Privacy Policy
Platform: Khelo (https://khelo.online) · Operator: the entity identified in Contact & Legal Information ("Khelo", "we", "us") Last updated: 2026-07-15 · Version: 1.0
This Policy is the notice required under the Digital Personal Data Protection Act, 2023 ("DPDP Act"). Khelo is the Data Fiduciary for the personal data described below. Related documents: Terms & Conditions · Cookie Policy · Data Retention Policy · Third-Party Services · Children's Privacy · Grievance Redressal.
Table of Contents
- What Khelo is
- Personal data we collect
- What we do NOT collect
- Why we process your data (purposes)
- Payments — an important note
- Who can see your data
- Sharing with third parties
- Where your data is stored
- How long we keep it
- Your rights
- Security & breach notification
- Children
- Changes to this Policy
- Contact & grievances
1. What Khelo is
Khelo is a community sports platform that helps people in India discover, host, and join local games (football, cricket, badminton, basketball, tennis, volleyball, table tennis, pickleball), form groups and teams, and run amateur competitions.
2. Personal data we collect
Provided by you
| Category | Data | Required? |
|---|---|---|
| Account | Mobile number, password (stored only as a salted bcrypt hash), date of birth (18+ age gate), and your recorded acceptance of the Terms and this Policy (version, timestamp, IP address, device user-agent) | Required |
| Profile | Display name, unique username, city; optionally: profile photo, bio, gender, state, PIN code, email address | Name/username/city required for full use |
| Sports profile | Sports you play, per-sport skill level, positions/roles, years of experience, dominant hand/foot, playing style, availability (weekday/weekend, time of day), travel radius | Optional |
| Locations | Saved "playing areas" (place name, address, coordinates) and a derived home coordinate; each area may be tagged (home/office/college/weekend) | Optional |
| Activity content | Matches you create or join, positions declared per match, group/team memberships, competition entries, chosen team names/colors/crests, invite responses | Generated by use |
| Reviews | Ratings and comments you give and receive, no-show/late flags, abuse reports | Generated by use |
| Payment coordination | For hosts: your UPI ID, payee name, and/or uploaded UPI QR image. For players: your "I paid" claims, optional UPI transaction reference numbers, optional payment screenshots, notes | Only for paid matches |
Collected automatically
| Category | Data |
|---|---|
| Session security | IP address and device/browser user-agent, stored against each login session (refresh token record) |
| Usage counters | Last login time, login count, XP/level/streak activity |
| Notifications | In-app notification history; a push token (FCM) may be stored if your device provides one — push delivery is currently not active |
3. What we do NOT collect
- No Aadhaar or government ID, no financial account numbers, no card details.
- No payment processing data — money moves directly between players and hosts via their own UPI apps; Khelo never receives or holds funds (see §5).
- No advertising identifiers, no third-party analytics or tracking SDKs, no contact-list or SMS access.
- Precise device GPS is used only if you grant location permission for map/venue features; it is used at request time and is not continuously tracked.
4. Why we process your data (purposes)
| Purpose | Data used | Lawful basis (DPDP) |
|---|---|---|
| Creating and securing your account | Phone, password hash, session IP/device | Consent; legitimate use for security |
| Running games you host/join | Profile, bookings, match data | Consent / performance of the service you request |
| Payment coordination & dispute trail | UPI details, claims, references, proofs, immutable audit log | Consent; establishing/protecting legal claims of users |
| Personalized recommendations | Sports profile, locations/zones, availability, friends/groups, reputation | Consent (profile data is user-supplied for this purpose) |
| Trust & safety | Reviews, reputation aggregates, abuse reports, blocks | Legitimate use: protecting other users |
| Service communications | In-app notifications; OTP SMS to your number (when the OTP flow is enabled) | Service necessity |
| Legal compliance | Any of the above when demanded by law | Legal obligation |
We do not sell personal data, and we do not use it for third-party advertising.
5. Payments — an important note
Khelo is not a payment system, wallet, or escrow. For paid games, the host publishes their own UPI details; players pay the host directly through their UPI app of choice. Khelo only records the coordination status (applied / marked paid / verified / rejected) and any evidence a player volunteers (reference number, screenshot), and keeps an immutable audit log of these actions for dispute context. Refunds and payment disputes are between host and player — see the Refund & Cancellation Policy.
6. Who can see your data
- Public/other users: your display name, username, photo, bio, city, sports profile, reputation aggregates and reviews received, and your participation in public matches/groups/competitions. Match pages shared externally (
khelo.online/m/…) show the match title, sport, venue/area, time, price, and host display name. - Match hosts see the roster of their match, applicants' names/positions, and payment-claim status for their own match.
- Never public: your phone number, email, password hash, session IPs/devices, saved playing areas' exact coordinates, payment screenshots/references (visible only to you, the relevant host, and administrators resolving a dispute).
7. Sharing with third parties
We share data only with the processors needed to run the service — full list with purposes in the Third-Party Services Disclosure. Summary: hosting on AWS (Mumbai region), SMS OTP gateway (Fast2SMS or 2Factor — receives your phone number only when an OTP is sent), Google Places (receives search text/coordinates you type when searching venues — proxied through our servers, never your identity), OpenStreetMap tiles (your IP requests map images), Let's Encrypt/Cloudflare (connection security). Dormant integrations (Razorpay, Firebase push) process no data unless activated, at which point this Policy will be updated.
We disclose data to authorities only against valid legal process under Indian law.
8. Where your data is stored
On servers operated for us by Amazon Web Services (AWS Lightsail), default region ap-south-1 (Mumbai, India). Uploaded images (photos, QR codes, payment proofs) are stored on the same infrastructure.
9. How long we keep it
See the Data Retention Policy. In short: account data for the life of the account; deleted accounts are deactivated immediately and personal data is erased or anonymized within the windows stated there; the payment audit trail is retained longer in anonymized/limited form for dispute and legal purposes.
10. Your rights
Under the DPDP Act you may:
- Access a summary of your personal data and processing activities;
- Correct inaccurate or incomplete data (largely self-service via your profile);
- Erase your data (account deletion — see the Account Deletion Policy);
- Grievance redressal — see Grievance Redressal Policy;
- Nominate an individual to exercise your rights in case of death or incapacity;
- Withdraw consent at any time (this may end our ability to provide the service).
Self-service: data export (Profile → Privacy & data → Export, in JSON and CSV) and account deletion (same screen, password-confirmed) are available in-app; every export and deletion is recorded in a protective audit log. The manual route via §14 remains available as a fallback.
If unsatisfied with our response, you may complain to the Data Protection Board of India.
11. Security & breach notification
Safeguards implemented: passwords and OTPs stored only as strong hashes; encrypted transport (HTTPS/TLS); short-lived session tokens with rotation and reuse detection; role- and ownership-based access controls; rate limiting; minimal network exposure; audit logging of payment actions. Details: Security documentation.
In the event of a personal data breach we will notify the Data Protection Board of India and affected users as required by the DPDP Act, describing the nature of the breach and remedial measures.
12. Children
Khelo is intended for users 18 years or older. We do not knowingly process children's data; see the Children's Privacy Policy, including the current absence of technical age verification and how to report an underage account.
13. Changes to this Policy
We will post updates here with a new "Last updated" date and, for material changes, notify you in-app. Continued use after the effective date constitutes acceptance to the extent permitted by law; where fresh consent is legally required, we will ask for it.
14. Contact & grievances
Data/privacy requests & Grievance Officer: privacy@khelo.online (officer's name and postal address are listed in Contact & Legal Information) — acknowledgment within 24 hours, resolution within 15 days (Grievance Redressal Policy).