Privacy Policy | Tamasha Live

1. INTRODUCTION & SCOPE

1.1. About Us: Gamepe Technologies Private Limited ("Gamepe," "we," "us," or "our") operates a portfolio of digital platforms designed to facilitate social connection, entertainment, and wellness through live audio interactions. Our platforms include, but are not limited to: Tamasha, Playroom, Playroom Pro, Friendchat, Dostii, Dosti Pro, Masti, Masti Pro, Yaari, Openly, and Audio Jockey (collectively, the "Platforms").

1.2. Purpose of This Policy: This Privacy Policy ("Policy") is a legal document that explains how we collect, use, share, store, and protect your personal data when you use any of our Platforms. We are committed to being transparent about our data practices and to processing your data lawfully, fairly, and in a transparent manner in compliance with the Digital Personal Data Protection Act, 2023 ("DPDPA") and other applicable laws.

1.3. Your Consent & Agreement: By accessing, registering for, or using any of our Platforms, you acknowledge that you have read, understood, and agree to be bound by the terms of this Privacy Policy and our Terms of Use. If you do not agree, you must immediately cease using and uninstall our Platforms.

1.4. Key Definitions (as per DPDPA):

1.4.1. "Data Principal" means you, the individual to whom the personal data relates.

1.4.2. "Data Fiduciary" means Gamepe Technologies Private Limited, as we determine the purpose and means of processing your personal data.

1.4.3. "Personal Data" means any data about an individual who is identifiable by or in relation to such data.

1.4.4. "Processing" covers the entire lifecycle of data handling, including collection, recording, storage, use, sharing, and deletion.

1.4.5. "Data Processor" means a third party that processes personal data on our behalf.

1.5. How We Obtain Your Consent: When you create an account on any of our Platforms, you will be presented with this Privacy Policy and required to provide your free, specific, informed, unconditional, and unambiguous consent by actively checking an unticked box or clicking a clearly labeled "I Agree" button. This affirmative action signifies your agreement to the processing of your personal data as described herein. We do not use pre-ticked boxes, implied consent, or consent obtained through inactivity.

2. DATA WE COLLECT AND ITS LAWFUL PURPOSE

2.1. We collect different types of data for specific, lawful purposes. The details below form the basis of our "Notice" to you as required under Section 5 of the DPDPA.

A. Account & Profile Data: We may collect your name, mobile number, email, username, profile picture, gender, date of birth, and password hash. This information is processed to create and manage your unique account, verify your identity, personalize your experience, and facilitate login. The lawful basis for this processing is your Consent (Section 6 of DPDPA) and the necessity for the Performance of our contract with you.

B. User-Generated Content & Interaction Data: This includes the content of your live voice and video calls (conversations, interactions), associated metadata (timestamps, duration), and any text or media you may share. This data is processed for three primary purposes. First, for Core Service Delivery to enable the real-time communication which is our Platform's primary function. Second, for Safety, Security & Moderation to protect our community through real-time and post-session analysis for prohibited content, investigating reports, and preventing fraud. Third, for Quality & Training to improve our automated safety systems and for internal quality assurance. The lawful basis is Performance of Contract for core delivery, Legitimate Use for prevention of offences (Section 7(c)) for safety, and your Consent for quality and training enhancements.

C. Host-Specific Data: If you are a Host, we collect KYC Details (PAN, Aadhaar for verification), bank account details, a voice sample, language proficiency, past experience, and performance metrics. This is processed to verify your identity, facilitate earnings payouts and tax compliance, assess suitability, ensure quality, and enforce Platform policies. The lawful basis is your Consent and the Necessity for purposes related to employment or similar relationship (Section 7(i)) as an independent contractor.

D. Transaction & Financial Data: We process records of your virtual coin purchases, payment method details (handled by third-party gateways), gift transactions, and earnings history. This is necessary to process in-app purchases, facilitate the virtual economy, calculate and disburse Host earnings, and for financial record-keeping and fraud prevention. The lawful basis is Performance of Contract and compliance with Legal Obligations for financial records.

E. Technical & Device Data: We collect your device type, operating system, IP address, browser type, app version, session cookies, and analytics data. This information is processed to monitor platform performance, troubleshoot technical issues, analyse usage patterns, and enhance security against unauthorized access. The lawful basis is our Legitimate Use in ensuring the Security and proper functioning of our Platform.

F. Wellness Data (Specific to Openly Platform): This encompasses all data mentioned in Category B, with particular sensitivity to information about your emotional state, life circumstances, and goals voluntarily shared during wellness sessions. This is processed strictly to provide the peer-support wellness service, ensure Listener compliance with non-medical boundaries, and implement critical safety protocols. Due to its heightened sensitivity, the lawful basis for this processing is your Explicit Consent (Section 6).

