Privacy Policy

Who we are

This website, vimta.com, is owned and operated by Vimta Labs Limited ("Vimta", "we", "us", "our") — a public limited company incorporated in India and listed on BSE and NSE.

Registered office:
Vimta Labs Limited
141/2 & 142, IDA Phase II
Cherlapally, Hyderabad – 500 051
Telangana, India

CIN: L24110TG1990PLC011977
Email: contact@vimta.com
Phone: +91 40 6740 4040

For privacy-specific queries, see the Contact information section at the end of this policy.


Scope of this policy

This policy covers personal data collected through vimta.com and any communications that arise from it — enquiries, career applications, investor information requests, event registrations, and newsletter subscriptions. It does not cover personal data processed under a separate agreement for testing or clinical research services, which is governed by the specific Master Services Agreement, Clinical Trial Agreement, or equivalent contract between Vimta and its client or sponsor.


What personal data we collect and why we collect it

Contact forms and enquiries

When you submit the "Contact Us", "Talk to a Specialist", or "Request a Quote" forms, we collect:

  • Name
  • Email address
  • Phone number (where provided)
  • Company / organisation name
  • Country / region
  • The nature of your enquiry and any message content you provide

Why: to respond to your enquiry, route it to the correct business unit (Drug Discovery & Development, Food & Personal Care, Electricals & Electronics, Environment Health & Safety, or Crop Care & Speciality Chemicals), and, where relevant, issue a proposal or set up a follow-up call.

Legal basis: your consent, and our legitimate interest in responding to business enquiries.

Retention: enquiry records are kept for 36 months from last contact for business continuity and audit purposes. Rejected leads are purged after this period.

Career applications

When you apply through the "Careers" or "Open Positions" section (or email a CV to a published role inbox), we collect:

  • Name and contact details
  • CV / résumé content, including employment history, education, qualifications, and references
  • Cover letter content
  • Any additional information you voluntarily provide

Why: to evaluate your suitability for the role you applied to and, with your consent, for other current or future openings at Vimta.

Legal basis: taking steps at your request prior to entering a contract of employment, and your consent for retention beyond the specific role.

Retention: applicant data for unsuccessful candidates is retained for 24 months, after which it is deleted unless you have specifically consented to a longer period.

Event registrations

When you register for a Vimta event (webinar, conference booth meeting, training session), we collect your name, email, organisation, and role. This data is used solely to confirm your registration, send event-related communications, and — with separate opt-in — add you to our mailing list.

Investor communications

If you subscribe to investor updates or request investor documents, we collect your name and email address and — where you voluntarily provide it — your investor category (institutional, retail, analyst). Investor data is processed in line with SEBI disclosure obligations.

Newsletter subscriptions

If you subscribe to our newsletter, we collect your email address and name (optional). You can unsubscribe at any time via the link in every email.

Technical data — cookies, analytics, and server logs

When you visit vimta.com, we automatically collect:

  • IP address (pseudonymised within analytics)
  • Browser type and version
  • Device type, screen resolution, operating system
  • Pages visited, time on page, referring URL
  • Date and time of access

This data is collected via server logs and through the analytics and cookie mechanisms described below.

Sensitive personal data

We do not knowingly collect sensitive personal data (health, biometric, genetic, religious, or political data) through this website. Where our services require handling sensitive data — for example, bioanalytical or clinical sample metadata under a client contract — that data is processed under separate contractual safeguards and is never collected through this website.

Please do not submit sensitive personal data through contact forms. If your enquiry requires it, we will route you to a secure channel.


Comments

This website does not currently accept public comments on posts or pages. If this changes in future, this section will be updated to reflect what data is collected and retained.


Media

Media files uploaded to this website are published by Vimta staff only. Visitors cannot upload media. If you share photographs, videos, or documents with Vimta through email or via a Vimta cloud folder shared with you, please avoid embedding unintended location metadata (EXIF/GPS); we do not extract it but it remains in the file if included.


Cookies

We use cookies to make the site work, to remember your preferences, and to understand how the site is used.

