Privacy Policy
1. Information We Collect
1.1 From Donors
- Full name, email address, phone number
- PAN — mandatory for generating your 80G tax deduction receipt
- Payment details (processed via Razorpay/Cashfree — we never store card numbers)
- Donation amount and history
1.2 From Beneficiaries (BPL Families)
- Full names and ages of all family members
- Medical history and health conditions
- Contact number
- BPL / Ration card — for Below Poverty Line verification
- KYC result — a verified/failed status and reference ID from a third-party KYC provider. We never collect or store Aadhaar numbers or images.
- Geographic location (district/state)
1.3 From Emergency Grant Applicants
- Name and contact details
- Hospital name and account details
- Unique Health Identification (UHID) code
- Official hospital cost estimates (documents)
1.4 Automatically Collected
- IP address (diagnostics and fraud prevention)
- Browser type, device type, pages visited
- Referral URLs and cookies (see Section 6)
2. How We Use Your Information
For Donors
- Generate and email your 80G tax deduction receipt automatically
- Submit PAN and donation data to the Income Tax Department via Form 10BD annually (by May 31st)
- Send Form 10BE tax write-off certificates
- Send donation confirmations and impact updates
- Prevent fraud and ensure platform security
For Beneficiaries
- Verify Below Poverty Line status via the BPL/ration card and a third-party KYC check — no Aadhaar number or image is collected or stored
- Place verified families in the active sponsorship queue
- Share verified profile data with Samavesh solely for purchasing your health insurance policy
- Send SMS notifications on policy issuance
For Emergency Grant Applicants
- Verify hospital documents and obtain board approval
- Execute direct bank transfer to hospital — never to individual accounts
3. What We Do NOT Do
- We never sell your personal data to any third party
- We never collect or store Aadhaar numbers or Aadhaar card images — a hard prohibition under the Aadhaar Act, 2016 (Section 29)
- We never store credit/debit card numbers — all processing is handled by PCI-DSS compliant gateways
- We never disburse cash to individual bank accounts — emergency grants go directly to hospitals only
- We never send your data outside India — all servers are within India per DPDP Act compliance
4. Sharing of Information
4.1 Samavesh (Insurance Broker)
When a beneficiary is fully funded, we share their verified profile (name, family details, contact) with Samavesh, our IRDAI-registered insurance broker, solely to purchase a health insurance policy. Samavesh is contractually bound to use this data only for policy issuance.
4.2 Payment Gateway Partners
We share transaction data with Razorpay/Cashfree for payment processing. They operate under their own privacy policies and are PCI-DSS compliant.
4.3 Income Tax Department (Mandatory Legal Obligation)
Donor PAN numbers and donation amounts are submitted to the Income Tax Department annually via Form 10BD. This is a statutory obligation under the Income Tax Act, 1961. Donors are informed of this at the time of collection.
4.4 Law Enforcement
We may disclose personal information if required by law, court order, or government authority. We will notify you unless legally prohibited.
We do not share your information with advertisers or marketing companies.
5. Sensitive Personal Data
| Data Type | Protection |
|---|---|
| KYC reference ID | Third-party KYC result only — no Aadhaar number or image is ever stored |
| BPL card images | Secure directory; pre-signed expiring URLs only |
| Medical history | Encrypted at rest; access restricted to verified staff |
| PAN number | Encrypted at rest; used only for 80G and Form 10BD |
| Hospital bank account | Used only for direct grant disbursement; not stored post-transfer |
6. Cookies
We use cookies to maintain your session, remember preferences, analyse traffic, and prevent fraud. We do not use third-party advertising cookies. You may disable cookies in your browser — core donation functions will continue to work.
7. Data Localization & Security
All data is stored on servers physically located within India in compliance with the DPDP Act, 2023. Security measures include AES-256 encryption at rest, TLS 1.2+ in transit, pre-signed expiring URLs for documents, role-based access controls, and annual security audits.
In the event of a data breach, we will notify you within 72 hours as required under the DPDP Act.
8. Data Retention
| Data Type | Retention |
|---|---|
| Donor records (name, PAN, donation history) | 8 years (Income Tax Act) |
| 80G receipts and Form 10BD data | 8 years |
| Beneficiary profiles | 5 years post-policy expiry |
| Payment transaction records | 8 years |
| Emergency grant records | 8 years |
| Website analytics (anonymised) | 2 years |
9. Your Rights Under DPDP Act 2023
You have the right to access, correct, and erase your data, raise grievances, and nominate a representative. Contact our Grievance Officer to exercise these rights.
10. Children's Privacy
Beneficiary families include minors. Their data is collected only with parent/guardian consent, stored with enhanced encryption, and used only for insurance facilitation and grant management. Our donor-facing platform is intended for users aged 18 and above.
11. Grievance Officer
Geeta Rai
Grievance Officer
Kingston Aura, Hadapsar
Pune — 411028
Maharashtra, India
48 hr acknowledgement · 30 day resolution
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified via email and a prominent notice on the Platform. Continued use constitutes acceptance.
This Privacy Policy is governed by the laws of the Republic of India.
Disputes are subject to the exclusive jurisdiction of courts in Pune, Maharashtra.