SAKHA FOUNDATION

Privacy Policy

Sakha Foundation — Terms & Conditions

Effective Date: October 23, 2025

Organization Name: Serving Aid key for Humans and Animals Foundation (Sakha Foundation)
Operation Office: Kantabada, Bhubaneswar, Odisha – 752054, India
Email: support@sakhafoundation.org
Website: www.sakhafoundation.org

  1. Policy Purpose

    This Privacy Policy outlines how Sakha Foundation (“we”, “our”, “the Foundation”) collects, stores, processes, and protects personal and sensitive data obtained from donors, volunteers, visitors, and partners.

  2. Legal Framework

    We comply with:

    • Digital Personal Data Protection (DPDP) Act, 2023
    • Information Technology Act, 2000 (Sections 43A & 72A)
    • Income Tax Act, 1961 (for 80G / 12A donations)
    • Foreign Contribution Regulation Act, 2010 (FCRA)
    • General Data Protection Regulation (GDPR) for EU donors
    • Any applicable Indian or international data protection standards.
  3. Scope of Application

    This Policy applies to:

    • All users visiting or interacting with our website, donation portals, social media, and email campaigns.
    • Donors (domestic and foreign), volunteers, employees, and partner organizations.
    • Data collected both online and offline through forms, events, or campaigns.
  4. Lawful Basis for Processing

    We process personal data lawfully under one or more of these bases:

    • Consent (e.g., newsletters, donations, registrations)
    • Legal obligation (e.g., FCRA reporting, audit compliance)
    • Legitimate interest (e.g., improving NGO programs, impact tracking)
  5. Categories of Data Collected

    We may collect:

    • Personal identification details (name, gender, date of birth)
    • Contact details (email, phone, address)
    • Payment data (masked card/UPI/bank info, transaction ID)
    • Tax details (PAN, nationality for 80G/FCRA)
    • Volunteer records and resume details
    • Communication preferences
    • IP address, cookies, and browser data
    • Feedback and survey responses
  6. Sensitive Personal Data

    We handle sensitive information (e.g., health, disability, or child-related data) only when essential for project participation or reporting and with explicit consent.

  7. Purpose of Data Use

    Data is collected for:

    • Donation processing and receipt issuance
    • Compliance with legal and audit requirements
    • Communication of impact stories and newsletters
    • Volunteer coordination
    • Research, reporting, and improvement of services
    • Fraud prevention and cybersecurity
  8. Data Accuracy & Donor Responsibility

    Donors and users must ensure the information they provide is accurate, current, and complete.

    Sakha Foundation is not liable for issues arising from incorrect or outdated information.

  9. Data Minimization

    We collect only the minimum necessary data required to achieve lawful purposes and avoid unnecessary data retention.

  10. Children’s Privacy

    • We do not knowingly collect personal data from children below 18 years without verified parental consent.
    • Any data inadvertently collected will be deleted immediately upon notification.
  11. Data Storage Location

    • All primary data is securely stored on cloud servers located in India (e.g., AWS Mumbai or equivalent).
    • Back-ups or mirrored copies may be stored in foreign data centres, but only with encrypted channels compliant with DPDP 2023 Section 16(1).
    • Physical documents (forms, registers) are kept in locked, access-controlled offices.
  12. Retention Duration

    • Donation & tax records — retained 8 years for audit and Income-Tax compliance.
    • Volunteer & HR files — retained 5 years after project completion.
    • Event or campaign data — retained until the project’s closure.
    • Beyond these limits, data is securely deleted or anonymized.
  13. Encryption & Security Measures

    • All electronic data is protected by AES-256 encryption in transit and at rest.
    • Access is restricted through multi-factor authentication, firewalls, and secure SSL (HTTPS) channels.
    • Security audits and vulnerability scans are conducted periodically.
    • Any suspected breach is handled as per Point 28 (Data Breach Response Protocol).
  14. Consent Management

    • Consent is obtained explicitly through checkboxes, sign-ups, or written acknowledgment before data collection.
    • Users may withdraw consent anytime by emailing support@sakhafoundation.org.
    • Withdrawal may affect certain services (e.g., newsletters or donation receipts), but will never impact mandatory records required by law.
  15. Third-Party Service Providers

    We may engage trusted vendors for:

    • Payment processing (Razorpay, PayU, etc.)
    • Email & communication (SendGrid, Resend, Gmail API, etc.)
    • Cloud & backup (AWS, Google Cloud, etc.)