G. Location Data: We may collect GPS data, IP-based location information, and location metadata from posts. This is processed to enable location-based features (such as showing nearby users or events) and to detect and prevent fraudulent activities. The lawful basis for this processing is your Consent (Section 6 of DPDP Act).

3. GRANULAR CONSENT FOR SPECIFIC PROCESSING

3.1. Your Control: For certain processing activities beyond the absolute core service delivery, we will seek your separate, granular, and explicit consent.

3.2. Consent for AI/ML Model Training: We may use anonymized and de-identified extracts from audio interactions to train and improve our artificial intelligence and machine learning models, used solely for enhancing platform safety and user experience.

3.3. Marketing Communications: We will only send you promotional messages about new features or campaigns if you explicitly opt-in. You can unsubscribe anytime via the link in the message or in your account settings.

4. HOW WE SHARE YOUR PERSONAL DATA

We do not sell your personal data. We share it only in the following circumstances:

4.1. With Other Users & Hosts: Your profile information (username, picture) and the user-generated content you share within calls or chats may be visible to other participants as per the intended functionality of the Platforms.

4.2. Within the Gamepe Ecosystem: To provide a seamless service, Hosts using the Audio Jockey app serve users across all our Platforms (Tamasha, Playroom, Openly, etc.). Your interaction data may therefore be processed by a Host who is part of this unified system. All Platforms and Hosts are governed by this unified Privacy Policy and the same stringent contractual obligations.

4.3. With Service Providers (Data Processors): We engage trusted third-party companies to perform services on our behalf, such as cloud hosting, payment processing, communication delivery, data analytics, customer support, and fraud detection. These partners are bound by strict contractual agreements that mandate DPDPA-compliant processing, confidentiality, and security standards.

4.4. With Legal & Regulatory Authorities: We may disclose your information if required by law, court order, or governmental authority; to enforce our Terms of Use; to protect the rights, safety, or property of Gamepe, our users, or the public; or to defend against legal claims. In such cases, we disclose only the minimum necessary information.

4.5. In Connection with Corporate Transactions: Your information may be transferred as part of a merger, acquisition, sale of assets, or transition of service to another provider. We will ensure the successor entity is bound by this Policy or provides equivalent protections.

5. DATA SECURITY AND BREACH NOTIFICATION

5.1. Our Security Measures: We implement robust technical and organizational measures to protect your data in compliance with Rule 6 of the DPDP Rules, 2025. These include, at a minimum:

5.1.1. Data Security Measures: Industry-standard encryption (TLS 1.2+ for data in transit and AES-256 for sensitive data at rest), obfuscation, masking, or the use of virtual tokens mapped to personal data where appropriate.

5.1.2. Access Controls: Strict role-based access control (RBAC) systems to regulate access to computer resources used by us or our Data Processors, granted on a need-to-know and least-privilege basis.

5.1.3. Visibility and Monitoring: Comprehensive logging, real-time monitoring, and periodic review mechanisms to enable detection, investigation, and remediation of unauthorized access. Logs are retained for a minimum period of one year as required by law.

5.1.4. Business Continuity: Reasonable measures for continued processing in the event of data compromise, including regular data backups and disaster recovery protocols.

5.1.5. Contractual Safeguards: Appropriate provisions in all contracts with Data Processors requiring them to maintain equivalent security safeguards.

5.1.6. Organizational Measures: Regular security audits, employee training, and documented policies to ensure effective observance of all security safeguards.

5.2. Personal Data Breach Response: In the unfortunate event of a personal data breach (unauthorized access, disclosure, loss, etc.) that is likely to result in harm to you, we are committed to complying with Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules, 2025.

5.2.1. Notification to Affected Data Principals: Upon becoming aware of any personal data breach, we will, without delay, intimate each affected Data Principal through their user account or registered communication mode, providing:

5.2.1.1. a description of the breach, including its nature, extent, and timing of occurrence;

5.2.1.2. the consequences relevant to you that are likely to arise from the breach;

5.2.1.3. the measures implemented and being implemented by us to mitigate risk;

5.2.1.4. the safety measures you may take to protect your interests; and

5.2.1.5. the business contact information of the person authorized to respond to your queries.

5.2.2. Notification to the Data Protection Board of India: We will also intimate the Data Protection Board of India:

5.2.2.1. without delay, a description of the breach, including its nature, extent, timing and location of occurrence, and the likely impact; and

5.2.2.2. within seventy-two (72) hours of becoming aware of the breach (or such longer period as the Board may allow), the following:

5.2.2.2.1. updated and detailed information regarding the breach;

5.2.2.2.2. broad facts related to the events, circumstances, and reasons leading to the breach;

5.2.2.2.3. measures implemented or proposed to mitigate risk;

5.2.2.2.4. any findings regarding the person who caused the breach;

5.2.2.2.5. remedial measures taken to prevent recurrence; and

5.2.2.2.6. a report regarding the intimations given to affected Data Principals.