Cookie type | Purpose | Retention
Strictly necessary | Session management, CSRF protection, cookie-consent preferences | Session to 12 months
Analytics (with consent) | Google Analytics 4 — measures traffic, popular pages, and conversion events | Up to 14 months
Marketing (with consent) | LinkedIn Insight Tag — measures campaign effectiveness for B2B outreach | Up to 6 months

You can manage or withdraw cookie consent at any time via the cookie banner at the bottom of any page, or by clearing cookies in your browser. Declining non-essential cookies will not prevent you from using the website.


Analytics

We use Google Analytics 4 to understand how visitors find and use vimta.com. GA4 uses pseudonymised identifiers and is configured with IP anonymisation enabled. No direct personal identifiers are passed to Google.

You can opt out of Google Analytics globally by installing the Google Analytics opt-out browser add-on, or by declining the analytics category in our cookie banner.

Google's privacy policy: policies.google.com/privacy

We use the LinkedIn Insight Tag to measure conversions from LinkedIn advertising and enable retargeting for professional-audience campaigns. This fires only after consent.

LinkedIn's privacy policy: linkedin.com/legal/privacy-policy


Who we share your data with

We share personal data only with the following categories of recipients, and only where necessary:

  • Hosting and infrastructure providers — our web hosting provider stores server logs and website data under a data processing agreement. Data is held on servers located in India.
  • Email and CRM — enquiry data is routed to our internal CRM (operated under a data processing agreement) and to the relevant business unit inbox.
  • Analytics providers — as listed in the Cookies section above.
  • Professional advisors — legal, audit, or compliance advisors under confidentiality obligations, only where required (e.g. responding to a regulatory investigation).
  • Regulatory authorities — where disclosure is required by law (e.g. SEBI, RBI, Income Tax, Ministry of Corporate Affairs, or a court order).

We do not sell personal data. We do not share it with advertising networks beyond the conversion and retargeting functions described above.


How long we retain your data

Data category | Retention period
Contact form enquiries | 36 months from last contact
Career applications (unsuccessful) | 24 months from decision
Event registrations | 12 months after event
Newsletter subscribers | Until unsubscribed, plus 30 days for audit
Investor communications | 7 years (SEBI disclosure compliance)
Server logs | 90 days
Analytics (GA4) | Up to 14 months

When retention expires, data is permanently deleted or anonymised.


What rights you have over your data

Depending on where you reside, you have some or all of the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to fix data that is inaccurate or incomplete
  • Deletion — ask us to delete data we no longer have a lawful basis to hold
  • Objection — object to processing based on our legitimate interests
  • Portability — request your data in a machine-readable format
  • Withdrawal of consent — at any time, where processing is consent-based
  • Grievance redressal — raise a complaint with our Grievance Officer (below) or the relevant data protection authority

Under the Digital Personal Data Protection Act, 2023 (India), data principals resident in India additionally have the right to nominate another individual to exercise their rights in the event of death or incapacity.

To exercise any of these rights, email privacy@vimta.com or write to the Grievance Officer listed below. We respond within 30 days.


Where your data is sent

Vimta Labs is headquartered in India and most data is processed and stored within India.

Certain sub-processors operate outside India:

  • Google (Google Analytics) — servers in the United States and EU. Transfers are covered by Google's Standard Contractual Clauses and, for EU residents, the EU–US Data Privacy Framework.
  • LinkedIn (Insight Tag) — servers in the United States and Ireland. Transfers are covered by Standard Contractual Clauses.

For transfers of data concerning European residents outside the EEA, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards, and we assess the recipient jurisdiction's protections as required under GDPR Articles 44–49.


How we protect your data

We apply administrative, technical, and physical safeguards proportionate to the sensitivity of the data:

  • Encryption — all data in transit uses TLS 1.2 or higher. Sensitive data at rest is encrypted.
  • Access controls — role-based access, least-privilege principle, mandatory MFA on administrative accounts
  • Staff training — all staff who handle personal data complete data-protection training at induction and annually thereafter
  • Vendor due diligence — sub-processors are assessed for security and contractually bound to equivalent standards
  • Logging and monitoring — access to personal data is logged; anomalous activity triggers review

Vimta operates under quality management systems accredited to international standards (ISO/IEC 17025, NABL, USFDA-inspected, EU-GMP-inspected, CAP, WHO-GMP among others). These certifications govern our laboratory operations and data integrity controls; they are distinct from — but complement — the information-security measures applied to this website.


