What we hold, why we hold it, and what you can do about it.
The full disclosure required by the EU GDPR and the UK GDPR. Plain language where the law allows it. Cross-references to the underlying articles where it does not.
The short version
We hold the smallest amount of personal data we can get away with. We never sell it, never train AI on it, and never hand it to recruiters, advertisers or affiliate networks. We keep your name, WhatsApp number, LinkedIn URL and the profile fields you write yourself. We log security events with one-way hashes of your IP address. Members can read, edit, export, and ask to delete their data at any time.
The longer version below is the full disclosure required under the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent regimes. It is structured to mirror Articles 13 and 14 of those regulations.
To request a copy of your data, correct an error, or delete your account, email surya@igamingrealtalk.com from the address on your profile. We respond within thirty days, usually within seven.
Who is responsible for your data
The data controller for the personal data described in this policy is the operator of iGRT Community, currently its founder, operating as a sole proprietor, contactable at surya@igamingrealtalk.com. Once a registered legal entity is incorporated, this section will be updated and the registered entity will become the controller.
We have not appointed a Data Protection Officer because the scale and nature of our processing does not legally require one under Article 37 of the GDPR. The founder personally handles all privacy correspondence. Email surya@igamingrealtalk.com for anything privacy-related.
What we collect, and why
We only collect the categories of data listed below. Anything not listed is not collected.
| Category | Field | Source |
|---|---|---|
| Identity | Full name, email, WhatsApp number (in E.164 format), LinkedIn URL | You, at signup |
| Profile | Headline, short bio, company name, primary category, country, optional tags | You, on the dashboard |
| Preferences | What you are available for, and who can see your LinkedIn URL and company | You, on the dashboard |
| Authentication | An Argon2 hash of your password, refresh-token hashes, and the "must change password" flag | Generated when you set or rotate your password |
| Activity | Last seen timestamp, members you saved, profile views, blocks | Generated as you use the dashboard |
| Security log | Audit-log entries with action type, actor and target identifiers, a one-way SHA-256 hash of your IP address, a truncated user-agent string | Generated when you sign in or change your password |
| Reports | Reports you file or that are filed against you, including the reason and any free-text detail | You, or another member |
| Ban-evasion record | If you are permanently banned: a one-way hash of your WhatsApp number, a one-way hash of your LinkedIn URL, a short reason string. No identifiable name or email. | Generated only at the moment of permanent ban |
We do not store the content of your one-to-one WhatsApp conversations. WhatsApp is operated by Meta Platforms, Inc. and is governed by your own account terms with Meta. We provide deep-links only.
We do not ask you for a profile photo. The dashboard renders an initials-based avatar generated locally from your name. The underlying schema includes a photo-URL field, but the member experience provides no way to set or display it, so in normal use it stays empty.
The member dashboard is analytics-free. Our public marketing pages may load Umami, a privacy-friendly, cookieless analytics tool, to count visits in aggregate; it sets no cookies and does not track you across sites or build a profile of you. We use no advertising trackers, fingerprinting libraries, or session-replay tools anywhere.
Why we process it, and on what legal basis
Under GDPR each processing activity needs a lawful basis. Ours break down as follows.
| Purpose | Legal basis | Why |
|---|---|---|
| Vetting and approving applications | Legitimate interests (Art. 6(1)(f)) | Maintaining the integrity of a closed, trust-based network. |
| Running the directory and your account | Performance of a contract (Art. 6(1)(b)) | The terms you accepted at signup commit us to provide the dashboard. |
| Authenticating you and protecting your session | Performance of a contract (Art. 6(1)(b)) and legitimate interests in security | You cannot use a private network without sign-in. |
| Sending you a one-time temporary password by email, only when we issue one and choose email delivery | Performance of a contract (Art. 6(1)(b)) | So an approved member can receive sign-in credentials when manual WhatsApp delivery is not used. |
| Audit logs of authentication and security events | Legitimate interests (Art. 6(1)(f)), and legal obligations to keep adequate security records | Detecting unauthorised access, complying with security obligations. |
| Enforcing the rules (suspensions, removals, ban records) | Legitimate interests (Art. 6(1)(f)) | Protecting other members from fraud, harassment and impersonation. |
| Replying to your privacy, abuse or support emails | Legitimate interests (Art. 6(1)(f)) or legal obligation where applicable | So you can talk to a human about your account. |
We do not currently use consent (Art. 6(1)(a)) as a legal basis for any of the processing above, because consent is the wrong basis for things you cannot meaningfully opt out of and still use the service. If we later add optional features that require consent (for example, marketing emails or analytics) we will collect opt-in consent at that point and you will be able to withdraw it at any time.
We do not process special-category data (health, biometric, political, religious, sexual orientation) and we ask you not to submit it in your bio or in support emails.
Who we share data with
We do not sell your data. We do not license the directory to recruiters, AI training pipelines, or marketing databases. The third parties below are the only entities that receive personal data on our instructions, each acting as a processor under Article 28 of the GDPR.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting the public website and the member dashboard. | United States |
| Railway Corp. | Hosting the API service, the Postgres database, and the Redis cache. | United States |
| Resend, Inc. | Delivering a one-time temporary password to you by email, only when we issue one and select email delivery. No automatic, notification, or marketing email is ever sent. | United States |
| Umami | Aggregate, cookieless visit analytics on the public marketing pages only — never on the member dashboard. Active only when configured; sets no cookies and performs no cross-site tracking. | Operator-controlled host (self-hosted, or Umami Software, Inc.) |
| Meta Platforms, Inc. (WhatsApp) | You initiate conversations through your own WhatsApp account. We do not transmit messages to Meta on your behalf. Meta is your processor for those conversations, not ours. | United States and Ireland |
We may also disclose personal data to a court, regulator or law enforcement agency where we are legally compelled to do so, and to a professional adviser (for example a lawyer) under a duty of confidentiality if we need their advice.
If we ever transfer the network to a successor organisation (acquisition, restructuring, change of legal entity) we will tell members in advance and give you a meaningful window to delete your account before the transfer takes effect.
International transfers
Some of the processors listed above are based in the United States. When personal data leaves the European Economic Area, the United Kingdom or another adequacy region, we rely on the safeguards set out in Article 46 of the GDPR.
- For Vercel and Railway, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Addendum.
- For Resend, we rely on the same SCCs and the EU-US Data Privacy Framework where the receiving entity is certified.
- For Umami, where analytics is enabled and the host sits outside the EEA or UK, we rely on the same SCCs; where it is self-hosted on our existing infrastructure, no separate transfer occurs.
- For Meta (WhatsApp), the transfer is governed by your own relationship with Meta and not by us.
You can request a summary of the transfer mechanism we rely on for a specific processor by emailing surya@igamingrealtalk.com.
How long we keep things
Our retention policy is organised by data category, not by an arbitrary blanket period.
| Data | While account is active | After account closes |
|---|---|---|
| Profile fields | Until you edit or remove them | Deleted within 14 days |
| Authentication credentials (password hash, refresh tokens) | Until rotated or expired (refresh tokens automatically expire after 30 days) | Deleted within 14 days |
| Profile views and saved-members list | Until you remove them | Deleted within 14 days |
| Audit logs (sign-in events, security events, with hashed IP) | Continuously appended | Retained for up to 24 months from the date of the event, then deleted automatically |
| Reports filed against you | Retained while the report is open and for up to 24 months after resolution | Same window applies; underlying member identifiers are nulled when an account closes |
| Ban-evasion record (hashed only) | Created only on permanent ban | Retained indefinitely. The record cannot be reversed back into a name, number or URL. |
The ban-evasion record is the one piece of data we retain after an account closes in a non-deletable form. We do this on the basis of our legitimate interest in protecting other members from re-application by previously banned actors, and we minimise the retained data to one-way hashes plus a short reason string.
Your rights under the GDPR and UK GDPR
You have the following rights over the personal data we hold about you. They apply whether or not you are based inside the EU or the UK; we apply them to all members.
- Right of access (Art. 15). You can ask us for a copy of your personal data and confirmation of how we are processing it.
- Right to rectification (Art. 16). You can ask us to correct inaccurate data and complete incomplete data. Most fields you can edit yourself from the dashboard.
- Right to erasure (Art. 17), also known as the "right to be forgotten". You can ask us to delete your account. We will, with two exceptions: the audit log retention window described above, and the hashed ban-evasion record where it applies. Both exceptions rely on Article 17(3) of the GDPR.
- Right to restriction (Art. 18). You can ask us to pause processing while we investigate a dispute about accuracy or lawfulness.
- Right to data portability (Art. 20). You can ask for the data you provided in a structured, commonly used, machine-readable format. We provide JSON.
- Right to object (Art. 21). Where we rely on legitimate interests, you can object and we will reassess. Where we cannot show a compelling legitimate ground that overrides your rights, we will stop.
- Right to withdraw consent. Where we rely on consent (we currently do not, but may in future for optional features), you can withdraw it at any time without affecting the lawfulness of past processing.
- Right not to be subject to fully automated decisions (Art. 22). We do not run automated decision making with legal or similarly significant effects. Membership decisions, suspensions and bans are made by a human reviewer.
How to exercise your rights
Email surya@igamingrealtalk.com from the email address on your profile and tell us which right you want to exercise. You do not need to use a specific form or a specific phrase. Plain language is fine.
- We respond within thirty calendar days. The first response is usually within seven days.
- We may ask you for additional information if we cannot verify that the request is yours, but we keep that to the minimum necessary.
- Exercising a right is free. Where a request is manifestly unfounded or excessive (for example, repeated identical requests inside a short window), Article 12(5) GDPR allows us to charge a reasonable fee or refuse, in which case we explain why.
Complaints to a supervisory authority
If you are unhappy with how we have handled your data, please tell us first so we can fix it. You also have the right to complain to a data-protection supervisory authority directly. You can choose the authority of the country where you live, where you work, or where the alleged infringement took place.
- European Union members can find their national supervisory authority through the European Data Protection Board at edpb.europa.eu/about-edpb/board/members.
- United Kingdom members can complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint.
Security
We apply the safeguards required by Article 32 of the GDPR.
- All traffic to the dashboard and the API is encrypted in transit (HTTPS, TLS 1.3 where supported).
- Passwords are hashed with Argon2id. We never see, store, or transmit a password in plain text.
- IP addresses in audit logs are stored as one-way SHA-256 hashes, not in clear form.
- Refresh tokens use a rotating-family pattern that detects token reuse and revokes the entire family on theft signals.
- Database backups are encrypted at rest by our hosting provider.
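The rotating-family pattern named above, shown as an added illustration rather than the network's own code: every refresh token descends from one sign-in family, each exchange marks the old token as rotated, and presenting an already-rotated token revokes the whole family. It assumes an in-memory store, SHA-256 for the stored token hashes, and the 30-day expiry from the retention table.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

REFRESH_TTL_SECONDS = 30 * 24 * 3600  # refresh tokens expire after 30 days


@dataclass
class TokenRecord:
    family_id: str          # all tokens descended from one sign-in share a family
    issued_at: float
    rotated: bool = False   # set once this token has been exchanged for a successor


class RefreshTokenStore:
    """Illustrative in-memory store; a real deployment would persist these records."""

    def __init__(self, now=time.time):
        self.now = now                   # injectable clock so expiry can be tested
        self.records = {}                # token hash -> TokenRecord; raw tokens are never kept
        self.revoked_families = set()

    @staticmethod
    def _hash(token: str) -> str:
        # Assumption: SHA-256 of the opaque token; the policy only says "refresh-token hashes".
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, family_id: Optional[str] = None) -> str:
        """Mint a new refresh token, starting a new family unless one is given."""
        family_id = family_id or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.records[self._hash(token)] = TokenRecord(family_id, self.now())
        return token

    def rotate(self, presented: str) -> Optional[str]:
        """Exchange a refresh token for its successor; None means the user must sign in again."""
        rec = self.records.get(self._hash(presented))
        if rec is None or rec.family_id in self.revoked_families:
            return None
        if self.now() - rec.issued_at > REFRESH_TTL_SECONDS:
            return None
        if rec.rotated:
            # Theft signal: a token that was already exchanged is presented again, so either
            # the real client or a thief holds a stale copy. Revoke the entire family.
            self.revoked_families.add(rec.family_id)
            return None
        rec.rotated = True
        return self.issue(rec.family_id)
```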
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to surya@igamingrealtalk.com before disclosing it elsewhere.
Children
iGRT Community is for adult professionals. The dashboard is not designed for, marketed to, or intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has signed up, email surya@igamingrealtalk.com and we will delete the account.
Changes to this policy
We update this policy when our processing changes, when a new processor is introduced, or when the law moves. The "Effective" and "Last reviewed" dates at the top of the page record when the current text took effect. Material changes are announced in the dashboard and in the founder-run WhatsApp groups at least fourteen days before they take effect.
END OF DOCUMENT · PRIVACY POLICY · 9 MAY 2026