6. DATA RETENTION & ERASURE

We retain your personal data only as long as it is necessary for the purposes stated in this Policy, or as required to comply with legal, tax, or regulatory obligations.

6.1. Key Retention Periods: Retained for a minimum period of one (1) year from the date of processing, as required under Rule 8(3) of the DPDP Rules, 2025, for the purposes specified in the Seventh Schedule. After this mandatory retention period, such logs will be securely erased unless required for ongoing investigations, legal proceedings, or compliance with any other applicable law.

6.1.1. Extended Retention for Specified Data Fiduciaries: Depending on the classification of our Platforms and the volume of registered users, we may be required to retain certain personal data for extended periods as specified in the Third Schedule to the DPDP Rules, 2025. If our Platforms qualify as:

6.1.1.1. a social media intermediary with not less than two crore registered users in India;

6.1.1.2. an e-commerce entity with not less than two crore registered users in India; or

6.1.1.3. an online gaming intermediary with not less than fifty lakh registered users in India,

we may retain personal data for up to three (3) years from the date on which you last approached us for the performance of the specified purpose or exercised your rights, in accordance with the Third Schedule.

6.1.2. Financial & Transaction Records: Retained for the period mandated by Indian tax and financial laws, currently 6 to 8 years from the end of the relevant financial year (or 6 years from the transaction date, whichever is applicable), to comply with income tax, GST, and other regulatory requirements.

6.2. Your Right to Erasure and Account Deletion Process:

6.2.1. Requesting Erasure: You may request the deletion of your account and personal data at any time through the "Delete Account" function within the Platform's settings, or by contacting our Grievance Officer.

6.2.2. Grace Period for Account Recovery: Upon receiving your deletion request, your account will be immediately deactivated. Your personal data will then be permanently and irreversibly erased from our live production systems after a 30-day grace period from the date of deactivation. This grace period is provided to allow you the opportunity to recover your account if the deletion request was made in error, in accordance with your right to withdraw consent under Section 6 of the DPDP Act.

6.2.3. Pre-Deletion Notice: At least forty-eight (48) hours before the completion of the time period for erasure of your personal data under this Policy or applicable law, we will notify you through your registered contact information that such personal data shall be erased upon completion of such period, unless you log into your user account, otherwise initiate contact with us for the performance of the specified purpose, or exercise your rights in relation to the processing of such personal data.

6.2.4. Processing Timeframe: We will process your erasure request and complete the deletion within 30 days of verification, subject to the exceptions below.

6.2.5. Exceptions (Legal Hold): The only exceptions to erasure are where we are required by law to retain certain personal data for a longer period. This is primarily limited to:

6.2.5.1. Financial and transaction records, which we are obligated to retain for the period mandated by Indian tax and financial laws (currently 6-8 years from the end of the relevant financial year).

6.2.5.2. Data required for ongoing fraud investigations, legal disputes, or to comply with a valid legal order.

Once any applicable mandatory retention period expires, we will securely delete or anonymize this data.

7. YOUR RIGHTS UNDER THE DPDPA

As a Data Principal, you have the following rights regarding your personal data:

7.1. Right to Access & Summary (Section 11): You have the right to request a summary of the personal data we process about you and the processing activities undertaken with respect to such data. You can exercise this right by submitting a request via the in-app "Privacy Dashboard" or by emailing our Grievance Officer.

7.2. Right to Correction & Erasure (Section 12): You have the right to correct inaccurate or misleading personal data, complete incomplete personal data, and update your personal data. You also have the right to request the erasure of your personal data. You can update your profile data directly in the app. For erasure requests, please use the "Delete Account" function or contact our Grievance Officer.

7.3. Right to Grievance Redressal (Section 13): You have the right to have readily available means of grievance redressal regarding any act or omission of ours concerning your personal data. You can raise a grievance through the in-app "Report/Help" section or by contacting our Grievance Officer directly. We are committed to responding to all grievances within 15 days of receipt.

7.4. Right to Nominate (Section 14): You have the right to nominate any other individual who, in the event of your death or incapacity, can exercise your rights under the DPDPA on your behalf. You may make such nomination using the means specified in the "Privacy Dashboard" section of your account and furnishing the particulars required (such as the nominee's name, contact information, and relationship to you). A dedicated nomination form will be available for this purpose. Upon your death or incapacity, the nominated individual may exercise your rights in accordance with the terms of service and applicable law.

7.5. Right to Withdraw Consent (Section 6): Where our processing is based on your consent, you have the right to withdraw your consent at any time. The ease of withdrawing consent will be comparable to the ease with which it was given. You can manage and withdraw your consent for specific processing activities (like AI training or marketing) using the granular consent toggles in your "Privacy Settings." Please note that withdrawing consent may limit your access to certain non-essential features of the Platforms.

