Privacy Policy
Last updated: November 6, 2025
Controller: Klub Software Innovation India Pvt Ltd
Scope: This policy covers all Klub web & mobile services, SSO, payments, community features, events, and analytics.
1. Summary
We collect only what's necessary to run communities, process payments, schedule events, provide support, and improve the service. We use Google SSO (email, full name, calendar) to authenticate and to create/update calendar events. Payments are processed by Razorpay; Klub does not store full card details.
2. Personal data we collect
Account & identity
- Google SSO: email address, full name, profile picture (where available). We use these to create and manage accounts.
- Optional profile fields: display name, bio, avatar, social links, timezone.
Platform activity
- Posts, comments, messages, course enrollments, event registrations, spaces joined, follower relationships, metadata (timestamps, IP, device info).
Communications
- Support requests, emails, in-app messages, calendar invites.
Payments & billing
- Razorpay-managed payments: transaction ID, payment method token, amount, currency, billing name, billing email, invoicing data. Klub stores payment metadata and Razorpay transaction IDs for reconciliation and refunds. We do not store raw card data.
Integrations & logs
- Google Calendar event data when the user grants the calendar scope (event title, start/end, description, attendees as provided by the user).
- Usage logs, crash reports, analytics (aggregated & pseudonymized where possible).
Cookies & tracking
- Session cookies, preference cookies, analytics cookies, and advertising/attribution cookies.
3. How we use your data (legal bases / purposes)
- Authentication & account management: create accounts, sign-in, passwordless flows via Google SSO.
- Calendar management: create/update/delete calendar events on behalf of creators/members when calendar permission is granted; send invites and reminders. (Scope usage is limited to event management only.)
- Payments & billing: process payments and refunds via Razorpay; send invoices/receipts; detect fraud; comply with taxes.
- Core product features: show feeds, enrollments, course access, member-only content, one-on-one calls, leaderboards.
- Communications & notifications: transactional emails (joins, invoices, event reminders) and in-app notifications. Marketing only with explicit consent.
- Analytics & product improvement: platform performance, feature usage, A/B testing — aggregated/pseudonymized by default.
- Legal & safety: comply with legal requests, enforce TOS, prevent fraud/abuse.
4. Google SSO & Calendar — exact scope & usage (explicit)
- Google SSO (openid / profile / email): used to authenticate and import: email, full name, profile picture. We store email and name as primary identifiers.
- Google Calendar scope (calendar.events): Klub will only request this scope when the user explicitly schedules events or enables calendar sync. Uses: create calendar invites, update event times, cancel events, add guests (as provided by the user), write reminders. Klub will:
  - Request minimal scopes at time-of-use, with clear UI explaining purpose.
  - Show the user exactly what will be written to their calendar and allow per-event consent.
  - Provide UI to revoke calendar access and remove created events (where feasible).
  - Log calendar operations (event IDs, timestamps) for reconciliation and deletion.
5. Payments via Razorpay — exact scope & usage (explicit)
- We integrate Razorpay for payment processing. Klub collects and stores Razorpay transaction IDs, order IDs, status, and basic billing info needed for receipts and refunds.
- Card data & PCI: all card handling and storage is performed by Razorpay. Klub never stores raw card numbers, CVV, or full PAN. We store only tokens / masked details returned by Razorpay where necessary.
- Refunds & disputes: Klub will interact with Razorpay APIs to initiate refunds; we retain transaction metadata for finance and compliance.
- Billing privacy: billing address, tax details are stored for invoicing and tax compliance only.
6. Data sharing & third parties
- Service providers: Razorpay (payments), SendGrid (email), Google (SSO & Calendar), analytics vendors, cloud hosting providers. We require processors to maintain appropriate security.
- Marketplace / integrations: creators can opt to connect third-party integrations (YouTube, Stripe, etc.) — data exchange only with explicit consent.
- Legal requests: we may disclose data to comply with laws, court orders, or to prevent harm. We will notify users unless prohibited.
7. Data retention & deletion
- Accounts & content: retained until the user deletes their account or requests deletion. After a deletion request, content is removed from public view within 48–72 hours; backups may persist up to 90 days for logs/forensics.
- Payments: financial records retained for legal/tax compliance (local jurisdictional timelines; e.g., minimum 7 years recommended — confirm with finance counsel).
- Analytics: aggregated data retained as long as needed for product improvement; raw logs and personally-identifying analytics retained only for limited operational needs (e.g., 90 days).
8. User rights & controls
- Access, correction, portability, deletion — users can request via account settings or privacy@klub.it (or your legal contact). We'll verify identity before action.
- Google SSO users can revoke Klub access via their Google account security settings — revocation stops new access; Klub will retain prior data subject to retention rules.
- Marketing opt-out: unsubscribe links and in-app toggles.
- Data export: we provide users their account data in a machine-readable format upon request within a reasonable window (e.g., 30 days).
9. Minors & restricted users
Klub is intended for users aged 12 and older.
10. Security & compliance
- Encryption: TLS in transit; AES-256 or equivalent at rest for sensitive PII.
- Access controls: least privilege, MFA for admin access, periodic access reviews.
- Incident response: 72-hour internal incident triage, 30-day public disclosure timeline where legally required; notify affected users and authorities as required.
- Pen testing & audits: annual penetration tests and third-party security review pre-seed/seed.
- PCI & data: rely on Razorpay for PCI compliance; Klub will not be in scope for card data storage.
11. Cross-border transfers
Data may be stored and processed in India and other jurisdictions (cloud providers). Klub will apply safeguards (SCCs or equivalent) and notify users where transfers affect rights.
12. Cookies & tracking
- Types: essential, analytics, preference, marketing. Users can manage cookie preferences in the UI. We do not use third-party trackers for sensitive data without consent.
13. Changes to this policy
We'll post changes with a revision date and, for material changes, notify active users 7 days before enforcement.
14. Contact & complaints
Privacy contact: aksshat@klub.it.com