Privacy Policy

1. Who We Are

The Young CREATORS of MAYA program ("Program") is operated by Department of Lore, a division of Mayaverse Media Pvt. Ltd. ("MAYA," "Department of Lore," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you access or use our website at creators.entermaya.com (the "Site").

For questions about this policy, contact us at privacy@entermaya.com.

2. Information We Collect

2.1 Information You Provide

• Account information: Full name and email address when you create an account via email OTP or Google sign-in.
• OAuth data: If you sign in with Google, we receive your name, email address, and profile picture URL from Google.
• Submissions: Essay text, document URLs, video URLs, and submission titles you provide to the Program.
• Invitation data: Email addresses you provide when requesting or sending invites.
• Communications: Any information you provide when contacting us.

2.2 Information Collected Automatically

• Usage analytics: Pages visited, click events (element type and text, not content of forms), scroll depth, and time spent on pages. This data is collected using our own first-party tracking system (no third-party analytics services like Google Analytics).
• Session identifiers: A randomly generated session ID stored in your browser to associate usage data with a browsing session. This is not linked to your identity unless you are logged in.
• Device and connection data: IP address, browser type (user agent string), and referring URL. IP addresses are used for security and abuse prevention; we do not use them for geolocation profiling.
• Cookies: We use a cookie consent banner. We set functional cookies necessary for site operation (authentication token, session ID). Analytics and marketing cookies are only set after you grant consent. See Section 5 below.

2.3 Information We Do Not Collect

• We do not collect date of birth, government ID, biometric data, or precise geolocation. We do not collect phone number or physical address except where voluntarily provided for prize fulfillment (shipping address and phone for physical book delivery).
• We do not use third-party advertising networks, behavioral advertising, or tracking pixels from ad platforms.
• We do not sell, rent, or share your personal information with third parties for their marketing purposes.

3. How We Use Your Information

• Operate the Program: Create and manage your account, process submissions, administer judging and prizes.
• Communicate with you: Send login verification codes, submission status updates, prize notifications, and invite notifications.
• Improve the Site: Analyze aggregated, non-identifying usage patterns (which pages are most visited, where users drop off) to improve layout and content.
• Security: Detect and prevent fraud, abuse, unauthorized access, or other harmful activity.
• Legal compliance: Comply with applicable laws, regulations, or legal processes.

We do not use your data for profiling, automated decision-making that produces legal effects, behavioral advertising, or targeted marketing to third parties.

4. Who We Share Your Information With

• Program judges: Your submission content and title (not your personal contact details) are shared with the judging panel (Anand Gandhi, Zain Memon, and the MAYA team) for evaluation.
• Service providers:
  • Resend (email delivery): Receives your email address to deliver transactional emails. Resend processes data under their privacy policy.
  • Google OAuth (authentication): If you choose Google sign-in, your authentication is processed under Google's privacy policy.
  • Railway (hosting): Our servers are hosted on Railway. Data is stored in Railway's infrastructure under their privacy policy.
• Winners: If your submission wins an award, your name and submission title may be published on the Site and MAYA channels. We will notify you before publication.
• Legal requirements: We may disclose information if required by law, subpoena, court order, or to protect our rights or safety.

We do not sell your personal information. We have no advertising partners. We do not share data with data brokers.

5. Cookies and Tracking Technologies

When you first visit the Site, a cookie consent banner appears. You may accept or reject non-essential cookies.

• Strictly necessary cookies: Authentication token (JWT stored in localStorage), session ID. These are required for the Site to function and cannot be disabled.
• Analytics cookies: If you consent, we track page views, scroll depth, clicks, and session duration using our own first-party system. No data is sent to third-party analytics providers.
• Marketing cookies: Currently none. If we add any in the future, they will require your explicit consent.

You can withdraw cookie consent at any time by clearing your browser cookies and revisiting the Site.

6. Children and Young People

The Program is designed for participants aged 15 to 23. This means some of our users are minors under the age of 18.