    Each provider operates under written Data Processing Agreements (DPAs) ensuring confidentiality, encryption, and compliance with Indian and global standards.

  16. No Commercial Data Sharing

    • Sakha Foundation does not sell, rent, trade, or lease donor or volunteer information.
    • Personal data will never be shared with marketing or fundraising agencies without written consent.
  17. Disclosure under Legal Obligation

    Data may be disclosed to government or regulatory bodies (e.g., MHA for FCRA, Income-Tax Dept., or CERT-In) only when legally required. Such disclosures are documented internally and limited to relevant records.

  18. Cross-Border Data Transfer

    • If data must be processed outside India (e.g., by cloud services), it will occur only in jurisdictions offering equivalent protection under DPDP Act Section 16(2) or with explicit donor consent.
    • All transfers use encrypted VPN or secure API channels.
  19. Cookies & Web Tracking

    • The website uses essential cookies for functionality and analytics cookies for traffic analysis.
    • Users may disable non-essential cookies through browser settings.
    • No profiling or behavioural tracking for commercial advertising is performed.
  20. Link to External Websites

    • The Foundation’s site may contain links to partner NGOs or CSR platforms.
    • We are not responsible for the privacy practices or content of external sites.
    • Users are encouraged to review each linked site’s policy before sharing data.
  21. Right to Access

    • Individuals have the right to request a copy of the personal data held about them.
    • Requests should be emailed to support@sakhafoundation.org with ID verification.
    • The Foundation will respond within 30 calendar days as per DPDP Act Section 12(2).
  22. Right to Correction

    • Users may request rectification of inaccurate or outdated information.
    • Updates will be made within 15 working days of verification.
    • Corrected data is automatically propagated to internal systems and legal records.
  23. Right to Deletion (Erasure)

    • Individuals can request deletion of their personal data unless retention is required for:
      • Legal, audit, or taxation obligations, or
      • FCRA / CSR reporting compliance.
    • Once validated, records are irreversibly deleted or anonymized.
  24. Right to Data Portability

    Upon written request, users may receive a machine-readable export (CSV/PDF) of their personal information collected through donations or volunteer forms. The export is provided within 45 days, subject to verification.

  25. Right to Withdraw Consent

    • Users may withdraw marketing or newsletter consent at any time by:
    • Withdrawal will not affect prior lawful processing or mandatory retention records.
  26. Transparency of Data Use

    The Foundation publishes an annual Data Protection Summary Report showing:

    • Total records processed,
    • Categories of information shared with regulators,
    • Security incidents (if any) handled under DPDP Section 9.
  27. Automated Decision-Making

    Sakha Foundation does not employ automated decision-making or profiling that affects donors or volunteers. Any AI-driven analytics used for awareness or reporting remain non-personal and anonymized.

  28. Data Breach Response Protocol

    In the event of an actual or suspected breach:

    • Incident logged immediately in the security register.
    • Containment measures applied within 7 days.
    • Affected users notified within 7 days of detection.
    • Report filed with the Data Protection Board of India and CERT-In as required.
    • Post-incident audit and prevention plan documented.
  29. Grievance Redressal Mechanism

    For any privacy complaint or suspected misuse, users may contact:

    Data Protection Officer (DPO): Mr./Ms. [Name]
    Email: support@sakhafoundation.org

    • Complaints are acknowledged within 30 days and resolved within 90 days.
    • Unresolved matters may be escalated to the Data Protection Board of India.
  30. Accountability and Audit

    • Annual internal audits review compliance with DPDP and IT Act requirements.
    • Access logs, encryption keys, and vendor compliance reports are archived for 5 years.
    • Non-compliance triggers corrective training and disciplinary procedures.

Information Security Management & Technical Clauses

  1. Information Security Management

    Sakha Foundation maintains a formal Information Security Policy aligned with ISO/IEC 27001 principles. Role-based access control ensures that only authorized personnel can handle donor, volunteer, and beneficiary data. Every system login and data retrieval is logged and monitored to prevent unauthorized access. The Foundation conducts annual IT security audits to assess compliance with privacy standards.

