Legal · Last revised 31 May 2026
Privacy Policy
Event Kabaadi (“we”, “us”, “the platform”) operates the marketplace at eventkabaadi.com. This Privacy Policy explains what personal information we collect from you, how we use it, who we share it with, how long we keep it, and the rights you have under India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”).
For the purposes of the DPDP Act, Event Kabaadi is the “Data Fiduciary” and you, as a user, are the “Data Principal”.
1. Information we collect
We collect the following categories of personal information:
1.1 Account & identity
- Phone number — required for sign-in via SMS one-time-password (OTP). Stored in E.164 format.
- Display name — the name you supply at onboarding.
- PAN identity details — when you complete Individual KYC: PAN number, full name, date of birth, and a selfie. We verify these with Sandbox (sandbox.co.in). Only the verified name is retained on your account; the raw PAN number is stored hashed.
- GST identity details — when you complete Business KYC: GSTIN, legal name, trade name, registered state. Verified with Masters India.
1.2 Marketplace activity
- Listings you create: title, description, price, photos, condition, category, state/city/neighbourhood, and the coordinates we silently capture from your browser’s geolocation API (only used for distance-based search ranking and map embeds you explicitly share).
- Chat messages and attachments exchanged with other users via the platform’s chat interface.
- Watchlist items you save.
- Payment records for paid listings or add-ons: order id, payment id, amount, GST split. Card numbers and bank credentials are handled by Razorpay and are never stored on our servers.
1.3 Technical signals
- IP address, browser user-agent, device type.
- Cookies necessary for login (an HTTP-only session cookie) and for remembering your selected home-base city.
- Aggregated usage telemetry (page views, click events) for product analytics. We do not use third-party advertising trackers.
2. How we use your information
We use the information above strictly for these purposes:
- Authenticating you when you sign in via OTP and keeping your session active for the cookie’s 30-day lifetime.
- Verifying your identity (PAN) and your business (GSTIN) for marketplace trust signals.
- Letting you publish, edit, find, save, and respond to listings.
- Enabling chat between buyers and sellers, including delivering push notifications when supported by your device.
- Processing payments through Razorpay and providing GST-compliant receipts.
- Sending operational notifications (KYC outcome, listing publication, expiry warnings, payment receipts, security alerts) via SMS, email, or in-app push.
- Investigating fraud, abuse, or violations of our Terms of Service.
- Complying with applicable Indian law, including responding to legal demands.
3. Who we share it with
We share personal information only with the following categories of recipients, and only to the extent each needs it to perform the service we’ve engaged them for:
- Identity verification providers — Sandbox (PAN), Masters India (GST). They receive the specific identifiers needed to verify and the consent reason you grant at submission time. They do not receive your marketplace activity.
- Payment processor — Razorpay receives the minimum order metadata needed to process payment. Razorpay is responsible for PCI-DSS compliance.
- Cloud infrastructure — Firebase (Auth, Storage, Firestore) and Postgres-as-a-service for application data. These hold your data under our control; they do not use it for their own purposes.
- Other users — your display name, your verified-seller badge state, listing details, and (only after you connect via chat) your neighbourhood are visible to the counterparty in any transaction. Your phone number is shared with a counterparty only when you both initiate a phone call via the platform.
- Law enforcement — only on a lawful request that compels disclosure under Indian law.
We do not sell your personal information. We do not share it with advertisers. We do not use it for any purpose outside what this policy describes.
4. How long we keep it
- Account data (phone, name, KYC results, listings, chat history): for as long as your account is active. If you delete your account (see §6) we soft-delete for 30 days to support a reactivation window, then hard-delete.
- Selfies and KYC photos: two years from account closure, then hard-deleted via a scheduled job. This aligns with the “purpose limitation” principle of DPDP §5.
- Payment records: retained for seven years to meet GST invoicing and audit obligations.
- Audit logs (admin actions, security events): two years.
5. How we protect it
- All data is transmitted over HTTPS with HSTS enforcement.
- Postgres connections require SSL.
- Sensitive identifiers (PAN, GSTIN) are stored either hashed or inside provider-side audit records, never in plaintext on our servers.
- Selfies and KYC photos are stored in private Firebase Storage buckets readable only by administrators via short-lived (15 minute) signed URLs.
- Administrative access is role-gated, MFA-protected (when enabled by the operator), and every privileged action is recorded in an audit log.
6. Your rights as a Data Principal
Under DPDP Act §11–§14, you have the following rights. Each right has a self-serve flow inside the product where reasonable; anything else is served via support@eventkabaadi.com.
- Right to access — request a copy of the personal data we hold about you. Self-serve at Settings → Privacy → Download my data.
- Right to correction — correct inaccurate information. Self-serve at Settings → Account. Name corrections for identity-verified accounts require support involvement.
- Right to erasure — delete your account and the personal information associated with it. Self-serve at Settings → Privacy → Delete my account. We retain a limited subset (payment records under §4) only where another statute requires it.
- Right to grievance redressal — raise a complaint to our Data Protection Officer (see §9). We respond to grievance complaints within 30 days as required by DPDP.
- Right to nominate — appoint another natural person to exercise these rights in the event of your death or incapacity. Contact our DPO.
7. Children
Event Kabaadi is not directed at children under 18. We do not knowingly collect personal information from children. If you believe a child has registered an account, contact our DPO and we will close the account and delete the data.
8. Changes to this policy
We may update this policy from time to time. Material changes (e.g. a new category of recipient, a longer retention window) will be notified via in-app banner and, for active users, via email. The “Last revised” date at the top of this page always reflects the current version.
9. Contact
Grievance Officer / Data Protection Officer:
Email: dpo@eventkabaadi.com
General privacy questions: privacy@eventkabaadi.com
This document is a v1 launch policy. It does not constitute legal advice. You should consult a lawyer if you have questions about your specific situation.