Privacy Policy

1. INTRODUCTION AND SCOPE

VELSTROM Private Limited ("VELSTROM", "we", "us", or "our"), a company incorporated under the Companies Act, 2013, is committed to protecting the personal data of every individual who interacts with our website, services, or agricultural carbon credit programme.

This Privacy Policy applies to: (a) visitors to our website at velstrom.in ("Website"); (b) enrolled farmers and their representatives who participate in our Carbon Credit Aggregation Programme; and (c) any other individual whose personal data VELSTROM processes in connection with its operations under the Carbon Credit Trading Scheme (CCTS), 2023.

This Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and associated rules notified by the Government of India, and in accordance with BEE Offset Mechanism Procedure v1.0 (March 2025) which governs our obligations as a Non-Obligated Entity (Project Developer) under the Indian Carbon Market.

2. DATA WE COLLECT AND WHY

2.1 Website Visitors

When you visit our Website, we may automatically collect the following technical data:

• IP address and approximate geographic location (country/city level only)
• Browser type, version, and operating system
• Pages visited, time spent, and navigation path (via Google Analytics 4)
• Referral source (how you reached our Website)
• Cookie identifiers (see Section 7)

We collect this data to understand how our Website is used, improve its content, and ensure it loads correctly across devices. This is collected on the basis of our legitimate interest in maintaining a functional and informative website.

2.2 Enquiry Form / Contact Submissions

If you contact us through our Website, we collect your name, email address, organisation name, and the content of your message. This is used solely to respond to your enquiry and is retained for up to 2 years.

2.3 Enrolled Farmers

Under our Carbon Credit Aggregation Programme, we collect the following categories of personal data from enrolled farmers, with their explicit written consent as per the Farmer Enrollment Agreement:

• Identity data: Full name, Aadhaar number (last 4 digits retained in operational systems after verification), mobile number registered with Aadhaar
• Land data: Survey number / Gat number, village, taluka, district, GPS plot boundary coordinates (GeoJSON polygon), enrolled area in hectares, crop type
• Financial data: Bank account linked to Aadhaar (for UPI payment processing only; full account details are not stored beyond payment processing)
• Soil data: Lab results (SOC, bulk density, pH, texture) from NABL-accredited laboratories, QR-coded sample chain-of-custody records
• Satellite and monitoring data: Spectral index time series per plot, VIIRS fire alert records, GPS-stamped field agent photographs with EXIF metadata
• Activity logs: Farming practice records logged by farmer or field agent in the VELSTROM platform, including tillage events, residue management decisions, and fertiliser applications
• Payment records: UPI transaction IDs, Annual Settlement Statement copies

2.4 Corporate / Buyer Contacts

If you represent an industrial entity or corporate buyer and engage with VELSTROM regarding CCC purchase or ESG reporting services, we collect your name, professional email address, company name, and the contents of our correspondence. This data is retained for the duration of the commercial relationship plus 7 years for audit purposes.

3. LEGAL BASIS FOR PROCESSING

4. DATA STORAGE, SECURITY, AND LOCALISATION

All personal data is stored on Google Cloud Platform (GCP) in the Mumbai, India region (asia-south1) in compliance with data localisation obligations under the DPDP Act. We do not transfer personal data outside India except where explicitly required for international carbon credit transactions (e.g., Verra VCS Registry) and only with the data principal's prior awareness.

We implement the following technical and organisational security measures:

• AES-256 encryption at rest for all data stored in Google Cloud Storage (Immutable class)
• TLS 1.3 encryption in transit for all data transmissions
• Role-based access controls — only authorised VELSTROM personnel with specific operational roles can access farmer personal data
• SHA-256 cryptographic hashes of key datasets anchored on the Polygon PoS public blockchain, creating a tamper-evident audit trail accessible to BEE-accredited ACVAs
• Separate ACVA read-only audit portal — verifiers access monitoring data without VELSTROM intermediation, reducing the risk of manipulation
• NABL laboratory chain-of-custody QR codes linking physical soil samples to digital records

5. DATA RETENTION

6. YOUR RIGHTS UNDER THE DPDP ACT 2023

As a data principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to access: Request confirmation of whether we process your personal data and obtain a summary of what we hold.
• Right to correction: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of personal data after your Farmer Enrollment Agreement expires, subject to the mandatory 10-year regulatory retention under BEE requirements.
• Right to grievance redressal: Lodge a complaint with our designated contact (details below) and receive a response within 15 working days.
• Right to nominate: Nominate another individual to exercise these rights on your behalf in the event of incapacity or death.

To exercise any of these rights, contact us at: velstrom.un.inc@gmail.com or through your VELSTROM field agent.

7. COOKIES

Our Website uses the following categories of cookies:

• Strictly necessary cookies: Required for the Website to function. Cannot be disabled.
• Analytics cookies: Google Analytics 4 cookies that help us understand Website traffic patterns. No personal identification. You may opt out via [Cookie Preferences] or at tools.google.com/dlpage/gaoptout.

No advertising or tracking cookies are used. VELSTROM does not sell advertising on its platform.

8. THIRD-PARTY PROCESSORS

VELSTROM uses the following third-party data processors, each bound by data processing agreements:

• Google Cloud Platform (GCP Mumbai): Cloud infrastructure for data storage and ML model hosting.
• Google Earth Engine: Satellite data processing platform. Farm polygon coordinates are uploaded for spectral index extraction. No farmer personal identity data is shared.
• Google BigQuery: Data warehouse for satellite feature time series and model outputs.
• Polygon Foundation (public blockchain): SHA-256 data hashes only — no personal data is written to the blockchain.
• NABL-accredited laboratories: Receive physical soil samples linked to farm_id (not farmer name or Aadhaar) for analysis.
• BEE-accredited ACVAs: Receive anonymised monitoring data for project verification. Personal farmer data is not shared with ACVAs unless required by BEE regulatory process.
• NPCI (UPI): Payment processor for farmer Net Payment disbursements. Receives Aadhaar-linked VPA only.

9. UPDATES TO THIS POLICY

We will update this Privacy Policy as required by changes to the DPDP Act rules, BEE Offset Mechanism Procedure, or our operational practices. Material updates will be notified to enrolled farmers by field agent and to website visitors via a banner. The version and effective date are noted at the top of this document.