Privacy Policy
Last updated: July 5, 2026
1. Overview and Scope
This Privacy Policy ("Policy") explains how bms.web (the personal portfolio and social platform of Braj Mohan Singh, hereinafter referred to as "we", "us", or "our") collects, uses, processes, and protects your personal data. We are committed to safeguarding your privacy and ensuring compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Digital Personal Data Protection Act, 2023 (DPDPA) of India.
2. Lawful Basis for Processing
Under applicable data protection laws, we process your data under the following lawful bases:
- Consent: When you voluntarily provide information (e.g., subscribing to a newsletter, filling out a profile).
- Contractual Necessity: To provide the core services of the platform, such as authenticating your account and displaying your public portfolio/social feed.
- Legitimate Interests: To secure the platform, prevent fraud, and analyze aggregate usage to improve our services.
3. Information We Collect
3.1. Authentication Data
We use Google OAuth, GitHub OAuth, and Email/OTP for authentication. When you sign in, we collect your email address, display name, and avatar. We do not store your passwords for OAuth accounts. For Email/OTP accounts, passwords are cryptographically hashed using industry-standard bcrypt algorithms.
3.2. Profile & Social Data
Information you voluntarily provide: username, bio, location, professional skills, social links, and your social graph (followers and following).
3.3. User-Generated Content
Content you create, including blog posts, projects, certificates, comments, likes, and OMDB watchlist interactions, is stored and may be visible to the public.
3.4. Automatically Collected Data
We collect IP addresses and browser metadata solely for rate-limiting, security auditing, and preventing Denial of Service (DoS) attacks.
4. How We Use Your Information
- To authenticate you and provide access to features.
- To display your public profile, posts, projects, and certificates.
- To power the social feed algorithm.
- To send transactional emails (OTPs, password resets) and subscribed newsletters.
- To maintain the security and integrity of the Service.
We do not sell, rent, or monetize your personal data to third-party data brokers or advertising networks under any circumstances.
5. Data Retention Timelines
We retain your personal data only for as long as necessary:
- Active Accounts: Data is retained for the lifetime of the account.
- Deactivated Accounts: Profile data is hidden immediately. Data is retained for 30 days to allow reactivation, after which it is permanently purged.
- Security Logs: IP addresses and rate-limit logs are retained for a maximum of 90 days.
6. International Data Transfers
Our databases (MongoDB Atlas) and hosting providers may be located in regions outside your home country. By using the Service, you consent to the transfer of your data to these jurisdictions. We rely on standard contractual clauses (SCCs) and robust encryption to ensure your data remains protected internationally.
7. Data Security and Breach Notification
We implement strict security measures, including HTTPS/TLS encryption, secure cookie sessions (NextAuth), input HTML sanitization, and strict rate limits.
Breach Protocol: In the event of a data breach that compromises your personal data, we will notify affected users via email within 72 hours of becoming aware of the breach, outlining the nature of the breach and steps taken to mitigate it.
8. Your Comprehensive Data Rights
Depending on your jurisdiction, you possess the following rights:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Edit or correct inaccurate profile information.
- Right to Erasure (Right to be Forgotten): Request the permanent deletion of your account and associated data.
- Right to Restrict Processing: Request a temporary halt to data processing while disputes are resolved.
- Right to Data Portability: Request your data in a structured, commonly used, machine-readable format.
To exercise these rights, please contact us. We will respond to verified requests within 30 days.
9. Children's Privacy (COPPA)
This Service is strictly not intended for individuals under the age of 13 (or 16 in certain EU jurisdictions). We do not knowingly collect personal data from minors. If we discover that a minor has provided us with personal data, we will delete it immediately.
10. Changes to This Policy
We may update this Policy periodically to reflect legal or operational changes. Material changes will be communicated via email or a prominent notice on the platform prior to taking effect.
11. Contact Information
If you have questions, concerns, or wish to exercise your data rights, please contact the Data Protection Officer (Braj Mohan Singh) via our Contact Form.