6.1 COPPA (United States)

COPPA applies to children under 13. Because the Program's minimum age is 15, COPPA's verifiable parental consent requirements do not directly apply. However, we do not knowingly collect data from anyone under 15. If we learn that a user is under 15, we will promptly delete their account and associated data.

6.2 GDPR (European Union)

Under GDPR Article 8, the age at which a child can independently consent to data processing by an online service varies by EU member state (ranging from 13 to 16). For users below the applicable age in their country, parental or guardian consent is required. We apply a default threshold of 16 years for EU users. If you are under 16 and located in the EU, you must obtain your parent or guardian's consent before creating an account.

6.3 UK Children's Code

The UK Age Appropriate Design Code applies to services likely accessed by users under 18. We apply high-privacy defaults for all users: data collection is minimized, no behavioral advertising is used, no profiling or nudge techniques are employed, and privacy settings default to the most protective option.

6.4 CCPA (California, USA)

Under the California Consumer Privacy Act, we do not sell the personal information of any user, including minors aged 13 to 15. California users under 16 have the right to opt in to any sale of their data (we do not sell data, so this does not apply).

6.5 DPDPA (India)

The Digital Personal Data Protection Act, 2023 (DPDPA) applies to processing of digital personal data of individuals in India. Under the DPDPA:

• Data Fiduciary: Mayaverse Media Pvt. Ltd. (Department of Lore) is the Data Fiduciary responsible for the processing of your personal data.
• Purpose limitation: We process personal data only for the purposes described in Section 3 of this policy. We do not process data for purposes incompatible with those stated.
• Consent: By creating an account, you consent to the processing of your personal data as described herein. You may withdraw consent at any time by contacting us, though this may affect your ability to use the Site.
• Data Principal rights: You have the right to access, correct, and erase your personal data, and the right to nominate another person to exercise your rights in the event of your death or incapacity.
• Children's data: For users under 18 in India, verifiable parental consent is obtained before processing personal data, in compliance with Section 9 of the DPDPA.
• Grievance Officer: For grievances related to the processing of your personal data under the DPDPA, contact our Grievance Officer at privacy@entermaya.com. We will acknowledge your grievance within 48 hours and resolve it within 30 days.

6.6 Parental Rights

If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact us at privacy@entermaya.com. We will promptly investigate and, if necessary, delete the information.

Parents and guardians may at any time:

• Request access to their child's personal data
• Request correction or deletion of their child's personal data
• Withdraw consent for continued processing
• Request a copy of their child's data in a portable format

7. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data ("right to be forgotten").
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing of your data for specific purposes.
• Withdraw consent: Withdraw consent at any time where processing is based on consent.
• Non-discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, email privacy@entermaya.com. We will respond within 30 days (or sooner if required by your local law).

8. Data Security

• Authentication is passwordless via email one-time codes (OTP) or Google OAuth. No passwords are stored.
• Sessions use JSON Web Tokens (JWT) with configurable expiration (24 hours to 30 days based on your preferences).
• All data in transit is encrypted via HTTPS/TLS.
• Database access is restricted to application-level credentials and is not exposed to the public internet.
• File uploads are stored in a secured directory with access controls.

While we implement industry-standard security measures, no system is perfectly secure. If you become aware of a security vulnerability, please report it to security@entermaya.com.

9. Data Retention

• Account data: Retained for the duration of the Program and 12 months thereafter, unless you request earlier deletion.
• Submissions: Retained for judging and, if awarded, for publication. Non-winning submissions are deleted within 12 months of the Program's conclusion.
• Analytics data: Aggregated and anonymized within 90 days. Raw analytics logs are deleted after 90 days.
• Invitation records: Deleted 12 months after expiration or acceptance.
• Cookie consent records: Retained for 24 months as proof of consent, as required by GDPR.

10. International Data Transfers

Our servers are hosted in the United States via Railway. If you access the Site from outside the United States, your data will be transferred to and processed in the United States. We rely on standard contractual clauses and the data processing agreements of our service providers to ensure adequate protection for international transfers.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered users and by a prominent notice on the Site. Your continued use of the Site after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related questions, data requests, or concerns:

• Email: privacy@entermaya.com
• Website: entermaya.com