1. Introduction
Welcome to MaheshBabuFans.net ("we", "us", "our"). We are an independent, unregistered fan community dedicated to celebrating the work and legacy of actor Mahesh Babu. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website and services.
We are committed to protecting your privacy and complying with applicable data protection laws, including:
- Digital Personal Data Protection Act, 2023 (DPDP Act) - India
- General Data Protection Regulation (GDPR) - European Union
- California Consumer Privacy Act (CCPA) - United States
- Information Technology Act, 2000 - India
By using MaheshBabuFans.net, you consent to the collection and use of your personal information as described in this policy. If you do not agree with our practices, please do not use our services.
2. Data We Collect
2.1 Information You Provide
During Account Registration:
- Email Address (Required, Immutable) - Used for login, communications, and account recovery.⚠️ Cannot be changed after signup
- Password (Required) - Securely hashed using bcrypt; never stored in plain text.
- Full Name (Required) - Used for event passes, contest prizes, and official communications. Should match government-issued documents.
- Phone Number (Optional) - Used for SMS notifications (if you opt-in) and account security. Must be in E.164 international format (e.g., +919876543210).
2.2 OAuth Provider Data (If You Use Social Login)
When you sign in with Google or Apple, we receive:
- Email address (may be Apple Private Relay email for Apple Sign In)
- Full name from your Google/Apple profile
- Unique provider user ID (stored internally for authentication)
- Profile picture URL (currently not stored)
Note: OAuth providers (Google, Apple) are currently disabled in our production environment. When enabled, these providers will also receive your consent to share this information with us.
2.3 User-Generated Content (Fan Zone)
When you upload content to our Fan Zone, we collect:
- Images and videos you upload
- Title and description you provide
- Category selection (art, edit, video, photo)
- File metadata (content type, file size, upload timestamp)
- Your user ID (linked to your account)
2.4 Fan Association Data
If you register a fan association, we collect:
- Association name
- Level (region, district, state, national)
- Geographic location (country, state, district)
- Proof documents (uploaded files for verification)
- Unique association code (generated after approval)
2.5 Automatically Collected Data
- Session cookies - Essential for authentication (no third-party tracking cookies)
- Request logs - URL, HTTP method, timestamp (via Fastify/Pino logging)
- CDN logs - Managed by Cloudflare (IP addresses, user agents, request patterns)
- Account activity - Login timestamps, email verification status, account creation date
Important: We do NOT actively collect or store IP addresses or user agents in our application database. These may be temporarily logged by our CDN provider (Cloudflare) for security and performance purposes.
2.6 Digital Badge Data
Our privacy-preserving badge system stores:
- Badge Token (JWT) - Contains ONLY your user ID, badge ID, and issuance timestamp
- Badge issuance date
- Expiration date (if applicable; null = never expires)
- Revocation status (if badge is revoked)
Privacy Design: Badge QR codes contain NO personal information (no email, name, or phone). Full details are only retrieved from our secure database when someone verifies your badge.
