Privacy Policy
How Prime Card Rummy collects, uses, stores, retains, transfers, protects, discloses and enables control over personal information when visitors use primecardrummy.org.
Last updated: 30 April 2026
Prime Card Rummy (“we”, “our”, “us”) publishes this Privacy Policy (“Policy”) to describe how personally identifiable information (“Personal Data”) or data that indirectly identifies you (“Indirect Markers”) is processed when interacting with primecardrummy.org (collectively, the “Site”). By loading pages, subscribing to outbound links, activating client-side routines, transmitting email, triggering dialogues within embedded components—or otherwise utilising features—you acknowledge this Policy layered atop applicable statutes (including but not restricted to prevailing Indian interpretations of informational privacy norms, supplemented by GDPR-aligned principles voluntarily adopted for cross-border coherence).
Capitalised headings aid navigation; cumulative clauses remain enforceable minus conflict with mandatory consumer law overriding contract text.
1. Data Steward & Contact
Operational controller: Prime Card Rummy editorial desk reachable at support@primecardrummy.org for privacy-specific escalations flagged with [Privacy] in the subject unless emergency legal process demands alternate routing.
Hosting, DNS, CDN, logging, anomaly detection, transactional email infrastructure, registrar contact proxies, cryptographic certificate authorities and outbound measurement partners all act as subprocessors, enumerated in context below; they sit outside our direct employment yet remain bound by contractual data processing obligations that mirror the fairness and purpose limitation doctrines.
Children’s surfaces: wagering-adjacent content is adulthood-oriented. Verified under-18 Personal Data ingestion triggers suppression pathways.
2. Categories of Data Processed
| Category | Examples | Primary Purposes |
|---|---|---|
| Technical Telemetry | IP address, UA string, referrer, coarse geolocation approximation, timestamps, hashed session tokens, hashed query tokens, anomaly scores | Security, diagnostics, lawful bases for abuse investigations |
| Interaction Telemetry | Scroll depth aggregates, carousel dwell approximations, search-box keystroke timing patterns (never raw payloads beyond transient buffers), DOWNLOAD click metadata if analytics scripts load | Editorial UX tuning, CTR calibration |
| Communications Contents | Free-text email payloads, attachments, optional PGP-encrypted blobs | Fulfilling your request, archiving audit trail |
| Voluntary Structured Forms (if deployed later) | Name, organisational affiliation—only upon explicit modular expansion | Supporting partnership vetting |
We do not architect native account systems, biometric vaults, or payment instrument vaults atop this apex domain baseline.
Cookies / similar technologies divide into:
- Strictly necessary: session integrity, concurrency tokens, ephemeral CSP nonces.
- Analytics: e.g., Google Analytics 4 when measurement IDs ship post-build; configurable consent overlays may be added when the regulatory posture tightens beyond the present static baseline.
- Preference: theme toggles, not currently stored persistently unless the roadmap introduces personalization flags.
Outbound partner domains may set additional trackers; these are subject to their own policies and fall outside our SLA.
3. Lawful Basis Matrix (EU-style overlay)
Though primary traffic may originate outside strict GDPR territoriality, referencing Article 6 mapping clarifies disciplined thinking:
| Processing | Basis |
|---|---|
| Security logging | Legitimate interests (Art. 6(1)(f)) balanced against intrusion minimisation |
| Analytics | Consent toggles pending regional overlay; transitional legitimate interest scaffolding where jurisprudence permits |
| Correspondence | Contractual pre-steps / legitimate interest in responding |
Indian PDPB evolution: when the statute crystallises granular duties, the headings here will be realigned, without prematurely removing legacy commitments.
4. Retention & Erasure Logic
SMTP logs are compressed after ~90 rolling days unless subpoena freezes apply. Abuse investigation bundles (hashed artefacts) may be kept longer. Editorial correspondence archives are kept indefinitely while necessity persists, unless an erasure petition passes verification and no exception applies (ongoing financial crime inquiry, overlapping litigation hold).
CDN edge caches expire on their own; an instantaneous global purge is not possible given propagation delays, so grace windows apply.
Automated TTL jobs rotate search-index JSON artefacts per build—they lack Personal Data granularity.
5. International Transfers
Infrastructure may traverse EU, USA, SG and IN commercial hosting regions; Standard Contractual Clauses (2021 SCC modules) anchor adequacy bridging where relevant. Schrems II supplemental measures: TLS 1.2+ in transit, encryption at rest contingent on blob classification, and segregation of IAM roles to minimise lateral pivoting.
Transfers to authoritarian jurisdictions lacking an independent judiciary are paused unless encryption renders the data unintelligible at those endpoints and strict access logs accompany the transfer.
6. Security Programme Pillars
- TLS Certificate Transparency monitoring.
- Least-privilege CI deploy keys, nominally rotated quarterly (expedited on anomaly).
- Separate staging and production secret scopes, inaccessible to the static site edge except for ephemeral build-pipeline tokens.
- Social-engineering rehearsals for staff, covering BEC attempts that exploit brand confusion.
Residual risk statement: absolute security is folklore; our disclosures remain honest about residual zero-day risk.
7. Your Rights Requests
Depending on geography you may wield access, correction, portability, restriction, objection, automated decision objections (we avoid solely automated punitive adjudications), withdrawal of consent—not absolute if superseded by law. Verification may require cryptographic challenge email loops to prevent dossier farming.
California "Shine the Light" analogue: categorical disclosure upon validated identity.
8. Disclosure to Authorities
Validated legal process, not informal “asking nicely”, triggers calibrated cooperation; transparency reports may aggregate gag-order volumes once a gag is lifted.
Corporate restructuring (M&A) triggers a successor notice; opt-out carve-outs may appear pre-close.
9. Material Changes Cadence
Version bumps add a notice banner at the top of the document in rebuilt artefacts. Continued visits after the effective date imply awareness unless a jurisdiction demands firmer affirmative re-consent.
10. Regulator & Escalations
Unresolved disputes may be escalated to supervisory authorities (the EU DPA of habitual residence or workplace, notably if EU traffic grows materially) or to the forthcoming Indian statutory Data Protection Board once operational.
Preserve copies offline; cryptographic provenance hashing is optional for integrity-minded readers.