Bilimbe Digital Privacy Policy

Effective Date: 01 May 2026

Bilimbe Digital (“we,” “our,” “us”) is committed to safeguarding your privacy. This Privacy Notice describes the categories of personal information collected, the purposes for such collection, and the manner in which it is processed, used, and disclosed, in accordance with applicable data protection laws. in compliance with applicable laws, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), DPDP Act and other relevant data privacy regulations.

We also aim to comply with other data protection laws applicable in the jurisdictions in which we operate, including but not limited to the UK GDPR, Virginia CDPA, Colorado Privacy Act, and India’s Digital Personal Data Protection Act (DPDP), where applicable.

1. Interpretation Clause

In this Privacy Notice:

• “Personal Information” means any information that identifies, relates to, or describes you as an individual, such as your name, email address or phone number.
• “Processing” refers to any operation performed on personal information, such as collecting, storing, using, or sharing it.
• “We,” “Our,” or “Us” refers to Privacy Pillar, the organization responsible for managing your personal information.
• “You” or “Your” refers to the individual who interacts with our services and whose personal information we collect and process.
• “Service Providers” are third-party companies that help us operate and provide our services, such as payment processors, hosting providers, or marketing firms.
• “Controller” means the entity that determines the purpose and means of processing personal information.
• “Processor” refers to the entity processing personal information on behalf of the Controller.
• “Supervisory Authority” means an independent public authority responsible for monitoring compliance with data protection laws.
• “Usage Data” refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
• Application refers to Bilimbe Digital, the software program provided by the Company.
• Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Bilimbe Digital, 6/36, Mariamman Kovil St, KK Nagar West, K. K. Nagar, Chennai, Tamil Nadu.
• Country refers to India, Tamil Nadu, Chennai, 600078.

These definitions are provided to ensure that the terms used in this Privacy Notice are clear and understandable.

2. Personal Data We Collect

We may collect the following categories of personal information:

2.1. Information You Provide to Us

• Contact Information: Name, email address, phone number, and mailing address.
• Account Information: Username, password, and account preferences.
• Payment Information: Credit card details or other financial information for processing transactions. Payment details are securely encrypted and stored in compliance with industry standards.

2.2. Information We Collect Automatically

• Device Information: IP address, browser type, operating system, and device identifiers.
• Usage Data: Pages viewed, time spent on our website and actions taken.
• Cookies and Tracking Technologies: Data collected through essential, functional and marketing cookies. Learn more in our Cookie Policy.

2.3. Information from Third Parties

• Data from business partners, social media platforms or publicly available sources.

3. How We Use Your Information

Subject to applicable laws and regulations, the personal information collected by us may be used for one or more of the following purposes:

• Provision of Services: To deliver, operate, maintain, and enhance the functionality and performance of our products and services, including any associated features or support.
• Account Administration: To administer user accounts, facilitate account-related functions, and provide technical or customer support, including responses to queries, requests, or complaints.
• Marketing and Communications: To send you promotional materials, service updates, newsletters, and other communications relating to our products or services, where you have provided the requisite consent or where otherwise permitted under applicable law.
• Legal and Regulatory Compliance: To comply with applicable legal obligations, including those arising under statutory or regulatory provisions, and to enforce our legal rights and contractual obligations, including our Terms of Use or other governing agreements.
• Security and Risk Management: To detect, prevent, and address actual or suspected fraud, unauthorized access, data breaches, or other unlawful activities that may pose a risk to our users or systems.
• Personalization and User Experience: To analyse user preferences and behaviour for the purpose of personalizing content, recommendations, and communications, and to improve user experience and engagement with our services.