3. Legal Basis for Processing
We process your personal data based on the following legal grounds:
Consent (GDPR Art. 6(1)(a), DPDP Act Sec. 6)
You provide explicit consent when you:
- Create an account and accept these terms
- Upload content to Fan Zone
- Register a fan association
- Opt-in to optional features (e.g., SMS notifications)
Contract Performance (GDPR Art. 6(1)(b))
Processing is necessary to provide you with our services, including:
- Account creation and authentication
- Content hosting and moderation
- Digital badge issuance
Legitimate Interests (GDPR Art. 6(1)(f))
We have legitimate interests in:
- Preventing fraud and abuse
- Moderating user-generated content
- Improving our services
- Ensuring platform security
Legal Obligations (GDPR Art. 6(1)(c))
We may process data to comply with:
- Indian IT Act, 2000 (intermediary due diligence)
- Court orders or legal process
- Tax and accounting regulations
4. How We Use Your Data
We use your personal information for the following purposes:
🔐 Account Management
- Create and maintain your user account
- Authenticate your login sessions (JWT tokens)
- Send account-related notifications (email verification, password resets)
- Issue privacy-preserving digital identity badges
🎨 User-Generated Content
- Host and display your Fan Zone uploads
- Moderate content for policy compliance
- Attribute content to your account
- Enable community engagement features (planned)
🏆 Fan Associations
- Verify association registrations
- Generate unique association codes
- Issue verifiable digital badges
- Maintain association directory (planned)
🛡️ Security & Compliance
- Detect and prevent fraud, spam, and abuse
- Enforce our Terms & Conditions
- Comply with legal obligations
- Respond to law enforcement requests (when legally required)
📊 Service Improvement
- Analyze aggregated usage patterns (no individual tracking)
- Debug technical issues
- Optimize platform performance
- Develop new features based on community needs
📧 Communications
- Send essential service notifications (account security, policy updates)
- Respond to your inquiries via contact form
- Notify about moderation decisions (content approval/rejection)
- Send optional promotional updates (with your consent - planned)
We will NEVER: Sell your personal information to third parties, use your data for targeted advertising, or share your information with data brokers.
5. Third-Party Services
We use the following third-party services that may access or process your data:
☁️ Cloudflare CDN
Purpose: Content delivery, DDoS protection, TLS encryption
Data Processed: HTTP requests, IP addresses, user agents (in access logs)
Location: Global edge network
Privacy Policy: cloudflare.com/privacypolicy
🔑 Google OAuth (When Enabled)
Purpose: Social login authentication
Data Shared: Email, full name, Google User ID
Status: Currently disabled in production
Privacy Policy: policies.google.com/privacy
🍎 Apple Sign In (When Enabled)
Purpose: Social login authentication
Data Shared: Email (or Private Relay), full name (optional), Apple User ID
Status: Currently disabled in production
Privacy Policy: apple.com/legal/privacy
🗄️ Self-Hosted Infrastructure
Components: Supabase Postgres, MinIO storage, GoTrue auth, Directus CMS
Location: Our own VPS (Virtual Private Server) in India
Data Control: We have full control; no data sent to third-party clouds
✅ All user data (accounts, uploads, associations) stays on our own servers
🚫 Services We Do NOT Use:
- ❌ Google Analytics or other third-party analytics (we use Cloudflare Analytics only)
- ❌ Social media tracking pixels (Facebook Pixel, Twitter, etc.)
- ❌ Advertising networks
- ❌ Email marketing services (we send emails directly from our server)
- ❌ Error tracking services (Sentry, etc.)
- ❌ A/B testing tools
6. Children's Privacy
🧒 Age Requirements & Parental Consent
MaheshBabuFans.net does not have a minimum age restriction. However, we take the privacy of children very seriously and comply with applicable child protection laws:
- Under 13 (COPPA - US): Parental or guardian consent required
- Under 16 (GDPR Article 8 - EU): Parental or guardian consent required
- Under 18 (DPDP Act - India): Parental or guardian consent required
Parental Consent Mechanism
If you are under the applicable age in your jurisdiction:
- You must have your parent or legal guardian read this Privacy Policy and our Terms & Conditions
- Your parent/guardian must create the account on your behalf OR provide written consent
- Your parent/guardian can exercise all privacy rights (access, deletion, etc.) on your behalf
Parents/Guardians: Your Rights
If your child has created an account without your consent, you have the right to:
- Request access to your child's personal information
- Request deletion of your child's account and all associated data
- Refuse to allow further collection of your child's information
- Revoke consent previously provided
To exercise these rights, please contact us at: [email protected]
Data Minimization for Minors
We do not knowingly collect more information from children than is necessary for account creation and service provision. Optional features (e.g., phone number, profile pictures) are never required for minors.
