Legal

Privacy policy.

This document explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. It applies to nowmedia.in, app.nowmedia.in, and any other site or service operated by NOW Media.

Last updated

Who we are

"NOW Media" is a brand of Bleep Design Private Limited, a private limited company incorporated in India with its registered office in Bangalore, Karnataka. References in this policy to "we", "us", or "our" mean Bleep Design Private Limited operating under the NOW Media brand.

For the purpose of India's Digital Personal Data Protection Act 2023 (DPDP Act) we act as a Data Fiduciary. For the purpose of the EU General Data Protection Regulation (GDPR) and the UK GDPR, where they apply to visitors from those regions, we act as a Data Controller.

What we collect

We only collect what we need to run our business and to serve you.

1. Information you give us directly

  • Scope builder & lead forms. Name, phone number, email address, business name, project scope selections, optional context you choose to add, and a one-time verification code sent to your email or phone.
  • Discovery Blueprint. Strategic answers about your business, audience, brand, and goals, which you submit voluntarily so we can prepare a calibrated brief.
  • Client portal. Account profile, project files you upload, messages you exchange with us, billing and payment information, and approvals you record.
  • Careers. Resume, portfolio, and contact details if you apply for a role.
  • Newsletter & bookings. Email address for subscriptions; calendar details when you book a call.
  • Direct correspondence. Anything you choose to send us by email, chat, or messaging.

2. Information we collect automatically

  • Device and connection data. IP address, browser type, operating system, device type, screen size, referrer URL, and approximate location derived from the IP address.
  • Usage data. Pages viewed, links clicked, scroll depth, time on page, form interactions, and session recordings (where session-recording tools are enabled).
  • Cookies and similar technologies. See the Cookies section below.

3. Information from third parties

We may receive limited information from advertising platforms (for example, Meta or Google) when you interact with our ads, and from enrichment tools we use to qualify leads. We only use this to contextualise inbound interest, we do not buy bulk contact lists.

Why we use it

  • To respond to your scope, enquiry, or proposal request.
  • To deliver work under an engagement contract with you.
  • To send transactional messages (verification codes, scope receipts, project updates, invoices).
  • To operate the client portal and authenticate you when you sign in.
  • To measure how our site performs and improve it.
  • To run marketing campaigns to relevant audiences (with consent where required).
  • To meet legal, tax, and accounting obligations in India.
  • To detect, prevent, and respond to fraud, abuse, or security incidents.

Depending on the activity, our basis for processing is one of:

  • Consent, for marketing analytics, advertising cookies, and newsletter subscriptions.
  • Contract, to perform an engagement you have signed with us, or to take steps before signing.
  • Legal obligation, for invoicing, tax records, and lawful disclosures.
  • Legitimate interest, for essential analytics, security, fraud prevention, and direct communication with prospective clients who reached out to us.

Who we share data with

We do not sell your personal data. We do not rent it, trade it, or share it with any third party for their own marketing, advertising, or business purposes. The only third parties involved with your data are the sub-processors listed below, they act strictly on our instructions, under contractual confidentiality, and process your data only to operate the services we provide to you.

We rely on these sub-processors because no modern website or client portal can operate without infrastructure providers (hosting, database, authentication, email, analytics, payments). Each one is chosen for a specific operational function and is contractually bound to act only on our instructions and to keep your data confidential.

Provider Purpose Region
Supabase Database, authentication, file storage for the client portal Tokyo, Japan
Vercel Website and portal hosting, edge serving Global edge / United States
Cloudflare File storage (R2), DNS, traffic protection Global edge / United States
Resend Transactional email (verification codes, receipts, updates) United States
Sanity Content management for editorial pages United States / EU
Meta Platforms Advertising Pixel and Conversions API for campaign measurement United States / Ireland
Google GA4 analytics, Google Ads measurement, Google Sign-In for the portal United States
Microsoft Clarity Anonymised session recordings and heatmaps United States
PostHog Product analytics for the portal United States
Plausible Privacy-friendly aggregate website analytics European Union
TidyCal Calendar bookings for sales calls United States
Zoho Books Invoicing, accounting, and tax records India

This list may change as our stack evolves. We will keep it current and note any material change in this policy.

We may also disclose data to professional advisers (lawyers, accountants, auditors), to acquirers in connection with a corporate transaction, and to authorities where we are required by law.

International transfers

Some of our service providers are based outside India. Where data is transferred internationally we rely on the standard contractual protections that those providers offer, including the Standard Contractual Clauses approved by the European Commission and equivalent measures under UK and Indian law.

Cookies and similar technologies

We use a small number of cookies and similar storage:

  • Strictly necessary, authentication, session continuity, cookie-consent preference, and fraud prevention. These cannot be turned off.
  • Analytics, GA4, Microsoft Clarity, PostHog, and Plausible help us understand site performance and how the portal is used.
  • Marketing, Meta Pixel and Google Ads measure campaign effectiveness so we do not waste budget on people who are not interested in agencies like ours.

Visitors from the EU, the UK, and EEA see a consent banner on first visit and can accept or decline non-essential cookies. You can change your decision at any time by clearing the cookie now-cookie-consent in your browser and reloading the page, or by emailing us. Browser-level controls (Do Not Track, ad-blockers) are respected on a best-effort basis.

How long we keep data

  • Lead enquiries, kept for up to 24 months from your last interaction unless you become a client.
  • Client records, kept for the duration of the engagement plus 7 years to satisfy Indian tax and statutory record retention.
  • Account & portal data, kept while your account is active; deleted within 90 days of account closure unless we are required to retain it for legal reasons.
  • Analytics & logs, kept in aggregate or anonymised form for up to 26 months.
  • Marketing contacts, kept until you unsubscribe or ask us to delete you.

Your rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you.
  • Ask us to correct inaccurate or incomplete information.
  • Ask us to delete your data, where there is no overriding legal reason to retain it.
  • Withdraw consent for processing that depends on consent (this does not affect prior processing).
  • Object to processing that relies on legitimate interest.
  • Ask us to restrict processing in certain circumstances.
  • Receive a portable copy of data you provided to us.
  • Nominate a person to exercise these rights on your behalf in the event of incapacity (DPDP Act).
  • Lodge a complaint with the Data Protection Board of India, the Information Commissioner's Office (UK), or your local supervisory authority.

To exercise any of these rights, email privacy@nowmedia.in. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

Security

We use technical and organisational measures appropriate to the sensitivity of the data we handle: encryption in transit (HTTPS), encryption at rest for stored files, role-based access control, row-level security on the database, audit logs, multi-factor authentication for staff accounts, and least-privilege access for all team members. No system is ever fully secure, and we cannot guarantee absolute security, but we treat your data with the same care we expect from the providers we trust with our own.

Children

Our services are aimed at founders, businesses, and professional users. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. When we do, we will change the "Last updated" date at the top and, for material changes, notify you by email or via the portal. Continuing to use our site or services after a change means you accept the updated policy.

How to contact us

For any privacy question, request, or complaint:

We have not appointed a statutory Data Protection Officer because we are not required to. The founders are personally accountable for the handling of personal data at NOW Media.