Legal

Privacy Policy

Last updated: April 2026. We believe your data belongs to you.

1. Introduction & Data Fiduciary Identity

This Privacy Policy describes how GamerFlick (“we”, “us”, or “our”), the Data Fiduciary under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), collects, uses, shares, and protects personal data when you use the GamerFlick platform at gamerflick.in and associated mobile applications.

By creating an account or using the Service, you consent to the practices described in this Policy. If you do not agree, please discontinue use of the Service. This Policy is governed by the DPDP Act, 2023, and the Information Technology Act, 2000.

2. Information We Collect

We collect the following categories of personal data:

  • Account Info: Email address, phone number, and date of birth (required to verify age eligibility).
  • Profile Info: Display name, username, avatar image, and gaming IDs you choose to share.
  • Device Fingerprint: Hardware identifiers and device signals used solely for anti-fraud purposes (enforcing the 3-account-per-device limit). Not used for advertising.
  • Gaming Activity: Tournament entries, match results, XP progression, referral activity, and community interactions.
  • Financial Data: COIN purchase history, POINTS balance, withdrawal records, and UPI handle. PAN (Permanent Account Number) is collected when required for withdrawals to comply with Indian tax law.
  • Communications: Emails, in-app messages, and support tickets you send to us.
  • Automated Data: Cookies, browser/device type, IP address, page views, Web Vitals, crash reports, and session recordings (see Section 4).

3. Lawful Grounds & Purposes

Under the DPDP Act, 2023, we process your personal data on the following lawful grounds and for the explicit purposes stated:

  • Consent: Account creation, marketing communications, and session recording (Microsoft Clarity).
  • Contract performance: Processing tournament entries, prize distributions, COIN purchases, and UPI payouts.
  • Legal obligation: TDS deduction and reporting under the Income-tax Act, 1961; KYC/PAN verification for financial transactions.
  • Legitimate interests: Platform security, anti-fraud (device fingerprinting), abuse prevention, and product improvement — balanced against your privacy rights.
  • Vital interests: Detecting and responding to safety threats to users or the platform.

4. Data Sharing with Third Parties

We do not sell your personal data. We share data only with the processors listed below, each bound by data processing agreements:

  • Vercel — hosting infrastructure, Vercel Analytics (page view counts, no PII), and Speed Insights (Web Vitals).
  • Cloudflare — DNS resolution and edge network security.
  • Firebase (Google LLC) — user authentication (sign-in, token management).
  • Google Cloud Storage — storage of user-uploaded images (avatars, tournament banners) via presigned URLs.
  • Razorpay — payment gateway for COIN purchases and UPI payouts (once live). Razorpay processes payment card and UPI data under their own PCI-DSS compliance.
  • Microsoft Clarity — anonymised session recordings and heatmaps to understand user behaviour. Clarity does not receive financial data or PAN. You may opt out via clarity.microsoft.com/opt-out.
  • Zoho Mail (Zoho Corporation Pvt. Ltd.) — transactional email delivery (welcome emails, OTPs, withdrawal confirmations) via smtp.zoho.in.

5. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service. Following a verified account deletion request:

  • Account and profile data is deleted within 30 days.
  • Financial records (COIN purchases, withdrawals, TDS deductions, PAN data) are retained for 7 years from the date of the transaction, as required by the Income-tax Act, 1961 and applicable financial regulations.
  • Soft-deleted records (flagged with deleted_at) are purged from production databases after the applicable retention window.

6. Your Rights under the DPDP Act

As a Data Principal under the DPDP Act, 2023, you have the following rights:

  • Access: Obtain confirmation of what personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of personal data no longer required for the stated purposes (subject to legal retention obligations).
  • Data Portability: Receive a copy of your personal data in a structured, commonly-used format.
  • Withdraw Consent: Withdraw previously given consent at any time (this does not affect lawfulness of processing before withdrawal).
  • Grievance Redressal: Lodge a complaint with our Grievance Officer (Section 10) or with the Data Protection Board of India.

To exercise any of these rights, email privacy@gamerflick.in with the subject line “DPDP Rights Request”. We will respond within 30 days.

7. Data Security

We implement industry-standard technical and organisational measures to protect your personal data:

  • All data in transit is encrypted via TLS 1.2 or higher.
  • All financial operations (COIN purchases, prize credits, withdrawals) use database-level row locking within atomic transactions to prevent race conditions and double-spends.
  • A soft-delete-only policy ensures no data is permanently erased without a formal retention review.
  • Access to production systems and PAN data is restricted to authorised personnel only.
  • We conduct periodic security reviews and penetration tests.

8. Children's Privacy

GamerFlick does not knowingly collect personal data from children under the age of 13. Users aged 13–17 may access free and social features only with verifiable parental or guardian consent. Participation in paid tournaments is restricted to users aged 18 and above.

If we learn that personal data has been collected from a user under 13 without appropriate consent, we will take prompt steps to delete that data and terminate the associated account. Parents or guardians who believe their child has an account should contact us at privacy@gamerflick.in.

9. International Data Transfers

Some of our third-party processors operate servers outside India. Your data may be transferred to and processed in the following jurisdictions:

  • United States — Vercel, Firebase (Google LLC), Microsoft Clarity.
  • European Union / EEA — Cloudflare edge nodes (may vary by region).

By using the Service and consenting to this Policy, you explicitly consent to such transfers. Where required by the DPDP Act, we ensure that adequate safeguards (standard contractual clauses or equivalent) are in place with each processor before transferring your data.

10. Grievance Officer

In accordance with the DPDP Act, 2023, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer:

  • Name: Yash Patel
  • Email: grievance@gamerflick.in
  • Response time: Within 30 days of receipt of a complaint.

11. Governing Law

This Privacy Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. Any disputes arising from this Policy shall be resolved in accordance with Section 13 of our Terms of Service.

12. Changes & Notification

We may update this Privacy Policy from time to time. Material changes — including new categories of data collected, new processors, or changes to your rights — will be communicated via in-app notification or email at least 7 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the updated Policy.