Privacy Policy

This Privacy Policy explains how personal information is collected, used, shared, retained, and protected when you visit or make a purchase from www.bubbleme.in. The Site is owned and operated by Derma Lush Private Limited (GSTIN: 06AAMCD2780K1ZB), referred to as “Bubble Me”, “we”, “us”, or “our”.

This Policy is prepared with reference to applicable Indian laws, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, the Consumer Protection Act, 2019, the Consumer Protection (E-Commerce) Rules, 2020, and the Digital Personal Data Protection Act, 2023 and rules notified thereunder, to the extent applicable.

Derma Lush Private Limited acts as a Data Fiduciary for personal data collected through this Site, to the extent applicable under the Digital Personal Data Protection Act, 2023.

1. Consent and Use of the Site

By accessing or using the Site, placing an order, creating an account, contacting support, subscribing to communications, or otherwise providing personal information, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, sharing, and processing of your information as described here.

If you do not agree with this Policy, please do not use the Site or provide your personal information.

2. Information We Collect

2.1 Order and Contact Information

When you make or attempt to make a purchase, we may collect your name, email address, phone number, billing address, shipping address, PIN code, order details, invoice details, and payment status.

2.2 Payment Information

Online payments are processed through secure third-party payment gateway partners. We do not store your full card number, CVV, net banking password, or complete payment credentials on our own servers. Payment gateways may process payment identifiers, transaction IDs, risk signals, and status information to complete and verify transactions.

2.3 Device and Usage Information

When you browse the Site, we may automatically collect device and usage information such as IP address, browser type, device type, operating system, time zone, pages viewed, referring/exit pages, products viewed, cart events, checkout events, cookies, pixels, tags, web beacons, and log files.

2.4 Customer Support Information

When you contact us through email, WhatsApp, phone, social media, website forms, or customer support channels, we may collect the information you provide, including order details, issue descriptions, photos, videos, unboxing videos, and communication history.

2.5 Optional Marketing and Preference Information

If you choose to participate in surveys, reviews, feedback requests, contests, promotions, or marketing communications, we may collect your preferences, product interests, feedback, ratings, and communication choices.

2.6 Sensitive Personal Data

We do not intentionally collect sensitive personal data such as medical records, biometric identifiers, sexual orientation, or financial passwords through the Site. If you voluntarily share health-related information during support interactions, we use it only to address your specific query and do not treat our products or content as medical advice.

3. Subscription and Prepaid Plan Data

If you purchase a Bubble Me subscription, prepaid plan, prepaid bundle, monthly delivery plan, or Build Your Own subscription box, we may collect and process additional plan-related information such as the plan selected, product choices, shipment cycle, scheduled shipment status, cancellation/refund/replacement status, payment gateway reference IDs, Shopify order references, Razorpay or other payment references where applicable, and customer support communications related to the plan.

We use this information to operate the plan, process payments, schedule and track shipments, handle support requests, prevent fraud or misuse, comply with tax/accounting obligations, and provide customer updates. We may share relevant plan data with Shopify, payment gateway partners, logistics partners, analytics tools, customer support tools, and service providers only as needed for these purposes and as described in this Privacy Policy.

4. How We Use Personal Information

  • To process, confirm, fulfil, ship, deliver, replace, cancel, or refund orders
  • To process payments and verify transaction status through payment partners
  • To send invoices, order confirmations, shipping updates, tracking links, service messages, and support responses
  • To verify identity, prevent fraud, detect misuse, and protect our business and customers
  • To operate, maintain, secure, troubleshoot, and improve the Site and customer experience
  • To analyse browsing, product interest, cart, checkout, and purchase behaviour
  • To run marketing, remarketing, analytics, campaign measurement, and ad performance tracking where permitted
  • To ask for ratings, reviews, feedback, or service quality inputs
  • To comply with legal, tax, accounting, regulatory, dispute resolution, and enforcement requirements
  • To establish, exercise, or defend legal claims

5. Legal Basis and Consent

We process personal information where you have provided consent, where processing is necessary to fulfil your order or request, where processing is required for compliance with law, or where processing is reasonably necessary for legitimate uses permitted under applicable law.

You may withdraw consent for non-essential promotional communications at any time by using unsubscribe options where available or by contacting us. Withdrawal of consent may affect our ability to provide certain services, fulfil pending requests, or maintain your account where the information is necessary.

6. Cookies, Pixels, Analytics, and Advertising Tools

We use cookies and similar technologies to remember preferences, support cart and checkout functionality, analyse website traffic, measure marketing performance, prevent fraud, and improve the Site.

We may use third-party tools such as Shopify analytics, Google Analytics, Meta Pixel, Meta Conversions API, advertising pixels, email/SMS/WhatsApp tools, and similar technologies. Where Meta Business Tools are enabled, data such as page views, product views, add-to-cart actions, checkout events, purchases, device/browser data, IP address, and hashed customer identifiers such as email or phone may be shared with Meta for ad measurement, optimization, and audience creation.

