Privacy policy

Last updated: June 3, 2026

Project Sahitya (“we,” “us,” or “our”) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you interact with our website (www.projectsahitya.org), the Project Sahitya Teacher Portal (web application), and related services. This policy is designed in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.

1. Information we collect

We may collect the following categories of personal data:

• Identity Information: Name, email address, and phone number when you subscribe to our newsletter, create a Project Sahitya Teacher Portal account, or email us directly.
• Teacher/User Accounts: Login credentials, device information, progress data, notes, and bookmarks for the Project Sahitya Teacher Portal (web application).
• Communication Data:Newsletter subscriptions and email correspondence you send to us. Volunteer and partner school applications are submitted through embedded Google Forms; Project Sahitya does not store that data on our own servers, and it is governed by Google's privacy policy.
• Student Screening Data: Collected by authorized teachers through the Project Sahitya Teacher Portal during literacy assessments. This includes: student names (encrypted at rest using AES-256), date of birth, and gender; assessment scores for letter recognition, phonemic awareness, sight reading, and engagement; a literacy level computed by a deterministic scoring algorithm (no AI or profiling) and the curriculum lesson plans linked to it; and consent records retained for 3 years. Anonymized, aggregated data may be used in academic research with the consent of the school and, where required, parents or guardians.
• Usage Data: Anonymized analytics, page views, and interaction data to improve our services.

2. Legal basis for processing

Under the DPDP Act 2023, we process your personal data based on the following lawful grounds:

• Consent (Section 6): We obtain your explicit consent before collecting personal data through our forms. Each form includes a mandatory consent checkbox. You may withdraw consent at any time by contacting us.
• Legitimate Uses (Section 7): We may process data without explicit consent where permitted by law, such as responding to your voluntary enquiries or complying with legal obligations.

3. Use of data

We use the collected information for the following purposes:

• To provide and maintain our educational services, including the Project Sahitya Teacher Portal and curriculum delivery.
• To communicate with you about our programs, events, newsletters, and organizational updates.
• To manage volunteer and partner school applications.
• To improve our website, Teacher Portal, and educational content based on usage patterns.
• To ensure the security and integrity of our platform, including device verification and content protection.

4. Cookie usage

Our website uses cookies and similar technologies. When you first visit, a cookie consent banner allows you to accept all cookies or limit usage to necessary cookies only.

Essential cookies (always active):

• Supabase session cookies (sb-*): Used for user authentication and session management. These are strictly necessary for the admin dashboard and any logged-in functionality.
• Cloudflare cookies (__cf_bm, __cflb): Set by Cloudflare for bot protection, security, and performance. These are necessary for the website to function securely.
• Cloudflare Turnstile cookies (cf_clearance): Used for CAPTCHA verification on forms to prevent spam and abuse.
• Cookie consent preference (sahitya-cookie-consent): Stored in localStorage to remember your cookie preference.

Cookie-free analytics:

• Cloudflare Web Analytics: Privacy-first analytics that do not use cookies, localStorage, or any client-side state, and do not track individual users. Loaded automatically without requiring consent.

5. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Specific retention periods are:

• Email correspondence: Emails you send to contact@sahitya.org.in are retained per our Google Workspace mailbox policies. You can request deletion at any time.
• Volunteer and partner applications:Submitted via embedded Google Forms. Retention and deletion are governed by Google's policies and the response sheet owned by Project Sahitya; we delete entries upon request.
• Newsletter subscriptions: Retained until you unsubscribe. Unsubscribed email addresses are kept in a suppression list for 1 year to prevent re-subscription.
• User accounts (Project Sahitya Teacher Portal): Retained while the account is active. Deleted within 90 days of account deletion request.
• Security and audit logs: IP addresses are stored in our audit logs for security monitoring and compliance purposes. Audit logs are retained for 2 years, after which they are deleted.
• Student assessment data: Screening assessments, computed literacy levels, and linked lesson plans are retained until manually deleted by an administrator or upon a valid data deletion request.

6. Data storage & security

We implement industry-standard security measures to protect your personal data:

• All data is transmitted over HTTPS with TLS encryption.
• Database access is restricted with role-based access controls.
• Password data is hashed and never stored in plain text.
• Sensitive student data (names) is encrypted at rest using symmetric encryption before being stored in the database.
• Rate limiting and CAPTCHA verification are used to prevent abuse of our forms.

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure.

7. Hosting & infrastructure providers

Our website and services are hosted using the following infrastructure providers:

• Cloudflare Workers:Application hosting. Our web server runs on Cloudflare's globally distributed edge network.
• Supabase Cloud: PostgreSQL database and authentication service hosted on AWS infrastructure (United States, Virginia region).
• Cloudflare: CDN, DNS, and DDoS protection. Edge servers are globally distributed.
• Cloudflare R2: Object storage for uploaded media files, served via media.projectsahitya.org.

