BloodBridge

Last updated: 8 May 2026

Privacy Policy

A note on who we are. BloodBridge is a non-profit, open-source community project. We do not charge users, run ads, or sell or rent personal data. We still publish this policy because Indian privacy law (DPDP Act, 2023 and IT Act, 2000) applies regardless of whether a service is run for profit, and because you deserve to know exactly what happens with your data.

BloodBridge (“we”, “us”) is a community-run platform that helps people in India find voluntary blood donors. This policy explains what personal data we collect, why we collect it, and the rights you have under Indian law — primarily the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 read with the SPDI Rules, 2011.

1. What we collect

  • Account data: name, display name, email address, password hash, mobile number (when you sign up by OTP).
  • Donor profile (optional): blood group, age, gender, city, locality, approximate location (latitude/longitude is obfuscated before storage), travel radius, last donation date, availability, contact preferences.
  • Requests & messages: request details you post, messages you exchange with other users on the platform.
  • Technical data: IP address, device type, browser, and basic logs needed to keep the service secure and abuse-free.

2. How we use it

  • To run the donor-discovery service you signed up for.
  • To send transactional emails (sign-in, account, contact-share notifications).
  • To prevent abuse, fraud, and harassment, and to comply with the law.
  • We do not sell your data and we do not use it for advertising.

3. Lawful basis

We process your data on the basis of your consent given at sign-up and at the point you choose to publish a donor profile. Where you ask us to act on your request (e.g. send an OTP, deliver a message), we also process data to fulfil that request.

4. Who we share it with

  • Other users of BloodBridge — only the donor information you have chosen to make visible. Exact location is never shown; only an approximate marker is.
  • Infrastructure providers (data processors): Supabase (database, authentication), our SMTP provider for outbound email, our SMS/OTP gateway, and our hosting provider. These vendors may store data outside India; we use them under contractual safeguards.
  • Authorities when required to by law, or to protect the safety of users.

5. Cross-border transfers

Some of our processors host data outside India. The DPDP Act permits such transfers unless the country is specifically restricted by the Government of India. We do not transfer data to any country currently restricted under that Act.

6. Retention

We keep your data for as long as your account is active. If you delete your account, we delete the personal data linked to it within 30 days, except where law requires us to keep a minimal record (e.g. abuse reports, audit logs).

7. Your rights

Under the DPDP Act you can:

  • Access the personal data we hold about you.
  • Correct or update inaccurate data.
  • Erase your account and data.
  • Withdraw consent at any time — this is as easy as deleting your account.
  • Nominate a person to exercise these rights on your behalf if you are unable to.
  • File a complaint with us, and escalate to the Data Protection Board of India.

8. Security

We use row-level security on our database, encrypted transport (HTTPS), rate-limiting on sensitive endpoints, and audit logs on contact-reveal events. No system is perfectly secure, and you remain responsible for keeping your password and OTP confidential.

9. Cookies

We use only the cookies needed to keep you signed in and to remember a redirect after login. We do not set advertising or analytics cookies.

10. Children

BloodBridge is for users aged 18 and over. We do not knowingly collect data from anyone below 18. If you believe a child has given us data, write to us and we will delete it.

11. Contact us about your data

For any privacy question, request, or complaint, write to ankit@bloodbridge.live. We aim to acknowledge within 48 hours and resolve within 15 days, in line with the timelines set by Indian law (DPDP Act & IT Rules 2021).

12. Changes

If we change this policy in a material way, we will notify you on the site and update the date above. The current version always lives at this URL.

This is a community-drafted v1. Even though BloodBridge is non-profit, Indian privacy law still applies to us, and this page is our best-effort starting point until a practising lawyer reviews it. It is not legal advice. Read the Terms of Service and the Health Notice alongside this policy.