Legal
Privacy Policy
Last updated: 28 April 2026 · Effective: 28 April 2026
Blynkx (“we”, “our”, or “us”) operates the social media operations platform at blynkx.com. This Privacy Policy explains how we collect, use, store, share, and protect your personal data, and your rights under the Digital Personal Data Protection Act 2023 (DPDP Act) and applicable law.
1. Who We Are
Blynkx is a social media operations platform that helps teams publish content, manage approval workflows, schedule posts, and monitor publishing operations across multiple social media channels.
Data Fiduciary: Blynkx (blynkx.com)
Grievance / Privacy Contact: privacy@blynkx.com
2. Personal Data We Collect
a) Account and Authentication Data
- Email address and hashed password (if using email/password sign-in)
- Name and profile details you provide
- Session tokens and sign-in timestamps
- IP address and user-agent (for security logging)
b) Social Account Connection Data
- OAuth access and refresh tokens for connected social platforms (e.g. Twitter/X, Facebook, LinkedIn, Instagram)
- Provider account name, profile picture URL, and provider account ID
- Connection status and last authorisation timestamps
c) Post and Content Data
- Post text, title, and scheduling details you create within the platform
- Target social accounts and publishing status
- Approval workflow history (who submitted, approved, or rejected a post)
d) Media Data
- Files (images, videos) you upload for use in posts
- File metadata: name, size, MIME type, upload timestamp, uploader identity
e) Usage and Operational Data
- Action logs for audit purposes (actor ID, action type, request ID, timestamps)
- Error and performance telemetry (no post content included in system logs)
- Feature usage patterns to improve the platform
We do not sell your personal data to third parties, and we do not use post content for advertising profiling.
3. How We Use Your Data
| Purpose | Lawful Basis (DPDP Act 2023) |
|---|---|
| Authenticate your account and maintain secure sessions | Consent / Contractual necessity |
| Connect and publish to your linked social accounts | Consent (explicit — you initiate each connection) |
| Manage post creation, approval, scheduling, and publishing | Contractual necessity |
| Store and serve media you upload for use in posts | Contractual necessity |
| Send platform notifications (e.g. approval requests, publish confirmations) | Consent / Legitimate interest |
| Monitor platform health and investigate incidents | Legitimate interest (minimal data, no post content) |
| Comply with legal obligations and respond to lawful requests | Legal obligation |
4. Data Sharing and Sub-Processors
We share personal data only as necessary to operate the platform. Our current sub-processors include:
- Cloud infrastructure (AWS) — for hosting, database, and media storage
- Social platform APIs (Twitter/X, Facebook/Meta, LinkedIn, Instagram) — solely to fulfil publishing actions you request
- Identity provider (Keycloak, self-hosted) — for SSO authentication, operated by us
We do not share your personal data with marketing partners, data brokers, or analytics providers beyond what is necessary for platform operations. All sub-processors are bound by data processing agreements.
5. Data Retention
- Account and profile data: Retained for the duration of your active account, plus a grace period post-deletion request.
- Social account tokens: Retained until you disconnect the account or the token expires/is revoked.
- Post content and media: Retained for the duration of your account unless you delete individual items.
- Session tokens: Expire after 8 hours of inactivity (cookie-based, not server-stored).
- Audit and system logs: Retained for up to 90 days on a rolling basis. Logs contain only operational identifiers — no post content.
Specific retention windows will be published in an updated version of this policy prior to general availability.
6. Your Rights as a Data Principal (DPDP Act 2023)
Under the Digital Personal Data Protection Act 2023, you have the following rights:
- Right to information — Know what personal data we process and the purposes for which it is used.
- Right of access — Request a summary of your personal data held by us.
- Right of correction and erasure — Request correction of inaccurate data or erasure of data we no longer need.
- Right to withdraw consent — Withdraw consent for optional processing at any time (e.g. disconnect a social account, delete posts). Withdrawal does not affect lawfulness of processing prior to withdrawal.
- Right to grievance redressal — Raise a grievance with our Grievance Officer (see Section 8).
- Right to nominate — Nominate another individual to exercise rights on your behalf in case of death or incapacity.
To exercise any of these rights, contact us at privacy@blynkx.com. We will acknowledge your request within 72 hours and respond within 30 days.
7. Cookies and Tracking
We use a minimal set of cookies necessary to operate the platform:
- Session cookie (
blynks-session) — Stores your encrypted session after sign-in. Expires in 8 hours. HttpOnly, Secure, SameSite=Lax. - OAuth state cookie (
blynks-oauth-state) — Short-lived token used only during the social account connection flow. Deleted on completion. HttpOnly, Secure, SameSite=Lax.
We do not use third-party tracking cookies, advertising pixels, or behavioural analytics cookies.
8. Grievance Officer
If you have a complaint about how we handle your personal data, you can raise it with our Grievance Officer:
Blynkx Privacy Team
Email: privacy@blynkx.com
We aim to acknowledge all complaints within 72 hours and resolve them within 30 days. If your complaint is not resolved to your satisfaction, you may escalate to the Data Protection Board of India.
9. Data Security
We implement technical and organisational measures to protect your personal data, including:
- Encrypted storage of passwords using bcrypt
- HTTPS-only transport for all data in transit
- Session tokens stored as signed, HttpOnly cookies — never accessible to browser scripts
- OAuth tokens stored server-side only, never exposed to the client
- Role-based access controls (RBAC) limiting data access to authorised users and roles
- Audit logging for sensitive operations
In the event of a personal data breach that is likely to result in harm to you, we will notify you and the Data Protection Board of India in accordance with the DPDP Act 2023.
10. Cross-Border Data Transfers
Your data may be processed on infrastructure located outside India (including AWS regions). Where personal data is transferred cross-border, we apply appropriate safeguards in accordance with the DPDP Act 2023. We will update this section with confirmed data residency details prior to general availability.
11. Children's Privacy
Blynkx is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected such data, please contact us at privacy@blynkx.com and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top and, where changes are material, notify registered users by email or in-app notification at least 15 days in advance. Your continued use of Blynkx after the effective date constitutes acceptance of the updated policy.
Questions about this policy? Write to us at privacy@blynkx.com. We're happy to help.