8. Third-party service providers

We use the following third-party services to operate our platform. Each service has its own privacy policy governing data handling:

• Resend: Transactional email delivery for newsletters, confirmations, and notifications. Resend processes your email address and name to deliver emails on our behalf. Resend is based in the United States.
• Cloudflare Turnstile: CAPTCHA service for bot protection on our forms. Turnstile collects device and browser information to verify human users.

9. Cross-border data transfers

Some of our infrastructure and third-party services are hosted outside India. Specifically:

• Our application server (Cloudflare Workers) runs on a globally distributed edge network. Our database (Supabase) is hosted in the United States.
• Resend (email delivery) processes data in the United States.
• Cloudflare operates a global network; your data may be cached at edge servers in various countries.

By consenting to this Privacy Policy, you acknowledge and agree to the transfer of your data to these jurisdictions. We ensure that all cross-border transfers comply with the requirements of the DPDP Act 2023 and that appropriate safeguards are in place with each service provider. We are actively monitoring the Central Government's notifications under DPDP Act Section 16 regarding restrictions on cross-border transfer of children's personal data, and will migrate data processing to Indian infrastructure if and when required by law.

10. Rights for EU/UK visitors (GDPR)

If you are a resident of the European Union or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR), including:

• Right to Restrict Processing: You may request that we limit how we use your data in certain circumstances.
• Right to Object: You may object to the processing of your data for direct marketing or where we rely on legitimate interests.
• Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.
• Right to Lodge a Complaint:You may file a complaint with your national Data Protection Authority. For UK residents, this is the Information Commissioner's Office (ICO).

The rights of access, rectification, erasure, and withdrawal of consent described in Section 12 below also apply to EU/UK residents. To exercise any of these rights, please contact us using the details in Section 16.

11. Children's privacy

Project Sahitya's mission centres on children aged 5-10 in rural India. We take children's privacy extremely seriously and comply with Section 9 of the DPDP Act 2023:

• We do not collect personal data directly from children through our website. Our digital services (website and Project Sahitya Teacher Portal) are designed for adults — teachers, volunteers, and donors.
• Any data related to student outcomes or progress is collected and managed by authorized teachers through the Project Sahitya Teacher Portal, with appropriate parental or guardian consent obtained by the partner school.
• Student information used in our impact reports and testimonials is anonymized or shared with explicit verifiable consent from parents or guardians.
• We do not perform any tracking, behavioural monitoring, or targeted advertising directed at children.

12. Your rights under the DPDP Act 2023

As a Data Principal, you have the following rights regarding your personal data:

• Right to Access (Section 11): You may request a summary of your personal data that we process, and information about how it is being processed.
• Right to Correction (Section 12): You may request correction of inaccurate or incomplete personal data.
• Right to Erasure (Section 12): You may request deletion of your personal data, subject to legal retention obligations (e.g., records we are required to keep for compliance or audit purposes).
• Right to Withdraw Consent (Section 6): You may withdraw your consent for data processing at any time. For newsletters, use the unsubscribe link in any email. For other data, contact us using the details below.
• Right to Grievance Redressal (Section 13): You may raise concerns or complaints about our data processing practices. We will respond within 30 days.
• Right to Nominate: You have the right to nominate another person to exercise your data rights on your behalf in the event of your death or incapacity.

13. How to make a data access or deletion request

To exercise any of your data rights:

• Email us at contact@sahitya.org.inwith the subject line “Data Rights Request.”
• For newsletters, you can also use the unsubscribe link in any email to withdraw consent immediately.

Please include in your request:

• Your full name and the email address associated with your data.
• A description of the specific right you wish to exercise (access, correction, deletion, or withdrawal of consent).

We will verify your identity and respond to your request within 30 days. If we cannot fulfil your request due to legal obligations (e.g., tax record retention), we will inform you of the reasons.

14. Automated decision-making

Project Sahitya does not use automated decision-making or profiling that produces legal or similarly significant effects on individuals. No decisions about your eligibility, access to services, or any other matter are made solely by automated processing of your personal data.

15. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the “Last updated” date at the top of this page.
• For significant changes, we will notify newsletter subscribers via email and display a prominent notice on our website.
• If changes affect the basis on which we process your data, we will seek fresh consent where required.

We encourage you to review this page periodically to stay informed about how we protect your data.

16. Data protection contact

As a small nonprofit organization, Project Sahitya is not required to appoint a formal Data Protection Officer under the DPDP Act 2023. However, we take data protection seriously and have designated a point of contact for all privacy-related matters.

If you have any questions about this Privacy Policy, wish to exercise your data rights, or have any concerns regarding your data, please contact us:

If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India as established under the DPDP Act 2023.