Privacy Policy
We built Bowled’em to be lean on data. Here’s exactly what we collect, why, and what we don’t. Bowled’em is currently an independent personal project — not a registered company — in an active testing phase. This policy is written to be consistent with India’s Digital Personal Data Protection Act, 2023 (DPDP Act).
1. Information We Collect
Google account details — when you sign in via Google, we receive your email address, full name, and profile picture URL. We never receive or store your Google password. We do not request additional Google scopes — no calendar, no Gmail, no contacts.
Public nickname — a nickname you choose inside the app (1–30 characters). This can be edited once per account.
Match data — team names, player names, ball-by-ball events, venue city, scorer name, captain choice, and derived statistics. Saved matches are linked to your account and visible on your Home screen.
Career stats — total runs, batting average, strike rate, highest score, total wickets, bowling average, economy, maidens, and best figures — derived from matches you’ve been claimed in. These power your Player Card and Individual Performance tab.
Referral attribution — when you accept an invite link, we store the referrer’s user ID on your account so we can credit them on a successful sign-up.
Scorer token — a random string saved in your browser’s localStorage so only you can edit the match you created. On sign-up, any guest match is linked to your account automatically.
Connection data — the WebSocket session that streams live match updates. The session ID is ephemeral and discarded when you close the page.
Server access logs — standard logs (IP address, timestamp, request path, response code) kept for up to 30 days for security, abuse detection, and debugging.
Analytics — anonymous product events. If you’re signed in, events are tagged with your user ID so we can debug specific issues you report to support.
2. How We Use Your Data
- To operate the live scoring engine, real-time scorecards, result pages, and your saved-match Home screen.
- To compute and display your Player Card and career Individual Performance tab.
- To authenticate you via Google Sign-In and keep you signed in across devices.
- To auto-claim past performances when a name match is detected (Player Claiming with auto-backfill — see Terms §6).
- To populate the “Your Team” tab and let you invite teammates via WhatsApp / iMessage.
- To render Open Graph (OG) preview images so your match link shows a rich preview when shared.
- To send transactional messages — such as important account notices. We do not send marketing emails or SMS without your explicit opt-in.
- To enforce our Terms — for example, to detect abuse or attempts to use the Service for gambling.
3. Lawful Basis (DPDP Act)
We process your personal data on the following bases under the Digital Personal Data Protection Act, 2023:
Consent — given when you sign in via Google and accept these Terms and this Privacy Policy. You may withdraw consent at any time by deleting your account.
Certain legitimate uses — security monitoring, fraud prevention, abuse detection, and product analytics that improve the Service, where processing is reasonably expected and does not override your interests.
Legal obligation — responding to lawful requests from Indian authorities, and complying with applicable law.
4. Data Sharing
We do not sell your data. Match data you create becomes accessible to anyone you share the match link with — that is the core value of the Service.
We share data with the following third-party processors strictly to run the Service:
Google LLC — sign-in via OAuth 2.0.
MongoDB Atlas — encrypted managed database hosting (region: India).
Cloud hosting providers — for compute, storage, and CDN.
Resend (or a comparable transactional-email service) — for occasional service-related emails.
Ad networks (future, free tier only) — we do not currently serve ads. If this changes, we will update this policy before ads go live.
We may also disclose data when legally required — for example in response to a court order, statutory notice, or directions from a competent Indian authority.
5. International Data Transfers
Your match data is stored in MongoDB Atlas in an Indian region. Some processors — such as Google — operate globally and may process certain data outside India. Where this occurs, we rely on those processors’ own applicable data protection commitments. We are a one-person project using standard third-party APIs and do not have individually negotiated data processing agreements with these providers.
6. Cookies, Tokens & Analytics
We use browser localStorage to keep your scorer token, session JWT (if any), and the service-worker cache. We do not use third-party tracking pixels — no Meta/Facebook pixel, no TikTok pixel. Analytics events (anonymous unless you’re signed in) help us understand which features are used and where users get stuck. You can clear local storage via your browser settings at any time.
7. Data Retention
Match data is retained indefinitely so you can revisit it any time, unless you ask us to delete it or you delete your account. Live matches with no activity for 3+ hours are auto-marked “abandoned” — the data is retained, not deleted.
Server access logs are kept for 30 days.
Backup snapshots are purged within 30 days of account deletion.
Anonymous aggregate metrics — such as average match length — may be retained indefinitely with no personally identifying information attached.
8. Your Rights Under the DPDP Act
As a Data Principal under India’s DPDP Act, 2023, you have the right to:
Access — request details of the personal data we hold about you.
Correction — your full name updates from Google on each sign-in; your nickname is editable once from the Profile screen. For other corrections, email us.
Erasure — delete your account at any time from the Profile screen. Your personal profile, saved matches, and career stats are removed from active databases within 7 working days; backup snapshots are purged within 30 days.
Portability — request a JSON export of your matches and stats by emailing support@bowledem.com.
Withdraw consent — by deleting your account. Note that some processing may continue where required by law or for fraud prevention.
Grievance — raise any privacy concern with us directly at support@bowledem.com (see Section 13).
9. Children’s Policy
Bowled’em is intended for users aged 18 and above, in line with India’s Digital Personal Data Protection Act, 2023. If you are under 18, please do not sign up. Parents or guardians who become aware of a minor using the Service may email support@bowledem.com and we will remove the data within 7 working days.
10. Photos & Player Cards
Photos you upload to generate a Player Card are processed entirely in your browser — they are not uploaded to our servers. The exported PNG is a client-side file you control. Profile pictures sourced from Google are loaded from Google’s CDN; we do not copy them to our own storage.
11. Security
We use TLS in transit, encryption at rest for the database, signed and short-lived JWTs for sessions, and standard infrastructure-level protections including firewall rules, rate limits, and anomaly logging. We do not store passwords.
No system is 100% secure. If you suspect any breach or vulnerability, please notify us immediately at support@bowledem.com. We will investigate and notify affected users and the relevant authority within the timelines required under the DPDP Act.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date above will reflect any changes. For material changes, we’ll try to notify active users in-app. Your continued use of the Service after a change means you accept the updated policy.
13. Contact & Privacy Grievances
For any privacy questions, data-removal requests, or grievances under the DPDP Act, contact us at:
Email: support@bowledem.com
Subject line: “Privacy — Bowled’em”
We aim to acknowledge your message within 72 hours and resolve it within 30 days. Bowled’em is a one-person project and every message gets read personally.