This policy explains what personal data Kalaloka collects, why we collect it, who we share it with, and how you can control it. We wrote this in plain language so you can understand it without a law degree.
Who this applies to: Anyone who uses the Kalaloka mobile app on Android or iOS.
Legal framework: This policy complies with the Digital Personal Data Protection Act, 2023 (DPDPA) of India, Google Play Data Safety requirements, and Apple App Store privacy guidelines.
| Term | What it means |
|---|---|
| Data Fiduciary | Us — DigiYogi, the company that decides why and how your data is processed |
| Data Principal | You — the person whose data we process |
| Personal Data | Any information that can identify you directly or indirectly |
| Consent | Your clear, informed, and voluntary agreement to data processing |
| Processing | Collecting, storing, using, sharing, or deleting your data |
| App Name | Kalaloka |
| Data Fiduciary | DigiYogi |
| Website | https://kalaloka.com |
| support@digiyogi.com | |
| Grievance Officer | support@digiyogi.com |
| Data Storage Location | India (E2E Networks, Mumbai region) |
| Media Storage | Cloudflare R2 |
You must provide this data to create an account and use Kalaloka.
| Data | Why We Need It | Legal Basis |
|---|---|---|
| Mobile phone number (+91XXXXXXXXXX) | OTP verification, payment prefill, account security | Consent + Contract performance |
| Full name | Display on your profile | Consent + Contract performance |
| Date of birth | Verify you are 13 or older | Legal compliance (DPDPA) |
| Language preference | Show the app in your language | Consent |
| Genre interests | Show stories you like | Consent |
This data is not required. You can skip it and still use the app.
| Data | Why | Shared With |
|---|---|---|
| Screen views and app interactions | Understand what features you use | Amplitude (analytics) |
| User ID, username, name | Link analytics to your account | Amplitude (analytics) |
| Advertising ID | Show you relevant ads | Google AdMob |
| Push notification token | Send notifications you asked for | NOT shared — stored on our server only |
| Platform (Android / iOS) | Fix platform-specific bugs | NOT shared |
If you choose to sign in with Google or Facebook, we receive:
You can always sign in with your phone number instead. Social login is optional.
We never use your data for purposes not listed here. If we ever need to, we will ask for your consent first.
We do not sell your personal data. Here is exactly who receives it and why:
| Third Party | Data Received | Why |
|---|---|---|
| Amplitude (USA) | User ID, username, name, screen views | Analytics |
| Google AdMob (USA) | Advertising ID, ad interactions | Advertisements |
| Razorpay (India) | Phone number (prefill), order details | Payment processing |
| Google OAuth (USA) | idToken (openid, email, profile) | Social login |
| Facebook (USA) | Access token (public_profile, email) | Social login |
| Expo / Firebase FCM (USA) | Push notification token | Push notifications |
We believe in collecting the minimum data needed. We never collect:
| Protection | What We Do |
|---|---|
| Encryption in transit | All data sent between your phone and our servers is encrypted using HTTPS / TLS 1.2 or higher |
| Encryption at rest | All data on our servers (PostgreSQL on E2E Networks, India) is encrypted at rest |
| Auth tokens | Your login tokens are stored in your device's SecureStore — encrypted and inaccessible to other apps |
| Media files | Stored on Cloudflare R2 with access controls |
| Server security | E2E Networks, India — firewall protection and access controls |
| Payment data | We never touch your card, UPI, or bank details. Razorpay handles all payments and is PCI-DSS compliant |
| Access control | Only authorized DigiYogi team members can access user data, and only when needed |
| Payment processor | Razorpay (India) — PCI-DSS Level 1 certified |
| What we send to Razorpay | Your phone number (prefilled), order ID, amount |
| What Razorpay sees | Your payment instrument info (card, UPI, wallet) — we never see this |
| What we store | Order metadata: transaction ID, amount, date, status, content purchased |
| What we do NOT store | Card numbers, UPI IDs, bank accounts, CVV, or any payment credentials |
| How long we keep order records | 7 years — required by Indian tax law |
Kalaloka is not for children under 13.
If we discover a user under 13 has created an account, we will delete their account and all associated data promptly. Contact support@digiyogi.com if you believe this has occurred.
| Data Type | How Long | Why |
|---|---|---|
| Account data (profile, preferences) | Until you request deletion | You need it to use the app |
| Analytics data (Amplitude) | 24 months, then anonymized | Industry standard for product analytics |
| Payment and order records | 7 years | Required by Indian tax law (Income Tax Act, GST law) |
| Push notification tokens | Until you uninstall or disable notifications | Required to send notifications |
When you delete your account, we remove your personal data from active systems within 30 days. Some data may remain in encrypted backups for up to 90 days, after which it is permanently deleted. Payment records are retained for 7 years as required by Indian law.
