Khelo · Privacy Policy · Version 1.0

Privacy Policy

Platform: Khelo (https://khelo.online) · Operator: the entity identified in Contact & Legal Information ("Khelo", "we", "us") Last updated: 2026-07-15 · Version: 1.0

This Policy is the notice required under the Digital Personal Data Protection Act, 2023 ("DPDP Act"). Khelo is the Data Fiduciary for the personal data described below. Related documents: Terms & Conditions · Cookie Policy · Data Retention Policy · Third-Party Services · Children's Privacy · Grievance Redressal.

Table of Contents

  1. What Khelo is
  2. Personal data we collect
  3. What we do NOT collect
  4. Why we process your data (purposes)
  5. Payments — an important note
  6. Who can see your data
  7. Sharing with third parties
  8. Where your data is stored
  9. How long we keep it
  10. Your rights
  11. Security & breach notification
  12. Children
  13. Changes to this Policy
  14. Contact & grievances

1. What Khelo is

Khelo is a community sports platform that helps people in India discover, host, and join local games (football, cricket, badminton, basketball, tennis, volleyball, table tennis, pickleball), form groups and teams, and run amateur competitions.

2. Personal data we collect

Provided by you

Category Data Required?
Account Mobile number, password (stored only as a salted bcrypt hash), date of birth (18+ age gate), and your recorded acceptance of the Terms and this Policy (version, timestamp, IP address, device user-agent) Required
Profile Display name, unique username, city; optionally: profile photo, bio, gender, state, PIN code, email address Name/username/city required for full use
Sports profile Sports you play, per-sport skill level, positions/roles, years of experience, dominant hand/foot, playing style, availability (weekday/weekend, time of day), travel radius Optional
Locations Saved "playing areas" (place name, address, coordinates) and a derived home coordinate; each area may be tagged (home/office/college/weekend) Optional
Activity content Matches you create or join, positions declared per match, group/team memberships, competition entries, chosen team names/colors/crests, invite responses Generated by use
Reviews Ratings and comments you give and receive, no-show/late flags, abuse reports Generated by use
Payment coordination For hosts: your UPI ID, payee name, and/or uploaded UPI QR image. For players: your "I paid" claims, optional UPI transaction reference numbers, optional payment screenshots, notes Only for paid matches

Collected automatically

Category Data
Session security IP address and device/browser user-agent, stored against each login session (refresh token record)
Usage counters Last login time, login count, XP/level/streak activity
Notifications In-app notification history; a push token (FCM) may be stored if your device provides one — push delivery is currently not active

3. What we do NOT collect

4. Why we process your data (purposes)

Purpose Data used Lawful basis (DPDP)
Creating and securing your account Phone, password hash, session IP/device Consent; legitimate use for security
Running games you host/join Profile, bookings, match data Consent / performance of the service you request
Payment coordination & dispute trail UPI details, claims, references, proofs, immutable audit log Consent; establishing/protecting legal claims of users
Personalized recommendations Sports profile, locations/zones, availability, friends/groups, reputation Consent (profile data is user-supplied for this purpose)
Trust & safety Reviews, reputation aggregates, abuse reports, blocks Legitimate use: protecting other users
Service communications In-app notifications; OTP SMS to your number (when the OTP flow is enabled) Service necessity
Legal compliance Any of the above when demanded by law Legal obligation

We do not sell personal data, and we do not use it for third-party advertising.

5. Payments — an important note

Khelo is not a payment system, wallet, or escrow. For paid games, the host publishes their own UPI details; players pay the host directly through their UPI app of choice. Khelo only records the coordination status (applied / marked paid / verified / rejected) and any evidence a player volunteers (reference number, screenshot), and keeps an immutable audit log of these actions for dispute context. Refunds and payment disputes are between host and player — see the Refund & Cancellation Policy.

6. Who can see your data

7. Sharing with third parties

We share data only with the processors needed to run the service — full list with purposes in the Third-Party Services Disclosure. Summary: hosting on AWS (Mumbai region), SMS OTP gateway (Fast2SMS or 2Factor — receives your phone number only when an OTP is sent), Google Places (receives search text/coordinates you type when searching venues — proxied through our servers, never your identity), OpenStreetMap tiles (your IP requests map images), Let's Encrypt/Cloudflare (connection security). Dormant integrations (Razorpay, Firebase push) process no data unless activated, at which point this Policy will be updated.

We disclose data to authorities only against valid legal process under Indian law.

8. Where your data is stored

On servers operated for us by Amazon Web Services (AWS Lightsail), default region ap-south-1 (Mumbai, India). Uploaded images (photos, QR codes, payment proofs) are stored on the same infrastructure.

9. How long we keep it

See the Data Retention Policy. In short: account data for the life of the account; deleted accounts are deactivated immediately and personal data is erased or anonymized within the windows stated there; the payment audit trail is retained longer in anonymized/limited form for dispute and legal purposes.

10. Your rights

Under the DPDP Act you may:

Self-service: data export (Profile → Privacy & data → Export, in JSON and CSV) and account deletion (same screen, password-confirmed) are available in-app; every export and deletion is recorded in a protective audit log. The manual route via §14 remains available as a fallback.

If unsatisfied with our response, you may complain to the Data Protection Board of India.

11. Security & breach notification

Safeguards implemented: passwords and OTPs stored only as strong hashes; encrypted transport (HTTPS/TLS); short-lived session tokens with rotation and reuse detection; role- and ownership-based access controls; rate limiting; minimal network exposure; audit logging of payment actions. Details: Security documentation.

In the event of a personal data breach we will notify the Data Protection Board of India and affected users as required by the DPDP Act, describing the nature of the breach and remedial measures.

12. Children

Khelo is intended for users 18 years or older. We do not knowingly process children's data; see the Children's Privacy Policy, including the current absence of technical age verification and how to report an underage account.

13. Changes to this Policy

We will post updates here with a new "Last updated" date and, for material changes, notify you in-app. Continued use after the effective date constitutes acceptance to the extent permitted by law; where fresh consent is legally required, we will ask for it.

14. Contact & grievances

Data/privacy requests & Grievance Officer: privacy@khelo.online (officer's name and postal address are listed in Contact & Legal Information) — acknowledgment within 24 hours, resolution within 15 days (Grievance Redressal Policy).