8. CHILDREN'S PRIVACY AND VERIFIABLE PARENTAL CONSENT

8.1. Age Restriction and Consent Requirement: Our Platforms and services are intended for individuals who have completed the age of eighteen (18) years. We do not knowingly collect Personal Data from children (individuals under 18 years) without verifiable parental consent, as required under Section 9 of the DPDP Act and Rule 10 of the DPDP Rules, 2025.

8.2. Verifiable Parental Consent Mechanism: If you are a parent or lawful guardian and wish to allow your child to use our Platforms, you will be required to provide verifiable consent through our designated mechanism. This may include:

8.2.1. verification using reliable identity and age details already available with us;

8.2.2. voluntary provision of identity and age details by you; or

8.2.3. verification through a virtual token mapped to identity and age details issued by an authorized entity (including DigiLocker).

8.3. Our Obligations: Where we process personal data of a child with verifiable parental consent, we will:

8.3.1. not undertake processing that is likely to cause any detrimental effect on the child's well-being;

8.3.2. not undertake tracking or behavioral monitoring of the child; and

8.3.3. not undertake targeted advertising directed at the child.

8.4. Inadvertent Collection: If we become aware that we have inadvertently collected Personal Data from a child without verifiable parental consent, we will take immediate steps to delete such data from our servers and terminate the child's account.

8.5. Contact for Parents: If you are a parent or guardian and believe your child has provided us with data without your consent, or if you wish to provide verifiable consent, please contact our Grievance Officer immediately.

9. DATA STORAGE, LOCATION, AND INTERNATIONAL TRANSFERS

9.1. Primary Storage Location: We process and store your personal data primarily on our servers located within India. Specifically, our primary production infrastructure, including all cloud services that store user data, is hosted in the asia-south1 (Mumbai) region on Google Cloud Platform (GCP) and equivalent secure infrastructure for other service providers.

9.2. Compliance with Indian Law: As a result, all collection, storage, and processing of your personal data occurs within the territory of India in compliance with the Digital Personal Data Protection Act, 2023.

9.3. International Transfers: We do not routinely transfer your personal data outside India. In the event an international transfer becomes necessary for specific service provisions (e.g., using a specialized Data Processor located abroad), such transfer will only be conducted:

9.3.1. With your explicit consent where required; and

9.3.2. In accordance with Chapter IV (Section 16) of the DPDP Act and any applicable rules issued by the Central Government, including transferring only to countries or entities notified as providing an adequate level of data protection.

9.4. Data Processor Compliance: Any Data Processor engaged outside India will be bound by contractual obligations requiring them to process data in compliance with the DPDP Act and to implement security measures equivalent to those required under Indian law.

10. COMMUNICATION POLICY (WhatsApp & RCS)

We may contact you via WhatsApp and RCS for OTPs, updates, reminders, and promotions.

These services are operated by third-party providers.

You can opt out of promotional messages anytime.

We are not responsible for delays or failures caused by these platforms.

11. GRIEVANCE REDRESSAL AND CONTACT INFORMATION

We are committed to responding to and resolving all legitimate grievances promptly. While our internal target is to respond within 15 days of receipt, we will ensure that all grievances are resolved within the maximum period of 90 days as prescribed under Rule 14(3) of the DPDP Rules, 2025.

Grievance Officer (as required under IT Act, 2000):
Mr. Saurabh Gupta
Email: contact@tamasha.live

Data Protection Officer (DPO):
[Note: To be appointed if designated as a Significant Data Fiduciary. This section should be updated upon appointment.]
Name: [To be Appointed]
Email: dpo@gamepe.in

General Queries: For any questions about this Policy, you may also contact us via the in-app help center.

We are committed to responding to and resolving all legitimate grievances within 15 days of receipt, as required by law.

Contact Information in Communications: In every response we provide to you regarding the exercise of your rights under this Policy, we will include the business contact information of our Data Protection Officer (if appointed) or the designated person authorized to answer your questions about the processing of your personal data, as required under Rule 9 of the DPDP Rules, 2025.

12. CHANGES TO THIS POLICY

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or services. The "Last Updated" date at the top will indicate the latest version.

12.1. Notification of Material Changes: If we make material changes that reduce your rights or increase our ability to process your data, we will notify you prominently within the Platform (e.g., via a banner, push notification) or by email at least 15 days before the changes take effect.

12.2. Continued Use: Your continued use of our Platforms after the effective date of the revised Policy constitutes your acceptance of the terms.

Your use of our Platforms is also governed by our Terms of Use, which includes important provisions on acceptable conduct, payments, and limitations of liability.

Gamepe Technologies Private Limited

Registered Address: C/o Sorted Square Coworking Private Limited, Panchvati Vastra Nagar, Behind Roshni Ghar Road, Lashkar City, Gwalior, Gird, Madhya Pradesh 474009,