4. Disclosure of Personal Information

We may disclose or otherwise make available your personal information to third parties under the following circumstances, subject to applicable data protection laws:

• Service Providers: We may share your personal information with third-party service providers, contractors, and agents who perform services on our behalf, including but not limited to data hosting, payment processing, analytics, and customer support. Such parties are bound by contractual obligations, including confidentiality and data protection provisions, to ensure the security and lawful processing of personal information.
• Business Partners and Affiliates: We may disclose your personal information to our business partners or affiliates with whom we jointly offer products or services, or with whom we engage in co-branded activities. Such disclosures are based on our legitimate interests or your prior consent, as applicable.
• Legal Compliance and Law Enforcement: We may disclose your personal information where such disclosure is required by applicable law, regulation, legal process, or governmental request, including to law enforcement agencies, regulatory authorities, courts, or other public bodies.
• Corporate Transactions: In connection with any actual or potential merger, acquisition, reorganization, sale of assets, or insolvency proceeding involving our business, we may transfer your personal information to the relevant acquiring or successor entity, subject to appropriate confidentiality and data protection safeguards.

We undertake reasonable efforts to ensure that all third parties with whom personal information is shared comply with applicable data protection laws and implement adequate safeguards to uphold the privacy and security of such information.

5. Cookies and Similar Technologies

We use cookies and similar tracking technologies on our website to enhance your browsing experience, analyse site traffic, personalize content, and deliver relevant advertisements. These technologies help us understand how you interact with our website and improve its functionality.

5.1 Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service. The technologies we use may include:

• Cookies or Browser Cookies. A cookie is a small file stored on your device. You can instruct your browser to refuse all cookies or to notify you when a cookie is being sent. However, if you do not accept cookies, you may be unable to use certain features of our service. Unless you have adjusted your browser settings to refuse cookies, our service may use them.
• Web Beacons. Some parts of our Service and emails may include small electronic files called web beacons (also known as clear gifs, pixel tags, or single-pixel gifs). These files allow the Company to track metrics such as the number of users visiting specific pages or opening emails. They also help us gather related website statistics, like measuring the popularity of certain sections and ensuring the integrity of our systems and servers.

Cookies can be classified as:

• Persistent Cookies: Remain on your device for a specified period or until you delete them.
• Session Cookies: Session Cookies are deleted as soon as you close your browser.

We use both Session and Persistent Cookies for the purposes set out below:

5.1.1. Necessary / Essential Cookies

Type: Session Cookies

Administered by: Us

Purpose: These cookies are necessary to provide the services you use on the website and to enable some features. They help verify users and protect user accounts from fraud. Without these cookies, we cannot provide the services you requested, and we only use them for that purpose.

5.1.2. Cookies Policy / Notice Acceptance Cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

5.1.3. Functionality Cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These cookies help us remember the choices you make when using the website, such as your login details or language preference. Their purpose is to provide you with more personalized experience and to prevent you from having to re-enter your preferences each time you visit the website.

5.1.4. Tracking and Performance Cookies

Type: Persistent Cookies

Administered by: Third Parties

Purpose: These cookies are used to track information about traffic to the website and how users use the website. The information gathered through these cookies may identify you as an individual visitor, either directly or indirectly. This linkage occurs because the collected data is typically associated with a pseudonymous identifier tied to the device you use to access the website. Additionally, we may use these cookies to test new pages, features, or functionalities of the website to observe how our users respond to them.

5.1.5. Social Media Cookies

These cookies allow you to share content on social media platforms and may track your interaction with such content.

5.1.6. Uncategorized Cookies

These are cookies that have not yet been classified into a specific category. We are working to update their descriptions.

5.2. Third Party Cookies

Third-party cookies are small files that websites, other than the one you are visiting, place on your device. These cookies track your actions across different sites. For example, if you look for running shoes online, you might later see ads for those shoes or other sports gear on other websites and social media platforms like Instagram. This happens because third-party cookies remember your browsing history. They use that information to show you ads that match your interests, helping advertisers reach you with relevant offers.

5.3. User Consent

We obtain user consent for cookies through a pop-up banner that appears when you first visit our website. This banner provides information about the types of cookies we use and gives you the option to manage your cookie preferences.

5.4. Managing Cookies

You can manage or disable cookies at any time through your browser settings or by using our cookie banner provided on our website.

