Privacy Policy.
Last updated: 27 June 2026. This policy explains how the operator of Blip ("we", the "Data Fiduciary") collects, uses, and protects your personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000 and the SPDI Rules, 2011.
Section 01
Who we are
Blip is an experiential e-commerce simulation operated from Pune, India. We are the Data Fiduciary in respect of personal data we collect through the Service. You, the user, are the Data Principal.
Section 02
Personal data we collect
- Account data: name, email address, profile picture (when signing in via Google or email).
- Simulated order data: shipping name, postal address, pincode, phone number, delivery instructions, tip amount.
- Usage data: pages viewed, products viewed, cart additions, checkout starts, simulated purchases, share clicks, session identifier — collected only with your consent (Section 6).
- Technical data: IP-derived approximate region (transient, not stored against your profile), browser type, error reports.
We do not collect Aadhaar, PAN, financial account details, biometric data, or other sensitive personal data under Rule 3 of the SPDI Rules, 2011. We do not process payments.
Section 03
Purposes & legal basis
We process personal data for the following specified purposes:
- to create and operate your account (performance of contract and your consent under s. 6 DPDP Act);
- to display simulated order history and tracking;
- to measure and improve the Service (analytics) — only after you accept analytics cookies;
- to maintain security, prevent abuse, and comply with legal obligations.
Section 04
Sharing & processors
We share personal data only with the following categories of Data Processors, under contract, and only to the extent necessary:
- Hosting & database: our backend infrastructure provider (used to store accounts, simulated orders, and consented analytics events).
- Authentication: Google (only if you choose Google sign-in).
- Analytics: Plausible or Google Analytics, only after consent.
We do not sell or rent your personal data. Cross-border transfers, if any, are made only to jurisdictions not restricted by the Central Government under s. 16 DPDP Act.
Section 05
Retention
We retain personal data only for as long as the purpose for which it was collected is being served, or as required by law. Account and simulated order data are retained while your account is active; we delete them within 30 days of an account-deletion request. Analytics events are retained for up to 13 months in aggregated form.
Section 06
Cookies & similar technologies
We use two categories of cookies/local storage:
- Strictly necessary: authentication session, cart contents, cookie-consent record. These always run; the Service cannot function without them.
- Analytics (optional): session identifier and event log entries (page views, product views, add-to-cart, checkout, purchase, share clicks). These run only after you click "Accept analytics".
You can change your choice anytime via the "Cookie preferences" control in the footer.
Section 07
Your rights as a Data Principal
Under the DPDP Act, 2023, you have the right to:
- access a summary of your personal data and how it is processed (s. 11);
- correct, complete, update, or erase your personal data (s. 12);
- nominate another person to exercise your rights in case of death or incapacity (s. 14);
- seek grievance redressal — first with our Grievance Officer, then with the Data Protection Board of India (s. 13, s. 28).
To exercise any right, email privacy@blip.example. We will respond within 30 days.
Section 08
Children's data
We do not knowingly collect personal data of children (persons under 18 years of age) without verifiable parental consent, in accordance with s. 9 DPDP Act. If you believe a child has provided us personal data, contact us and we will delete it.
Section 09
Security
We implement reasonable security practices under Rule 8 of the SPDI Rules, 2011, including TLS in transit, role-based access, row-level security on the database, and access logs. No system is fully secure; please notify us immediately of any suspected unauthorised access at security@blip.example.
Section 10
Grievance & Data Protection Officer
In accordance with s. 8(9) DPDP Act and Rule 5(9) of the SPDI Rules, 2011:
- Grievance Officer / DPO: Privacy Team, Blip
- Email: grievance@blip.example
- Address: Pune, Maharashtra, India
Complaints are acknowledged within 24 hours and resolved within 15 days. If you are not satisfied, you may approach the Data Protection Board of India.
Section 11
Changes to this policy
We will notify you of material changes via the Service or by email. The "Last updated" date at the top of this page reflects the most recent revision.
See also our Terms of Use.