⚠️ If we discover underage account without consent:
We will immediately contact the email address on file, request parental verification within 72 hours, and suspend the account until consent is provided. If consent is not received within 14 days, the account and all associated data will be permanently deleted.
7. Your Rights
Depending on your location, you have the following rights regarding your personal data:
🔍 Right to Access (GDPR Art. 15, CCPA §1798.110, DPDP Sec. 11)
You can request a copy of all personal data we hold about you, including:
- Account information (email, name, phone)
- Upload history and metadata
- Association registration details
- Badge tokens and issuance records
How to request:Email us at [email protected] (we'll respond within 30 days)
✏️ Right to Rectification (GDPR Art. 16, DPDP Sec. 12)
You can update or correct inaccurate personal information:
- Full name, phone number: Update via your account settings
- Email: Cannot be changed (immutable for security); contact us if critical error
- Association details: Request update via contact form
🗑️ Right to Erasure / Deletion (GDPR Art. 17, CCPA §1798.105, DPDP Sec. 12)
You can request deletion of your account and personal data:
- Account will be deactivated immediately
- 30-day grace period for recovery (data retained but inaccessible)
- After 30 days, all data permanently deleted
- Exception: We may retain minimal data for legal compliance (e.g., fraud prevention records for 1 year)
Note: Deletion is irreversible after the 30-day grace period. User-generated content may be retained if required for legal proceedings.
How to request:Email us at [email protected] with subject "Account Deletion Request"
📦 Right to Data Portability (GDPR Art. 20)
You can request your data in a structured, machine-readable format (JSON):
- Account profile data
- Upload metadata and URLs
- Association records
- Audit logs of your actions
Delivery:We'll provide a downloadable ZIP file within 30 days
⛔ Right to Object (GDPR Art. 21)
You can object to processing based on legitimate interests or for direct marketing:
- Opt-out of promotional emails (if we add this feature)
- Request to stop processing for specific purposes
- We will cease processing unless we have compelling legitimate grounds
🚫 Right to Restrict Processing (GDPR Art. 18)
You can request temporary restriction of processing while we:
- Verify data accuracy (if you dispute it)
- Assess your objection to processing
- Preserve data for legal claims (instead of deleting)
🔙 Right to Withdraw Consent (GDPR Art. 7(3), DPDP Sec. 6)
You can withdraw consent at any time for:
- Optional features (SMS notifications, promotional emails)
- Deleting your account stops all processing
- Note: Withdrawal does not affect lawfulness of processing before withdrawal
📝 Right to Complain to Authorities
If you believe we've violated your privacy rights, you can file a complaint with:
- India: Data Protection Board of India (DPBI)
Website: TBD (once DPDP Act 2023 is fully enforced) - EU: Your local Data Protection Authority
Find your DPA (edpb.europa.eu) - California: California Attorney General
oag.ca.gov/privacy
💰 Right to Non-Discrimination (CCPA §1798.125)
If you exercise your CCPA rights, we will NOT:
- Deny you services
- Charge different prices or rates
- Provide a different level or quality of service
- Suggest you'll receive different pricing or service
⏱️ Response Timeframes:
- 🇮🇳 India (DPDP Act): We will respond to requests within 30 days
- 🇪🇺 EU (GDPR): We will respond within 1 month (extendable to 3 months for complex requests)
- 🇺🇸 California (CCPA): We will respond within 45 days (extendable to 90 days)
9. Data Security
We implement industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.
