Chiblu
Make unique products? Join as a Seller

Privacy Policy

Your privacy matters to us

PRIVACY POLICY

Chiblu India (OPC) Private Limited

Last updated: February 2, 2026

1. INTRODUCTION

Chiblu India (OPC) Private Limited (“Chiblu”, “we”, “us”) operates the website chiblu.com and its associated applications (the “Platform”). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Platform.

This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and applicable rules and regulations thereunder.

By using the Platform, you consent to the collection and use of your personal data as described in this Privacy Policy. Chiblu acts as a Data Fiduciary under the DPDP Act.

2. DATA WE COLLECT

Information You Provide: Name, email address, phone number, postal address, business name (for Sellers), PAN, GSTIN, bank account details (for Sellers), product listings, reviews, and any other information you voluntarily submit.

Information from KYC Verification: Identity verification data processed through our KYC partner for Seller onboarding, including Aadhaar-related data (with consent), PAN verification results, and bank account validation.

Transaction Data: Order details, payment history, settlement records, refund and cancellation records, dispute records, video evidence submitted, and invoices.

Automatically Collected Data: IP address, browser type, device information, operating system, referral URLs, pages visited, timestamps, and usage patterns collected through cookies and similar technologies.

Communication Data: Records of your communications with Chiblu support, feedback submitted, and correspondence with Sellers through the Platform.

3. PURPOSE OF COLLECTION

We collect and process your personal data for the following purposes:

  • To operate the Platform and provide the Services, including account creation, Order processing, and payment facilitation

  • To verify Seller identity and conduct KYC compliance

  • To process payments, settlements, refunds, and TCS obligations through our Payment Partner (Razorpay)

  • To communicate transactional information (Order confirmations, shipping updates, payment receipts)

  • To send promotional communications (only with your explicit opt-in consent)

  • To improve the Platform, analyse usage patterns, and enhance user experience

  • To detect, prevent, and address fraud, abuse, or security threats

  • To comply with legal obligations, including tax filings (GSTR-8, TCS), law enforcement requests, and regulatory requirements

  • To resolve disputes and enforce our Terms & Conditions

4. LAWFUL BASIS FOR PROCESSING

Under the DPDP Act, we process your personal data on the following bases:

  • Consent: For account registration, marketing communications, and KYC verification.

  • Contractual Necessity: For processing Orders, payments, and providing the Services you have requested.

  • Legal Obligation: For tax compliance (GST, TCS), regulatory filings, and responding to lawful government or court orders.

  • Legitimate Interest: For fraud prevention, platform security, and service improvement, where such processing does not override your fundamental rights.

5. DATA SHARING

We share your personal data only in the following circumstances:

  • With Sellers (for Buyers): Your name, delivery address, and contact information are shared with the Seller solely for the purpose of fulfilling your specific Order. Sellers are contractually prohibited from storing, aggregating, or using Buyer data for marketing, off-platform contact, or any purpose beyond Order fulfilment. Violation of these restrictions by a Seller constitutes a material breach of the Seller Terms & Conditions.

  • With Buyers (for Sellers): Your business name, storefront information, and customer care details are displayed to Buyers.

  • With Payment Partner (Razorpay): Transaction data necessary for payment processing, settlement, and compliance.

  • With KYC Verification Partner: Identity data for Seller verification (processed under separate consent).

  • With Logistics Partners: Delivery address and contact details for shipment.

  • With Communication Partners: Email and phone number for transactional and promotional communications (with consent), in compliance with TRAI DLT regulations.

  • With Government/Regulatory Authorities: As required by law, including tax authorities (for GST/TCS filings), law enforcement, and courts.

We do not sell your personal data to third parties for marketing purposes.

6. DATA RETENTION

We retain your personal data for as long as your account is active and for a reasonable period thereafter to fulfil the purposes outlined in this Policy. Specific retention periods:

  • Account data: Duration of account plus 3 years after closure

  • Transaction and financial records: 8 years from the date of transaction (as required under the Income Tax Act and GST law)

  • KYC records: 5 years after the business relationship ends (as required under anti-money laundering regulations)

  • Communication and dispute records: 3 years from the date of communication or dispute resolution

  • Video evidence: 3 years from the date of dispute resolution

  • Automatically collected data (analytics, logs): 2 years from collection

After the retention period, data will be securely deleted or anonymised.

7. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDP Act, you have the following rights:

  • Right to Access: You may request a summary of your personal data processed by us and the processing activities undertaken.

  • Right to Correction: You may request correction or updating of inaccurate or incomplete personal data.

  • Right to Erasure: You may request deletion of your personal data, subject to our legal obligations to retain certain records.

  • Right to Grievance Redressal: You may raise grievances with our Grievance Officer regarding data processing practices.

  • Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, contact us at support@chiblu.com. We will respond to your request within thirty (30) days.

8. DATA SECURITY

We implement reasonable security practices and procedures, including encryption of data in transit (TLS/SSL), secure storage of sensitive data, access controls, regular security audits, and incident response procedures. All payment data is processed by our RBI-licensed Payment Partner (Razorpay), which is PCI DSS Level 1 compliant. Chiblu does not store sensitive payment credentials.

Despite our efforts, no method of transmission or storage is completely secure. In the event of a data breach, we will notify affected Data Principals and the Data Protection Board of India as required under the DPDP Act.

9. COOKIES AND TRACKING TECHNOLOGIES

The Platform uses cookies and similar technologies to enhance user experience, analyse usage, and facilitate authentication. You may manage cookie preferences through your browser settings. Disabling cookies may affect certain Platform functionalities.

10. CHILDREN’S PRIVACY

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child’s data has been collected, we will take steps to delete it promptly. Verifiable consent of a parent or lawful guardian is required for processing personal data of children as mandated under the DPDP Act.

11. DATA STORAGE AND TRANSFERS

Personal data is stored on secure servers operated by our infrastructure provider (Supabase) located in Australia. Data transfers are conducted in compliance with the DPDP Act, 2023 and applicable rules. Where cross-border transfer is necessary, appropriate safeguards including encryption and access controls are implemented.

12. GRIEVANCE OFFICER

In compliance with the DPDP Act and the IT (Intermediary Guidelines) Rules, 2021, Chiblu has appointed the following Grievance Officer:

Grievance Officer: Pradeep

Email: support@chiblu.com

Address: Chiblu India (OPC) Private Limited, No. 51, Innov8, Mantri Commercio, Devarabisanahalli, Bellandur, Bengaluru, Karnataka – 560103, India

The Grievance Officer shall acknowledge complaints within forty-eight (48) hours and resolve them within one (1) month. If you are not satisfied with the resolution, you may approach the Data Protection Board of India.

13. MODIFICATIONS

We may update this Privacy Policy from time to time. Material changes will be communicated at least thirty (30) days before the effective date through email or prominent notice on the Platform. Continued use constitutes acceptance of the revised Policy.

14. CONTACT

For any privacy-related queries or concerns, contact:

Email: support@chiblu.com

Address: Chiblu India (OPC) Private Limited, No. 51, Innov8, Mantri Commercio, Devarabisanahalli, Bellandur, Bengaluru, Karnataka – 560103, India

Have questions?

Need help or have questions about our policies? Our support team is here to help.

Contact Support