Privacy Policy

1.Introduction

Chiblu India (OPC) Private Limited (“Chiblu”, “we”, “us”) operates the website chiblu.com and its associated applications (the “Platform”). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Platform.

This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and applicable rules and regulations thereunder.

By using the Platform, you consent to the collection and use of your personal data as described in this Privacy Policy and the specific consent notices provided during registration and at various points of data collection on the Platform. Chiblu acts as a Data Fiduciary under the DPDP Act.

2.Data We Collect

Information You Provide: Name, email address, phone number, postal address, business name (for Sellers), PAN, GSTIN, bank account details (for Sellers), product listings, reviews, and any other information you voluntarily submit.

Information from KYC Verification: Identity verification data processed through our KYC partner for Seller onboarding, including Aadhaar-related data (with consent), PAN verification results, and bank account validation.

Transaction Data: Order details, payment history, settlement records, refund and cancellation records, dispute records, video evidence submitted, and invoices.

Automatically Collected Data: IP address, browser type, device information, operating system, referral URLs, pages visited, timestamps, and usage patterns collected through cookies and similar technologies.

Communication Data: Records of your communications with Chiblu support, feedback submitted, and correspondence with Sellers through the Platform.

3.Purpose of Collection

We collect and process your personal data for the following purposes:

To operate the Platform and provide the Services, including account creation, Order processing, and payment facilitation
To verify Seller identity and conduct KYC compliance
To process payments, settlements, refunds, and TCS obligations through our Payment Partner (Razorpay)
To communicate transactional information (Order confirmations, shipping updates, payment receipts)
To send promotional communications (only with your explicit opt-in consent)
To improve the Platform, analyse usage patterns, and enhance user experience
To detect, prevent, and address fraud, abuse, or security threats
To comply with legal obligations, including tax filings (GSTR-8, TCS), law enforcement requests, and regulatory requirements
To facilitate dispute communication and enforce our Terms & Conditions

4.Lawful Basis for Processing

Under the DPDP Act, we process your personal data on the following bases:

Consent: For account registration, marketing communications, and KYC verification. Consent is obtained through specific consent notices provided at the time of data collection, which clearly state the purpose of processing.
Contractual Necessity: For processing Orders, payments, and providing the Services you have requested.
Legal Obligation: For tax compliance (GST, TCS), regulatory filings, and responding to lawful government or court orders.
Legitimate Interest: For fraud prevention, platform security, and service improvement, where such processing does not override your fundamental rights.

5.Data Sharing

We share your personal data only in the following circumstances:

With Sellers (for Buyers): Your name, delivery address, and contact information are shared with the Seller solely for the purpose of fulfilling your specific Order. Chiblu is not responsible for and assumes no liability for any misuse, unauthorized storage, or breach of Buyer personal data by Sellers. The Seller is independently responsible for their handling of Buyer data as an independent Data Fiduciary. Sellers are contractually prohibited from storing, aggregating, or using Buyer data for marketing, off-platform contact, or any purpose beyond Order fulfilment. Violation of these restrictions by a Seller constitutes a material breach of the Seller Terms & Conditions.

With Buyers (for Sellers): Your business name, storefront information, and customer care details are displayed to Buyers.

With Payment Partner (Razorpay): Transaction data necessary for payment processing, settlement, and compliance.

With KYC Verification Partner: Identity data for Seller verification (processed under separate consent).

With Logistics Partners: Delivery address and contact details for shipment.

With Communication Partners: Email and phone number for transactional and promotional communications (with consent), in compliance with TRAI DLT regulations.

With Government/Regulatory Authorities: As required by law, including tax authorities (for GST/TCS filings), law enforcement, and courts.

We do not sell your personal data to third parties for marketing purposes.

6.Data Retention

We retain your personal data for as long as your account is active and for a reasonable period thereafter to fulfil the purposes outlined in this Policy. Specific retention periods:

Data Type	Retention Period
Account data	Duration of account + 3 years after closure
Transaction and financial records	8 years from the date of transaction (Income Tax Act & GST law)
KYC records	5 years after the business relationship ends (AML regulations)
Communication and dispute records	3 years from the date of communication or dispute resolution
Video evidence	3 years from the date of dispute resolution
Automatically collected data (analytics, logs)	2 years from collection

After the retention period, data will be securely deleted or anonymised.

7.Your Rights as a Data Principal

Under the DPDP Act, you have the following rights:

Right to Access: You may request a summary of your personal data processed by us and the processing activities undertaken.

Right to Correction: You may request correction or updating of inaccurate or incomplete personal data.

Right to Erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records.

Right to Grievance Redressal: You may raise grievances with our Grievance Officer regarding data processing practices.

Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, contact us at support@chiblu.com. We will respond to your request within thirty (30) days.

8.Data Security

We implement reasonable security practices and procedures, including encryption of data in transit (TLS/SSL), secure storage of sensitive data, access controls, regular security audits, and incident response procedures. All payment data is processed by our RBI-licensed Payment Partner (Razorpay), which is PCI DSS Level 1 compliant. Chiblu does not store sensitive payment credentials.

Despite our efforts, no method of transmission or storage is completely secure. Chiblu does not guarantee or assure the absolute security of your data. In the event of a data breach, we will notify affected Data Principals and the Data Protection Board of India within 72 hours of becoming aware of the breach, or within such timeline as prescribed by the DPDP Act and rules thereunder.

9.Cookies and Tracking Technologies

The Platform uses cookies and similar technologies to enhance user experience, analyse usage, and facilitate authentication. You may manage cookie preferences through your browser settings or the cookie consent mechanism provided on the Platform. Disabling cookies may affect certain Platform functionalities.

10.Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child's data has been collected, we will take steps to delete it promptly. Verifiable consent of a parent or lawful guardian is required for processing personal data of children as mandated under the DPDP Act.

11.Data Storage and Transfers

Personal data is stored on secure servers operated by our infrastructure provider (Supabase) located in Australia. Chiblu has entered into a Data Processing Agreement with Supabase that includes appropriate safeguards for cross-border data transfer, including encryption at rest and in transit, access controls, and data isolation.

Data transfers are conducted in compliance with the DPDP Act, 2023 and applicable rules. The Government of India has not, as of the date of this Policy, restricted data transfers to Australia under the DPDP Act. If cross-border transfer to any jurisdiction is restricted by the Central Government in the future, Chiblu shall migrate data to compliant infrastructure within the prescribed timeline.

Where cross-border transfer is necessary, appropriate safeguards including encryption and access controls are implemented.

12.Grievance Officer

In compliance with the DPDP Act and the IT (Intermediary Guidelines) Rules, 2021, Chiblu has appointed the following Grievance Officer:

Grievance Officer: Pradeep

Email: support@chiblu.com

Address: Chiblu India (OPC) Private Limited, No. 51, Innov8, Mantri Commercio, Devarabisanahalli, Bellandur, Bengaluru, Karnataka – 560103, India

The Grievance Officer shall acknowledge complaints within forty-eight (48) hours and resolve them within one (1) month. If the Data Principal is not satisfied with the resolution provided by the Grievance Officer within 30 days, the Data Principal may file a complaint with the Data Protection Board of India as established under the DPDP Act, 2023.

13.Modifications

We may update this Privacy Policy from time to time. Material changes will be communicated at least thirty (30) days before the effective date through email or prominent notice on the Platform. Continued use constitutes acceptance of the revised Policy.

14.Contact

For any privacy-related queries or concerns, contact: