How khela Safeguards Your Privacy
We apply the following core principles to every decision about how your personal data is handled on the khela platform.
SSL Encryption
All data transmitted between your device and the khela platform is protected by TLS/SSL encryption. Sensitive fields such as passwords and payment details are additionally encrypted at rest using industry-standard algorithms.
Minimal Data Collection
khela collects only the personal data that is strictly necessary to deliver, secure, and improve its services. We do not collect data speculatively or for purposes beyond what is described in this policy.
Access Controls
Your personal data is accessible only to khela staff members and third-party processors who have a demonstrated operational need. All access is logged and reviewed regularly by our internal security team.
No Data Selling
khela does not sell, rent, or trade your personal information to third-party marketers or data brokers under any circumstances. Your data is used solely for operating and improving our platform and services.
Right to Erasure
Subject to legal retention requirements, you have the right to request deletion of your personal data. khela will process all verified erasure requests within 30 days and confirm completion by email.
Bangladesh-Focused Compliance
While khela applies GDPR-aligned data protection practices globally, our policies are specifically designed with Bangladeshi players in mind, respecting local norms and the expectations of players transacting in BDT via bKash, Nagad, and Rocket.
1. Personal Data We Collect
When you register, use, or interact with the khela platform, we may collect the following categories of personal data:
| Category | Specific Data Points | When Collected |
|---|---|---|
| Identity Data | Full legal name, date of birth, gender, national ID number, passport number, photograph | Registration & KYC verification |
| Contact Data | Email address, mobile phone number, residential address (including city: Dhaka, Chittagong, Sylhet, etc.) | Registration & account updates |
| Financial Data | bKash/Nagad/Rocket/Upay mobile numbers, bank account details (BRAC Bank, City Bank, etc.), transaction history, deposit and withdrawal amounts in BDT | Cashier & payment processing |
| Betting & Gaming Data | Wager history, game session logs, bet amounts, win/loss records, bonus usage | During active platform use |
| Technical Data | IP address, device type, browser type and version, operating system, screen resolution, time zone | Automatically on site visit |
| Usage Data | Pages visited, features used, clickstream data, session duration, referral source | Automatically on site visit |
| Communications Data | Support chat transcripts, email correspondence, responsible gaming self-disclosures | When you contact support |
We do not intentionally collect special category data (such as racial or ethnic origin, political opinions, religious beliefs, or health data) unless you voluntarily disclose such information during a responsible gaming interaction. In that case, any health-related disclosures are used solely for the purpose of applying appropriate player protection measures and are never shared with third parties for commercial purposes.
2. How We Use Your Personal Data
khela processes your personal data for the following purposes. Each purpose is linked to a legal basis described in Section 3 below.
- Account creation and management: To register your account, verify your identity, manage your profile, and communicate account-related updates.
- Payment processing: To process deposits and withdrawals via bKash, Nagad, Rocket, Upay, Visa, Mastercard, bank transfer, and cryptocurrency, and to maintain accurate financial records in BDT.
- KYC and fraud prevention: To verify your age and identity in accordance with our 18+ policy, to detect and prevent fraud, money laundering, account takeover, and other prohibited conduct.
- Service delivery: To provide access to khela's cricket betting markets (including BPL, IPL, T20 World Cup), live casino (Evolution Gaming, Ezugi), slots (Pragmatic Play, NetEnt, Microgaming), and other platform features.
- Responsible gaming: To monitor betting patterns for signs of problem gambling, to apply self-exclusion decisions, and to enforce deposit and loss limits that you have set on your account.
- Customer support: To respond to your queries, resolve disputes, and process complaints through our 24/7 support team.
- Marketing and promotions: To send you relevant offers, bonuses, and promotional communications (including seasonal promotions for Eid, Pohela Boishakh, and BPL season) where you have opted in. You may opt out at any time via your account settings or by contacting support.
- Legal compliance: To comply with applicable laws, regulatory requirements, court orders, and lawful requests from competent authorities.
- Platform improvement: To analyse usage data, conduct A/B testing, and improve the performance, security, and user experience of the khela platform.
khela does not use your personal data to make fully automated decisions that produce significant legal effects on you without human oversight. Where automated processes are used (for example, in fraud scoring), decisions that materially affect your account are reviewed by a human member of our compliance or security team before action is taken.
3. Legal Basis for Processing
Every processing activity carried out by khela rests on one or more of the following lawful bases:
- Contractual necessity: Processing required to fulfil our contract with you as a registered khela player — including account management, payment processing, game delivery, and dispute resolution.
- Legal obligation: Processing required for khela to comply with applicable laws, including anti-money laundering (AML) obligations, age verification requirements, financial record-keeping, and responding to lawful authority requests.
- Legitimate interests: Processing carried out to pursue khela's legitimate business interests — including fraud detection, platform security, responsible gaming monitoring, and internal analytics — provided those interests are not overridden by your rights and freedoms.
- Consent: Processing based on your freely given, specific, informed, and revocable consent — primarily for direct marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Vital interests: In exceptional circumstances, processing that is necessary to protect the vital interests of you or another person — for example, passing information to emergency services in a serious responsible gaming safeguarding situation.
4. Data Sharing & Disclosure
khela shares your personal data only in the following circumstances, and only to the extent necessary for the stated purpose:
- Game providers: Pragmatic Play, Evolution Gaming, NetEnt, Microgaming, Spribe, and Ezugi receive session and authentication data necessary to deliver their games through the khela platform. These providers operate under data processing agreements that prohibit them from using your data for any purpose beyond service delivery.
- Payment processors: bKash, Nagad, Rocket (Dutch-Bangla Bank), Upay (UCB), Visa, Mastercard, and our banking partners (BRAC Bank, City Bank, Islami Bank, Sonali Bank) receive only the transaction data necessary to process your deposit or withdrawal. Payment card data is never stored on khela's own servers.
- Identity verification providers: Third-party KYC service providers receive copies of identity documents submitted for account verification. All such providers are contractually bound to process verification data solely for the purpose of confirming your identity and age.
- Fraud prevention and AML screening: Aggregated or pseudonymised data may be shared with fraud prevention databases and financial intelligence tools used by khela's compliance team. Individual data is shared only where a genuine fraud or AML concern has been identified.
- Legal and regulatory authorities: khela may disclose personal data to law enforcement agencies, financial intelligence units, or regulatory bodies where required by law or in response to a valid legal request. khela will notify you of such disclosure where legally permitted to do so.
- Business transfers: In the event of a merger, acquisition, or sale of all or part of khela's business, your personal data may be transferred to the acquiring entity as part of the transaction. You will be notified in advance of any such transfer and of any material change to how your data is processed as a result.
5. Cookies & Tracking Technologies
khela uses cookies and similar tracking technologies to operate the platform, remember your preferences, analyse traffic, and prevent fraud. The following categories of cookies are used:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Session management, login authentication, security tokens, fraud detection flags | Session / up to 24 hours |
| Functional | Remembering your language preference, currency display (BDT/৳), preferred payment method | Up to 12 months |
| Analytics | Understanding how pages are used, which games are most popular, session durations, and navigation paths — used to improve the platform | Up to 24 months |
| Marketing | Tracking which promotional campaigns led you to khela, to measure the effectiveness of our advertising and avoid showing you irrelevant ads. Used only with consent. | Up to 12 months |
Strictly necessary cookies cannot be disabled as they are essential for the platform to function. You may manage your cookie preferences for all other categories via your browser settings or by contacting our support team. Note that disabling functional or analytics cookies may affect your experience on the platform.
khela does not use third-party advertising networks that track your browsing activity across unrelated websites for ad targeting purposes.
6. Data Retention
khela retains your personal data for as long as is necessary to fulfil the purposes for which it was collected, subject to the following minimum retention periods:
- Account data (identity, contact, KYC documents): Retained for a minimum of five years from the date of account closure, in compliance with anti-money laundering record-keeping obligations.
- Financial transaction records (deposits, withdrawals, bet history): Retained for a minimum of seven years from the date of each transaction, in line with financial record-keeping requirements.
- Communications and support records: Retained for three years from the date of the interaction, or longer where the communication relates to an ongoing dispute or legal matter.
- Cookie and usage data: Analytics data is retained for a maximum of 24 months. Session cookies are deleted upon browser close.
- Marketing consent records: Retained for as long as your account is active plus three years, to demonstrate compliance with consent requirements.
Where data is no longer required for any lawful purpose, it is securely deleted or anonymised. Anonymised data (data that cannot be linked back to any individual) may be retained indefinitely for statistical and platform improvement purposes.
7. Security Measures
khela implements a multi-layered approach to data security, designed to protect your personal data against unauthorised access, accidental loss, destruction, or alteration. Our current security measures include:
- Transport security: All connections to khela.biz are protected by TLS 1.2 or TLS 1.3 encryption. HTTP connections are automatically redirected to HTTPS. SSL certificates are maintained and rotated in accordance with industry best practice.
- Encryption at rest: Sensitive data fields — including passwords (stored as salted hashes), payment method identifiers, and identity document scans — are encrypted at rest using AES-256 or equivalent.
- Access controls: Access to production data is restricted on a strict need-to-know basis using role-based access controls. All administrative access is protected by multi-factor authentication (MFA) and is logged.
- Network security: The khela platform is protected by web application firewalls (WAF), intrusion detection systems (IDS), and DDoS mitigation services. Infrastructure is hosted in ISO 27001-certified data centres.
- Vulnerability management: Regular automated and manual security assessments are conducted on the khela platform. Critical vulnerabilities are patched within 48 hours of identification.
- Incident response: khela maintains a documented data breach response plan. In the event of a breach affecting your personal data, you will be notified within 72 hours of khela becoming aware of the incident, in accordance with applicable notification obligations.
- Third-party security: All third-party processors (game providers, payment partners, KYC providers) are contractually required to maintain security standards equivalent to or exceeding those applied by khela.
While khela takes all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. You also have a responsibility to keep your login credentials confidential and to notify khela immediately at [email protected] if you suspect your account has been compromised.
8. Your Data Rights
As a khela player, you hold the following rights with respect to your personal data. To exercise any of these rights, please contact our Data Protection team at [email protected] with the subject line "Data Rights Request" and we will respond within 30 days.
- Right of access: You have the right to request a copy of all personal data khela holds about you, along with information about how it is used, who it is shared with, and how long it will be retained.
- Right to rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to request that it be corrected. You may update basic profile information (email address, mobile number) directly in your account settings.
- Right to erasure: You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and there is no other lawful basis), or where you object to processing. Mandatory legal retention obligations may limit the scope of erasure in some cases.
- Right to restriction of processing: You have the right to request that khela restricts the processing of your data in certain circumstances — for example, while the accuracy of data is being contested, or where you have objected to processing and khela is assessing the grounds for that objection.
- Right to data portability: Where processing is based on your consent or on contractual necessity, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV), and to transmit that data to another controller.
- Right to object: You have the right to object to processing carried out on the basis of legitimate interests, including profiling. You also have an unconditional right to object to the processing of your data for direct marketing purposes at any time.
- Rights relating to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces significant legal or similarly significant effects on you. As noted in Section 2, khela ensures human review is applied before any account-affecting decision is finalised.
- Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. Marketing opt-out can be managed via your account settings or by emailing [email protected].
khela will not charge a fee for exercising any data rights request unless the request is manifestly unfounded or excessive, in which case a reasonable administrative fee may apply. We may need to verify your identity before processing a request — this is to ensure your data is not disclosed to an unauthorised third party.
9. Third-Party Service Providers
The khela platform integrates with a number of third-party service providers to deliver its full range of features. The following categories of third-party processors handle personal data on behalf of khela under contractual data processing agreements:
- Game content providers: Pragmatic Play, Evolution Gaming, NetEnt, Microgaming, Spribe, Ezugi. These providers process session tokens and player IDs to authenticate game sessions and return results to the khela platform.
- Mobile financial services (MFS): bKash, Nagad, Rocket (Dutch-Bangla Bank), Upay (UCB). These providers process transaction data to execute deposits and withdrawals in BDT.
- Banking partners: BRAC Bank, City Bank, Islami Bank, Sonali Bank, Dutch-Bangla Bank. Used for bank transfer deposit and withdrawal channels.
- Cryptocurrency payment processors: Third-party crypto payment gateways handle USDT (TRC-20, ERC-20) and Bitcoin transactions. Blockchain transactions are publicly visible by nature; khela is not responsible for the pseudonymous public nature of blockchain records.
- Identity verification (KYC) providers: Specialist third-party KYC platforms that process government-issued identity documents and perform liveness checks to confirm player age and identity.
- Cloud infrastructure and hosting: khela's platform is hosted on ISO 27001-certified cloud infrastructure. Data centre locations are in jurisdictions with appropriate data protection frameworks.
- Analytics platforms: Web analytics tools that process aggregated and pseudonymised usage data to help khela understand platform performance. No full IP addresses are stored by analytics tools.
All third-party processors are selected through a due diligence process and are required to demonstrate appropriate technical and organisational security measures. khela reviews third-party data processing arrangements on at least an annual basis.
This Privacy Policy does not cover the privacy practices of third-party websites that may be linked from the khela platform (for example, game provider websites). khela is not responsible for the content or privacy practices of any third-party site.
10. Minors & Age Verification
The khela platform is strictly intended for individuals who are 18 years of age or older. khela takes the protection of minors extremely seriously and employs the following measures to prevent underage access:
- Date of birth is collected at registration and cross-referenced against identity documentation during KYC verification. Any account where the verified age is below 18 is immediately and permanently closed.
- Device fingerprinting and behavioural analysis are used to detect patterns consistent with underage use and to flag accounts for enhanced review.
- Parents and guardians who suspect that a minor in their household has registered an account on khela are encouraged to contact [email protected] immediately. khela will investigate all such reports as a priority and will close any confirmed underage account within 24 hours of verification.
- Where an underage account is confirmed, all funds deposited will be returned to the originating payment method after deduction of any winnings accrued by the underage user, and all betting activity will be voided.
khela does not knowingly collect or process the personal data of any individual under the age of 18 for any purpose other than the immediate closure and remediation process described above. If you believe khela holds personal data about a minor, please contact us immediately at [email protected].
11. Changes to This Privacy Policy
khela reserves the right to update this Privacy Policy at any time to reflect changes in our data practices, applicable law, or business operations. Where material changes are made — for example, changes to the categories of data collected, the purposes for processing, or the third parties with whom data is shared — khela will notify registered account holders by email to the address on file, with a minimum of seven days' notice before the revised policy takes effect.
Non-material changes (such as formatting corrections, clarification of existing practices, or updated contact details) may be made without advance notice. The "Last Updated" date at the top of this page will always reflect the date of the most recent revision.
Your continued use of the khela platform after any revised Privacy Policy has taken effect constitutes your acknowledgement of the updated policy. If you do not accept a material revision, you must stop using the platform and request account closure before the revised policy takes effect. The current version of this Privacy Policy is always available at khela.biz/privacy-policy.
12. Contact & Data Enquiries
For any questions, concerns, or formal requests relating to this Privacy Policy or the processing of your personal data by khela, please contact us through the following channels:
- Email (Data Protection): [email protected] — Subject line: "Privacy / Data Rights Request"
- Live Chat: Available 24/7 inside your khela account dashboard
- Response time: khela will acknowledge all data-related enquiries within 48 hours and will provide a substantive response within 30 days. Complex requests may require up to an additional 60 days, in which case you will be informed of the extension and the reason for it.
khela is committed to resolving all privacy concerns promptly and transparently. If you are not satisfied with khela's response to a data rights request or privacy complaint, you have the right to escalate the matter to the relevant data protection authority or regulatory body in your jurisdiction.
Have Questions About Your Privacy?
Our support team is available 24/7 to help with data rights requests, account security, or anything else on your mind.