5.5. Retention Period

Cookies are classified into two types: “persistent” cookies and “session” cookies. Persistent cookies stay on your device for a specific duration or until you decide to delete them. In contrast, session cookies are temporary and are removed when you close your browser.

5.6. Data Sharing

We may share cookie data with third parties such as Google Analytics and The IAB for analytics and advertising purposes. These third parties may use the information for their own purposes in accordance with their privacy policies.

6. Your Rights as a Data Subject

Subject to applicable data protection laws and depending on your jurisdiction, you may have the following rights in relation to your personal information:

• Right of Access: You have the right to request confirmation as to whether we process your personal information and, if so, to access such information, along with details regarding the nature, purpose, and categories of data processed.
• Right to Rectification: You have the right to request the correction or updating of any inaccurate or incomplete personal information concerning you.
• Right to Erasure (Right to be Forgotten): In certain circumstances, you may request the deletion of your personal information, such as where the information is no longer necessary for the purposes for which it was collected or where you withdraw consent.
• Right to Restrict Processing: You may request the restriction of processing of your personal information under specific conditions, such as when the accuracy of the data is contested or the processing is unlawful.
• Right to Know: You have the right to obtain information about the categories and specific pieces of personal information we collect, the sources of such information, the purposes for which it is collected, and the third parties with whom it is shared.
• Right to Data Portability: You may request to receive your personal information in a structured, commonly used, and machine-readable format, and to have such information transmitted to another controller where technically feasible.
• Right to Object: You have the right to object to the processing of your personal information for certain purposes, including direct marketing and profiling based on legitimate interests.
• Right to Withdraw Consent: Where the processing of your personal information is based on your consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Non-Discrimination: You are entitled to exercise your privacy rights without being subject to discriminatory treatment or denial of goods or services as a result.
• Right to Opt-Out of Sale or Sharing: Where applicable, you have the right to opt out of the sale or sharing of your personal information, including for purposes of targeted advertising or profiling.

To exercise any of the above rights, or to obtain further information regarding your rights, please submit a request through privacy@bilimbe.in. When you contact us, please provide your full name, email address and the specific type of request you are making. We will respond to your request within 30 days.

7. Data Retention

We retain personal information for no longer than is necessary to fulfil the purposes for which it was collected, as outlined in this Privacy Notice, unless a longer retention period is required or permitted by applicable law. Specifically, personal information may be retained for the following purposes:

• To Fulfil Contractual and Operational Obligations: Including the provision of services, account management, and customer support.
• To Comply with Legal and Regulatory Requirements: Such as obligations under tax laws, corporate laws, financial regulations, and data protection legislation.
• To Resolve Disputes and Enforce Legal Rights: Including the defense or establishment of legal claims, investigation of violations, and enforcement of our terms and conditions or other contractual agreements.

Retention periods may vary depending on the nature of the data and the context in which it is processed. For instance, transactional or financial data may be retained for a legally mandated period to ensure compliance with applicable tax or accounting regulations.

Upon expiry of the applicable retention period, or upon fulfilment of the purposes for which the personal information was collected (whichever is later), we will securely delete, anonymize, or otherwise render the personal information inaccessible, unless further retention is required by law.

8. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of personal information. These measures are designed to protect personal information against unauthorized access, alteration, disclosure, or destruction and include, but are not limited to:

• Encryption Technologies: Use of encryption protocols to secure personal information in transit and at rest.
• Access Controls: Restriction of access to personal information on a need-to-know basis through role-based permissions and authentication mechanisms.
• Firewalls and Intrusion Detection Systems: Deployment of firewalls, intrusion detection, and prevention technologies to monitor and protect our networks and systems.
• Security Audits and Monitoring: Regular review, testing, and updating of our information security practices and protocols to identify and mitigate emerging security threats.

We also encourage users to take reasonable steps to protect their personal information, including the use of strong, unique passwords and maintaining the confidentiality of their account credentials.

While we take commercially reasonable efforts to safeguard personal information, no method of transmission over the Internet or method of electronic storage is entirely secure. Accordingly, we cannot guarantee absolute security.

