication
- Firewalls and Monitoring: Network security and intrusion detection
- Secure Servers: Industry-standard data centers with physical security
- Regular Backups: Encrypted backups with disaster recovery procedures
7.2 Organizational Measures
- Employee training on data protection
- Confidentiality agreements with staff and contractors
- Regular security audits and assessments
- Incident response and breach notification procedures
- Data Protection Impact Assessments (DPIAs) for high-risk processing
Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and applicable regulators within the timeframes required by law (72 hours under GDPR, without unreasonable delay under Australian law).
8. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience:
Types of Cookies We Use:
- Essential Cookies: Required for the platform to function (authentication, security)
- Performance Cookies: Analyze usage and improve Services (Google Analytics)
- Functional Cookies: Remember your preferences and settings
- Marketing Cookies: Deliver relevant advertisements (requires consent)
Managing Cookies:
You can control cookies through:
- Browser settings (most browsers allow you to refuse or delete cookies)
- Our cookie consent banner (when you first visit)
- Privacy preference center (link in footer)
- Opt-out tools provided by third parties (e.g., Google Analytics opt-out)
Note: Disabling essential cookies may affect platform functionality.
9. Children's Privacy
Our Services are not directed to individuals under 18 years of age (or 16 in the EU). We do not knowingly collect personal information from children.
If we become aware that we have collected information from a child without parental consent, we will take steps to delete that information promptly.
10. Third-Party Links and Services
Our Services may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.
11. California-Specific Disclosures
11.1 California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Categories of Personal Information Collected (last 12 months):
- Identifiers (name, email, IP address)
- Commercial information (transaction history)
- Internet activity (browsing history, interactions)
- Professional information (job title, company)
- Geolocation data (general location)
- Inferences (preferences, characteristics)
Business Purposes for Collection:
- Providing Services
- Security and fraud prevention
- Service improvement
- Internal research and analytics
Categories of Third Parties with Whom We Share Information:
- Service providers and contractors
- Cloud infrastructure providers
- Analytics providers
- Payment processors
Sale or Sharing of Personal Information: We do not sell or share personal information as defined by CCPA/CPRA.
11.2 Shine the Light Law
California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.
12. Nevada-Specific Rights
Nevada residents have the right to opt-out of the sale of certain covered information. We do not sell covered information as defined by Nevada law. If you have questions, please contact us.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our practices
- Changes in applicable laws
- New features or Services
- Feedback from users or regulators
We will notify you of material changes by:
- Posting the updated policy on our website
- Updating the "Last Updated" date
- Sending an email notification (for significant changes)
- Displaying a notice on the platform
Your continued use of the Services after changes constitutes acceptance of the updated Privacy Policy.
14. Supervisory Authorities
If you are located in the EU/UK or Australia, you have the right to lodge a complaint with your local data protection authority:
European Union / UK:
- EU: Your national Data Protection Authority (find your DPA)
- UK: Information Commissioner's Office (ICO) - ico.org.uk
Australia:
- Office of the Australian Information Commissioner (OAIC)
- Website: oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
United States:
Important Information for Different Jurisdictions
Australian Users: VMAi is bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988. You may contact the OAIC if you have concerns about our compliance.
EU/UK Users: VMAi complies with the GDPR. Our legal basis for processing is primarily contractual necessity and legitimate interests. You may withdraw consent or object to processing at any time.
California Users: You have specific rights under the CCPA/CPRA. We do not discriminate against consumers who exercise their privacy rights. You may designate an authorized agent to make requests on your behalf.