CrazyTopup ("we", "us") respects your privacy. This policy explains the data we collect when you visit crazytopup.in or buy from us, what we do with it, and what your rights are - in line with India's Digital Personal Data Protection Act, 2023 (DPDP Act).
1. Data we collect
You give us, directly:
- Order details - email, phone number, name (optional), and the Player ID / Account ID / Zone ID needed to fulfill a game top-up.
- Account info if you sign in - via Clerk, our auth provider. Clerk handles your phone OTP or Google sign-in; we receive your verified email and (optionally) name and phone.
- Support messages you send us via email or WhatsApp.
Collected automatically when you visit:
- Device and browser data - IP address, user agent, screen size. Used to render the right layout, debug issues, and protect against abuse.
- Analytics events - page views, click events, conversions. We use Google Analytics 4 (GA4) for this. GA4 receives a pseudonymised identifier; we do not pass your email or phone to it.
- Cookies - session cookies set by Clerk for authentication, plus a small set of operational cookies used by the storefront. See "Cookies" below.
From payment and delivery partners:
- Razorpay sends us the payment ID, status, method (UPI / card / netbanking / wallet), and the email / phone you used to pay. We do not see or store your full card number, CVV, UPI PIN, or banking credentials - those stay inside Razorpay's PCI-DSS environment.
- Our fulfillment partner returns the voucher code, PIN, validity, and a transaction reference for each fulfilled order.
2. Why we use your data
- To fulfill your order - we have to know your email/Player ID to deliver what you bought.
- To send order receipts and delivery emails via Resend, our transactional email provider.
- To answer support tickets and help you with refunds or wrong-ID situations.
- To prevent fraud - we may use device/IP signals and Razorpay risk signals to block suspicious orders.
- To improve the site - aggregated analytics help us see which products are popular, which pages are slow, and where checkout breaks.
- To meet legal obligations - tax records, audit trails for payments, and disclosure to authorities when legally required.
3. Who we share data with
We share only what is necessary to run the service. We do not sell your personal data. Our processors are:
- Razorpay (payments) - email, phone, name, order amount.
- Our fulfillment partner (gift card & top-up delivery) - email, the order reference, and the denomination ordered. No phone, no Player ID.
- Clerk (auth) - email, phone (if you signed in), browser session data.
- Resend (transactional email) - the email address we are sending to and the order context inside the email.
- Vercel (hosting) and Neon Postgres (database) - all storefront data passes through these. Both are SOC 2 Type 2 audited.
- Google Analytics - pseudonymised event data only.
We may disclose data to law enforcement or regulators if compelled by a valid legal order, or to protect our rights or the safety of our users.
4. Where your data lives
Our database is hosted in Singapore (AWS ap-southeast-1, via Neon). Vercel serves the site from edge locations worldwide, with primary compute in Mumbai for India. Some of our processors (Clerk, Resend, Razorpay, and our fulfillment partner) may store or process data in other countries. By using the site you consent to this cross-border transfer for the purposes described above.
5. How long we keep it
- Order records - retained for at least 8 years to meet Indian tax and accounting requirements.
- Payment records - retained as required by Razorpay and the Reserve Bank of India.
- Account data - retained while your account is active. If you delete your account we keep what is required to honour past orders and tax records, and delete the rest.
- Analytics data - GA4 default retention is 14 months at event level.
6. Cookies
We use a small number of cookies. None of them serve advertising. Categories:
- Strictly necessary - Clerk session cookie, CSRF token. The site does not function without these.
- Analytics - Google Analytics first-party cookies (`_ga`, `_ga_*`).
You can clear or block cookies via your browser settings. Blocking the strictly-necessary cookies will break sign-in and checkout.
7. Your rights under the DPDP Act
You can ask us, at any time, to:
- Access the personal data we hold about you.
- Correct inaccurate or outdated information.
- Erase data we no longer need to keep (subject to the retention rules in Section 5).
- Withdraw consent for marketing communications (we currently send only transactional email; this is a future-proofing right).
- Nominate a person to exercise these rights on your behalf in the event of death or incapacity.
- Complain to the Data Protection Board of India if you believe we've mishandled your data.
Two of these you can do yourself, instantly, without emailing us — visit /account/privacy while signed in to download a JSON copy of all your data or to delete your account. For correction or other DPDP requests email cs@crazytopup.in with the subject "Data request" and we will respond within 30 days.
8. Children
We do not knowingly collect data from anyone under 18. If you are a parent or guardian and believe a child has provided us with personal data without consent, contact us and we will delete it.
9. Security
We use HTTPS everywhere, encrypt data at rest, restrict admin access to a small allowlist, and rotate credentials. Despite our best efforts, no system is impervious. If we ever suffer a data breach affecting you, we will notify you and the Data Protection Board within the legally required timeframe.
10. Changes to this policy
We update this policy when our data practices change. The "last updated" date at the top reflects the most recent revision. We will notify you of material changes by email when feasible.
11. Grievance Officer
In accordance with the Digital Personal Data Protection Act, 2023 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer for data-related complaints:
- Designation: Grievance Officer, CrazyTopup
- Email: cs@crazytopup.in (subject: "Data request")
- Response time: We acknowledge within 48 hours and respond within 30 days.
If you are a guest customer (no account) and want to access, correct, or delete data we hold about you, email us from the email address you used at checkout with subject "Data request" and your order number.
If you are unsatisfied with our response you have the right to complain to the Data Protection Board of India once it is operational.
12. Contact
For privacy questions, data requests, or concerns about how we handle your data, email cs@crazytopup.in. For everything else see our Terms of Service.