Privacy Policy

We made YI EcoWarriors to teach kids about e-waste in a fun way. To run the game, we have to remember a few things about you: your email, a password (kept in a scrambled form even we cannot read), the avatar you picked, and the points and badges you earn as you play. If you are a student we also remember your first name, your birth year, your city, your school, and your class. Adults (teachers, parents, others) give us a name, a phone number, a city, and how they heard about the app.

We do not sell your information. We do not show you ads. We do not share your data with other companies so they can market to you. Only the YI EcoWarriors team can see your account, and only when we need to fix something for you.

If you are under 18 in India, the law says your parent or guardian has to say yes before we collect your information. We ask for that during sign-up.

If you ever want us to delete everything, email [PLACEHOLDER: support email]and we will delete your account and your data. We are also building a one-click delete button inside the app for the future.

This app is operated by [PLACEHOLDER: legal entity name, e.g. Confederation of Indian Industry / Young Indians chapter], a [PLACEHOLDER: entity type and registration jurisdiction], with its registered office at [PLACEHOLDER: registered office address]. Throughout this policy, “we”, “us”, and “YI EcoWarriors” refer to that entity.

For any privacy question, write to [PLACEHOLDER: primary privacy contact email]. For the formal grievance route required under Indian law, see Section 11 below.

We split the data we collect by who the user is, because the student flow and the adult flow on the app collect different fields.

We use the information above only for the following purposes:

• To create your account and let you sign back in.
• To save your progress so the game does not reset every time you open it.
• To show leaderboards inside the app (your preferred name and avatar are visible to other players; your email and mobile number are never shown).
• To send transactional emails: account confirmation, password reset, and security-critical notices.
• To understand, in aggregate, which lessons and games are working and which are confusing, so we can improve the content. We do this with privacy-friendly analytics (see Section 8 on cookies and tracking).
• To respond when you contact our support address.

We do not use your data to build advertising profiles, to sell to data brokers, or to share with third parties for their own marketing.

Your account, profile, and gameplay data are stored in a managed Postgres database hosted on Supabase in the ap-south-1 (Mumbai) region. Data is encrypted at rest on the database server and in transit between your device and our servers (HTTPS / TLS 1.2+).

Static assets (images, audio, JavaScript) are served via [PLACEHOLDER: CDN provider name, e.g. Cloudflare / Vercel Edge]. The CDN does not receive your profile data; it only delivers files everyone gets the same copy of.

We keep your account data for as long as your account exists. If you want us to delete it sooner, see Section 7 below.

Until our in-app account-deletion button ships, you can request deletion by emailing [PLACEHOLDER: support email]with the subject line “Delete my account” from the email address you signed up with. We will action the request within [PLACEHOLDER: commitment SLA, e.g. 30 days]and confirm by email when it is done.

Some records may persist after deletion for the brief additional period our database backups retain them. Backups roll forward and old snapshots are overwritten on a [PLACEHOLDER: retention window, e.g. 30-day] schedule. We will never restore a deleted account from backup except where the law requires it.

A large share of YI EcoWarriors users are children between the ages of 8 and 17. Under Section 9 of the Digital Personal Data Protection Act, 2023, we treat anyone under 18 in India as a child for the purposes of this policy. For children, the following applies:

• Verifiable parental consent: we require a parent or guardian to consent before a child’s personal data is processed. The current consent mechanism is [PLACEHOLDER: exact verifiable consent mechanism, e.g. parent email confirmation + identity attestation form]. We are evaluating stronger verification options and will update this policy when the mechanism changes.
• No behavioural tracking: we do not track the browsing of children for the purpose of behavioural profiling.
• No targeted advertising: we do not show advertising on the app at all, and we will not introduce targeted advertising to children in the future.
• No use that is detrimental to the child’s wellbeing:we will not use children’s data in any way that we have reasonable grounds to believe causes or is likely to cause harm to the child.

A parent or guardian can ask us at any time, by writing to [PLACEHOLDER: support email], to review the data we hold on their child, correct it, or delete it entirely.

Under the Digital Personal Data Protection Act, 2023, you (or your parent/guardian, if you are a child) have the following rights regarding your personal data:

• Right to access: ask us for a summary of the personal data we hold about you.
• Right to correction and erasure: ask us to correct inaccurate data or delete data we no longer need.
• Right to withdraw consent: revoke previously given consent at any time. (Note: withdrawing consent for processing required to run your account means we will need to close that account.)
• Right to grievance redressal: raise a complaint with our grievance officer (see Section 11) and, if unresolved, with the Data Protection Board of India.
• Right to nominate: nominate another individual who may exercise these rights on your behalf in the event of your death or incapacity.

To exercise any of these rights, email [PLACEHOLDER: support email]with the subject line that matches your request (for example, “Access my data”, “Delete my account”). We will respond within [PLACEHOLDER: response SLA, e.g. 30 days].

We use a small number of cookies and analytics signals, chosen because they do not personally identify individual users:

• Strictly necessary cookies: the session cookie that keeps you signed in. Without this, the app cannot function. No consent dance applies to strictly necessary cookies.
• Privacy-friendly product analytics: we use [PLACEHOLDER: analytics provider, e.g. Plausible / self-hosted Umami / GA4 with IP anonymization on]to understand which pages and games people use. The analytics provider sees only an anonymized request, never your name, email, or full IP address.
• Edge platform logs: [PLACEHOLDER: CDN / edge provider] keeps short-lived request logs for abuse-prevention and uptime monitoring. These logs are deleted within [PLACEHOLDER: log retention window, e.g. 7 days].

We do not use cookies for advertising, retargeting, or cross-site tracking. We do not embed third-party social media trackers (no Facebook Pixel, no TikTok Pixel, etc).

We follow Reasonable Security Practices as defined under the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. In practice, this includes:

• All traffic between your device and our servers is encrypted with TLS (HTTPS).
• Passwords are stored as salted one-way hashes (we cannot read them, even if we wanted to).
• Database access is gated by Postgres Row-Level Security (RLS), so the API can only return rows that belong to the signed-in user.
• Administrative access to the database is [PLACEHOLDER: describe access policy, e.g. limited to two named operators and audited].
• We rotate [PLACEHOLDER: describe key/secret rotation cadence]and review our security posture on a [PLACEHOLDER: cadence, e.g. quarterly] basis.
• In the event of a personal data breach, we will notify affected users and the Data Protection Board of India in accordance with Section 8(6) of the DPDP Act, 2023.

We will update this policy if the way we collect, use, or store personal data changes. When we do, we will:

• Bump the “Last updated” date at the top.
• Email registered users about material changes, with a short summary of what changed and why.
• Keep an archive of past versions, available on request to [PLACEHOLDER: support email].

For general privacy questions, email [PLACEHOLDER: support email].

Under Indian law we are required to publish the name and contact details of a grievance officer who handles complaints related to personal data. Ours is:

We aim to acknowledge a grievance within [PLACEHOLDER: acknowledgement SLA, e.g. 48 hours] and resolve it within [PLACEHOLDER: resolution SLA, e.g. 15 days]. If you are not satisfied with the response, you may approach the Data Protection Board of India.