Legal · Privacy Policy

Privacy Policy.

Last updated: 15 June 2026

Scope today

The Service today is a waitlist landing page. The only personal data we collect at this stage is the email address you submit, plus the request metadata your browser sends automatically (IP address, user agent, timestamp). We use it once, to email you when V1 opens. The fuller provisions below apply once accounts, profiles and project posting are live.

1. Introduction

This Privacy Policy (the “Policy”) describes the manner in which Kali Nigam, an individual proprietor operating the platform available at brag.build(the “Service”, also referred to as “Brag”, “we”, “us” or “our”), collects, uses, discloses and otherwise processes the personal data of users (the “User”, “you” or “your”). This Policy is to be read together with the Terms of Service and applies in accordance with the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and other applicable laws of the Republic of India.

2. Categories of Personal Data Collected

We collect the following categories of personal data:

  • Account data: email address, username, hashed password, and authentication identifiers received from third-party identity providers (e.g. Google) where you elect to sign in via such provider.
  • Profile data: display name, biography, avatar image, cover image, location, external links (such as personal website, X/Twitter, GitHub), and any additional fields you elect to provide.
  • User Content: the projects, descriptions, titles, build stories, media (including images and video), tags and links you submit for publication on the Service.
  • Interaction data: follows, likes, pinned projects, notifications, and similar activity records generated by your use of the Service.
  • Technical data: IP address, browser type and version, device identifiers, operating system, referrer URL, timestamps, session identifiers and similar diagnostic and security data, collected automatically when you access the Service.

3. Purposes of Processing

We process your personal data for the following purposes:

  • to create and administer your account and to authenticate you;
  • to provide, operate, maintain, and improve the features and functionality of the Service;
  • to publish and display your User Content in the manner you direct;
  • to communicate with you in respect of the Service, including service announcements, security alerts, password reset emails, and email verification;
  • to enforce our Terms of Service, prevent fraud or abuse, secure the Service, and comply with applicable legal obligations;
  • to analyse usage of the Service in aggregate form for the purposes of product improvement.

The legal basis for processing under the DPDP Act is your consent, freely given at the point of account creation, and, in relation to security and legal-compliance processing, our legitimate interests and statutory obligations.

4. Disclosure to Third Parties

We do not sell your personal data. We share personal data only with the following categories of recipients, each of which acts as a data processor on our behalf and is bound by appropriate confidentiality and data-protection obligations:

  • Neon, Inc.— managed PostgreSQL database hosting (storage of account, profile and interaction data);
  • Cloudflare, Inc. — object storage via the R2 service (storage of avatar, cover and project media uploaded by you);
  • Vercel Inc.— application hosting, edge networking and request logging;
  • Resend, Inc.— transactional email delivery (verification and password-reset emails);
  • Google LLC— only where you elect to authenticate via Google, in which case we receive your verified email and profile basic identifiers from Google.

We may additionally disclose personal data (a) in response to a valid subpoena, court order or other lawful request from a competent authority; (b) to enforce our Terms of Service or to protect the rights, property or safety of Brag, our users or the public; or (c) in connection with any merger, acquisition or sale of assets, in which case we will require the acquirer to honour the commitments set out in this Policy.

5. International Transfers

Certain of our processors are located, and may process your personal data, outside the Republic of India (including in the United States). Where such transfers occur, we rely on the standard contractual terms offered by each processor and on the statutory framework of the DPDP Act, which presently permits transfers to jurisdictions not specifically restricted by the Central Government.

6. Retention

We retain your personal data for as long as your account remains active. Upon deletion of your account, we will delete or irreversibly anonymise your personal data within thirty (30) days, except where retention is required to comply with a legal obligation, resolve a dispute, or enforce our agreements. Aggregated and de-identified data may be retained indefinitely.

7. Your Rights

Subject to the DPDP Act and to applicable verification requirements, you have the following rights in respect of your personal data:

  • the right to access a summary of the personal data we hold about you and a list of recipients with whom we have shared it;
  • the right to correct or complete inaccurate or incomplete personal data;
  • the right to request erasure of your personal data;
  • the right to withdraw your consent at any time, without prejudice to the lawfulness of processing carried out prior to such withdrawal;
  • the right of grievance redressal in accordance with Section 13 of the DPDP Act.

Many of these rights can be exercised directly from within the Service, including through the controls available at /settings/profile and the account-deletion control at /settings/danger. Where this is not possible, you may submit a request to the contact details set out in Section 11.

8. Security

We employ reasonable administrative, technical and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration or destruction, including encryption of passwords at rest using industry standard hashing algorithms and encryption of data in transit using Transport Layer Security. Notwithstanding the foregoing, no method of electronic transmission or storage is one-hundred per cent (100%) secure, and we cannot guarantee absolute security.

9. Cookies and Local Storage

The Service uses strictly necessary cookies and local storage for the purpose of maintaining your authenticated session and for similar essential functionality. We do not use third-party advertising or behavioural-tracking cookies. You may configure your browser to refuse cookies; however, doing so may prevent you from accessing or using portions of the Service.

10. Children

The Service is not intended for use by, and we do not knowingly collect personal data from, any individual who is under eighteen (18) years of age. If you believe that we have inadvertently collected personal data from a child, please contact us at the address set out in Section 11 and we will take reasonable steps to delete such data.

11. Grievance Officer and Contact

In accordance with Section 8(9) of the DPDP Act, the contact details of our grievance redressal officer are as follows:

Name: Kali Nigam
Email: onerollforkali@gmail.com

We will endeavour to respond to grievances and rights-requests within the timelines prescribed by the DPDP Act.

12. Updates to this Policy

We may amend this Policy from time to time. The most current version will always be posted on this page, with the “Last updated” date at the top reflecting the most recent revision. Where the changes are material, we will, where reasonable, notify you by email or by an in-Service notice.