Introduction
At Gamyata, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our accessibility testing platform.
By using Gamyata, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our service.
Information We Collect
Personal Information
We collect information you provide directly to us, such as:
- Name and contact information (email address, phone number)
- Account credentials and profile information
- Organization details and role information
- Payment and billing information
- Communication preferences
Usage Information
We automatically collect certain information about your use of our service:
- Log data (IP address, browser type, access times)
- Device information and identifiers
- Usage patterns and feature interactions
- Performance and error data
Website Testing Data
When you use our accessibility testing features, we may collect:
- URLs and content of websites you test
- Accessibility scan results and reports
- Issues and compliance data
- Performance metrics and analytics
Lawful Basis for Processing (GDPR Art. 6)
Where the General Data Protection Regulation (Regulation (EU) 2016/679 / UK GDPR) applies to our processing, we rely on the following lawful bases under Article 6:
- Contract performance (Art. 6(1)(b)): to provide the Gamyata service you have signed up for: account creation, scan execution, report delivery, billing, customer support.
- Legitimate interests (Art. 6(1)(f)): for service security (abuse detection, rate-limiting, fraud prevention), product reliability (aggregated error logs with PII scrubbed), and informing you of material product changes. We balance these against your rights and you can object at any time.
- Consent (Art. 6(1)(a)): for optional analytics cookies (PostHog), marketing communications, and any future data uses we introduce that go beyond service delivery. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): to comply with tax, anti-money-laundering, accounting, and lawful government requests.
We do not rely on Art. 6(1)(d) (vital interests) or 6(1)(e) (public interest / official authority). We do not process special categories of personal data (Art. 9) intentionally; if such data appears incidentally in a scanned page's content the Controller (you) is responsible for the lawful basis of submission under our Data Processing Agreement.
Named Sub-Processors
We engage the following sub-processors to deliver Gamyata. The full list with processing purposes and regions, plus the Data Processing Agreement template, is published at /dpa: Logto (auth, EU), Amazon Web Services (compute/storage, ap-south-1 + eu-west-1), Razorpay (payments, India), Anthropic (LLM inference, US, zero-retention), OpenAI (LLM inference, US, zero-retention), Sentry (error monitoring with PII scrubbed at ingest, EU), and PostHog (product analytics, opt-in only, EU).
We give 30 days' prior notice before introducing or replacing a sub-processor and you have the right to object on reasonable data-protection grounds.
How We Use Your Information
We use the information we collect to:
- Provide and maintain our accessibility testing services
- Process your account registration and manage your subscription
- Generate accessibility reports and compliance documentation
- Improve our platform and develop new features
- Provide customer support and respond to inquiries
- Send important service updates and notifications
- Ensure platform security and prevent fraud
- Comply with legal obligations and enforce our terms
Information Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:
Service Providers
We may share information with trusted third-party service providers who assist us in:
- Hosting and maintaining our platform
- Processing payments and billing
- Providing customer support
- Analyzing usage data and improving our service
Legal Requirements
We may disclose your information if required by law or in response to:
- Valid legal requests from government authorities
- Court orders or subpoenas
- Protection of our rights, property, or safety
- Prevention of fraud or security threats
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction.
Data Security
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Our security measures include:
- Encryption of data in transit and at rest
- Regular security assessments and updates
- Access controls and authentication mechanisms
- Secure data centers and infrastructure
- Employee training on data protection
- Incident response and breach notification procedures
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
Data Retention
We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law.
Our retention periods include:
- Account Information: Retained while your account is active and for a reasonable period after deactivation
- Usage Data: Retained for analytics and service improvement purposes
- Testing Data: Retained according to your subscription plan and preferences
- Legal Records: Retained as required by applicable laws and regulations
Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
Access and Portability
You can request access to your personal information and receive a copy of the data we hold about you.
Correction and Updates
You can request correction of inaccurate or incomplete personal information.
Deletion
You can request deletion of your personal information, subject to certain legal and contractual obligations.
Opt-out and Preferences
You can opt out of certain communications and update your privacy preferences through your account settings.
Data Portability
You can request a copy of your data in a structured, machine-readable format.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience, analyze usage patterns, and provide personalized content.
Types of cookies we use:
- Essential Cookies: Required for basic platform functionality
- Analytics Cookies: Help us understand how users interact with our platform
- Preference Cookies: Remember your settings and preferences
- Security Cookies: Help protect against fraud and ensure security
You can control cookie settings through your browser preferences, though disabling certain cookies may affect platform functionality.
International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your information in accordance with this policy and applicable laws.
For users in the European Economic Area (EEA), we rely on adequacy decisions, standard contractual clauses, and other appropriate safeguards for international transfers.
Children's Privacy
Our service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of any material changes by:
- Posting the updated policy on our website
- Sending email notifications to registered users
- Displaying prominent notices on our platform
Your continued use of our service after any changes indicates your acceptance of the updated policy.
California Consumer Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively the “CCPA”) gives you the following rights with respect to the personal information we collect about you:
- Right to Know. You can ask us what categories of personal information we collect, the sources, the business or commercial purpose, the categories of third parties with whom we share it, and the specific pieces of personal information we hold about you.
- Right to Delete. You can ask us to delete personal information we have collected from you, subject to legally permitted exceptions (security, legal compliance, completing a transaction you requested).
- Right to Correct. You can ask us to correct inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing. Under the CCPA we do not sell personal information for monetary or other valuable consideration, and we do not share personal information for cross-context behavioural advertising. We also honour the Global Privacy Control (GPC) browser signal and treat Sec-GPC: 1 as an opt-out request.
- Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information beyond what is necessary to provide the service.
- Right to Non-Discrimination. We will not deny service, charge different prices, or provide a different level or quality of service because you exercised any of these rights.
To exercise any of these rights, contact privacy@gamyata.com with the subject line “CCPA Request”. We will verify your request before responding (normally by confirming control of the email address on the account) and respond within 45 days as required by CCPA §1798.130. You may also designate an authorised agent to make a request on your behalf in accordance with §1798.135(c).
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Privacy contact (DPO function): privacy@gamyata.com
General contact: hello@gamyata.com
Entity: Sumatak Technologies LLP
We are appointing a designated Data Protection Officer and an EU Representative under GDPR Art. 27 ahead of GA. Until those names are finalised, the privacy contact above is the canonical channel and will be forwarded to the appointee on assignment. (Pending legal-counsel sign-off on the appointee details.)
For users in the European Union, you also have the right to lodge a complaint with your local data protection authority.