  2. Password & Access Control Policy

    • Strong passwords (minimum 12 characters, mixed case, symbols, and numerals) are mandatory for all system users.
    • Multi-Factor Authentication (MFA) will be enabled for critical systems such as donation dashboards and financial databases.
    • Password sharing is prohibited; violations result in immediate account suspension.
    • System access is revoked automatically when a staff member or volunteer leaves the organization.
  3. Device & Endpoint Security

    • All official computers and mobile devices use licensed antivirus software and firewalls.
    • USB drives or portable media are allowed only with encryption and prior written authorization.
    • NGO laptops must be encrypted with full-disk protection (BitLocker / FileVault equivalents).
    • All systems automatically lock after 5 minutes of inactivity.
  4. Network & Infrastructure Protection

    • Office Wi-Fi is protected using WPA3 encryption; guest access is restricted to an isolated network.
    • Secure Sockets Layer (SSL/TLS) encryption is mandatory for all website transactions.
    • Intrusion detection and automated alert systems monitor unusual data activity 24×7.
    • Server backups are encrypted and stored in geographically separate data centres.
  5. Vendor & Third-Party Compliance

    • Vendors who handle or process any personal data must sign a Data Processing Agreement (DPA) with Sakha Foundation.
    • All vendors are assessed annually for: Security controls and certifications, Privacy practices, and History of data breaches or violations.
    • Non-compliant vendors are suspended immediately, and their access to data is revoked.
  6. Sub-Processor Responsibility

    • Vendors may not engage sub-processors without prior written approval from Sakha Foundation.
    • All sub-processors must comply with equivalent or stronger data protection obligations.
    • A maintained record of authorized sub-processors is available upon donor request.
  7. International Donor & Data Transfer Compliance

    • For donors residing outside India, the Foundation adheres to global data-protection standards (e.g., GDPR, UK DPA 2018, CCPA where applicable).
    • Cross-border data transfers occur only through secure APIs and encrypted VPN channels.
    • Payment data is processed exclusively through PCI-DSS certified gateways (e.g., Razorpay, PayU, Stripe).
  8. FCRA & Audit Trail Integrity

    • Every international transaction is logged with donor nationality, purpose code, and receipt ID as per FCRA Rule 13.
    • Transaction logs cannot be altered and are retained for 10 years.
    • Periodic audits by independent Chartered Accountants ensure transparency and legal compliance.
  9. Child & Vulnerable-Person Data Protection

    • Any personal data of children (<18 years) or vulnerable individuals is collected only with verified parental or guardian consent.
    • The Foundation follows POCSO Act, 2012, Juvenile Justice Act, 2015, and UNICEF Media Guidelines.
    • Images of minors are blurred or anonymized unless explicit written consent is obtained.
    • Violation of child-data protection rules results in termination and legal action.
  10. Training & Awareness Programs

    • Every employee, intern, and volunteer undergoes annual privacy and cybersecurity training.
    • The program includes: Phishing detection, Safe data handling, Device security, and Reporting obligations for potential data breaches.
    • Attendance and performance in these trainings are recorded for compliance reporting.

Transparency & Governance

  1. Transparency & Public Disclosure

    • The Foundation publishes a summary of its privacy practices and data-management framework in its Annual Report.
    • Non-confidential privacy audits and compliance summaries may be shared on www.sakhafoundation.org for public trust.
    • Any material change to data-handling methods will be announced within 30 days of implementation.
  2. Open Communication & Clarifications

    • Users can request explanations on how their information is collected, processed, or secured.
    • Official communication will always originate from the domain @sakhafoundation.org.
    • Queries sent to support@sakhafoundation.org receive acknowledgment within 7 days.
  3. Record of Processing Activities (ROPA)

    The Data Protection Officer (DPO) maintains a register detailing: Purpose of processing, Data categories & lawful basis, Retention periods, Third-party recipients and safeguards. The ROPA is reviewed semi-annually for accuracy and completeness.

  4. Privacy Impact Assessments (PIA)

    PIAs are conducted before introducing new digital tools, campaigns, or donor-management systems. They evaluate data sensitivity, risk exposure, and mitigation plans. Results are documented and retained for 6 months and are subject to change.

  5. Ethical Use of Information

    Personal data will never be used for: Political promotion, Religious proselytization, Commercial advertising. Aggregated, anonymized data may be used only for awareness, research, or impact evaluation with appropriate attribution.

  6. Non-Discrimination in Data Processing

    Access to programs, volunteering, or aid is granted without bias of caste, creed, gender, language, disability, or economic status. Algorithms or analytics are periodically audited for bias and fairness under DPDP Act Sec 8(2).

  7. Policy Review & Revision Cycle

    This Privacy Policy undergoes a full review annually or upon legal/technological change. Revised versions display the new Effective Date and summary of changes. Continued use of the website implies acceptance of the updated terms.

