1001 BLR · Legal

Privacy Policy

Last updated · 27 May 2026

We're 1001 Things To Do (“1001 BLR”, “we”, “us”). This page explains what data we collect when you join the waitlist, why we collect it, and what your rights are. Plain English, no fluff.

What we collect

  • Email address— required to join the waitlist and verify it's really you (one-time code).
  • Name — so we can greet you properly.
  • Phone number — optional, only if you opt in to WhatsApp updates.
  • Referral data — if a friend invited you, we record their referral code so they get credit.
  • Technical data — your IP address and browser user agent, captured at signup for fraud prevention and audit.
  • Anonymous analytics — page views and performance metrics via Vercel Analytics and Speed Insights. No personal identifiers, production only.
  • Bot protection — when enabled, Cloudflare Turnstile runs a captcha challenge. Cloudflare may receive limited request metadata to score it.

Cookies and local storage

  • visitor_id — a random cookie set on first visit so we can count unique landings. One year. No identity attached.
  • Auth session — a secure, HTTP-only cookie issued by Supabase after you verify your email. Lets you stay signed in.
  • Admin auth— only used if you're an admin. Not relevant to regular users.
  • Local storage — your signup state and referrer code are cached in your browser under 1001ttd_* keys so the page loads instantly. You can clear it any time.

Why we collect it

  • To put you on the waitlist and tell you when we launch.
  • To send transactional emails — your verification code, position updates, launch news — via Resend.
  • To send WhatsApp updates, only if you opt in.
  • To prevent abuse, fake signups, and referral fraud.
  • To improve the product through aggregated, anonymous analytics.

Who we share it with

We don't sell your data. We do use a small set of trusted vendors to run the service:

  • Supabase — auth + database (typically Singapore region).
  • Vercel — hosting, analytics, and speed insights (United States).
  • Resend — transactional email delivery (United States).
  • Cloudflare — Turnstile bot protection (global).

This means your data may be processed outside India. We pick vendors with GDPR-grade safeguards and only share what's needed.

Email and unsubscribe

Every broadcast email from us includes a one-click unsubscribe link. When you unsubscribe, we stop sending marketing immediately and delete your email from active lists within 30 days, kept only that long for legal and audit purposes.

Your rights

Regardless of where you live, you can ask us to:

  • See a copy of the data we hold about you.
  • Correct anything that's wrong.
  • Delete your account and data entirely.
  • Stop receiving marketing.
  • Withdraw any consent you've given.

Email and we'll act on it within 30 days.

Children

The waitlist is for people aged 13 and over. If you're younger, please don't sign up. If we find out we've collected data from someone under 13, we'll delete it.

Security

We use industry-standard encryption in transit (HTTPS) and at rest. No system is bulletproof — if we ever have a breach affecting you, we'll tell you promptly.

Changes to this policy

If we make material changes, we'll update the date at the top and email you if it affects how your data is used.

Contact

1001 Things To Do, Bengaluru, India.