🔒 Encryption
- TLS 1.3: All data in transit is encrypted via HTTPS (Cloudflare)
- Bcrypt: Passwords are hashed with bcrypt (cost factor 10) - never stored in plain text
- JWT: Authentication tokens signed with HS256 (HMAC-SHA256)
- RS256 Badges: Digital badges signed with RSA-2048 asymmetric keys
🛡️ Access Controls
- JWT validation: Every API request verified at Kong gateway AND Fastify API
- Role-based access: Admins have separate roles for moderation/association approval
- Database schemas: Isolated schemas (
auth,app,directus) - Private networks: All services communicate via Docker internal network (not exposed to internet)
🔐 Infrastructure Security
- Kong Gateway: Single public entry point (ports 80/443 only)
- Rate limiting: Prevents brute force and DoS attacks
- DDoS protection: Cloudflare shields our origin servers
- Firewall rules: VPS firewall blocks all ports except 80/443
- Docker isolation: Each service runs in isolated container
📝 Logging & Monitoring
- Structured logging: Pino JSON logs for audit trails
- No sensitive data: Passwords, tokens never logged
- Audit logs: Track content moderation, badge issuance, admin actions
- Log retention: Rotated daily, retained for 30 days
💾 Backup Security
- Nightly backups: Postgres
pg_dumpto MinIO/R2 - Encrypted backups: All backup files encrypted at rest
- 30-day retention: Automatic cleanup of old backups
- Restore testing: Quarterly backup restoration drills
⚠️ Data Breach Notification
In the unlikely event of a data breach that compromises your personal information, we will:
- Notify affected users via email within 72 hours of discovery (GDPR Art. 34)
- Report to relevant authorities (DPBI, DPAs) as required by law
- Provide clear information about what data was affected and steps we're taking
- Offer guidance on how to protect yourself (e.g., password reset)
Report security issues: If you discover a vulnerability, please email [email protected]
🔧 Your Security Responsibilities
- Use a strong, unique password (8+ characters, mix of letters/numbers/symbols)
- Never share your password or login credentials
- Log out after using shared or public devices
- Keep your email account secure (it's used for account recovery)
- Enable two-factor authentication when available (planned post-MVP)
- Report suspicious activity immediately
10. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this Privacy Policy or as required by law.
🕐 Active Accounts
While your account is active, we retain:
- Account profile data (email, name, phone) - Indefinitely
- User-generated content - Indefinitely (until you delete)
- Upload metadata - Indefinitely
- Badge tokens - Indefinitely (until revoked)
- Audit logs - 30 days
🗑️ Account Deletion
When you request account deletion:
- Immediate: Account deactivated (cannot log in)
- 30-day grace period: Data retained but inaccessible (you can recover account)
- After 30 days: Permanent deletion:
- Account profile deleted
- Authentication tokens invalidated
- User-generated content deleted from storage
- Database records purged
- Badge tokens revoked
Note: To recover your account during the 30-day grace period, email [email protected]
⚖️ Legal Retention
We may retain minimal data beyond deletion if required for:
- Fraud prevention: Hashed email + account creation date for 1 year (to prevent re-registration abuse)
- Legal disputes: Records relevant to pending litigation
- Tax compliance: Transaction records for 7 years (if applicable)
- Law enforcement: Data preserved under valid court order
Legal retention is anonymized where possible (e.g., we only keep hashed email, not the email itself)
🚨 Content Moderation Records
If your content was rejected for policy violations:
- Rejected content: Deleted immediately
- Moderation decision log: Retained for 90 days (for appeals)
- Severe violations (illegal content): Reported to authorities, retained as required by law
📊 Aggregated Data
We may retain anonymized, aggregated data indefinitely for statistical purposes (e.g., "Total fans registered: 50,000"). This data cannot be traced back to individual users.
📅 Retention Summary Table
| Data Type | Active Account | After Deletion Request |
|---|---|---|
| Account profile | Indefinite | 30 days → Deleted |
| Passwords (hashed) | Indefinite | 30 days → Deleted |
| User-generated content | Until you delete | 30 days → Deleted |
| Badge tokens | Until revoked | Immediately revoked |
| Audit logs | 30 days | 30 days → Deleted |
| Fraud prevention hash | N/A | 1 year (anonymized) |
| Backup files | 30 days rolling | 30 days → Deleted |
11. International Data Transfers
🌍 Data Storage Location
All user data is stored on our self-hosted infrastructure located in India. We do NOT transfer your personal data to third-party clouds outside India.