What data breach procedures we have in place

In the event of a personal data breach, we will:

  1. Contain the breach and assess its scope within 72 hours of detection
  2. Notify the Indian Computer Emergency Response Team (CERT-In) where required under the CERT-In Directions, 2022
  3. Notify the Data Protection Board of India within the timelines prescribed under the DPDP Act, 2023
  4. Notify affected data principals where the breach is likely to cause significant harm, with a description of the breach, likely consequences, and mitigation measures
  5. For EU residents, notify the lead supervisory authority within 72 hours as required under GDPR Article 33

Our internal incident response process is documented and reviewed annually.


What third parties we receive data from

We do not purchase or receive personal data from data brokers or advertising platforms. We occasionally receive contact details from:

  • Professional networks (LinkedIn) — when you message us or respond to an outreach campaign, your LinkedIn-provided contact details become known to us
  • Event organisers — when you opt in at a conference booth or industry event to receive follow-up from Vimta

In each case the original data controller has obtained your consent before transferring your details to us.


Automated decision-making and profiling

We do not use automated decision-making or profiling to evaluate contact form enquiries, career applications, or investor communications. A human reviews every enquiry.

LinkedIn Insight Tag and Google Analytics perform audience-level aggregation for marketing reporting; these do not make individual decisions about you.


Industry regulatory disclosure

Vimta is a CDSCO-registered, USFDA-inspected, EU-GMP-inspected, NABL-accredited, and CAP-accredited laboratory. Personal data processed in the course of our laboratory services (client, sample, and study data) is governed by:

  • Good Clinical Practice (GCP) — ICH E6(R2)
  • Good Laboratory Practice (GLP) — OECD Principles
  • Good Manufacturing Practice (GMP) — EU, US, WHO, Indian Schedule M
  • New Drugs and Clinical Trials Rules, 2019 (India)
  • HIPAA (where applicable to US clinical data)
  • Master Services Agreements and Clinical Trial Agreements with individual sponsors

These frameworks impose data-handling obligations that exceed those of this website. Data processed under them is not governed by this website privacy policy.


Children's data

This website is not directed to individuals under the age of 18, and we do not knowingly collect data from children. If you believe a child has submitted data to us, please contact privacy@vimta.com and we will delete it.


Contact information

Grievance Officer / Data Protection Officer

For any questions, requests, or complaints regarding this privacy policy or how we handle your personal data:

[Name to be filled in]
Grievance Officer, Vimta Labs Limited
141/2 & 142, IDA Phase II
Cherlapally, Hyderabad – 500 051
Telangana, India
Email: privacy@vimta.com
Phone: +91 40 6740 4040

Supervisory authorities

If you are not satisfied with our response, you may lodge a complaint with:

  • Data Protection Board of India (once notified under the DPDP Act, 2023)
  • For EU residents: the data protection authority in your country of residence. A list is available at edpb.europa.eu
  • For UK residents: the Information Commissioner's Office at ico.org.uk

Changes to this policy

We review this policy annually and update it when our practices change. Material changes will be announced on this page with a revised "Last updated" date. For significant changes affecting existing data principals, we will notify you by email where we hold your address.


Fields you need to complete before publishing

Before this policy goes live, please confirm or complete:

  1. Grievance Officer / DPO name and direct line — India's DPDP Act and IT Rules require a named contact
  2. CIN number — confirm correct Corporate Identity Number (I used a placeholder format)
  3. Registered office address — confirm exact address
  4. Cookie inventory — confirm which analytics/marketing tools are actually deployed (I listed GA4 and LinkedIn Insight Tag based on the global_ga4_id and global_linkedin_partner_id ACF fields in your theme)
  5. Retention periods — verify the numbers above match what your ops/HR actually do; contact-form and career-applicant windows in particular
  6. Sub-processors — confirm hosting provider and CRM platform, list in "Who we share your data with"
  7. Regulatory accreditations — verify the list in the Industry regulatory disclosure section (I pulled the standard set from your About Us content model but you'll want to cross-check against your actual certifications page)
  8. Have legal counsel review before publishing. This is a drafted template based on public privacy-policy standards and your stated use cases — it is not a substitute for qualified legal review, particularly given Vimta's multi-jurisdiction exposure (DPDP, GDPR, HIPAA via US clinical clients, SEBI disclosures).