CricketDream ("we", "us", or "our") operates the website cricketdream.in (the "Platform"). As a Data Fiduciary under the DPDP Act, we are responsible for how your personal data is collected, processed, stored, and protected. This Privacy Policy explains those practices and your rights as a Data Principal.
By using the Platform you freely and unambiguously consent to the practices described below. You may withdraw this consent at any time (see Section 6).
Platform Operator Details
Platform name: CricketDream
Website: https://cricketdream.in
Nature of platform: Free fantasy cricket — no real money, prizes, or gambling
1. Personal Data We Collect
We collect only the minimum personal data needed for the Platform to function (data minimisation principle).
1.1 Data you provide directly
| Data | Purpose | Retention |
|---|---|---|
| Email address | Account creation, authentication, transactional emails (e.g. password reset) | For the life of the account; deleted within 30 days of account deletion request |
| Username / display name | Shown on leaderboards and within leagues | Same as above |
| Password (hashed) | Secure authentication — never stored in plain text | Same as above |
1.2 Data collected automatically
| Data | Purpose | Retention |
|---|---|---|
| IP address & approximate location | Fraud prevention, security logging | Up to 90 days in security logs |
| Browser / device type | Compatibility and aggregated analytics | Anonymised after 30 days |
| Usage data (pages, actions) | Product improvement — stored anonymised/aggregated only | Anonymised; no identifiable record retained beyond 30 days |
1.3 Data we do NOT collect
- Payment or financial data (the Platform is 100% free).
- Government IDs, Aadhaar, PAN, or identity document numbers.
- Precise GPS location.
- Sensitive personal data as defined under the DPDP Act.
2. Legal Basis for Processing
Under the DPDP Act 2023 and DPDP Rules 2025, we process your personal data on the following lawful bases:
- Consent — You freely provide your email and username when registering. By registering you give free, specific, informed, unconditional, and unambiguous consent to our processing of your data for the purposes stated in Section 1.
- Legitimate use — Security logging, fraud prevention, and legal compliance constitute legitimate processing purposes under Section 7 of the DPDP Act.
We process your data only for the specific purposes stated above. We will not use your data for any other purpose without obtaining fresh consent.
3. Data Storage & Third-Party Processors
Your data is stored on Supabase (database and authentication), which operates on AWS infrastructure primarily located in the United States. The Platform is deployed on Vercel, also based in the United States.
By using the Platform you acknowledge that your data may be transferred to and processed in the United States, which may have different data-protection standards than India. Both Supabase and Vercel comply with internationally recognised security frameworks (SOC 2 Type II, ISO 27001). We rely on their security measures and standard data processing agreements for cross-border transfers.
We do not sell, rent, share, or trade your personal data with any third party for marketing or commercial purposes.
4. Your Rights as a Data Principal
The DPDP Act 2023 and DPDP Rules 2025 grant you the following rights. To exercise any right, you can manage your account directly from your Profile Settings page, or raise a request through the Platform. We will acknowledge within 48 hours and resolve within 30 days.
- Right to Access — Request a summary of the personal data we hold about you and the purposes for which it is being processed.
- Right to Correction & Completion — Ask us to correct inaccurate or incomplete personal data.
- Right to Erasure — Request deletion of your account and all associated personal data. We will complete deletion within 30 days. You can also delete your account directly from your profile settings.
- Right to Withdraw Consent — You may withdraw consent at any time by deleting your account or emailing us. Withdrawal does not affect the legality of processing carried out before withdrawal.
- Right to Grievance Redressal — Raise a complaint with our Grievance Officer (see Section 9). If unsatisfied with the resolution, you may appeal to the Data Protection Board of India once it is operationalised by the Government of India.
- Right to Nominate — Under Section 14 of the DPDP Act, you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. To register a nominee, raise a request through the Platform.
5. How We Use Your Information
- To create and manage your account (purpose: contract fulfilment).
- To enable fantasy team building, draft participation, and private leagues (purpose: core service).
- To display leaderboards and award points (purpose: core service).
- To send transactional emails only (e.g. password reset). We do not send marketing emails without your explicit consent.
- To detect and prevent fraudulent or abusive activity (purpose: security & legitimate interest).
- To comply with applicable legal obligations.
6. Consent & How to Withdraw It
Your consent to this Privacy Policy is obtained at account registration. It is:
- Free — not a condition of accessing any paid service (the Platform is entirely free).
- Specific — limited to the purposes described in Section 1 and 5.
- Informed — this policy provides full details of processing.
- Unambiguous — you actively register to use the Platform.
To withdraw consent, you can:
- Delete your account directly from your Profile Settings page — this immediately queues deletion of all your personal data.
Withdrawing consent will result in the deletion of your account and all associated personal data within 30 days. This does not affect data already lawfully processed.
7. Cookies & Local Storage
We use browser local storage (not traditional third-party cookies) to persist your login session via Supabase Auth. No third-party advertising, tracking, or profiling cookies are set. Any analytics are anonymised and aggregated before storage.
8. Children's Privacy
The Platform is strictly for users aged 18 and above. We do not knowingly collect personal data from individuals under 18. Under the DPDP Act 2023, processing data of a child requires verifiable parental consent — since our Platform is age-restricted to 18+, users under 18 are not permitted to register.
If you believe a minor has created an account, please raise a report through the Platform and we will delete the account and all associated data promptly.
9. Security & Data Breach Notification
9.1 Security measures
We implement the following security safeguards as required under the DPDP Rules 2025:
- HTTPS / TLS encryption for all data in transit.
- Salted password hashing (bcrypt) — plain-text passwords are never stored or transmitted.
- Row-Level Security (RLS) in the Supabase database — users can only access their own data.
- Access controls and regular access log reviews.
- Encrypted data backups to ensure continuity.
9.2 Data breach notification
In the event of a personal data breach that may adversely affect you:
- We will notify the Data Protection Board of India as required under the DPDP Rules 2025.
- We will notify affected users without undue delay via the email address registered on their account, describing the nature of the breach and the steps taken or proposed to address it.
- We maintain security logs for a minimum of 90 days to support breach detection and investigation, in line with DPDP Rules 2025 requirements.
No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
10. Grievance Officer & Data Protection Board
In accordance with the IT Act 2000, IT (Intermediary Guidelines) Rules 2021, the DPDP Act 2023, and the Consumer Protection (E-Commerce) Rules 2020, our Grievance Officer details are:
Name: CricketDream Privacy & Grievance Team
Contact: Via Platform (Profile Settings or account management)
Acknowledgement: Within 48 hours of receipt
Resolution: Within 30 days of receipt
If you are not satisfied with the resolution provided by our Grievance Officer, you may escalate your complaint to the Data Protection Board of India once it is operationalised by the Government of India under the DPDP Act 2023.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in law or our practices. Material changes will be communicated by updating the "Last updated" date at the top of this page and, where appropriate, by sending a notification to your registered email address. Continued use of the Platform after any change constitutes acceptance of the revised policy.
12. Contact Us
For any privacy-related questions, data requests, or complaints, use the account management options in your Profile Settings or raise a request directly through the Platform.