Some third parties we work with process data outside India. Under the DPDPA 2023, we may transfer personal data to countries not restricted by the Indian Government.
| Third Party | Destination | Safeguards |
|---|---|---|
| Amplitude | United States | SOC 2 Type II certified. Encrypted in transit and at rest |
| Google AdMob | United States | Google data protection frameworks. Encrypted in transit and at rest |
| Google OAuth | United States | Google's infrastructure. Encrypted in transit and at rest |
| United States | Meta's infrastructure. Encrypted in transit and at rest | |
| Expo / FCM | United States | Google Firebase infrastructure. Encrypted in transit and at rest |
| Razorpay | India | No cross-border transfer. Data stays in India |
| E2E Networks | India | No cross-border transfer. Data stays in India |
| Cloudflare R2 | India (configured) | Encrypted at rest and in transit |
Under the DPDPA 2023 and our own commitment, you have the following rights:
You can see all personal data we hold about you. Email support@digiyogi.com. Response within 30 days.
Edit your profile directly in the app (name, bio, photo, interests), or email us for data that cannot be changed in the app.
Go to Settings → Delete Account, or email us. Account deletion is permanent and cannot be undone. We process within 30 days. Payment records are retained for 7 years as required by law.
Under DPDPA 2023, you can nominate another person to exercise your data rights on your behalf in case of death or incapacity. Email us with the nominee's details.
If you believe your data rights have been violated, see Section 15 to file a grievance.
Your consent to process your data is:
| Free | You choose whether to give it. You can use phone login instead of social login. |
| Specific | We tell you exactly what data and for what purpose before you consent. |
| Informed | This policy is available before sign-up and in the app at all times. |
| Unconditional | We do not bundle consent for unrelated purposes. |
| Unambiguous | You take a clear action (tapping a button, filling a field) to give consent. |
Withdrawing consent is as easy as giving it (see Section 12.4). We will stop processing within 30 days. No fee for withdrawing consent.
If a data breach occurs that is likely to harm you, we will:
| support@digiyogi.com | |
| Response time | Within 30 days of receiving your complaint |
Please include: your registered mobile number or User ID, a clear description of your complaint, and what resolution you are seeking.
If you are not satisfied with our response, or if we do not respond within 30 days, you may escalate to the Data Protection Board of India established under the DPDPA 2023. Contact details are available at the Ministry of Electronics and Information Technology (MeitY) website.
| Change Type | How We Notify You |
|---|---|
| Minor changes (clarifications, formatting) | Updated policy on our website. New "Last Updated" date at the top. |
| Significant changes (new data collection, new third parties, new purposes) | In-app notification + email. We will ask for fresh consent if the change requires it. |
Continued use of the app after changes means you accept the updated policy.
| support@digiyogi.com | |
| Website | https://kalaloka.com |
| Privacy Policy URL | https://kalaloka.com/privacy-policy |
| Mailing address | DigiYogi, India |
We will respond to all privacy-related inquiries within 30 days.
| Data Type | Collected | Shared | Can Be Deleted |
|---|---|---|---|
| Phone number | ✓ | Razorpay (payments) | ✓ On account deletion |
| Name | ✓ | Amplitude (analytics) | ✓ On account deletion |
| Date of birth | ✓ | — | ✓ On account deletion |
| Email (social login) | ✓ (optional) | — | ✓ On account deletion |
| Photos (profile/cover) | ✓ (optional) | — | ✓ On account deletion |
| App activity | ✓ | Amplitude (analytics) | ✓ On account deletion |
| Advertising ID | ✓ | Google AdMob | ✓ Opt out via device settings |
| Payment info | ✗ (Razorpay handles) | — | — |
| Data Type | Collected | Linked to Identity |
|---|---|---|
| Phone number | ✓ | ✓ |
| Name | ✓ | ✓ |
| Date of birth | ✓ | ✓ |
| Email (if social login) | ✓ | ✓ |
| Photos | ✓ (optional) | ✓ |
| Usage data | ✓ | ✓ |
| Advertising ID | ✓ | ✓ |
| Payment data | ✗ | — |
This policy is effective as of May 1, 2026.
DigiYogi — Data Fiduciary for Kalaloka
Prepared in compliance with the Digital Personal Data Protection Act, 2023, Google Play Data Safety requirements, and Apple App Store privacy guidelines.