Qualified Deals

Privacy Policy

Effective Date: 17 May 2026

Last Updated: 17 May 2026

This Privacy Policy (“Policy”) explains how Gallivant Ventures LLP, operating under the brand name Qualified Deals (“Company,” “we,” “our,” or “us”), collects, uses, discloses, retains, and protects personal data in connection with our B2B research, lead generation, database hygiene, and market research services.

This Policy complies with the Digital Personal Data Protection Act, 2023 (India), the General Data Protection Regulation (EU/UK GDPR), the California Consumer Privacy Act (CCPA, as amended by CPRA), and the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL), alongside other applicable data protection laws in jurisdictions where we operate.

By engaging with our services, visiting our website, or appearing as a contact in a lead list we research, you may have rights under this Policy. We encourage you to read it carefully and contact us with any questions.

1. Scope of This Policy

This Policy applies to all personal data processed by Gallivant Ventures LLP in connection with the Qualified Deals brand, including:

  • Visitors to qualifieddeals.com and our digital properties
  • Prospective clients who book Project Briefs or contact us through our website
  • Active clients engaging us under Scope Documents
  • Persons whose business contact information we research and verify in the course of delivering Lead Generation and Market Research services to our clients
  • Persons whose data appears in Client-provided CRM files we clean under Database Hygiene engagements

2. Our Role — Data Fiduciary, Joint Controller, or Data Processor

Our legal role under data protection law depends on the type of data and the engagement:

  • Data Fiduciary / Controller: For website visitor data, marketing subscriber data, client account and billing data, and internal business records, we act as the Data Fiduciary (under DPDP Act 2023) or Controller (under GDPR). We determine the purposes and means of processing this data.
  • Joint or Independent Controller (Lead Generation & Market Research): For business contact data we research from publicly available sources to build Lead Generation deliverables, we initially act as an independent controller during the research and verification phase. Upon delivery to the Client, the Client becomes the controller for further processing of that data.
  • Data Processor (Database Hygiene): For Client-provided CRM data that we clean under Database Hygiene engagements, we act as a Data Processor on behalf of the Client. The Client remains the Data Fiduciary/Controller for that data, and our processing is governed by the Scope Document and these terms.

This distinction matters for your rights: if you are a data subject in a Database Hygiene engagement, the original Client is the controller responsible for your data — please direct rights requests to them in the first instance. We will support such requests as a processor.

3. Information We Collect

We collect the following categories of data:

  • Website & Technical Data: IP address, browser type and version, device identifiers, referrer URLs, pages viewed, time on site, cookie identifiers, and analytics data.
  • Prospective Client Data: Information you provide when booking a Project Brief or contacting us — typically full name, business email, phone number, company name, role, and the contents of any message you send.
  • Client Account Data: For active clients — billing details, authorised signatory information, contracting party information, and engagement-specific contact details.
  • Business Contact Data (Researched for Clients): Full name, job title, business email address, business phone number, company name, LinkedIn profile URL, and country/region. Sourcing methods are described in Section 4.
  • Client-Provided Data (Database Hygiene): CRM records, contact lists, and related fields shared by the Client for verification, cleaning, and enrichment under the engagement.
  • Payment Transaction Data: Processed via secure third-party providers (Razorpay, Wise, bank transfer). We do not store full payment card details on our systems.

Sensitive Personal Data: We do not intentionally collect sensitive personal data such as racial or ethnic origin, religious or political beliefs, genetic or biometric data, health data, sexual orientation, or financial account credentials. Our services are limited to publicly available business contact information.

4. How We Source Business Contact Data for Clients

In delivering Lead Generation and Market Research engagements, we source business contact information through the following methods:

  • Publicly available business directories and company websites (including team pages, leadership listings, and company “About” pages)
  • Public LinkedIn profile data related to employment (name, current job title, current company, public profile URL)
  • Industry databases under their license terms (including providers such as ZoomInfo, Apollo, Lusha, Cognism, Crunchbase, and PitchBook)
  • Public company filings, press releases, news media, and conference speaker listings
  • Cross-verification via SMTP validation and manual review by our research analysts

We do not scrape content behind login walls, purchase consumer (B2C) data, use bot networks, source data from breached databases, or collect data on individuals in their personal (non-business) capacity. Business contact data is collected for the specific purpose of enabling legitimate B2B business communication between our clients and the contacts’ employers.

Under GDPR Article 6(1)(f), our processing of business contact data for the purpose of facilitating B2B prospecting is based on the legitimate interests of our clients and ourselves in conducting commercial outreach to relevant business decision-makers, balanced against the rights and reasonable expectations of the data subjects. Under the DPDP Act 2023, processing is conducted in accordance with the legitimate-use grounds set out in Section 7, where applicable, or with consent where required.