You can control cookies through your browser settings. You can also manage ad preferences through platform-level settings such as Google Ad Settings, Facebook/Meta Ad Preferences, and device-level advertising settings. Disabling cookies may affect some Site features, but you may still be able to place orders depending on the browser and checkout requirements.

7. Sharing of Personal Information

We do not sell your personal information. We may share personal information with trusted third parties only for business, operational, legal, or service-related purposes, including:

  • Shopify and ecommerce platform providers
  • Payment gateway and fraud prevention partners
  • Courier, logistics, fulfilment, and warehouse partners
  • Customer support, email, SMS, WhatsApp, and communication platforms
  • Analytics, advertising, and marketing measurement platforms
  • Cloud hosting, security, IT, and website service providers
  • Professional advisers such as legal, tax, accounting, and audit providers
  • Government authorities, courts, regulators, law enforcement, or other parties where required by applicable law
  • Potential buyers, investors, successors, or transferees in connection with a business restructuring, merger, acquisition, or asset transfer, subject to appropriate safeguards

Service providers are expected to process personal information only for the purpose for which it is shared and to maintain appropriate confidentiality and security safeguards.

8. Cross-Border Data Transfers

Some of our service providers, platforms, analytics tools, advertising tools, cloud providers, or payment/logistics partners may process or store data outside India. Such transfers will be handled in accordance with applicable Indian data protection laws, including the Digital Personal Data Protection Act, 2023 and rules or government notifications issued thereunder, to the extent applicable.

9. Data Retention

We retain personal information only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law.

Data Category Typical Retention Period
Order, invoice, transaction, tax, and accounting records Up to 8 years or longer if required by law, tax, audit, dispute, or compliance obligations
Customer account information Until account deletion request is processed or as required for pending orders, legal records, fraud prevention, or compliance
Customer support records, emails, photos, videos, and complaint history Up to 3 years, unless needed longer for dispute, legal, warranty, fraud prevention, or compliance purposes
Marketing consent and communication preferences Until you opt out, withdraw consent, or request deletion where applicable
Website analytics, cookies, and technical logs As per tool/platform settings and our operational, security, and analytics needs

Where information is no longer required, we may delete, anonymise, or aggregate it in a manner that no longer identifies you.

10. Your Rights

Subject to applicable law, you may have the right to:

  • Request access to information about the personal data we process about you
  • Request correction, completion, or updating of inaccurate or incomplete personal data
  • Request erasure/deletion of personal data where retention is no longer necessary or legally required
  • Withdraw consent for processing where processing is based on consent
  • Nominate another individual to exercise your rights in the event of death or incapacity, where applicable
  • Raise a grievance with us and, where applicable, approach the Data Protection Board of India after exhausting our grievance process

To exercise these rights, email info@bubbleme.in with a clear subject line such as: Privacy Request - [Access/Correction/Deletion/Withdrawal]. We may verify your identity before processing the request. We may refuse or limit requests where permitted by law, including where retention is required for tax, accounting, fraud prevention, dispute resolution, legal claims, or compliance obligations.

11. Data Deletion Request Process

  1. Email info@bubbleme.in with the subject line: Data Deletion Request.
  2. Include your full name, registered email/phone number, and any relevant Order ID.
  3. We will verify your identity and review whether any data must be retained for legal, tax, accounting, fraud prevention, dispute, or operational reasons.
  4. Where deletion is permitted, we will process the request within a reasonable period and endeavour to complete it within 30 days.

12. Communications and DND/NCPR

By providing your phone number or email and placing an order or submitting a request, you consent to receive service-related communications such as OTPs, order confirmations, shipping updates, delivery calls, support responses, refund/replacement updates, and transactional notifications even if your number is registered under DND/NCPR, to the extent such communications are service-related and permitted by applicable telecom regulations.

Promotional communications will be sent only where permitted by law and your preferences. You may opt out of non-essential promotional communications at any time.

13. Minors

The Site is intended for users who are at least 18 years old and legally capable of entering into a contract. We do not knowingly collect personal information from children without appropriate consent. If we become aware that personal data of a child has been collected without required consent, we will take steps to delete it where required.

14. Security

We use reasonable technical, administrative, and organisational safeguards to protect personal information against unauthorised access, misuse, disclosure, alteration, or destruction. However, no method of internet transmission or electronic storage is completely secure, and we cannot guarantee absolute security.

In the event of a personal data breach, we will take appropriate steps to mitigate the breach and notify affected individuals and relevant authorities where required by applicable law.

15. Third-Party Websites and Marketplaces

Our Site may contain links to third-party websites, platforms, marketplaces, payment pages, or social media pages. We are not responsible for the privacy practices, content, or policies of third-party websites. Please review their privacy policies before sharing information.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal obligations, or operational requirements. The updated policy will be posted on this page with a revised “Last updated” date.

17. Contact and Grievance Officer

For privacy questions, complaints, requests, or grievances, contact us at info@bubbleme.in or +91 82888 07455.

Address: SCO 20, Sector 5, MDC, Panchkula, Haryana 134114, India.

We will acknowledge grievance-related communications within 48 hours and will endeavour to resolve them within one month/30 days from the date of receipt, subject to the nature of the complaint and the information or documents required for resolution.