9. International Data Transfers

If you access or use our services from a jurisdiction outside the United States, please be aware that your personal information may be transferred to, stored in, and processed in the United States or in other jurisdictions where our affiliates, service providers, or business partners are located. These jurisdictions may not offer the same level of data protection as your home country.

To ensure that such cross-border data transfers are conducted in compliance with applicable data protection laws, we implement appropriate safeguards, including but not limited to:

• Standard Contractual Clauses (SCCs): We rely on the European Commission-approved Standard Contractual Clauses or other lawful transfer mechanisms as applicable for the transfer of personal information from the European Economic Area (EEA), the United Kingdom, or other jurisdictions with similar requirements.
• Contractual Protections: Where required, we enter into data processing agreements or similar contractual arrangements with third-party recipients to ensure that personal information is afforded an adequate level of protection consistent with applicable privacy laws.

By using our services and providing us with your personal information, you acknowledge and consent to the transfer, processing, and storage of your personal information in jurisdictions outside your country of residence, including the United States, subject to the safeguards described herein.

10. Children’s Privacy

Our services are not directed to, and we do not knowingly collect or solicit personal information from, individuals under the age of 18 (or such other minimum age as may be prescribed by applicable data protection laws in the relevant jurisdiction). If you are under the applicable age threshold, you are not permitted to use our services or submit any personal information to us.

If we become aware that we have inadvertently collected personal information from a child in violation of applicable law, we shall take immediate steps to delete such information from our records and systems.

If you are a parent or legal guardian and believe that your child has provided personal information to us without your consent, you are encouraged to contact us using the contact details provided in this Privacy Notice so that we may take appropriate action in accordance with applicable legal requirements.

11. GDPR Compliance

If you are located in the European Union (EU), European Economic Area (EEA), or the United Kingdom (UK), your personal data is processed in accordance with the General Data Protection Regulation (GDPR). We are committed to ensuring that your data is handled with the utmost care and in full compliance with the GDPR.

11.1. Legal Basis for Processing

In accordance with Section 4(1) under DPDP Act, we process personal data only where a valid legal basis exists. The lawful bases upon which we rely include the following:

• Where you have provided your explicit consent to the processing of your personal data for one or more specified purposes, such as receiving marketing communications. You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
• Where the processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering a contract (e.g., to provide the services you have requested).
• Where processing is required for compliance with a legal obligation to which we are subject, including obligations related to tax, accounting, regulatory investigations, or court orders.
• Where processing is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. Examples include ensuring the security and integrity of our services, preventing fraud, or improving our offerings.

We ensure that any reliance on a legitimate interest is supported by a documented balancing test in accordance with DPDP Act requirements.

If you are a data subject located in the EU, EEA, or UK, you may exercise your data protection rights as set out in the “Your Rights as a Data Subject” section of this Privacy Notice.

11.2. Data Transfers

Where personal data is transferred outside the European Economic Area (“EEA”) to a country that does not offer an adequate level of data protection as determined by the European Commission, such transfers shall be conducted in full compliance with the General Data Protection Regulation (GDPR).

To ensure an adequate level of protection for your personal data, we implement appropriate safeguards, including but not limited to the following:

• Standard Contractual Clauses (SCCs): We may enter into data transfer agreements incorporating the European Commission’s Standard Contractual Clauses (or the UK-approved International Data Transfer Addendum, as applicable) with data recipients located in jurisdictions that do not benefit from an adequacy decision. These clauses impose contractual obligations on the recipient to maintain a level of data protection consistent with EU/UK standards.
• Adequacy Decisions: Where applicable, we may rely on adequacy decisions issued by the European Commission or the UK Secretary of State, confirming that the receiving country ensures an adequate level of data protection as defined under the GDPR or UK GDPR.

Additional technical, organizational, and contractual measures may also be implemented to enhance the security and confidentiality of personal data transferred internationally.

For further information regarding the legal mechanisms relied upon for international data transfers or to request a copy of the relevant safeguards, please contact us at privacy@bilimbe.in.