5. Lawful Basis for Processing

We process personal data on the following lawful bases:

  • Consent: For non-essential cookies, marketing communications to our own subscribers, and any sensitive data processing.
  • Contractual Necessity: To fulfill obligations under Scope Documents with active clients.
  • Legitimate Interests (GDPR Article 6(1)(f)): For B2B prospecting, fraud prevention, security, and improving our research methodology. We conduct legitimate-interest balancing assessments where applicable.
  • Legitimate Uses (DPDP Act 2023, Section 7): For specified purposes recognised under Indian law where consent is not required, such as compliance with legal obligations and corporate restructuring.
  • Legal Obligations: To comply with tax, accounting, anti-money-laundering, and other regulatory requirements in jurisdictions where we operate.

6. Purpose of Processing

We process personal data for the following purposes:

  • Researching, verifying, and delivering business contact data to our clients under agreed Scope Documents
  • Cleaning, re-verifying, and enriching Client-provided CRM data under Database Hygiene engagements
  • Conducting market research, ICP mapping, and competitor analysis for Clients
  • Managing client relationships, invoicing, and engagement reporting
  • Operating, securing, and improving our website and internal systems
  • Sending business communications to subscribers who have opted in
  • Preventing fraud, abuse, and unauthorised access to our systems
  • Complying with applicable laws and responding to legitimate legal requests

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on data subjects.

7. Sharing and Cross-Border Transfers

We may share personal data with the following categories of recipients, in each case under appropriate contractual and legal safeguards:

  • Our Clients: We deliver researched business contact data to Clients under agreed Scope Documents. Upon delivery, the Client becomes the controller for further processing of that data.
  • Service Providers: Cloud infrastructure (Google Workspace, Dropbox), website hosting, accounting and invoicing platforms, payment processors (Razorpay, Wise), data-verification tools, and analytics providers (Google Analytics). All service providers are bound by data-processing agreements where required.
  • Professional Advisors: Legal counsel, auditors, and accountants under confidentiality obligations, on a need-to-know basis.
  • Legal Authorities: Where required to comply with applicable law, court orders, regulatory enforcement, or legitimate government requests.
  • Successors in Interest: In the event of a business reorganisation, merger, or sale of substantially all our assets, data may be transferred subject to the same privacy protections.

Cross-Border Transfers: Personal data may be transferred outside India to support our services to international clients and to operate cloud infrastructure. Transfers are made in accordance with applicable safeguards, including Standard Contractual Clauses (where transferring data from the EU/UK), DPDP Act transfer requirements, and UAE PDPL provisions. We do not transfer personal data to jurisdictions identified by Indian authorities as restricted for data transfer.

We do not sell personal data. We do not share personal data with third parties for their own independent marketing purposes.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, or as required by applicable law. Specific retention periods are:

  • Client-provided data and engagement deliverables: 30 days after final delivery, after which all Client-provided data is permanently deleted. This window supports revision requests and the Bounce Replacement Guarantee.
  • Client account and billing records: For the duration of the relationship plus 7 years, in accordance with Indian tax and accounting law.
  • Prospective client inquiry data: 12 months from the most recent interaction, unless the inquiry converts into an engagement.
  • Marketing subscriber data: Until the subscriber opts out, after which the email is retained on a suppression list to honor the opt-out.
  • Website analytics data: 14 months (Google Analytics default configuration), after which data is anonymized or deleted.
  • Aggregated and anonymized analytics: Retained indefinitely for internal quality improvement and methodology refinement.

9. Your Rights as a Data Subject / Data Principal

Depending on your jurisdiction and the nature of our processing, you may have the following rights:

  • Under DPDP Act 2023 (India): Right to access summary of personal data, right to correction and erasure, right of grievance redressal, right to nominate, and right to withdraw consent.
  • Under GDPR (EU/UK): Right of access, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing, right to data portability, right to object to processing (including direct marketing and legitimate-interest processing), and rights related to automated decision-making. You also have the right to lodge a complaint with your supervisory authority.
  • Under CCPA / CPRA (California, USA): Right to know what personal information is collected, right to delete, right to correct, right to opt out of sale or sharing (note: we do not sell personal data), right to limit use of sensitive personal information, and right to non-discrimination.
  • Under UAE PDPL: Right of access, rectification, erasure, restriction of processing, portability, and to object to processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner where required by applicable law). We may need to verify your identity before fulfilling a request. We do not charge a fee for reasonable rights requests; we may charge a reasonable fee for manifestly unfounded or excessive requests, as permitted by applicable law.

