Archived analysis

This page is old. Games24x7 was reviewed on 2026-05-11.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

Gaming

Games24x7

Ready Score 38/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 11 May 2026


Games24x7 is operating on an outdated 'implied consent' model that violates the core pillars of the DPDP Act. The policy lacks almost all mandatory user rights and fails to explain how long they keep your personal information.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.


We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-11
  • Company: Games24x7
  • Readiness score: 38/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.


⚠️ Compliance Gaps

  • Uses 'browse-wrap' consent which is invalid under the DPDP Act
  • Completely ignores Data Principal rights like deletion or correction
  • No mention of data retention periods or 'right to be forgotten'
  • Missing a designated Grievance Officer with specific contact details
  • No framework for the new Right to Nominate under Section 14
  • Vague 'legitimate use' claims for marketing without explicit consent

✅ Strengths

  • Clearly lists the specific third-party roles handling data
  • Provides a direct opt-out link for Google Analytics tracking
  • Explicitly warns users about public message board risks
  • Simple, non-legalistic language that is easy to read

Overview

Games24x7 is one of India’s biggest gaming companies, famous for brands like RummyCircle and My11Circle. They act as a Data Fiduciary — that’s the legal term for a company that decides why and how your data is collected.

Since they handle everything from your name and email to your gaming habits and potentially financial data, they have a huge responsibility. If you use their site, you are the Data Principal (the person the data belongs to). This policy is the “contract” between you and them, and right now, it looks very outdated.

DPDP Readiness: Section-by-Section Analysis

This is the biggest red flag. Games24x7 uses what we call “bundled consent.” They assume that just because you are on their website, you agree to everything.

What the policy says: “By visiting our Website, you accept this Privacy Policy. If you disagree… please do not use the Website.”

What the law requires: Under the DPDP Act, consent must be free, specific, informed, and unconditional. A company can’t just say “if you’re here, you agree.” It has to give users a clear “Notice” first, explaining exactly what it is collecting and why, in plain language.

The problem: You can’t give a user an all-or-nothing choice. They should be able to play a game without necessarily agreeing to be tracked for ads.

Section 7 — Certain Legitimate Uses ⚠️

The law allows companies to process data without consent in very specific cases, like medical emergencies or court orders.

What the policy says: They claim they can use your data to “protect and defend our rights” and “conform with the law.”

The problem: Games24x7 uses very broad language here. While “complying with the law” is a Legitimate Use, using data for “marketing” or “remarketing” (which they mention) is NOT a legitimate use. For marketing, they must get your explicit permission.

Section 8 — Obligations of Data Fiduciary ⚠️

As a Data Fiduciary, Games24x7 is responsible for keeping your data safe, even if they hire another company to handle it.

What the policy says: “These entities… are under a legal obligation… to maintain the confidentiality and security of any personal information.”

What the law requires: It’s not enough to just sign a contract with a vendor. Games24x7 is legally on the hook if their partners leak your data. They must ensure “reasonable security safeguards” are in place.

The problem: The policy mentions third parties are restricted, but it doesn’t explain what security standards Games24x7 itself uses to protect your data from hackers.

Section 9 — Data Retention 🔴

This is a major “failing” grade.

What the policy says: Absolutely nothing. The policy is silent on how long they keep your data.

What the law requires: This is a big change in the new law. A company must delete your data as soon as the purpose for collecting it is over. If you stop playing their games, they shouldn’t keep your data forever.

The problem: Without a clear “Retention Policy,” your data could be sitting on their servers for a decade, increasing your risk in case of a data breach.

Section 11 — Rights of Data Principal 🔴

The DPDP Act gives you, the Data Principal, “superpowers” over your data. You have the right to see what they have, correct mistakes, and ask them to delete it.

The problem: Games24x7’s policy doesn’t mention a single one of these rights. There is no mention of:

  • Right to Correction: Fixing a wrong phone number.
  • Right to Erasure: Asking them to delete your account and data.
  • Right to Nominate: Picking someone to manage your data if you pass away.

Section 12 — Right of Grievance Redressal 🔴

If you’re unhappy with how your data is handled, you need a clear way to complain.

What the policy says: “Questions and comments regarding this policy should be directed to contactus@games24x7.com”

What the law requires: The company must appoint a specific Grievance Officer. This person’s name and contact details must be published. If they don’t solve your problem, the law says they must tell you how to escalate it to the Data Protection Board of India.

The problem: A generic “contact us” email doesn’t meet the legal requirement. It’s too easy for your complaint to get lost in the customer support queue.

Section 16 — Cross-Border Data Transfer ✅

What the policy says: They mention using third parties for things like analytics and marketing, which often means sending data to servers in the US or Europe.

What the law requires: You can send data abroad unless the Indian government specifically “blacklists” a country.

Strength: For now, Games24x7 is likely safe here as long as they aren’t sending data to restricted regions, but they should eventually list where the data actually goes.

Risk Assessment

Category | Risk Level | Potential Impact
Illegal Consent | High | The entire database could be deemed “illegally collected”
Missing Rights | High | Fines for not allowing users to delete or correct data
Grievance Handling | Medium | Users can complain directly to the govt if no officer is found
Data Retention | Critical | Keeping data indefinitely is a direct violation of Section 9

Recommendations

If you are a business owner looking at this policy, here is what you should learn:

  1. Stop using “By using this site…” as a way to get consent. Use a clear pop-up that asks for a “Yes” or “No.”
  2. Add a Deletion Clause. Tell your users, “We keep your data for 2 years after your last login, then we delete it.”
  3. Name a Human. Don’t use “info@company.com.” Assign a Grievance Officer and list their actual work email.
  4. List the Rights. Explicitly tell your users they have the right to access, correct, and erase their data. It builds trust!
  5. Check your vendors. Ensure your contracts with marketing firms actually hold them accountable for privacy.