- Database: Supabase Postgres - India VPS
- File storage: MinIO - India VPS
- Authentication: GoTrue - India VPS
- CMS: Directus - India VPS
☁️ Cloudflare Edge Network (CDN)
Your HTTP requests may be processed by Cloudflare's global edge network for:
- TLS termination and encryption
- DDoS protection
- Edge caching (for faster page loads)
Cloudflare may temporarily store request metadata (IP addresses, user agents) in their edge data centers worldwide. This data is automatically deleted after a short retention period (typically 24-72 hours).
Cloudflare Data Processing Agreement: cloudflare.com/cloudflare-customer-dpa
🇪🇺 EU Users (GDPR Compliance)
If you are located in the European Union, your data may be transferred from the EU to India (non-adequate country under GDPR). We ensure GDPR-compliant transfers through:
- Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements
- Your explicit consent: By using our services, you consent to transfer your data to India
- Adequate safeguards: Encryption in transit (TLS 1.3), access controls, GDPR-compliant rights
You have the right to request a copy of the safeguards we use for international transfers. Email [email protected]
🔒 No Third-Party Cloud Transfers
We do NOT use or transfer data to:
- ❌ AWS (Amazon Web Services)
- ❌ Google Cloud Platform
- ❌ Microsoft Azure
- ❌ Data brokers or marketing platforms
- ❌ Social media analytics services
✅ We maintain full control of your data on our own infrastructure
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. When we make material changes, we will notify you as follows:
📧 Notification Methods:
- Email notification - Sent to your registered email address at least 30 days before changes take effect
- Prominent banner - Displayed on our website when you log in
- "Last Updated" date - Updated at the top of this page
⚠️ Material Changes
We consider the following to be "material changes" requiring explicit notice:
- Collecting new types of personal information
- Using data for new purposes not previously disclosed
- Sharing data with new third parties
- Reducing user rights or protections
- Changing data retention periods significantly
- Transferring data to new countries
For material changes, you will have the option to:
- Accept the new terms and continue using our services
- Decline the new terms and delete your account (with full data export)
📜 Version History
We maintain a version history of all Privacy Policy changes. You can view previous versions at:
TODO: Add link to policy version history page (or GitHub repository if open source)
Continued use of our services after policy updates constitutes acceptance of the new terms. If you do not agree with changes, you must stop using our services and request account deletion before the effective date.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
📧 Privacy Inquiries
Email:
Contact Form:
maheshbabufans.net/contactResponse Time:
We aim to respond within 48-72 hours (business days)
🛡️ Data Protection Officer (DPO)
For GDPR-related inquiries, you can contact our Data Protection Officer:
Email: [email protected]
(Note: As an unregistered fan community, we are not legally required to have a DPO under DPDP Act or GDPR. This contact is provided for transparency.)
🚨 Security Issues
If you discover a security vulnerability, please report it immediately:
Email: [email protected]
Please do not disclose security issues publicly until we've had a chance to address them.
📬 Postal Address (GDPR Requirement)
You can also contact us via postal mail:
MaheshBabuFans.netHyderabad
Hyderabad, Telangana, India
India
Note: GDPR Art. 13(1)(a) requires a postal address for EU users. We recommend using a P.O. Box or registered agent service for privacy.
⏱️ When to Contact Us:
- Exercise your data rights (access, deletion, portability, etc.)
- Report a privacy concern or data breach
- Request information about how we process your data
- Appeal a content moderation decision
- Withdraw consent for data processing
- Ask questions about this Privacy Policy
- Report underage account without parental consent
This Privacy Policy was last updated on November 7, 2025
MaheshBabuFans.net is an independent fan community and is not affiliated with, endorsed by, or connected to Mahesh Babu, GMB Entertainment, or any official entities.