10. If Your Contact Information Appears in a Delivered Lead List

If you have received outreach from a Qualified Deals client and believe your business contact details were sourced through our research, you have specific options:

  • To stop the outreach you are currently receiving: Contact the sender directly. Each cold outreach email is required by applicable anti-spam law (CAN-SPAM, GDPR, DPDP Act) to include an unsubscribe mechanism. The sender of the outreach is responsible for honoring that opt-out — we, as the original researcher of the data, do not have visibility into or control over the campaigns our clients run.
  • To request your data be removed from our research databases so it does not appear in future research projects: Email [email protected] with your full name, business email, and current employer. We will suppress your record in our research systems within 30 days. Note: this prevents your data from being included in future Qualified Deals lead lists, but does not affect lists already delivered to clients.
  • To understand how your data was sourced: We will provide, on request, a summary of the lawful basis and source category (e.g., “publicly available LinkedIn profile and corporate directory”) under which your data was researched. Specific client identities cannot be disclosed without that client’s consent or a legal requirement to do so.

We acknowledge the rights of data subjects whose data we process without direct contact (per GDPR Article 14). Where providing direct notice to every researched contact would involve disproportionate effort, we make this Policy publicly available and provide clear opt-out mechanisms as set out above.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss, and destruction. Our measures include:

  • Encryption of data in transit using TLS/SSL protocols
  • Industry-standard encryption of data at rest in cloud storage
  • Access controls limiting Client-provided and engagement data to named team members on the specific engagement
  • Confidentiality obligations on all team members and contractors
  • Project-specific cloud folders for Client data, rather than shared databases
  • Periodic security reviews and credential rotation
  • Multi-factor authentication on internal systems handling personal data

No system is perfectly secure. In the event of a personal-data breach affecting your data, we will notify you and the relevant authorities as set out in Section 15.

12. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies for the following purposes:

  • Strictly necessary cookies: Required for the website to function (session management, security). Used without consent under applicable law.
  • Analytics cookies: To understand how visitors use our website (Google Analytics or equivalent). Loaded only with consent where required by law.
  • Functional cookies: To remember user preferences and improve experience. Loaded only with consent where required by law.
  • Marketing and advertising cookies: We do not currently use third-party advertising cookies. If we introduce them in future, they will be loaded only with explicit consent.

You can manage cookie preferences through our cookie consent banner or your browser settings. Refusing non-essential cookies will not prevent you from using our website.

13. Children’s Data

Our services are directed at businesses, not individuals in their personal capacity, and we do not knowingly collect personal data from children. Where applicable law sets a specific age threshold (DPDP Act, GDPR, COPPA), we comply with the highest applicable standard. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly.

14. International Compliance Framework

This Policy is designed to comply with the following data protection regimes:

  • India: Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000 (where applicable)
  • EU / UK: General Data Protection Regulation (GDPR) and UK Data Protection Act 2018
  • USA: California Consumer Privacy Act (CCPA, as amended by CPRA), and other applicable state privacy laws
  • UAE: Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL)
  • Saudi Arabia: Personal Data Protection Law (PDPL), where applicable
  • Other Regions: Applicable local data protection laws in jurisdictions where our clients and contacts operate

15. Grievance Officer and Data Breach Response

Grievance Officer: In accordance with the Digital Personal Data Protection Act 2023 and the Information Technology Rules 2011, we have designated the following Grievance Officer to address concerns related to personal data processing:

Name: [GRIEVANCE OFFICER NAME — TO BE DESIGNATED]
Designation: Designated Partner, Gallivant Ventures LLP
Email: [email protected]
Address: Gallivant Ventures LLP, Kochi, Kerala, India
Response time: Within 30 days of receipt of grievance

Data Breach Response: In the event of a personal data breach affecting your data:

  • We will notify the Data Protection Board of India and affected data principals in accordance with the DPDP Act 2023 timelines.
  • Where the breach involves EU/UK data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware (per GDPR Article 33), where required.
  • Where the breach involves data we process as a Data Processor on behalf of a Client, we will notify the affected Client without undue delay.
  • Notifications to affected data subjects will include the nature of the breach, the likely consequences, the measures taken to mitigate, and contact details for further information.

16. Updates to This Policy

We may update this Policy periodically to reflect changes in our practices, our services, or applicable law. The “Last Updated” date at the top of this Policy indicates when it was most recently revised. Material changes will be communicated through our website, by email to active clients and subscribers, or through other appropriate channels. Continued use of our services after an update constitutes acceptance of the revised Policy.

17. Contact for Privacy Matters

For any questions, concerns, or requests related to this Privacy Policy or our handling of your personal data:

Email: [email protected]
General contact: [email protected] · +91 98955 53141

Postal address:
Gallivant Ventures LLP
Kochi, Kerala, India

LLPIN: ACB-5193
GSTIN: 32AAZFG7923K1ZR

error: Content is protected !!