  8. Force Majeure

    The Foundation is not liable for breach or delay caused by circumstances beyond its control—including natural disasters, war, civil unrest, pandemics, internet failure, or government orders.

  9. Governing Law & Jurisdiction

    This Privacy Policy is governed by the laws of India, including the DPDP Act 2023 and the IT Act 2000. All disputes shall fall under the exclusive jurisdiction of the District Court of Khurdha, Odisha. For international donors, applicable foreign privacy statutes (GDPR/CCPA) will also be honoured.

  10. User Acknowledgment & Consent

    By using the website, donating, volunteering, or submitting information, users acknowledge that they have read, understood, and agreed to this Privacy Policy in its entirety. Users confirm that the data they provide is truthful and that they consent to its lawful use for the stated purposes.

Advanced Data Security & Accountability

  1. Data Classification & Labelling Policy

    All data is classified as Public, Internal, Confidential, or Restricted. “Restricted” data (e.g., donor KYC, beneficiary records) is encrypted end-to-end and stored in dedicated databases. Employees handling confidential data must sign a Non-Disclosure Agreement (NDA).

  2. Internal Access Logs

    Every data access event is recorded (user, timestamp, record type). Logs are immutable and reviewed monthly by the Data Protection Officer (DPO). Unauthorized access triggers automatic alerts and suspension pending review.

  3. Privacy by Design & Default

    All new digital projects (apps, donation systems, CRMs) are built with privacy embedded at design stage, following DPDP Section 9(1) principles. Default settings always favour minimal data collection and maximum anonymity.

  4. Beneficiary Data Protection

    Sensitive community or beneficiary data (e.g., livelihood, health, and disability) is anonymized before publication or research. Geo-location or photographic identifiers are never shared without consent. Aggregated data may be used for research under ethical guidelines only.

  5. Confidential Whistle-blower Protection

    Employees, volunteers, or donors reporting suspected data misuse or privacy violations are protected under Sakha Foundation’s Whistle-blower Policy. Retaliation or disclosure of whistle-blower identity is strictly prohibited and punishable under Section 72A of the IT Act, 2000.

  6. Media & Publication Consent

    Before publishing photographs, testimonials, or stories of individuals, written consent is mandatory. For children, guardian consent is required in writing or digitally (via form or OTP). Every publication must undergo Ethical Content Review.

  7. Cloud Vendor Geographic Restriction

    The Foundation uses only cloud data centres located within India for storing sensitive or FCRA-linked information. Foreign backup servers are allowed only for non-personal media or analytics data with encryption and data protection parity.

  8. Privacy Governance Committee

    A Privacy & Data Governance Committee comprising trustees, DPO, and legal advisors meets quarterly to: Review compliance metrics, Approve vendor audits, Evaluate breach reports and mitigation, Recommend system upgrades.

  9. Digital Forensics & Incident Recovery

    In case of data theft or hacking, digital forensics are conducted by a CERT-In empaneled cybersecurity agency. Post-incident reviews identify root causes, apply patches, and retrain staff.

  10. AI and Automated Tools Disclaimer

    Any use of Artificial Intelligence (AI) or data analytics by Sakha Foundation is limited to: Donation pattern analysis, Program reporting, and Awareness content. AI tools never access personal donor identities or financial data directly. AI recommendations are human-reviewed before publication.

  11. Right to Lodge Complaint (International Donors)

    EU/EEA donors may contact the Data Protection Board of India (DPBI) or their local EU data authority for unresolved complaints. The Foundation will cooperate with cross-border data inquiries as required under GDPR Article 50.

  12. Right to Restrict Processing

    Users may request temporary restriction of their data processing (e.g., for investigations or corrections). During restriction, the Foundation will not modify or share the data unless legally required.

  13. Environmental & Sustainability Integration

    Digital infrastructure is designed to reduce environmental footprint. The Foundation commits to: Using renewable-energy powered cloud hosting (where available), Minimizing paper records, Recycling electronic waste through certified vendors.

  14. Policy Accessibility & Translation

    This Privacy Policy is available in English and Odia, ensuring accessibility for all stakeholders. Braille or audio formats can be provided upon request for differently-abled users. The Foundation complies with Accessibility Guidelines (WCAG 2.1) for web readability.

  15. Contact & Data Protection Officer (DPO)

    Email: support@sakhafoundation.org

    Postal Address: Sakha Foundation, Kantabada, Khurdha District, Odisha, India