Clash Masters

Privacy Policy

← Home

Last updated May 2026.

1. Who we are

ClashMasters is a skill-based 1v1 Clash Royale contest platform operated from India. This Privacy Policy explains what personal data we collect about you, why we collect it, who we share it with, how long we keep it, and the rights you have over it. For the purposes of India's Digital Personal Data Protection Act, 2023, ClashMasters is the Data Fiduciary for the personal data described here.

2. What we collect

Account data — collected when you sign up:

  • Email address (used as your login and our primary way to reach you).
  • A bcrypt hash of the password you choose. The plain password is never stored.
  • A display name shown to opponents and on your profile.

Clash Royale link — collected when you link your in-game profile:

  • Your Clash Royale player tag (e.g. #8G2GY00R).
  • Your in-game name, level, trophies, and most-recent battle history, fetched from Supercell's public Clash Royale API solely to verify ownership of the tag and to determine match outcomes.
  • Your latest Clash Royale Friend Link, used to send and accept Friendly Battle invites between matched players.

Wallet and payment data — collected when you deposit, play, or withdraw:

  • Your wallet balance and a ledger of every deposit, contest entry, prize payout, and withdrawal.
  • For deposits: PhonePe order and transaction identifiers, the amount, and the raw PhonePe status/webhook payload (used to reconcile a payment if it gets stuck). Card numbers, UPI PINs, banking credentials, and CVVs are never seen or stored by ClashMasters — they are entered on PhonePe's checkout and stay with PhonePe.
  • For withdrawals: the UPI VPA you nominate, the amount, and the bank/UPI reference of the payout once completed.

KYC data — collected before your first withdrawal, where required by Indian regulations:

  • PAN number, phone number, and UPI VPA. Used to comply with anti-fraud and tax reporting requirements applicable to skill-gaming payouts in India.

Contest data:

  • Each contest you join — entry tier, opponent, start/end times, the verified crown count, the result (top player / draw / timeout), and the prize-money or refund applied to your wallet.

Technical data — collected automatically by the web server and the application as you use the site:

  • IP address and user-agent string (kept in webserver access logs).
  • One session cookie named cmsessid, used solely to keep you logged in. It points to a row in our server-side sessions table; no personal data is stored in the cookie itself.
  • Anti-CSRF tokens, attached to forms while you are logged in.

3. Why we collect it

  • To run your account — so you can log in, see your wallet, and play.
  • To match and verify contests — so we can confirm a Friendly Battle was played between you and your opponent and determine the top player from the in-game crown count.
  • To process payments — so we can credit deposits to your wallet and pay out withdrawals to your UPI ID.
  • To prevent fraud, multi-accounting, and collusion — so the platform stays fair, in line with our Fair Play policy.
  • To meet our legal obligations — including anti-fraud, tax, and regulatory requirements applicable to skill-gaming operators in India.
  • To respond to you — when you write to us via the contact form or by email.

4. Who we share it with

We do not sell your data. We share it only with service providers strictly required to deliver the service, and only the data each one needs:

Recipient What we share Why
PhonePe Deposit / payout amounts, an order ID, your email, and (for payouts) your UPI VPA. To process the payment.
Supercell (Clash Royale API) Your linked Clash Royale player tag. To verify your in-game identity and read the result of the Friendly Battle for a contest.
Hosting & email provider All data stored on the server, including database rows and webserver logs; outbound emails we send to you. To host the platform and deliver our messages to your inbox.
Law-enforcement & regulators Any data legally required. Where a valid legal request, court order, or statutory obligation applies.

Each provider has its own privacy practices. PhonePe (Indian payment gateway) and our hosting provider operate primarily within India; the Clash Royale API is operated by Supercell Oy from Finland (European Union). Where data leaves India, we rely on the recipient's published security and privacy practices.

5. How long we keep it

  • Active accounts — for as long as your account exists.
  • Wallet, payment, and contest records — retained for at least seven years after the relevant transaction, to meet financial-record-keeping and tax obligations.
  • KYC data — retained for at least seven years from the date of your last withdrawal, in line with anti-fraud and tax record-keeping requirements.
  • Webserver and application logs — typically 90 days, longer where retention is required to investigate suspected fraud or abuse.
  • Email correspondence — kept while it remains relevant to an open issue, and deleted on a rolling basis afterwards.

When you ask us to delete your account, we erase or anonymise the data we are not legally obliged to retain. Records we are required to keep (financial, KYC, tax) are kept for the periods listed above and then deleted.

6. Your rights

Under the Digital Personal Data Protection Act, 2023, you have the right to:

  • Access a summary of the personal data we hold about you.
  • Have inaccurate or outdated personal data corrected.
  • Have your personal data erased, subject to the retention obligations in Section 5.
  • Withdraw consent you previously gave us. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal, and may make some features (e.g. playing contests, withdrawing funds) unavailable.
  • Nominate another individual to exercise these rights on your behalf in the event of your death or incapacity.
  • Raise a grievance with our Grievance Officer (Section 11).

To exercise any of these rights, write to connect@clashmasters.in from the email address on your account. We will verify your identity before acting on the request and respond within a reasonable period — typically within two business days, and in any event within the timelines required by law.

7. Cookies and tracking

We use a single first-party session cookie named cmsessid whose only purpose is to keep you logged in. We do not run third-party analytics, advertising pixels, fingerprinting scripts, or behavioural-tracking cookies on the site. If this changes, this page will be updated with the details first.

8. Children

ClashMasters is not directed at, and we do not knowingly collect personal data from, anyone under 18 years of age. Real-money skill contests on this platform are restricted to adults. If you believe a minor has created an account, please write to connect@clashmasters.in so we can disable the account and erase the data.

9. Security

  • The site is served over HTTPS only; insecure (http) requests are redirected.
  • Passwords are stored as bcrypt hashes — they are not recoverable, even by us.
  • Sessions live in our database, not in the cookie. The cookie holds only an opaque session identifier.
  • Forms that change state (login, deposit, withdrawal, profile edits) are CSRF-protected.
  • Payment credentials are entered on PhonePe's checkout and never reach our servers.
  • Access to administrative tools is restricted to a small set of authorised accounts.

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at connect@clashmasters.in.

10. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. If a change is significant — for example, a new category of data or a new third-party recipient — we will also notify you by email before it takes effect.

11. Contact & Grievance Officer

For any privacy question, request, or grievance, write to our Grievance Officer at connect@clashmasters.in. Please include enough detail for us to identify your account (the email address you signed up with) and describe what you would like us to do. We aim to acknowledge privacy queries within two business days.