12. Consumer Rights under DPDP Act

As an Indian resident, you have the following rights under the DPDP Act:

• Right to Know: You have the right to request information about the personal data we have collected about you in the past 12 months. This includes the categories of personal information, the purposes for which it was used, and the third parties with whom it was shared.
• Right to Delete: You have the right to request the deletion of your personal data, subject to certain exceptions (e.g., if the data is necessary for legal compliance or to complete transactions).
• Right to Opt-Out of Sales: You have the right to opt-out of the sale of your personal data. Since we do not sell personal data, this right does not apply unless we change this practice in the future.
• Right to Opt-Out of Sharing: You can request opt-out of the sharing of your personal data for business purposes. We share data only as described in this policy.
• Right to Non-Discrimination: You have the right to not be discriminated against for exercising any of your DPDP Act rights. This means we will not deny you services or provide a lower quality of service because you exercise your rights under this law.

How to Exercise Your Rights

To exercise your rights under the DPDP Act, you may submit a request by contacting us at:

Email: privacy@bilimbe.in

We will verify your identity before processing your request. In most cases, we will respond to your request within 45 days, in accordance with the DPDP Act.

12.1. Categories of Personal Information Sold or Disclosed for a Business Purpose

Under the DPDP Act, we are required to disclose whether we “sell” personal information. We do not sell personal information to third parties. If we decide to sell or share your personal data in the future, we will update this policy and provide you with the opportunity to opt out.

We may disclose personal data to third parties for a business purpose (e.g., providing services, analytics, etc.), but this does not constitute a sale under the DPDP Act.

12.2. Sensitive Personal Information

Under the DPDP Act, sensitive personal information includes data such as Social Security numbers, driver’s license numbers, and financial account details. We take extra care in handling sensitive personal data, and we do not use or share this type of data for purposes other than those explicitly stated in this policy or required by law.

If you are concerned about the processing of sensitive personal information, please contact us at privacy@bilimbe.in.

13. DPDP Act Compliance

This section applies to individuals located in India and explains your rights under the Digital Personal Data Protection Act, 2023 (DPDP Act). We are committed to ensuring that your personal data is collected, processed, stored, and shared in a transparent and secure manner, in full compliance with applicable Indian data protection laws.

13.1 Legal Basis for Processing Your Personal Data

We process your personal data only when we have a lawful reason to do so, as required under the Digital Personal Data Protection Act, 2023. This means your data will be collected and used only when:

• You have given your clear, specific, and informed consent for us to process your data;
• The processing is necessary to enter into or perform a contract with you;
• The processing is required to comply with a legal obligation under applicable laws;
• The processing is necessary to address a medical emergency or to protect your life, health, or safety, or that of another person;
• The processing is needed for the performance of any function of the State, as authorized by law;
• The processing is for legitimate use as permitted under the DPDP Act and does not override your rights and expectations of privacy.

We will not process your personal data for any other reason without a valid legal basis.

13.2 Consent Management

We collect and process your personal data only after obtaining your clear, specific, informed, and unambiguous consent, as required under the DPDP Act, 2023. You have full control over your consent and may choose to grant or withhold it for specific purposes of data processing.

You also have the right to withdraw your consent at any time. If you choose to do so, we will stop processing your personal data from the date of withdrawal, unless we are required to retain or process it under any applicable law.

13.3 Grievance Redressal

If you have any concerns, complaints, or grievances related to the processing of your personal data or this Privacy Notice, you may reach out to privacy@bilimbe.in. We are committed to addressing your concerns in a timely and transparent manner.

We will acknowledge your complaint within 24 hours of receipt and aim to resolve it within 7 working days, in accordance with the provisions of the DPDP Act, 2023.

14. Changes to This Privacy Notice

We may update this Privacy Notice periodically. Any significant changes will be communicated to you in advance via email or through a notice on our website. The updated Privacy Notice will include a new effective date.

15. Contact Us

If you have any questions about this Privacy Policy, You can contact us:

By email: privacy@bilimbe.in

By visiting website: www. bilimbe.in